DETAILED ACTION
Claim 9 was cancelled in a preliminary amendment.
Claims 11-16 were added in a preliminary amendment.
Claims 1-8 and 10-16 have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Priority
The current application is a National Stage entry of PCT/CN2023/074348, International Filing Date: 02/03/2023 which claims foreign priority to 202210373820.X, filed 04/07/2022.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/26/2024 has been considered by the examiner.
Specification
The abstract of the disclosure is objected to because of the two dashes (i.e., “- -”) at the beginning and end of the Abstract. A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-6, 8 and 10-15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by United States Patent Application Publication No. US 20180159701 A1 to Krause et al., hereinafter Krause.
Regarding claim 1, Krause teaches a method for operating a honeypot network, the method comprising:
acquiring attack traffic for a service machine (Figures 6 and 7D, paragraph 116, “shows an attacker or a threat actor 602 and a client 604 interacting with network 606”);
forwarding the attack traffic to a honeypot container corresponding to the service machine, wherein a container address of the honeypot container is the same as a service address of the service machine, the service address is a network address of the service machine, and the container address is a network address of the honeypot container (paragraph 20, “injecting a honeypot container into the network, wherein the honeypot container is accessible only by threat actors, and monitoring all traffic going into the honeypot container”, paragraphs 26 and 32, “executing an application in a first container on a first host with a first virtual address in a network; detecting a threat actor interacting with the first host; executing a copy of the application in a copy of the first container on a second host with a second virtual address in the network”, paragraphs 38 and 45, “executing an application in a first container on a first host with a first virtual address in a network; computer-executable instructions for detecting a threat actor interacting with the first host; computer-executable instructions for executing a copy of the application in a copy of the first container on a second host with a second virtual address in the network; computer-executable instructions for capturing a state of the application in the first container; and computer-executable instructions for migrating the state of the application from the first host to the second host”, paragraph 66, “the targeted container will be converted to a honeypot container”, paragraphs 68 and 77, “to provide virtual IP addresses to containers and to keep track of container hops across an enterprise”, and paragraph 78, “Each machine can have containers deployed thereon that are live containers with real applications and services and honeypot containers that are used to identify and study adversaries”);
and returning virtual data generated by the honeypot container, wherein the virtual data is data requested by the attack traffic, and the virtual data comprises the container address (Figure 8, paragraph 142, “assume there is an incoming packet that is addressed to 10.1.0.1 (vIP) that currently maps to 10.0.0.9 (rIP). In this type of mutation, the packet is modified in-flight by the SDN data plane (assuming deployment on an SDN) such that it is now addressed to 10.9.0.3. Note that this is not the rIP. The data plane may be configured such that traffic addressed to 10.9.0.3 safely reaches 10.0.0.9, but packets addressed directly to 10.0.0.9 would instead reach some other host”).
Regarding claim 2, Krause teaches wherein, before the acquiring attack traffic for a service machine, the method further comprises: acquiring the service address of the service machine; and creating the honeypot container corresponding to the service machine based on the service address (paragraphs 68, 77, 78, 126, and 136).
Regarding claim 3, Krause teaches wherein, the acquiring the service address of the service machine, comprises:
acquiring the service address transmitted by a probe, wherein the probe is located at the service machine, and the probe is used to acquire and forward the service address of the service machine (paragraphs 71, 78, 126, and 136);
the acquiring attack traffic for a service machine, comprises: acquiring the attack traffic transmitted by the probe, wherein the probe is also used to forward the attack traffic accessing the service machine (paragraphs 71, 78, 126, 136, and 142).
Regarding claim 4, Krause teaches wherein, before the acquiring the service address for the service machine, the method further comprises:
acquiring a service network segment of a service subnet, wherein the service network segment comprises at least one network address occupied by the service subnet (paragraphs 70, 72, and 73);
and setting up an application container engine based on the service network segment (paragraph 82), wherein the application container engine is used to create, based on the network address in the service network segment, the honeypot container corresponding to the network address (paragraphs 66-68, 77, and 78);
the creating the honeypot container corresponding to the service machine based on the service address, comprises: invoking, after determining that the service address belongs to the service network segment, the application container engine to create the honeypot container corresponding to the service machine (paragraphs 66-68, 77, and 78).
Regarding claim 5, Krause teaches wherein, before the creating the honeypot container corresponding to the service machine based on the service address, the method comprises:
acquiring a honeypot custom directive for creating the honeypot container corresponding to the service machine, wherein the honeypot custom directive comprises an execution manner and a service type of the honeypot container (paragraphs 32, 38, 45, 77, and 78);
the creating the honeypot container corresponding to the service machine based on the service address, comprises: creating, based on the service address, the honeypot container corresponding to the service machine, in the execution manner and the service type in the honeypot custom directive, wherein a honeypot service comprises a virtual service established in the service type (paragraphs 66-68, 77, and 78);
after the forwarding the attack traffic to a honeypot container corresponding to the service machine, the method further comprises: executing the virtual service in the execution manner based on the attack traffic (paragraphs 66-68, 77, 78, and 142).
Regarding claim 6, Krause teaches wherein, the acquiring the service address transmitted by a probe, comprises:
acquiring at least one service address transmitted by at least one probe respectively, wherein the at least one probe is located on at least one service machine respectively (paragraphs 71, 78, 126, and 136);
the creating the honeypot container corresponding to the service machine based on the service address, comprises: creating a honeypot container respectively corresponding to the at least one service machine based on the at least one service address (paragraphs 68, 77, 78, 126, and 136);
the acquiring the attack traffic transmitted by the probe, comprises: acquiring the attack traffic transmitted by the at least one probe, respectively targeting at the at least one service machine (paragraphs 71, 78, 126, 136, and 142);
the forwarding the attack traffic to a honeypot container corresponding to the service machine, comprises: forwarding the attack traffic respectively targeting at the at least one service machine, to the honeypot container respectively corresponding to the at least one service machine, respectively (paragraphs 32, 38, 45, 77, and 78).
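The method recited across claims 1 through 6 (and repeated for the apparatus and storage-medium claims 8 and 10-15) is, in substance, a small control loop: a probe on the service machine reports its address, an application container engine bound to the service network segment creates a honeypot container that reuses that address, attack traffic reaching the probe is forwarded to that container, and the container answers with virtual data that carries the container address. The following Python model of that loop is an added illustration; it is not code from the application under examination or from Krause. Every class and function name, the probe heuristic (traffic to a port the service machine does not actually serve is treated as attack traffic), and the service-type and execution-manner labels are assumptions made for this example.

```python
"""Executable model of the honeypot-network method recited in claims 1-6.

Added illustration, not code from the application or from Krause. All names,
the probe heuristic (unserved port => attack traffic) and the directive labels
("http"/"ssh", "emulated"/"sinkhole") are assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Directive:
    """Honeypot custom directive: service type plus execution manner (claim 5)."""
    service_type: str       # assumed values: "http", "ssh"
    execution_manner: str   # assumed values: "emulated" (answer) or "sinkhole" (log only)


@dataclass(frozen=True)
class AttackTraffic:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class HoneypotContainer:
    address: str            # container address; identical to the service address (claim 1)
    directive: Directive
    log: list = field(default_factory=list)

    def serve(self, traffic: AttackTraffic) -> bytes:
        """Execute the virtual service; the virtual data embeds the container address."""
        self.log.append(traffic)
        if self.directive.execution_manner == "sinkhole":
            return b""  # accept and record, answer nothing
        if self.directive.service_type == "http":
            body = f"<html><body>host {self.address}</body></html>".encode()
            head = f"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Length: {len(body)}\r\n\r\n"
            return head.encode() + body
        if self.directive.service_type == "ssh":
            return f"SSH-2.0-OpenSSH_8.2 {self.address}\r\n".encode()
        raise ValueError(f"unsupported service type {self.directive.service_type!r}")


class ContainerEngine:
    """Application container engine set up on one service network segment (claim 4)."""

    def __init__(self, segment: str) -> None:
        self.segment = ipaddress.ip_network(segment)
        self.containers: dict[str, HoneypotContainer] = {}

    def create(self, address: str, directive: Directive) -> HoneypotContainer:
        # Only an address that belongs to the service segment gets a honeypot container.
        if ipaddress.ip_address(address) not in self.segment:
            raise ValueError(f"{address} is outside service segment {self.segment}")
        container = HoneypotContainer(address=address, directive=directive)
        self.containers[address] = container
        return container


class HoneypotController:
    """Receives service addresses and attack traffic from probes (claims 2 and 3)."""

    def __init__(self, engine: ContainerEngine) -> None:
        self.engine = engine

    def on_service_address(self, address: str, directive: Directive) -> HoneypotContainer:
        return self.engine.create(address, directive)

    def forward(self, traffic: AttackTraffic) -> bytes:
        container = self.engine.containers.get(traffic.dst)
        if container is None:
            raise LookupError(f"no honeypot container for {traffic.dst}")
        return container.serve(traffic)


@dataclass
class Probe:
    """Runs on the service machine; reports its address and forwards attack traffic (claim 3)."""
    service_address: str
    served_ports: frozenset
    controller: HoneypotController

    def register(self, directive: Directive) -> HoneypotContainer:
        return self.controller.on_service_address(self.service_address, directive)

    def observe(self, traffic: AttackTraffic) -> bytes | None:
        # Assumed heuristic: a port the machine does not serve has no legitimate callers.
        if traffic.dst == self.service_address and traffic.dst_port not in self.served_ports:
            return self.controller.forward(traffic)
        return None  # legitimate traffic stays with the real service


def run_demo() -> dict:
    engine = ContainerEngine("10.0.0.0/24")
    controller = HoneypotController(engine)
    probe = Probe("10.0.0.9", frozenset({443}), controller)
    container = probe.register(Directive("http", "emulated"))
    # Constructed traffic: a scan of port 80, which the real machine does not serve.
    attack = AttackTraffic("198.51.100.7", "10.0.0.9", 80,
                           b"GET /admin HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n")
    legit = AttackTraffic("203.0.113.5", "10.0.0.9", 443, b"\x16\x03\x01")
    try:
        engine.create("192.168.1.5", Directive("ssh", "emulated"))
        rejected = False
    except ValueError:
        rejected = True
    return {
        "container_address": container.address,
        "reply": probe.observe(attack),
        "legit": probe.observe(legit),
        "rejected": rejected,
        "logged": len(container.log),
    }
```

In this model the honeypot container is never placed on the wire at the shared address; the probe is the only path to it, which is what allows the container address and the service address to coincide without an address conflict on the service subnet. Traffic to a port the machine genuinely serves is left alone, and a registration for an address outside the configured segment is refused before any container is created.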
Regarding claim 8, Krause discloses an apparatus for operating a honeypot network, the apparatus comprising:
at least one processor (paragraph 59, “may include a single processor or may be architectures employing multiple processor designs”);
and a memory storing instructions which, when executed by the at least one processor, cause the at least one processor to perform operations (paragraphs 57, 59, and 97, “Container hopping impacts resource consumption by requiring increased CPU and memory utilization”),
the operations comprising:
acquiring attack traffic for a service machine (Figures 6 and 7D, paragraph 116, “shows an attacker or a threat actor 602 and a client 604 interacting with network 606”);
forwarding the attack traffic to a honeypot container corresponding to the service machine, wherein a container address of the honeypot container is the same as a service address of the service machine, the service address is a network address of the service machine, and the container address is a network address of the honeypot container (paragraph 20, “injecting a honeypot container into the network, wherein the honeypot container is accessible only by threat actors, and monitoring all traffic going into the honeypot container”, paragraphs 26 and 32, “executing an application in a first container on a first host with a first virtual address in a network; detecting a threat actor interacting with the first host; executing a copy of the application in a copy of the first container on a second host with a second virtual address in the network”, paragraphs 38 and 45, “executing an application in a first container on a first host with a first virtual address in a network; computer-executable instructions for detecting a threat actor interacting with the first host; computer-executable instructions for executing a copy of the application in a copy of the first container on a second host with a second virtual address in the network; computer-executable instructions for capturing a state of the application in the first container; and computer-executable instructions for migrating the state of the application from the first host to the second host”, paragraph 66, “the targeted container will be converted to a honeypot container”, paragraphs 68 and 77, “to provide virtual IP addresses to containers and to keep track of container hops across an enterprise”, and paragraph 78, “Each machine can have containers deployed thereon that are live containers with real applications and services and honeypot containers that are used to identify and study adversaries”);
and returning virtual data generated by the honeypot container, wherein the virtual data is data requested by the attack traffic, and the virtual data comprises the container address (Figure 8, paragraph 142, “assume there is an incoming packet that is addressed to 10.1.0.1 (vIP) that currently maps to 10.0.0.9 (rIP). In this type of mutation, the packet is modified in-flight by the SDN data plane (assuming deployment on an SDN) such that it is now addressed to 10.9.0.3. Note that this is not the rIP. The data plane may be configured such that traffic addressed to 10.9.0.3 safely reaches 10.0.0.9, but packets addressed directly to 10.0.0.9 would instead reach some other host”).
Regarding claim 10, Krause discloses a non-transitory computer readable storage medium, storing a computer program thereon, wherein, the computer program, when executed by a processor, performs operations, the operations comprising:
acquiring attack traffic for a service machine (Figures 6 and 7D, paragraph 116, “shows an attacker or a threat actor 602 and a client 604 interacting with network 606”);
forwarding the attack traffic to a honeypot container corresponding to the service machine, wherein a container address of the honeypot container is the same as a service address of the service machine, the service address is a network address of the service machine, and the container address is a network address of the honeypot container (paragraph 20, “injecting a honeypot container into the network, wherein the honeypot container is accessible only by threat actors, and monitoring all traffic going into the honeypot container”, paragraphs 26 and 32, “executing an application in a first container on a first host with a first virtual address in a network; detecting a threat actor interacting with the first host; executing a copy of the application in a copy of the first container on a second host with a second virtual address in the network”, paragraphs 38 and 45, “executing an application in a first container on a first host with a first virtual address in a network; computer-executable instructions for detecting a threat actor interacting with the first host; computer-executable instructions for executing a copy of the application in a copy of the first container on a second host with a second virtual address in the network; computer-executable instructions for capturing a state of the application in the first container; and computer-executable instructions for migrating the state of the application from the first host to the second host”, paragraph 66, “the targeted container will be converted to a honeypot container”, paragraphs 68 and 77, “to provide virtual IP addresses to containers and to keep track of container hops across an enterprise”, and paragraph 78, “Each machine can have containers deployed thereon that are live containers with real applications and services and honeypot containers that are used to identify and study adversaries”);
and returning virtual data generated by the honeypot container, wherein the virtual data is data requested by the attack traffic, and the virtual data comprises the container address (Figure 8, paragraph 142, “assume there is an incoming packet that is addressed to 10.1.0.1 (vIP) that currently maps to 10.0.0.9 (rIP). In this type of mutation, the packet is modified in-flight by the SDN data plane (assuming deployment on an SDN) such that it is now addressed to 10.9.0.3. Note that this is not the rIP. The data plane may be configured such that traffic addressed to 10.9.0.3 safely reaches 10.0.0.9, but packets addressed directly to 10.0.0.9 would instead reach some other host”).
Regarding claim 11, Krause discloses wherein, before the acquiring attack traffic for a service machine, the operations further comprise: acquiring the service address of the service machine; and creating the honeypot container corresponding to the service machine based on the service address (paragraphs 68, 77, 78, 126, and 136).
Regarding claim 12, Krause discloses wherein, the acquiring the service address of the service machine, comprises:
acquiring the service address transmitted by a probe, wherein the probe is located at the service machine, and the probe is used to acquire and forward the service address of the service machine (paragraphs 71, 78, 126, and 136);
the acquiring attack traffic for a service machine, comprises: acquiring the attack traffic transmitted by the probe, wherein the probe is also used to forward the attack traffic accessing the service machine (paragraphs 71, 78, 126, 136, and 142).
Regarding claim 13, Krause discloses wherein, before the acquiring the service address for the service machine, the operations further comprise:
acquiring a service network segment of a service subnet, wherein the service network segment comprises at least one network address occupied by the service subnet (paragraphs 70, 72, and 73);
and setting up an application container engine based on the service network segment, wherein the application container engine is used to create, based on the network address in the service network segment, the honeypot container corresponding to the network address (paragraphs 66-68, 77, and 78);
the creating the honeypot container corresponding to the service machine based on the service address, comprises: invoking, after determining that the service address belongs to the service network segment, the application container engine to create the honeypot container corresponding to the service machine (paragraphs 66-68, 77, and 78).
Regarding claim 14, Krause discloses wherein, before the creating the honeypot container corresponding to the service machine based on the service address, the operations comprise:
acquiring a honeypot custom directive for creating the honeypot container corresponding to the service machine, wherein the honeypot custom directive comprises an execution manner and a service type of the honeypot container (paragraphs 32, 38, 45, 77, and 78);
the creating the honeypot container corresponding to the service machine based on the service address, comprises: creating, based on the service address, the honeypot container corresponding to the service machine, in the execution manner and the service type in the honeypot custom directive, wherein a honeypot service comprises a virtual service established in the service type (paragraphs 66-68, 77, and 78);
after the forwarding the attack traffic to a honeypot container corresponding to the service machine, the operations further comprise: executing the virtual service in the execution manner based on the attack traffic (paragraphs 66-68, 77, 78, and 142).
Regarding claim 15, Krause discloses wherein, the acquiring the service address transmitted by a probe, comprises:
acquiring at least one service address transmitted by at least one probe respectively, wherein the at least one probe is located on at least one service machine respectively (paragraphs 71, 78, 126, and 136);
the creating the honeypot container corresponding to the service machine based on the service address, comprises: creating a honeypot container respectively corresponding to the at least one service machine based on the at least one service address (paragraphs 68, 77, 78, 126, and 136);
the acquiring the attack traffic transmitted by the probe, comprises: acquiring the attack traffic transmitted by the at least one probe, respectively targeting at the at least one service machine (paragraphs 71, 78, 126, 136, and 142);
the forwarding the attack traffic to a honeypot container corresponding to the service machine, comprises: forwarding the attack traffic respectively targeting at the at least one service machine, to the honeypot container respectively corresponding to the at least one service machine, respectively (paragraphs 32, 38, 45, 77, and 78).
Allowable Subject Matter
Claims 7 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to dealing with traffic attacking a network environment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571)272-8627. The examiner can normally be reached M-F 8:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JEREMIAH L AVERY/Primary Examiner, Art Unit 2431