Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the reply filed by Applicant on 12/11/2025. Claims 1-20 are pending. This Office Action is Final.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 4/2/2025, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
A) Applicant’s arguments with respect to claim(s) 1, 6, 11 and 16 have been considered but are moot because the new ground of rejection, as necessitated by amendment, does not rely on the exact combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 5-7, 10-12, 15-17 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hodgman (US 2019/0238575) in view of Kuan et al. (US 2023/0027149).
As per claim 1, Hodgman teaches a method for capturing reconnaissance traffic, the method implemented by a network traffic management system comprising one or more network traffic apparatuses, client devices, or server devices, the method comprising: detecting, using a listener, a receipt of a packet from a user at a destination port of a server (Hodgman, Paragraph 0055 recites “The management component 112 is operable to, for example, process the network data collected from the computing devices, and analyze the network data to identify an incident for reporting from the analyzed data. In this example, the network data or network activity information can include payload information, an identifier to identify the network data, timestamp information, source internet protocol (IP) address and source port of the computing device sending the network data, destination port IP address and destination port of the computing device receiving the network data, communication protocol used to interconnect computing devices, etc. The management component 112 can obtain the network data periodically and/or in response to an event.”);
and in response to determining that the packet is from the malicious user, transmitting the packet to a honeypot process to capture reconnaissance of the packet, wherein the honeypot process is configured to interact with the user (Hodgman, Paragraph 0043 recites “In various embodiments, approaches allow for automatically detecting changes in network activity (e.g., internet traffic) without active user intervention and, in response to detecting the changes, communicating the detected changes and/or other such anomalous behavior to the user. Various types of behavior can be monitored, including, for example, anomalous behavior involving a network port of a network device or network data, where network data can include, for example, information from attempted network connections, including network port connections and payload information. The network device or honeypot can include a computing device that includes a processor and software instructions to monitor and collect network data, such as indiscriminate scanning behavior on the internet. Further, various remedial actions can be taken in response to detected anomalous behavior. For example, the anomalous behavior can simply be noted for later processing, or a user can be notified of the anomalous behavior.”).
But fails to teach determining whether the packet is from a malicious user on by comparing characteristics of the packet against services provided at the destination port to detect whether the packet is directed to a non-standard port for the packet.
However, in an analogous art Kuan teaches determining whether the packet is from a malicious user on by comparing characteristics of the packet against services provided at the destination port to detect whether the packet is directed to a non-standard port for the packet (Kuan, Paragraph 0094 recites “determining whether the packet is from a malicious user on by comparing characteristics of the packet against services provided at the destination port to detect whether the packet is directed to a non-standard port for the packet” It is interpreted that an anomalous port would read on a non-standard port).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kuan’s Network anomaly control with Hodgman’s Detecting Anomalous Network Behavior because it offers the advantage of preventing suspicious packets based on a port destination.
As per claim 2, Hodgman in combination with Kuan teaches the method as set forth in claim 1, Hodgman further teaches wherein the listener is created automatically when the server is created and is an all ports listener configured to detect traffic directed to ports of the server (Hodgman, Paragraph 0055 recites “The management component 112 is operable to, for example, process the network data collected from the computing devices, and analyze the network data to identify an incident for reporting from the analyzed data. In this example, the network data or network activity information can include payload information, an identifier to identify the network data, timestamp information, source internet protocol (IP) address and source port of the computing device sending the network data, destination port IP address and destination port of the computing device receiving the network data, communication protocol used to interconnect computing devices, etc. The management component 112 can obtain the network data periodically and/or in response to an event.”).
As per claim 5, Hodgman in combination with Kuan teaches the method as set forth in claim 1, Hodgman further teaches wherein the honeypot process is selected from among a plurality of honeypot processes, wherein a portion of the plurality of honeypot processes correspond to ports of the server, and wherein the honeypot process that is selected for the transmission of the packet corresponds to the destination port of the server (Hodgman, Paragraph 0054 recites “In an embodiment, a virtual security appliance or “honeypot” can be a computing device and/or software configured to monitor and collect network data. In this example, virtual security appliances 120 and 122 can be in communication through network 105. In various embodiments, virtual security appliances 120 and 122 can be configured to offer particular functionality (“honeypot functionality”), e.g., presenting services as available on one or more ports and/or emulating the actual functionality offered by these emulated services. For example, in an embodiment, individual virtual security appliances can receive connections from various third party devices seeking to access the functionality offered by the virtual security appliances. In this situation, virtual security appliances 120 and 122 can collect information regarding these connections for storage and/or analysis.”).
