Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
Claims 1-20 are pending
Priority
This application claims no priority. Therefore, the effective filing date of this application is 07/26/2024.
Drawings
Applicants’ drawings filed on 07/26/2024 has been inspected and it is in compliance with MPEP 608.02.
Specification
The abstract of the disclosure is objected to because it contains legal phraseology of “comprises” and “comprising”. Examiner suggests replacing all legal phraseology. A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/09/2024. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement has been considered by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
“… first plurality of synthetic elements configured to resemble” in claims 1 and 16
“… a second plurality of synthetic elements configured to resemble” in claims 1 and 16
“… a third plurality of synthetic elements configured to resemble” in claims 2, 3, 5, 17, 18, and 20.
“… a fourth plurality of synthetic elements configured to resemble” in claims 2, 3, 5, 17, 18, and 20.
“… generate a second virtual environment configured to resemble” in claims 3 and 18
“… a fifth plurality of synthetic elements configured to resemble” in claim 6
“… a sixth plurality of synthetic elements configured to resemble” in claim 6
“… generate a third virtual environment configured to resemble” in claim 6
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
See specification para. [0047, 0073, 0076] for hardware support for “… … plurality of synthetic elements configured to resemble”
See specification para. [0006, 0041] for functional support for “… … plurality of synthetic elements configured to resemble”
See specification para. [0073, 0074] for hardware support for “… generate a … virtual environment configured to resemble”
See specification para. [0040, 0074] for functional support for “… generate a … virtual environment configured to resemble”
If applicant does not intend to have these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1-3, 5, 6, 9-11, 13, 14, 16-18, and 20 recite the limitations “determine a first determined intent”, “determine a second determined intent”, “determine a third determined intent”, “determine a fourth determined intent”, “determine a fifth determined intent”, and “determine a sixth determined intent”. It is unclear how the limitation is determining already determined intents. For the purpose of examination Examiner is interpreting these limitations as determine a first/second/third/fourth/fifth/sixth intent and removing the term “determined”. Appropriate correction is required.
Claims 4, 7, 8, 12, 15, and 19 depend on claims 3, 5, 11, 13, and 18. Therefore, they also inherit the rejection.
Claims 3, 11, and 18 recite the limitation “present, to the first entity, access to the third synthetic network structure and the fourth synthetic network structure in the first virtual environment” while the claim previously recites the limitation “place the third synthetic network structure and the fourth synthetic network structure in the second virtual environment”. It is unclear how the entity can be presented the third synthetic network structure and the fourth synthetic network structure in the first virtual environment while they were previously placed in the second virtual environment. For the purpose of examination Examiner is interpreting this limitation as “present, to the first entity, access to the third synthetic network structure and the fourth synthetic network structure in the second virtual environment”. Appropriate correction is required.
Claims 4, 12, and 19 depend on claims 3, 11, and 18. Therefore, they also inherit the rejection.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-3, 5-6, 9-11, 13, 14, 16-18, and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 2 of U.S. Patent No. US 12615295 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter.
Current Application 18/785,721
U.S. Patent No. US 12615295 B2
1.) A system, comprising:
a memory operable to store:
a machine learning algorithm configured, when executed, to evaluate data in accordance with one or more machine learning models; and
at least one processor communicatively coupled to the memory and configured to:
receive a first plurality of tracked activities comprising one or more actions performed by a first entity in a first virtual environment over a first period of time, wherein:
the first entity is associated with a first electronic attacker; and
the first virtual environment is an isolated partition of a communication network;
execute the machine learning algorithm to:
determine a first determined intent based on a first activity of the first plurality of tracked activities;
generate a first synthetic network structure based on the first determined intent, the first synthetic network structure comprising a first plurality of synthetic elements configured to resemble a first plurality of network resources;
assign a first adverse impact to the first synthetic network structure;
place the first synthetic network structure in the first virtual environment;
determine a second determined intent based on a second tracked activity of the first plurality of tracked activities;
generate a second synthetic network structure based on the second determined intent, the second synthetic network structure comprising a second plurality of synthetic elements configured to resemble a second plurality of network resources;
assign a second adverse impact to the second synthetic network structure; and
place the second synthetic network structure in the first virtual environment;
present, to the first entity, access to the first synthetic network structure and the second synthetic network structure in the first virtual environment, wherein:
the first synthetic network structure is associated with a first divergent path in the first virtual environment; and
the second synthetic network structure is associated with a second divergent path in the first virtual environment;
determine whether the first entity performed a first action in association with the first synthetic network structure or a second action in association with the second synthetic network structure;
in response to determining that the first entity performed the first action in association with the first synthetic network structure, generate a first report comprising that the first entity is associated with the first adverse impact over the first period of time;
in response to determining that the first entity performed the second action in association with the second synthetic network structure, generate a second report comprising that the first entity is associated with the second adverse impact over the first period of time; and
train the one or more machine learning models using the first report and the second report.
