DETAILED ACTION
This action is responsive to the amendment filed on October 28, 2025.
Claims 1~3, 5~8, 12~14, 19, 21, 23~25, 29~34, 36, 39, 42, and 51~63 are examined.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed 10/28/25 have been fully considered but they are not persuasive.
In response to Applicant’s remarks (Pg. 11~12) that Sysman does not anticipate each virtual device simulation mimicking a real device that can be connected into the network, Examiner respectfully disagrees, because Sysman taught that endpoint 220 (“virtual decoy”) may be a physical device, for example, a computer, a workstation, a server, a processing node, a cluster of processing nodes, a network node, a smartphone, a tablet, a modem, a hub, a bridge, a switch, a router, a printer and/or any network connected device having one or more processors … capable of executing one or more real applications 222, for example, an OS, an application, a service, a utility, a tool, a process, an agent and/or the like [¶71]. In a similar art, Varadarajan taught that security devices 660, 760 are standalone device[s] that can be added to the networks 600, 700 by connecting them to a router or switch (C23:52~65) and may deploy deceptive security mechanisms that emulate devices that may be found on the network 700, including having an identifiable device type and/or network identifiers (such as a MAC address and/or IP address) (C31:3~20). Despite Applicant’s assertion that Sysman’s disclosure is expensive and requires cyber professionals with extensive budgets, the claims do not limit the simulator device to providing a home-based solution, nor would such a limitation be given patentable weight, since it would amount to a statement of intended use. Furthermore, Varadarajan taught that the security device may be implemented in a private home (see Fig. 6). Accordingly, the combination of Sysman and Varadarajan taught amended claim 1.
Claim Rejections - 35 USC § 103
Claims 1~3, 5~7, 12~13, 19, 21, 23~25, 29~34, 36, 39, 42, 51~53, 56, 57, and 60 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al., hereinafter Sysman (U.S. 2018/0212995), in view of Varadarajan et al., hereinafter Varadarajan (U.S. 10,326,796).
Regarding Claim 1,
Sysman taught a simulator device for detecting a possible network intrusion in a network, comprising:
a virtual network communications module configured to simulate one or more virtual device simulations, each virtual device simulation to mimic a real device that is or can be connected into the network to provide a virtual decoy for a possible network intrusion [¶71, endpoint 220 (“virtual decoy”) may be a physical device…capable of executing one or more real applications 222; ¶73, decoy endpoints are set to emulate the real endpoints 220 and as such may be physical endpoints. Deception data objects 214 (“breadcrumbs”) emulate valid data objects that are available in the endpoints 220 for interacting with applications 222]; and
a threat detection module configured to detect the possible network intrusion by detecting received data intended for any one or more of the virtual device simulations [¶69, operation(s) in the protected network that use the deception data object(s) 214 may be considered as potential unauthorized operation(s) that in turn may be indicative of a potential attacker].
Sysman did not specifically teach each virtual device simulation comprising a MAC address and an IP address.
Varadarajan taught each virtual device simulation comprising a MAC address and an IP address (C31: 3~20, security device 760 may deploy deceptive security mechanisms that emulate devices that may be found on the network 700, including having an identifiable device type and/or network identifiers (such as a MAC address and/or IP address)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Varadarajan’s teaching of these limitations with the teachings of Sysman, because the combination would allow the security device to block the network's access to the outside world, effectively quarantining the network until the intruder can be expelled (Varadarajan: C6:4~8).
Regarding Claim 2,
Sysman taught wherein the virtual decoy is perceived by the possible network intrusion to be an active device connected into the network [¶54, make the deception data objects look like they are in use by the real processing environment in the protected network; ¶58, create an impression of a real active environment and may lead the potential attacker(s) to believe the deception data objects are genuine (valid) data object].
Regarding Claim 3,
Sysman taught wherein the virtual network communications module is configured to simulate one or more virtual device simulations by generating chatter on the network for each respective virtual device simulation [¶107~¶108].
Regarding Claim 5,
Sysman taught wherein the real device connected into the network is a device other than the simulator device [¶73, decoy endpoints are set to emulate the real endpoints 220 and as such may be physical and/or virtual endpoints; ¶53, deception environment co-exists with a real (valid) processing environment].
Regarding Claim 6,
Sysman taught wherein there are more virtual device simulations than there are real devices connected into the network [¶87, decoy OS(s) 210 is selected according to a number of endpoints 220].
Regarding Claim 7,
Sysman taught wherein the virtual network communications module is configured to simulate a plurality of virtual device simulations concurrently [¶87, decoy OS(s) 210 is selected according to a number of endpoints 220].
Regarding Claim 12,
Sysman taught wherein the simulator device further comprises a threat response module configured to respond to the detected possible network intrusion [¶56, respond to operations of the attacker, by creating the false environment in which the attacker advances].
Regarding Claim 13,
Sysman taught wherein the threat response module is configured to respond by any one or more of: issuing an alert [¶57]; packet monitoring; and packet blocking.
Regarding Claim 19,
Sysman-Varadarajan taught wherein the MAC address of the respective virtual device simulation is similar but not identical to a MAC address of a real device connected into the network (C26:20~28, the security mechanisms should not have the same MAC address as a new device). The rationale to combine as discussed in claim 1, applies here as well.
Regarding Claim 21,
Sysman-Varadarajan taught wherein the IP address of the respective virtual device simulation is similar but not identical to an IP address of a real device connected into the network (C64:55~67, Fig. 19, set of deceptions for a first subnet have different addresses from deceptions for a second subnet). The rationale to combine as discussed in claim 1, applies here as well.
Regarding Claim 23,
Sysman taught wherein the real device connected into the network is a device other than the simulator device [¶73, decoy endpoints are set to emulate the real endpoints 220 and as such may be physical and/or virtual endpoints].
Regarding Claim 24,
Sysman-Varadarajan taught further comprising a packet sniffer for filtering received data received by the simulator device via a network connector (C59:55~63, packet filters). The rationale to combine as discussed in claim 1, applies here as well.
Regarding Claim 25,
Sysman-Varadarajan taught wherein the packet sniffer is configured to filter through received data intended for any one or more of the virtual device simulations (C59:55~63, packet filters). The rationale to combine as discussed in claim 1, applies here as well.
Regarding Claim 29,
Sysman taught wherein the virtual network communications module is further configured to generate any one or more of the virtual device simulations [¶118].
Regarding Claim 30,
Sysman taught wherein any one or more of the generated virtual device simulations is generated based on a device connected into the network [¶118].
Regarding Claim 31,
Sysman taught wherein the device connected into the network is a device other than the simulator device [¶118, Fig. 2B decoy server and endpoints 220 are different].
Regarding Claim 32,
Sysman taught wherein the virtual network communications module is further configured to scan for one or more other devices connected into the network in order to generate any one or more of the virtual device simulations that is generated based on the real device connected into the network [¶90, explore the protected network 235 and identify the applications 222 executed on the endpoints 220 to automatically select the deception applications(s) to be included in the deception environment].
Regarding Claim 33,
Sysman taught wherein the virtual network communications module generates any one or more of the virtual device simulations using machine learning to learn behaviour of the real device connected into the network [¶144, machine learning may further be used by campaign manager 216 to adjust future deception environments and deception components to adapt to the learned activity pattern(s) of a plurality of potential attacker(s)].
Regarding Claim 34,
Sysman-Varadarajan taught wherein the virtual network communications module generates any one or more of the virtual device simulations comprising generating a MAC address and/or IP address for the respective virtual device simulation (C31:5~11, emulated devices having network identifiers such as MAC address and/or IP address). The rationale to combine as discussed in claim 1, applies here as well.
Regarding Claim 36,
Sysman-Varadarajan taught wherein the MAC address is generated based on a MAC address of a real device connected into the network, the generated MAC address being similar but not identical to the MAC address of the real device connected into the network (C31:5~11, emulated devices having network identifiers such as MAC address and/or IP address; C64:55~67, Fig. 19). The rationale to combine as discussed in claim 1, applies here as well.
Regarding Claim 39,
Sysman-Varadarajan taught wherein the IP address is generated based on an IP address of a real device connected into the network, the generated IP address being similar but not identical to the IP address of the real device connected into the network (C31:5~11, emulated devices having network identifiers such as MAC address and/or IP address; C64:55~67, Fig. 19). The rationale to combine as discussed in claim 1, applies here as well.
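The arrangement recited in claims 3, 19, 21, 24, 25, 34, 36 and 39 (a decoy that carries a MAC address and an IP address similar but not identical to those of a real host, chatter generated for each decoy, and a packet filter that picks out received data addressed to any decoy) can be illustrated by the following added example. It is not code from the present application, from Sysman, from Varadarajan or from the cited NPL. The subnet, the two real hosts, the attacker address and every frame are constructed for the example, and the two derivation rules used (same OUI with an incremented device-specific part; nearest free host address in the same subnet) are one illustrative choice, not a characterization of what any reference discloses.

```python
"""Decoy-device generation and decoy-targeted-traffic detection.

Added illustration (not the applicant's, Sysman's or Varadarajan's code).
Every address and frame below is constructed for this example.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Device:
    mac: str  # "aa:bb:cc:dd:ee:ff"
    ip: str   # dotted IPv4

def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def derive_decoy_mac(real_mac: str, taken: Set[str]) -> str:
    """Keep the real host's 24-bit OUI (vendor prefix) and step the device-specific
    part: the decoy looks like another unit from the same vendor but never collides
    with a real or already-issued address (illustrative rule, an assumption)."""
    raw = mac_bytes(real_mac)
    nic = int.from_bytes(raw[3:], "big")
    for step in range(1, 1 << 24):
        candidate = mac_str(raw[:3] + ((nic + step) & 0xFFFFFF).to_bytes(3, "big"))
        if candidate not in taken:
            taken.add(candidate)
            return candidate
    raise RuntimeError("no free address left under this OUI")

def derive_decoy_ip(real_ip: str, subnet: ipaddress.IPv4Network, taken: Set[str]) -> str:
    """Nearest free host address above the real host, inside the real host's subnet."""
    start = int(ipaddress.IPv4Address(real_ip)) - int(subnet.network_address)
    for step in range(1, subnet.num_addresses):
        cand = subnet.network_address + (start + step) % subnet.num_addresses
        if cand not in (subnet.network_address, subnet.broadcast_address) and str(cand) not in taken:
            taken.add(str(cand))
            return str(cand)
    raise RuntimeError("subnet exhausted")

def build_decoys(real_devices: List[Device], subnet: ipaddress.IPv4Network, per_real: int) -> List[Device]:
    """per_real decoys modelled on each real device, so decoys outnumber real hosts."""
    taken_macs = {d.mac for d in real_devices}
    taken_ips = {d.ip for d in real_devices}
    return [Device(derive_decoy_mac(r.mac, taken_macs), derive_decoy_ip(r.ip, subnet, taken_ips))
            for r in real_devices for _ in range(per_real)]

def arp_frame(sender: Device, target_ip: str, target_mac: str = "00:00:00:00:00:00") -> bytes:
    """Ethernet II + ARP request (42 bytes). With target_ip == sender.ip this is the
    gratuitous ARP a decoy broadcasts as chatter to look like a live host."""
    eth = mac_bytes(BROADCAST) + mac_bytes(sender.mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
           + mac_bytes(sender.mac) + ipaddress.IPv4Address(sender.ip).packed
           + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp

def ipv4_frame(src: Device, dst_mac: str, dst_ip: str) -> bytes:
    """Ethernet II + minimal IPv4 header (no checksum or payload; enough for the filter)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src.mac) + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src.ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def parse_frame(frame: bytes) -> dict:
    """Extract the layer-2 source and the layer-2/layer-3 destinations the filter keys on."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]), "dst_ip": None}
    if ethertype == ETH_IPV4 and len(frame) >= 34:
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))  # IPv4 destination
    elif ethertype == ETH_ARP and len(frame) >= 42:
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[38:42]))  # ARP target address
    return info

def targets_decoy(frame: bytes, decoys: List[Device]) -> Optional[Device]:
    """Return the decoy a received frame is addressed to (by MAC or by IP), else None.
    Frames sent by a decoy itself (the simulator's own chatter) are ignored so the
    detector never alerts on itself; anything else aimed at a decoy is suspect."""
    info = parse_frame(frame)
    by_mac = {d.mac: d for d in decoys}
    if info["src_mac"] in by_mac:
        return None
    by_ip = {d.ip: d for d in decoys}
    return by_mac.get(info["dst_mac"]) or by_ip.get(info["dst_ip"])

# Constructed sample network: two real hosts and an attacker that probes the subnet.
SUBNET = ipaddress.IPv4Network("192.168.1.0/24")
REAL_DEVICES = [Device("b8:27:eb:12:34:56", "192.168.1.20"), Device("3c:22:fb:aa:bb:cc", "192.168.1.42")]
ATTACKER = Device("00:11:22:33:44:55", "192.168.1.200")

def demo() -> dict:
    decoys = build_decoys(REAL_DEVICES, SUBNET, per_real=2)
    return {
        "decoys": decoys,
        "to_real": targets_decoy(ipv4_frame(ATTACKER, REAL_DEVICES[0].mac, REAL_DEVICES[0].ip), decoys),
        "to_decoy": targets_decoy(ipv4_frame(ATTACKER, decoys[0].mac, decoys[0].ip), decoys),
        "arp_scan": targets_decoy(arp_frame(ATTACKER, decoys[3].ip), decoys),  # who-has a decoy IP
        "chatter": targets_decoy(arp_frame(decoys[1], decoys[1].ip), decoys),  # decoy's own announcement
    }
```

Running demo() yields four decoys (b8:27:eb:12:34:57/.21, b8:27:eb:12:34:58/.22, 3c:22:fb:aa:bb:cd/.43, 3c:22:fb:aa:bb:ce/.44); the frame to the real host is not flagged, the frame to a decoy MAC and the ARP who-has for a decoy IP are each attributed to the decoy they target, and the decoy's own gratuitous ARP is ignored. In a deployment the filter would run over frames captured from the network connector, and the chatter would be transmitted on a schedule, which this offline example does not do.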
Regarding Claim 42,
Sysman taught wherein the device connected into the network is a device other than the simulator device [¶73, decoy endpoints are set to emulate the real endpoints 220 and as such may be physical and/or virtual endpoints].
Regarding Claim 56,
Sysman taught wherein the active device being perceived by the possible network intrusion is also perceived by the possible network intrusion to be communicating with another device [¶56, respond to operations of the attacker, by creating the false environment in which the attacker advances].
Regarding Claim 57,
Sysman taught wherein the virtual network communications module is configured to simulate up to 25 virtual device simulations concurrently [¶87, decoy OS(s) 210 is selected according to a number of endpoints 220].
Regarding Claims 51~53 and 60, these claims are similar in scope to the claims addressed above and are therefore rejected under the same rationale.
Claims 8, 55, 58, 62, and 63 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman and Varadarajan in view of the NPL “Raspberry Pi as an Intrusion Detection System, a Honeypot and a Packet Analyzer”, hereinafter NPL.
Regarding Claims 8 and 55,
Sysman-Varadarajan-NPL taught wherein the simulator device has a low power rating (Pg. 81, §2.2 Honeypot; Pg. 82, §3 ‘Proposed System’, using a Raspberry Pi 3 to deploy a decoy honeypot. Examiner Note: the Raspberry Pi 3 is a well-known low-power board; it is specified for a 5 V, 2.5 A supply, i.e. about 12.5 W at most, and draws only a few watts under full load).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine NPL’s teaching of this limitation with the teachings of Sysman and Varadarajan, because the combination would provide a small-scale network security solution with easy implementation and inexpensive maintenance cost that can help strengthen security in home networks and small businesses (NPL: Pg. 80).
Claims 14, 54, 59, and 61 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman and Varadarajan in view of Araujo et al., hereinafter Araujo (U.S. 2019/0068640).
Regarding Claims 14 and 54,
Sysman-Varadarajan-Araujo taught wherein the threat response module is configured to respond by counter-attacking the detected possible network intrusion [¶49, these decoys appeal to the data deception layer to purvey disinformation in the form of false secrets or even malware counter-attacks against adversaries].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Araujo’s teaching of this limitation with the teachings of Sysman and Varadarajan, because the combination provides tools and techniques allowing organizations to engineer applications with proactive and deceptive capabilities that degrade attackers' methods and disrupt their reconnaissance efforts [Araujo: ¶49].
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE SOO KIM whose telephone number is (571)270-3229. The examiner can normally be reached M-F 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/H.K/Primary Examiner, Art Unit 2443
/HEE SOO KIM/Primary Examiner, Art Unit 2443