DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/15/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 5-6, 9-16, 17-18 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (CN 117040871 A) in view of Mao et al. (CN 115392323 A).
Regarding claim 1: Huang teaches: A method of maintaining a pool of network decoys on a network, the method comprising:
monitoring the network for one or more interactions between the network attacker and the pool of network decoys (Huang - [Page 5, Line 51-52]: deploying a monitoring tool for the protected honey pot, detecting network intrusion, malicious software and user abnormal behaviour. [Page 9, Line 4-5]: There are 100 existing virtual machine honey pots);
modeling preferences of the network attacker based on the one or more interactions to generate a preference model of the network attacker (Huang - [Page 2, Line 2-3]: according to the known vulnerability of the vulnerability report, the vulnerability database and the target system, determining the preference of the attacker).
However, Huang doesn’t explicitly teach, but Mao discloses:
evolving, over a plurality of epochs, the pool of network decoys towards one or more preferences of a network attacker (Mao - [Page 6, Line 22-23]: the reconstruction parameter may include a honeypot population N and maximum iteration times based on honey pot algorithm), wherein each epoch includes:
updating a fitness function based on the preference model (Mao - [Page 3, Line 7-8]: establishing the fitness function of the VMD parameter optimization according to the energy evaluation index and the correlation evaluation index);
applying the fitness function to each network decoy included in the pool of network decoys to determine a plurality of fitness values, wherein each fitness value is representative of an attractiveness of a respective network decoy to the network attacker (Mao - [Page 7, Line 8]: calculating the value of the fitness function based on the E value and the C value, so as to judge whether satisfy the criterion); and
updating the pool of network decoys based on the plurality of fitness values (Mao - [Page 7, Line 9]: if satisfy optimization criteria, the optimal honey badger and minimum fitness value will be updated).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Huang with Mao so that the attacker's preferences are determined and a fitness function is also determined to evaluate the fitness values of each honey pot for updating the honey pot. The modification would have allowed the system to make the honey pot closer to a real system.
Regarding claim 2: Huang as modified teaches: wherein the fitness function includes one or more weights applied to a respective property of each network decoy, and wherein updating the fitness function comprises:
adjusting the one or more weights based on the preference model (Mao - [Page 8, Line 47-48]: weighting the obtained result, to obtain the final evaluation result (i.e.: optimal parameter and model)).
The reason to combine follows the same rationale as in claim 1.
Regarding claim 5: Huang as modified teaches: wherein each network decoy includes one or more associated configurations for presenting the network decoy on the network as a network device, a network service, or a network resource (Huang - [Page 3, Line 29-31]: according to the network topology, system architecture and device configuration attribute of the Honey pot, obtaining the deployment environment of the honey pot, and evaluating the network topology; Huang - [Page 2, Line 3-4]: according to the known vulnerability of the vulnerability report, the vulnerability database and the target system, determining the preference of the attacker).
Regarding claim 6: Huang as modified teaches: wherein updating the fitness function comprises:
determining that a particular network decoy of the pool of network decoys includes the one or more associated configurations preferenced by the network attacker (Huang - [Page 2, Line 3-4]: according to the known vulnerability of the vulnerability report, the vulnerability database and the target system, determining the preference of the attacker);
updating the fitness function to increase the fitness value for the particular network decoy (Mao - [Page 3, Line 22-23]: according to and C (uk, x)) calculating the VMD parameter corresponding to the minimum value of the fitness function as the optimal parameter).
Regarding claim 9: Huang as modified teaches: wherein updating the pool of network decoys includes:
selecting at least two network decoys from the pool of network decoys based on the plurality of fitness values; generating a new network decoy based on the at least two network decoys; and
adding the new network decoy to the pool of network decoys (Huang - [Page 4, Line 21-23]: if the risk level is low, middle or honey pot has configuration updating ability, selecting part of updating honey pot configuration; if the risk level is high and cannot be eliminated by updating, completely replacing the honey pot; adopting corresponding updating or replacing strategy according to the type of the current honey pot).
Regarding claim 10: Huang as modified teaches: wherein adding the new network decoy to the pool of network decoys includes replacing at least one existing network decoy included in the pool of network decoys with the new network decoy (Huang - [Page 4, Line 19-20]: if the updating is difficult or the automatic updating cannot be realized, completely replacing the honey pot;).
Regarding claim 11: Huang as modified teaches: wherein the at least one existing network decoy is a network decoy of the pool having a lowest fitness value (Huang - [Page 4, Line 21-23]: if the updating is difficult or the automatic updating cannot be realized, completely replacing the honey pot; according to the risk level and the honey pot configuration updating ability).
Regarding claim 12: Huang as modified teaches: wherein selecting the at least two network decoys from the pool of network decoys includes selecting two network decoys from the pool of network decoys having the highest fitness values (Huang - [Page 3, Line 29-31]: performing evaluation on the monitored honey pot activity and attacker behavior, determining the risk level in the system, generating a risk evaluation report, determining the attacker behavior and the system risk, the risk evaluation report comprises dividing the risk into low, middle, Three higher levels, as well as the association of the attacker's behavior with the system risk).
Regarding claim 13: Huang as modified teaches: wherein each network decoy includes one or more associated configurations for presenting the network decoy on the network as a network device, a network service, or a network resource (Huang - [Page 2, Line 5-7]: obtaining the honey pot with corresponding network set; through the configured network setting, configuring firewall and IDS, obtaining the protected honey pot system; deploying a monitoring tool for the protected honey pot, detecting network intrusion, malicious software and user abnormal behaviour), and wherein generating the new network decoy includes generating the new network decoy to include one or more configurations randomly selected from between configurations of the two network decoys with the highest fitness values (Huang - [Page 4, Line 21-22]: if the risk level is low, middle or honey pot has configuration updating ability, selecting part of updating honey pot configuration).
Regarding claim 14: Huang as modified teaches: wherein generating the new network decoy further comprises:
randomly mutating one or more configurations of the new network decoy (Huang - [Page 6, Line 43-44]: the bait and configuration of the honey pot can be periodically changed to keep the validity of the honey pot).
Regarding claim 15: Huang as modified teaches: wherein randomly mutating the one or more configurations comprises:
randomly assigning one or more network services to the new network decoy (Huang - [Page 6, Line 43-45]: The bait and configuration of the honey pot are periodically changed, including changing the false data, adjusting the network topology, and modifying the vulnerability and vulnerability).
Regarding claim 16: Huang as modified teaches: wherein randomly mutating the one or more configurations further comprises:
randomly selecting a port number for the one or more network services assigned to the new network decoy (Huang - [Page 5, Line 16-17]: The real IP address of the honey pot is hidden by the NAT technology of PAT type, and it is mapped to a public IP address and different ports).
Regarding claims 17-18: The claims are directed to server claims and do not teach or further define over the limitations recited in claims 1 and 6. Therefore, claims 17-18 are also rejected for similar reasons set forth in claims 1 and 6. Furthermore, the combination of Huang and Mao teaches a network interface (Huang - [Page 5]), a processor (Mao - [Page 8]) and a memory (Mao - [Page 9]).
Regarding claims 19-20: Claims are directed to apparatus/device claims and do not teach or further define over the limitations recited in claims 1 and 6. Therefore, claims 17-18 are also rejected for similar reasons set forth in claims 1 and 6. Furthermore, Mao in page 9 discloses a non-transitory computer-readable media.
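The epoch loop recited in claim 1, with the preference-weighted fitness of claim 6 and the selection, crossover, mutation and replacement steps of claims 9-16, shown as an added Python example. It is not code from the application or from Huang or Mao; the service catalogue, decoy records, interaction log and all function names are constructed assumptions.

```python
import random
from collections import Counter

# Constructed service catalogue (assumption, not from the application).
SERVICE_PORTS = {"ssh": 22, "http": 80, "smb": 445, "rdp": 3389, "ftp": 21}

def preference_model(interactions, smoothing=1.0):
    """Per-service interaction probability from (decoy_id, service) events."""
    counts = Counter(svc for _, svc in interactions)
    total = sum(counts.values()) + smoothing * len(SERVICE_PORTS)
    return {s: (counts[s] + smoothing) / total for s in SERVICE_PORTS}

def fitness(decoy, prefs):
    """Attractiveness: summed preference weight of the services a decoy exposes."""
    return sum(prefs[s] for s in decoy["services"])

def crossover(a, b, rng):
    """Each service seen in either parent is inherited from a randomly chosen parent."""
    child = {}
    for svc in sorted(set(a["services"]) | set(b["services"])):
        parent = rng.choice((a, b))
        if svc in parent["services"]:
            child[svc] = parent["services"][svc]
    return child

def mutate(services, rng, rate=0.3):
    """With probability `rate`, assign one random service on a random port."""
    if rng.random() < rate:
        services[rng.choice(sorted(SERVICE_PORTS))] = rng.randint(1024, 65535)
    return services

def epoch(pool, interactions, rng):
    """Refresh the model, score the pool, breed the top two, replace the weakest."""
    prefs = preference_model(interactions)
    ranked = sorted(pool, key=lambda d: fitness(d, prefs), reverse=True)
    services = mutate(crossover(ranked[0], ranked[1], rng), rng)
    if not services:  # edge case: the child inherited nothing from either parent
        services = dict(ranked[0]["services"])
    child = {"id": max(d["id"] for d in pool) + 1, "services": services}
    return ranked[:-1] + [child], prefs

# Constructed pool and interaction log for illustration.
POOL = [
    {"id": 1, "services": {"ssh": 22}},
    {"id": 2, "services": {"http": 80, "ftp": 21}},
    {"id": 3, "services": {"smb": 445, "rdp": 3389}},
    {"id": 4, "services": {"smb": 445, "http": 8080}},
]
LOG = [(3, "smb"), (4, "smb"), (3, "rdp"), (4, "smb"), (2, "http"), (3, "smb")]

if __name__ == "__main__":
    rng, pool = random.Random(7), POOL
    for n in range(3):
        pool, prefs = epoch(pool, LOG, rng)
        print(n, [(d["id"], sorted(d["services"])) for d in pool])
```
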
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (CN 117040871 A) in view of Mao et al. (CN 115392323 A) and Wu et al. (CN 115460002 B).
Regarding claim 3: Huang as modified doesn’t explicitly teach but Wu discloses: wherein monitoring the network for one or more interactions between the network attacker and the network includes:
determining the respective property for each network decoy, wherein the respective property is at least one property selected from the group consisting of: (T) a total number of times that the network decoy was interacted with by the network attacker, (L) a time since the network decoy was last interacted with by the network attacker, and (D) a number of services accessed on the network decoy by the network attacker (Wu - [Page 4, Line 46-49]: S600: obtaining the weakest honey pot data according to the attack data, updating and dynamically deploying the honey net according to the weakest honey pot data. Exemplary, by analyzing the number of times that the service is attacked and the time that the service is attacked, judging which service system is most vulnerable to attack, obtaining the weakest honey-pot data).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Huang and Mao with Wu so that the weakest honey-pot data is obtained based on analysis. The modification would have allowed the system to determine the property of honey pot.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (CN 117040871 A) in view of Mao et al. (CN 115392323 A) and ALOHALY et al. (IDS reference, NPL - Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection, 18 October 2022).
Regarding claim 7: Huang as modified doesn’t explicitly teach but ALOHALY discloses: wherein modeling the preferences of the network attacker comprises:
calculating at least one network attacker interaction probability, wherein the network attacker interaction probability is a probability that the network attacker will interact with a particular network decoy of the pool of network decoys (ALOHALY - [Page 108971, Module 1]: measures the uncertainty in an event using its probability P as defined in Equation 4, to quantify the sensitivity (or the amount of surprise and uncertainty) in an attribute access); and
generating the preference model based on the at least one network attacker interaction probability (ALOHALY - [Page 108971, Module 1]: The proposed sensitivity assessment algorithm is shown in Algorithm 1. We note that we applied the Root Mean Square (RMS) in this algorithm due to its sensitivity to large values).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Huang and Mao with ALOHALY so that a probability is calculated to measure the uncertainty of accessing. The modification would have allowed the system to build an algorithm based on probability.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (CN 117040871 A) in view of Mao et al. (CN 115392323 A) and Tian et al. (CN 117411670 A) and ALOHALY et al. (IDS reference, NPL - Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection, 18 October 2022).
Regarding claim 8: Huang as modified teaches: wherein each network decoy includes one or more associated configurations for presenting the network decoy on the network as a network device, a network service, or a network resource, and wherein modeling the preferences of the network attacker includes:
maintaining a set of network attacker preferences, wherein the set of network attacker preferences indicates at least one configuration of the one or more configurations preferenced by the network attacker (Huang - [Page 2, Line 3-4]: according to the known vulnerability of the vulnerability report, the vulnerability database and the target system, determining the preference of the attacker);
updating the set of network attacker preferences based on the total observed probability and the network attacker interaction probability (Huang - [Page 2, Line 10]: periodically changing the bait and configuration of the honey pot).
However, Huang as modified doesn’t explicitly teach but Tian discloses: determining whether the network attacker has interacted a threshold number of times with the pool of network decoys in response to the monitoring of the one or more interactions; and if so, computing a total observed probability that the network attacker has interacted with the particular network decoy of the pool of network decoys based on the one or more interactions (Tian - [Page 2, Line 1-4]: at least one of the historical normal access honey court times and the historical abnormal access honey court times is greater than the access times threshold, The security detection result of the honey court access request indicates that the honey court access request is normal, and the network attack probability of the honey court access request is calculated);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Huang and Mao with Tian so that the network attack probability of the honey court access request is calculated based on the access honey court times being greater than the access times threshold. The modification would have allowed the system to obtain the network attack probability of the honey court access request.
However, Huang as modified in combination with Tian doesn’t explicitly teach but ALOHALY discloses: computing a network attacker interaction probability based, at least in part, on the set of network attacker preferences, wherein the network attacker interaction probability is a probability that the network attacker will interact with the particular network decoy (ALOHALY - [Page 108971, Module 1]: measures the uncertainty in an event using its probability P as defined in Equation 4, to quantify the sensitivity (or the amount of surprise and uncertainty) in an attribute access);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Huang and Mao with Tian and ALOHALY so that a probability is calculated to measure the uncertainty of accessing. The modification would have allowed the system to build an algorithm based on probability.
Allowable Subject Matter
Claim 4 is objected to as being dependent upon a rejected base claim but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The reason for allowance will be furnished upon allowance of the application.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sidiroglou et al. Pub. No.: US 2008/0141374 - Systems and methods for detecting and inhibiting attacks using honeypots
Crabtree et al. US 20230370439 - NETWORK ACTION CLASSIFICATION AND ANALYSIS USING WIDELY DISTRIBUTED HONEYPOT SENSOR NODES
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MENG LI/
Primary Examiner, Art Unit 2437