1.) A system, comprising: a memory operable to store: a machine learning algorithm configured, when executed, to evaluate data in accordance with one or more machine learning models; and at least one processor communicatively coupled to the memory and configured to: receive first communication feedback from a first entity requesting to access a first plurality of network resources in a communication network; execute the machine learning algorithm to: determine a first plurality of determined intents based on the first communication feedback; and generate a first synthetic network structure based on the first plurality of determined intents, the first synthetic network structure being associated with a first dynamic trigger; present access to the first synthetic network structure to the first entity in the communication network; in response to receiving the first dynamic trigger from the communication network, determine that the first entity performed one or more actions associated with the first synthetic network structure; determine that the first entity is associated with a first electronic attacker; generate a first report comprising that the first entity is associated with the first electronic attacker; and train the one or more machine learning models using the first report; wherein the at least one processor is further configured to: determine a first plurality of entity actions based on the first communication feedback; in response to generating the first report, assign the first plurality of entity actions to a first position in an attack depiction comprising one or more network resources attacked in the communication network; determine a second plurality of entity actions based on the first communication feedback; and in response to generating the second report, assign the second plurality of entity actions to a second position in the attack depiction.
2.) The system of claim 1, wherein the at least one processor is further configured to: receive second communication feedback from the first entity requesting to access a second plurality resources in the communication network; execute the machine learning algorithm to: determine a second plurality of determined intents based on the second communication feedback; and generate a second synthetic network structure based on the second plurality of determined intents, the second synthetic network structure being associated with a second dynamic trigger; present access to the second synthetic network structure to the first entity in the communication network; in response to receiving the second dynamic trigger from the communication network, determine that the first entity performed one or more additional actions associated with the second synthetic network structure; determine that the first entity is associated with the first electronic attacker; generate a second report comprising that the first entity is associated with the first electronic attacker; and train the one or more machine learning models using the second report.
Claims 2-3, 5-6, 9-11, 13, 14, 16-18, and 20 recite limitations similar to that of claim 1. Therefore, they are also rejected in a similar manner.
Claims 1-3, 5-6, 9-11, 13, 14, 16-18, and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 2 of U.S. Application No. 18/785,570. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter.
A Notice of Allowance has been issued for 18/785,570. However, a patent number has not been assigned at the time of this office action.
Current Application 18/785,721
U.S. Application No. 18/785,570
1.) A system, comprising:
a memory operable to store:
a machine learning algorithm configured, when executed, to evaluate data in accordance with one or more machine learning models; and
at least one processor communicatively coupled to the memory and configured to:
receive a first plurality of tracked activities comprising one or more actions performed by a first entity in a first virtual environment over a first period of time, wherein:
the first entity is associated with a first electronic attacker; and
the first virtual environment is an isolated partition of a communication network;
execute the machine learning algorithm to:
determine a first determined intent based on a first activity of the first plurality of tracked activities;
generate a first synthetic network structure based on the first determined intent, the first synthetic network structure comprising a first plurality of synthetic elements configured to resemble a first plurality of network resources;
assign a first adverse impact to the first synthetic network structure;
place the first synthetic network structure in the first virtual environment;
determine a second determined intent based on a second tracked activity of the first plurality of tracked activities;
generate a second synthetic network structure based on the second determined intent, the second synthetic network structure comprising a second plurality of synthetic elements configured to resemble a second plurality of network resources;
assign a second adverse impact to the second synthetic network structure; and
place the second synthetic network structure in the first virtual environment;
present, to the first entity, access to the first synthetic network structure and the second synthetic network structure in the first virtual environment, wherein:
the first synthetic network structure is associated with a first divergent path in the first virtual environment; and
the second synthetic network structure is associated with a second divergent path in the first virtual environment;
determine whether the first entity performed a first action in association with the first synthetic network structure or a second action in association with the second synthetic network structure;
in response to determining that the first entity performed the first action in association with the first synthetic network structure, generate a first report comprising that the first entity is associated with the first adverse impact over the first period of time;
in response to determining that the first entity performed the second action in association with the second synthetic network structure, generate a second report comprising that the first entity is associated with the second adverse impact over the first period of time; and
train the one or more machine learning models using the first report and the second report.