Regarding claims 6, 11 and 16, claims 6, 11 and 16 are directed to a non-transitory computer readable medium, an apparatus and a system associated with the method of claim 1, respectively. Claims 6, 11 and 16 are of similar scope to claim 1, and are therefore rejected under similar rationale.
Regarding claims 7, 12 and 17, claims 7, 12 and 17 are directed to a non-transitory computer readable medium, an apparatus and a system associated with the method of claim 2, respectively. Claims 7, 12 and 17 are of similar scope to claim 2, and are therefore rejected under similar rationale.
Regarding claims 10, 15 and 20, claims 10, 15 and 20 are directed to a non-transitory computer readable medium, an apparatus and a system associated with the method of claim 5, respectively. Claims 10, 15 and 20 are of similar scope to claim 5, and are therefore rejected under similar rationale.
Claim(s) 3, 8, 13 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hodgman (US 2019/0238575) and Kuan et al. (US 2023/0027149) and in further view of Gelernter et al. (US 11,196,635).
As per claim 3, Hodgman in combination with Kuan teaches the method as set forth in claim 1, but fails to teach wherein the server and the honeypot process have a same IP address.
However, in an analogous art Gelernter wherein the server and the honeypot process have a same IP address (Gelernter, Col. 10 Lines 39-47 recites “In an alternative embodiment of the disclosure, as shown in FIG. 2B, resource server 210 may have been shut down and a dedicated computerized system 100 may be deployed to replace resource server 210. The dedicated computerized system 100 is configured to use the domain name and/or IP address of resource server 210 to serve as a “honeypot” and detect access attempts to the previously deployed resource server 210, before releasing the domain name and/or IP address.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Gelernter’s Connection Detection And Prevention Of Dangling Connections with Hodgman’s Detecting Anomalous Network Behavior because it offers the advantage of consolidating network resources.
Regarding claims 8, 13 and 18, claims 8, 13 and 18 are directed to a non-transitory computer readable medium, an apparatus and a system associated with the method of claim 3, respectively. Claims 8, 13 and 18 are of similar scope to claim 3, and are therefore rejected under similar rationale.
Claim(s) 4, 9, 14 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hodgman (US 2019/0238575) and Kuan et al. (US 2023/0027149) and in further Nishijima et al. (US 2022/0279008).
As per claim 4, Hodgman in combination with Kuan teaches the method as set forth in claim 1, but fails to teach receiving, from the honeypot process, logs of interactions with the user, wherein the logs comprise a source IP address, SSH fingerprint, attempted username, attempted password, commands, file uploads, or combinations thereof from the packet or the interactions.
However, in an analogous art Nishijima teaches receiving, from the honeypot process, logs of interactions with the user, wherein the logs comprise a source IP address, SSH fingerprint, attempted username, attempted password, commands, file uploads, or combinations thereof from the packet or the interactions (Nishijima, Paragraph 0154 recites “On the detailed information presentation screen 1500, the transition of a traffic to a destination port/protocol in which a change point has been detected, the number of accesses of each transmission source IP, a darknet correlation score with the user organization, a relevant honeypot log, relevant cyber threat intelligence, and a relevant CVE are presented as a list. Note that, in this example, there is no relevant cyber threat intelligence, and no value is thus displayed”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Nishijima’s network monitoring device, network monitoring method, and storage medium having recorded thereon network monitoring program with Hodgman’s Detecting Anomalous Network Behavior because it offers the advantage of keeping detailed information of network analysis.
Regarding claims 9, 14 and 19, claims 9, 14 and 19 are directed to a non-transitory computer readable medium, an apparatus and a system associated with the method of claim 4, respectively. Claims 9, 14 and 19 are of similar scope to claim 4, and are therefore rejected under similar rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
RODERICK . TOLENTINO
Examiner
Art Unit 2439
/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439