1. A system, comprising: a memory operable to store: a machine learning algorithm configured, when executed, to analyze data in accordance with one or more machine learning models; and at least one processor communicatively coupled to the memory and configured to: receive a first plurality of tracked activities comprising one or more actions performed by a first entity in a communication network over a first period of time; receive a first access command from the first entity to access a first plurality of network resources in the communication network; execute the machine learning algorithm to: determine a first determined intent based on the first plurality of tracked activities and the first access command, wherein the first determined intent comprises a predicted future behavior that the first entity is expected to perform in the communication network, and wherein the predicted future behavior is determined by the machine learning algorithm analyzing both the first plurality of tracked activities and the first access command in combination to predict network resources the first entity is expected to attempt to access; generate a first synthetic network structure based on the first determined intent, the first synthetic network structure comprising a first plurality of synthetic elements configured to resemble the first plurality of network resources; generate a first virtual environment configured to resemble one or more portions of the communication network, the first virtual environment being an isolated partition of the communication network; and place the first synthetic network structure in the first virtual environment; present, to the first entity, access to the first synthetic network structure in the first virtual environment; determine whether the first entity performed a first action in association with the first synthetic network structure; in response to determining that the first entity performed the first action in association with the first synthetic network structure, determining that the first entity is associated with a first electronic attacker over the first period of time; enclose the first entity in the first virtual environment such that the first entity is unable to access network resources from the rest of the communication network; generate a first report comprising that the first entity is associated with the first electronic attacker over the first period of time; and train the one or more machine learning models using the first report.
2.) The system of claim 1, wherein the at least one processor is further configured to: receive a second plurality of tracked activities comprising one or more additional actions performed by the first entity in the first virtual environment over a second period of time; execute the machine learning algorithm to: determining a second determined intent based on the second plurality of tracked activities; generate a second synthetic network structure based on the second determined intent, the second synthetic network structure comprising a second plurality of synthetic elements configured to resemble a second plurality of network resources; and place the second synthetic network structure in the first virtual environment; present, to the first entity, access to the second synthetic network structure in the first virtual environment; determine whether the first entity interacted with the second synthetic network structure; in response to determining that the first entity interacted with the second synthetic network structure, determine that the first entity is associated with the first electronic attacker over the second period of time; generate a second report comprising that the first entity is associated with the first electronic attacker over the second period of time; and train the one or more machine learning models using the second report.
Claims 2-3, 5-6, 9-11, 13, 14, 16-18, and 20 recite limitations similar to that of claim 1. Therefore, they are also rejected in a similar manner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-7, 9-11, 13-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over EVRON (US-20180309787-A1) in view of CRABTREE (US-20230370439-A1), hereinafter EVRON-CRABTREE.
Regarding claim 1, EVRON teaches “A system, comprising: a memory operable to store: a machine learning algorithm configured, when executed, to evaluate data in accordance with one or more machine learning models; and ([EVRON, para. 0052] “Optionally, one or more machine learning processes, methods, algorithms and/or techniques are employed on the identified activity pattern(s) to further collect analytics data regarding the activity patterns. Such machine learning analytics may serve to increase the accuracy of classifying the potential attacker(s) and/or better predict further activity and/or intentions of the potential attacker(s) in the protected network.”) at least one processor communicatively coupled to the memory and configured to: receive a first plurality of tracked activities comprising one or more actions performed by a first entity in a first virtual environment over a first period of time, wherein: ([EVRON, para. 0058] “Furthermore, the presented deception traffic injection and monitoring methods and systems may allow for high scaling capabilities over large organizations, networks and/or systems. In addition, using the templates for creating and instantiating the decoy endpoints and/or decoy agents … The centralized management and monitoring of the deception network traffic may further simplify tracking the potential unauthorized operations and/or potential attacks.”) ([EVRON, para. 0047] “one or more deception campaigns in a protected network comprising a plurality of endpoints to identify one or more potential attackers by monitoring usage of deception data contained in deception traffic transmitted in the protected network.”) ([EVRON, para. 0054] “Following the detection of the unauthorized operation(s), one or more additional actions may be initiated. For example, initiating additional communication session between the decoy endpoints to inject additional deception traffic into the protected network.”) ([EVRON, para. 0051] “Optionally, one or more activity patterns of the potential attacker(s) are identified by analyzing the detected unauthorized operation(s), in particular unauthorized communication operations.”) ([EVRON, para. 0073] “Optionally, the decoy endpoints 210 may include one or more virtual decoy endpoints 210B, for example, a nested VM hosted by one or more of the physical endpoints 220 and/or by one or more of the physical decoy servers 210A.”) the first entity is associated with a first electronic attacker; and ([EVRON, para. 0051] “Optionally, one or more activity patterns of the potential attacker(s) are identified by analyzing the detected unauthorized operation(s), in particular unauthorized communication operations.”) the first virtual environment is an isolated partition of a communication network; ([EVRON, para. 0073] “Optionally, the decoy endpoints 210 may include one or more virtual decoy endpoints 210B, for example, a nested VM hosted by one or more of the physical endpoints 220 and/or by one or more of the physical decoy servers 210A.”) ([EVRON, para. 0073] “endpoints 220 may further include one or more virtual endpoints, for example, a virtual machine (VM) hosted by one or more of the physical devices, instantiated through one or more of the cloud services and/or provided as a service through one or more hosted services available from the cloud service(s). The virtual device may provide an abstracted and platform-dependent and/or independent program execution environment.”) execute the machine learning algorithm to: determine a first determined intent based on a first activity of the first plurality of tracked activities; ([EVRON, para. 0052] “Optionally, one or more machine learning processes, methods, algorithms and/or techniques are employed on the identified activity pattern(s) to further collect analytics data regarding the activity patterns. Such machine learning analytics may serve to increase the accuracy of classifying the potential attacker(s) and/or better predict further activity and/or intentions of the potential attacker(s) in the protected network.”) generate a first synthetic network structure based on the first determined intent, the first synthetic network structure comprising a first plurality of synthetic elements configured to resemble a first plurality of network resources; ([EVRON, para. 0055] “The campaign manager may further adapt the deception traffic, i.e. the communication deception data objects to tackle an estimated course of action and/or intentions of the potential attacker based on the identified activity pattern(s) of the potential attacker(s), according to the classification of the potential attacker(s) and/or according to the predicted intentions of the potential attacker(s) as learned from the machine learning analytics.”) ([EVRON, para. 0058] “the presented deception traffic injection and monitoring methods and systems may allow for high scaling capabilities over large organizations, networks and/or systems. In addition, using the templates for creating and instantiating the decoy endpoints and/or decoy agents executed by the endpoints coupled with automated tools for selecting, creating and/or configuring the communication deception data objects according to the detected unauthorized operations”) ([EVRON, para. 0074] “Each deception campaign may include deploying one or more decoy endpoints 210, instructing the decoy agents 232 to transfer the deception network traffic,”) ([EVRON, para. 0026] “by deploying a decoy agent (e.g., an application, a utility, a tool, a script, an operating system, etc.)”) ([EVRON, para. 0099] “The campaign manager 230 may further use the machine learning analytics to adjust the additional deception traffic according to the classification of the potential attacker(s) and/or according to the predicted intentions and/or activity in the protected network 200.”) assign a first adverse impact to the first synthetic network structure; ([EVRON, para. 0077] “The deployed communication deception data objects 234 may include deception data configured to tempt the potential attacker(s), for example, a user, a process, a utility, an automated tool, an endpoint and/or the like attempting to access resource(s) in the protected network 200 to use the deception data objects 234.”) ([EVRON, para. 0086] “the decoy agents 232 may include at least some functionality of the campaign manager 230, for example, monitoring the network activity on the network 240, the monitoring may be further conducted by the decoy agent(s) 232. Since the deception traffic may be transparent and/or not used by legitimate users in the protected network 200, usage of the deception data contained in the communication deception data objects 234 may typically be indicative of a potential cyber security threat imposed by the potential attacker(s).”) place the first synthetic network structure in the first virtual environment; ([EVRON, para. 0074] “Each deception campaign may include deploying one or more decoy endpoints 210, instructing the decoy agents 232 to transfer the deception network traffic,”) ([EVRON, para. 0026] “by deploying a decoy agent (e.g., an application, a utility, a tool, a script, an operating system, etc.)”) ([EVRON, para. 0026] “the decoy endpoints 210 may include one or more virtual decoy endpoints 210B”) determine a second determined intent based on a second tracked activity of the first plurality of tracked activities; ([EVRON, para. 0051] “The activity pattern(s) may be further used to classify the potential attacker(s) in order to estimate a course of action and/or intentions of the potential attacker(s).”) ([EVRON, para. 0093] “Using the activity pattern(s), the campaign manager 230 may gather useful forensic data on the operations of the potential attacker and may classify the potential attacker in order to estimate a course of action, attack vector characteristic(s), attack technique(s) and/or intentions of the potential attacker. Such information may be used by the campaign manager 230 to take further one or more actions, for example, a deception action, a preventive action and/or a containment action to encounter the predicted next operation(s) of the potential attacker(s).”) generate a second synthetic network structure based on the second determined intent, the second synthetic network structure comprising a second plurality of synthetic elements configured to resemble a second plurality of network resources; ([EVRON, para. 0055] “The campaign manager may further adapt the deception traffic, i.e. the communication deception data objects to tackle an estimated course of action and/or intentions of the potential attacker based on the identified activity pattern(s) of the potential attacker(s), according to the classification of the potential attacker(s) and/or according to the predicted intentions of the potential attacker(s) as learned from the machine learning analytics.”) ([EVRON, para. 0074] “Each deception campaign may include deploying one or more decoy endpoints 210, instructing the decoy agents 232 to transfer the deception network traffic,”) ([EVRON, para. 0026] “by deploying a decoy agent (e.g., an application, a utility, a tool, a script, an operating system, etc.)”) ([EVRON, para. 0081] “The communication deception data objects 234 may be configured to include an IP address of a third decoy endpoint 210 which is not used by legitimate users in the protected network 200. In another example, assuming a certain authentication session is typically used by the endpoints 220 using hashed credentials. Using the campaign manager 230, one or more communication deception data objects 234 may be created according to the structure of the hashed credentials and configured to include fake credentials.”) assign a second adverse impact to the second synthetic network structure; and ([EVRON, para. 0077] “The deployed communication deception data objects 234 may include deception data configured to tempt the potential attacker(s), for example, a user, a process, a utility, an automated tool, an endpoint and/or the like attempting to access resource(s) in the protected network 200 to use the deception data objects 234.”) ([EVRON, para. 0077] “deception data objects 234 may be created according to the structure of the hashed credentials and configured to include fake credentials”) ([EVRON, para. 0067] “Therefore, operation(s) in the protected network that use the data contained in the communication deception data object(s) may be considered as potential unauthorized operation(s) that in turn may be indicative of a potential attacker.”) place the second synthetic network structure in the first virtual environment; ([EVRON, para. 0074] “Each deception campaign may include deploying one or more decoy endpoints 210, instructing the decoy agents 232 to transfer the deception network traffic,”) ([EVRON, para. 0026] “by deploying a decoy agent (e.g., an application, a utility, a tool, a script, an operating system, etc.)”) ([EVRON, para. 0026] “the decoy endpoints 210 may include one or more virtual decoy endpoints 210B”) ([EVRON, para. 0084] “deception data object(s) 234 to one or more other decoy agents 232 executed by other decoy endpoints 210, for example, a third decoy endpoint 210.”) present, to the first entity, access to the first synthetic network structure and the second synthetic network structure in the first virtual environment, wherein: ([EVRON, para. 0054] “Furthermore, one or more communication session may be established with the potential attacker(s) himself, for example, in case of a responder attack vector, a communication session(s) may be initiated with the responder device. The additional deception traffic may include one or more additional communication deception data objects automatically selected, created, configured and/or adjusted according to the detected unauthorized operations.”) ([EVRON, para. 0056] “the presented deception environment deceives the potential attacker from the very first stage in which the attacker enters the protected network by creating the deception network traffic.”) ([EVRON, para. 0077] “The deployed communication deception data objects 234 may include deception data configured to tempt the potential attacker(s), for example, a user, a process, a utility, an automated tool, an endpoint and/or the like attempting to access resource(s) in the protected network 200 to use the deception data objects 234.”) the first synthetic network structure is associated with a first divergent path in the first virtual environment; and ([EVRON, para. 0050] “The usage of the communication deception data object(s) may be analyzed to identify one or more unauthorized operations which may be indicative of one or more potential attacker(s) in the protected network, for example, a user, a process, a utility, an automated tool, an endpoint and/or the like using the intercepted communication deception data objects to access resource(s) in the protected network. The detected unauthorized operation(s) may be further analyzed to identify one or more attack vectors applied to attack the resource(s) of the protected network.”) ([EVRON, para. 0089] “In particular, the attacker may sniff the network 240 and intercept the fake hashed credentials object transmitted by the certain decoy endpoint 210. Therefore, in case the campaign manager 230 identifies that the fake hashed credentials object is used to access the respective decoy endpoint 210 and/or the respective decoy agent 232, the campaign manager 230 may determine that an attacker has applied a pass the hash attack vector in the protected system 200.”) the second synthetic network structure is associated with a second divergent path in the first virtual environment; ([EVRON, para. 0081] “The IoT decoy endpoints 210 may be assigned with one or more network addresses according to the IoT protocols. In another example, using the campaign manager 230, one or more fake credit card numbers may be created and encoded in one or more of the communication deception data objects 234.”) ([EVRON, para. 0087] “In another example, the campaign manager 230 may detect the usage of one or more of the fake credit card numbers encoded in certain communication deception data objects 234. Moreover, the campaign manager 230 may detect the usage of the fake credit card numbers by using and/or interacting with one or more of the services and/or systems already available in the protected system, for example, a credit card clearing system and/or service.”) determine whether the first entity performed a first action in association with the first synthetic network structure or a second action in association with the second synthetic network structure; ([EVRON, para. 0089] “Therefore, in case the campaign manager 230 identifies that the fake hashed credentials object is used to access the respective decoy endpoint 210 and/or the respective decoy agent 232, the campaign manager 230 may determine that an attacker has applied a pass the hash attack vector in the protected system 200.”) ([EVRON, para. 0087] “the campaign manager 230 may detect the usage of the fake credit card numbers by using and/or interacting with one or more of the services and/or systems already available in the protected system, for example, a credit card clearing system and/or service.”)
However, EVRON does not teach “in response to determining that the first entity performed the first action in association with the first synthetic network structure, generate a first report comprising that the first entity is associated with the first adverse impact over the first period of time; in response to determining that the first entity performed the second action in association with the second synthetic network structure, generate a second report comprising that the first entity is associated with the second adverse impact over the first period of time; and train the one or more machine learning models using the first report and the second report.
In analogous teaching CRABTREE teaches “… in response to determining that the first entity performed the first action in association with the first synthetic network structure, generate a first report comprising that the first entity is associated with the first adverse impact over the first period of time; ([CRABTREE, para. 0075] “Emulation engine may receive network traffic data from network sensors, route the network traffic to an appropriate simulated destination service associated with the network traffic, and monitor the interactions between an attacker and the simulated destination. Logged interactions may be used as an input to generate the threat landscape.”) ([CRABTREE, para. 0095] “Network module 3211 may provide functionality for simulating (i.e., emulating) various network services, such as, for example (and not limiting) Simple Network Time Protocol (SNTP) (e.g., responding to time synchronization requests), Domain Name System (DNS) (e.g., emulating DNS server functionality, responding to DNS queries), File Transfer Protocol (FTP) (e.g., simulating an FTP server, responding to basic commands), and Telnet or Secure Shell (SSH) (e.g., emulating remote terminal access, capturing login attempts and commands). Information gathered via network module 3211, and any analysis thereof, may be used by sensor node 3200 as an input when generating and/or updating a threat landscape.”) ([CRABTREE, para. 0100] “The activity (e.g., commands executed, files accessed or modified, network connections established, or other relevant information) of an attacker within a dummy OS can be captured and logged by sensor node 3200 and used to provide a rich contextual data about a network or organization's threat landscape.”) ([CRABTREE, para. 0100] “Sensor node 3200 may further comprise a log module 3230 configured to capture essential information about attacker activities … application logs focus on specific applications or services running within the sensor node 3200 and/or emulation engine 3210”) [Examiner’s note: Examiner is interpreting the logs as a first and second report being generated based on an attacker being able to interact with various different type of synthetic network structures that are simulated by the network module 3211, and the threat landscape as an adverse impact.] in response to determining that the first entity performed the second action in association with the second synthetic network structure, generate a second report comprising that the first entity is associated with the second adverse impact over the first period of time; and ([CRABTREE, para. 0095] “Network module 3211 may provide functionality for simulating (i.e., emulating) various network services, such as, for example (and not limiting) Simple Network Time Protocol (SNTP) (e.g., responding to time synchronization requests), Domain Name System (DNS) (e.g., emulating DNS server functionality, responding to DNS queries), File Transfer Protocol (FTP) (e.g., simulating an FTP server, responding to basic commands), and Telnet or Secure Shell (SSH) (e.g., emulating remote terminal access, capturing login attempts and commands). Information gathered via network module 3211, and any analysis thereof, may be used by sensor node 3200 as an input when generating and/or updating a threat landscape.”) ([CRABTREE, para. 0100] “The activity (e.g., commands executed, files accessed or modified, network connections established, or other relevant information) of an attacker within a dummy OS can be captured and logged by sensor node 3200 and used to provide a rich contextual data about a network or organization's threat landscape.”) ([CRABTREE, para. 0100] “Sensor node 3200 may further comprise a log module 3230 configured to capture essential information about attacker activities … application logs focus on specific applications or services running within the sensor node 3200 and/or emulation engine 3210”) [Examiner’s note: CRABTREE teaches of multiple logs based on an attacker interacting with any one of the various network services. Therefore, the plurality of logs and emulated services teaches a second report and a second synthetic network structure.] train the one or more machine learning models using the first report and the second report. ([CRABTREE, para. 0091] “event types, and patterns that may be stored for future use (for example, to perform new analysis using historical data, or for training of machine learning models using batches of logged traffic data as training input sets).”) ([CRABTREE, para. 0108] “Applying machine learning techniques to sensor node logs can help identify anomalous behavior and patterns that may be indicative of attacks.”)
Thus, given the teaching of CRABTREE, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of first report and second report and training a machine learning model based on the reports by CRABTREE into the teaching of a system, comprising: a memory operable to store: a machine learning algorithm configured, when executed, to evaluate data in accordance with one or more machine learning models by EVRON. One of ordinary skill in the art would have been motivated to do so because CRABTREE recognizes the need to monitor a network ([CRABTREE, para. 0022] “What is needed is a system that uses distributed sensor nodes to monitor and aggregate varied Internet traffic alongside a system capable of aggregating, analyzing, simulating and forecasting scanning and general utilization to identify aberrations, trends, and patterns in support of ultimately surfacing changing operational dynamics and risks”) ([CRABTREE, para. 0023] “Accordingly, the inventor has conceived, and reduced to practice, a system and methods for network action classification and analysis using widely distributed lightweight honeypot sensor nodes, comprising a plurality of network traffic sensors each configured to monitor visible network traffic, analyze monitored traffic to identify patterns”)
Regarding claim 9, this claim recites of a method that performs the features of system claim 1. Therefore, claim 9 is rejected in a similar manner as in the rejection of claim 1.
Regarding claim 16, this claim recites of a non-transitory computer-readable medium storing instructions that when executed by a processor cause the processor to perform the features of system claim 1. Therefore, claim 16 is rejected in a similar manner as in the rejection of claim 1.
Regarding claims 2, 10, and 17, EVRON-CRABTREE teach all limitations of claims 1, 9, and 16. Furthermore, this claim recites of features similar to that of independent claim 1. While only now reciting of a “third …” and “fourth …” features which are similar to the first and second features of claim 1. Repetition of a process in this manner would be obvious to one of ordinary skill in the art. Therefore, claims 2, 10, and 17 are rejected in a similar manner as in the rejection of claim 1. EVRON further teaches ([EVERON, para. 0047] “According to some embodiments of the present invention, there are provided methods, systems and computer program products for launching one or more deception campaigns in a protected network comprising a plurality of endpoints to identify one or more potential attackers”)
Regarding claims 3, 11, and 18, EVRON-CRABTREE teach all limitations of claims 1, 9, and 16. Furthermore, this claim recites of features similar to that of claims 1 and 2. Therefore the same rejection as seen in claims 1 and 2 applies. EVRON further teaches “generate a second virtual environment configured to resemble one or more additional portions of the communication network; and place the third synthetic network structure and the fourth synthetic network structure in the second virtual environment” ([EVRON, para. 0055] “The campaign manager may further adapt the deception traffic, i.e. the communication deception data objects to tackle an estimated course of action and/or intentions of the potential attacker based on the identified activity pattern(s) of the potential attacker(s)”) ([EVRON, para. 0055] “Deploying the decoy endpoints in the protected network and injecting the deception network traffic into the protected network may present significant advantages compared to currently existing methods for detecting potential attackers accessing resources in the protected network.”) ([EVRON, para. 0067] “A process 100 is executed to deploy launch one or more deception campaigns comprising deployment of one or more decoys endpoints”) ([EVRON, para. 0074] “Each of the decoy endpoints 210 may execute a decoy agent 232 comprising one or more software modules”) ([EVRON, para. 0070] “The endpoints 220 may further include one or more virtual endpoints, for example, a virtual machine (VM) hosted by one or more of the physical devices”) ([EVRON, para. 0073] “the decoy endpoints 210 may include one or more virtual decoy endpoints 210B”)
Regarding claims 5, 13, and 20, EVRON-CRABTREE teach all limitations of claims 1, 9, and 16. Furthermore, this claim recites of features similar to that of claims 1 and 2. Therefore the same rejection as seen in claims 1 and 2 applies. EVRON further teaches “wherein: the second entity is associated with a second electronic attacker; and the second virtual environment is an isolated partition of a communication network” ([EVRON, para. 0031] “The detection methods and systems are designed to detect a wide variety of potential attackers.”) ([EVRON, para. 0047] “According to some embodiments of the present invention, there are provided methods, systems and computer program products for launching one or more deception campaigns in a protected network comprising a plurality of endpoints to identify one or more potential attackers by monitoring usage of deception data contained in deception traffic transmitted in the protected network. … The deception campaign(s) comprise deployment of one or more decoys endpoints in the protected network”) ([EVRON, para. 0070] “The endpoints 220 may further include one or more virtual endpoints, for example, a virtual machine (VM) hosted by one or more of the physical devices”)
Regarding claims 6 and 14, EVRON-CRABTREE teach all limitations of claims 5 and 13. Furthermore, this claim recites of features similar to that of claims 1-3. Therefore the same rejection as seen in claims 1-3 applies. EVRON further teaches “over a third period of time; receive a third plurality of tracked activities comprising one or more second additional actions performed by the second entity in the second virtual environment over a fourth period of time; ([EVRON, para. 0058] “Furthermore, the presented deception traffic injection and monitoring methods and systems may allow for high scaling capabilities over large organizations, networks and/or systems. In addition, using the templates for creating and instantiating the decoy endpoints and/or decoy agents … The centralized management and monitoring of the deception network traffic may further simplify tracking the potential unauthorized operations and/or potential attacks.”) ([EVRON, para. 0047] “one or more deception campaigns in a protected network comprising a plurality of endpoints to identify one or more potential attackers by monitoring usage of deception data contained in deception traffic transmitted in the protected network.”) ([EVRON, para. 0054] “Following the detection of the unauthorized operation(s), one or more additional actions may be initiated. For example, initiating additional communication session between the decoy endpoints to inject additional deception traffic into the protected network.”) ([EVRON, para. 0051] “Optionally, one or more activity patterns of the potential attacker(s) are identified by analyzing the detected unauthorized operation(s), in particular unauthorized communication operations.”) ([EVRON, para. 0073] “Optionally, the decoy endpoints 210 may include one or more virtual decoy endpoints 210B, for example, a nested VM hosted by one or more of the physical endpoints 220 and/or by one or more of the physical decoy servers 210A.”)
Regarding claims 7 and 15, EVRON-CRABTREE teach all limitations of claims 5 and 13. EVRON further teaches “wherein: the first virtual environment and the second virtual environment are a same virtual environment.” ([EVRON, para. 0070] “The endpoints 220 may further include one or more virtual endpoints, for example, a virtual machine (VM) hosted by one or more of the physical devices, instantiated through one or more of the cloud services and/or provided as a service through one or more hosted services available from the cloud service(s). The virtual device may provide an abstracted and platform-dependent and/or independent program execution environment. The virtual device may imitate operation of dedicated hardware components”) ([EVRON, para. 0076] “the user 250 may use the user interface 208 of the endpoint 220 hosting the virtual decoy endpoint 210B to interact with one or more of the software modules executed by the virtual decoy endpoint 210B,”) ([EVRON, para. 0025] “each of the plurality of endpoints is a physical device comprising one or more processors and/or a virtual device hosted by one or more physical devices”)
Claims 4, 8, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over EVRON-CRABTREE in view of BUCK (US-20200081733-A1).
Regarding claims 4, 12, and 19, EVRON-CRABTREE teach all limitations of claims 3, 11, and 18. However, EVRON-CRABTREE does not teach “the first virtual environment is controlled by a first server associated with a first organization; and the second virtual environment is controlled by a second server associated with a second organization.”
In analogous teaching BUCK teaches “the first virtual environment is controlled by a first server associated with a first organization; and the second virtual environment is controlled by a second server associated with a second organization. ([BUCK, para. 0061] “the service broker machine 106 a, the management machine 106 e, and the provisioning machine 106 f are associated with or maintained by a first organization and the directory server 106 b and the hosting servers 106 c are associated with or maintained by a second organization.”) ([BUCK, para. 0064] “establish a firewall policy preventing a user authorized to access a second organizational unit in the directory service from accessing the first organizational unit, the second organizational unit associated with a second entity (304).”) ([BUCK, para. 0004] “The connection information includes an identification of at least one virtual machine in the data center. The at least one virtual machine is (i) associated with a first organization, (ii) designated to provide access to at least one virtual resource for a user associated with the at least one credential, and (iii) executing on a physical server hosting a second virtual machine associated with a second organization and providing shared sessions to users of the second organization.”)
Thus, given the teaching of BUCK, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of first organization and a second organization by BUCK into the teaching of a system, comprising: a memory operable to store: a machine learning algorithm configured, when executed, to evaluate data in accordance with one or more machine learning models by EVRON-CRABTREE. One of ordinary skill in the art would have been motivated to do so because BUCK recognizes the need to secure data ([BUCK, para. 0070] “In some embodiments, providing a multi-tenant directory service while also establishing the firewall rules needed to secure each tenant's data enables service providers implementing the methods and systems described herein to provide more flexible, secure resources while fully leveraging their physical resources.”)
Regarding claim 8, EVRON-CRABTREE teach all limitations of claim 5. However, EVRON-CRABTREE does not teach “the first virtual environment and the second virtual environment are different virtual environments.”.
In analogous teaching BUCK teaches “the first virtual environment and the second virtual environment are different virtual environments.” ([BUCK, para. 0061] “the service broker machine 106 a, the management machine 106 e, and the provisioning machine 106 f are associated with or maintained by a first organization and the directory server 106 b and the hosting servers 106 c are associated with or maintained by a second organization.”) ([BUCK, para. 0064] “establish a firewall policy preventing a user authorized to access a second organizational unit in the directory service from accessing the first organizational unit, the second organizational unit associated with a second entity (304).”) ([BUCK, para. 0004] “The connection information includes an identification of at least one virtual machine in the data center. The at least one virtual machine is (i) associated with a first organization, (ii) designated to provide access to at least one virtual resource for a user associated with the at least one credential, and (iii) executing on a physical server hosting a second virtual machine associated with a second organization and providing shared sessions to users of the second organization.”)
The same motivation to modify EVRON-CRABTREE with BUCK as in the rejection of claim 4 applies.
Pertinent Art
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
WILLIAMS (US-10977379-B1): This prior art teaches of a service provider to monitor a cloud-based service by generating and placing canary records in storage locations along with real records to identify improper access events of the records or other data. The service provider may detect an access event where records in a storage location were accessed, and determine whether a canary record was accessed. If a canary record was accessed, the service provider may determine that the access event was potentially performed by a malicious entity because authorized users generally may not have reason to access a canary record when utilizing their cloud-based service. The service provider may generate canary records that are difficult to identify by a malicious entity, and may position canary records in the storage locations to help ensure that the canary records are accessed by a malicious entity during an improper access event.
MEYERS (US-20140250524-A1): This prior art teaches of transitioning a security attack to a monitored computing device posing as a computing device impacted by the security attack and enabling the adversary to obtain deceptive information from the monitored computing device. Also, the adversary may obtain a document configured to report identifying information of an entity opening the document, thereby identifying the adversary associated with the attack. Further, the techniques include determining that a domain specified in a domain name request is associated with malicious activity and responding to the request with a network address of a monitored computing device to cause the requesting process to communicate with the monitored computing device in place of an adversary server. Additionally, a service may monitor dormant domains names associated with malicious activity and, in response to a change, respond with an alert or a configuration update.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.A./
04/30/2026
/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434