DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Non-Final Office Action in response to communications received on September 12, 2024. Claims 1-20 are pending and addressed below.
Specification
For the record, Examiner acknowledges that the Specification submitted on September 12, 2024 has been accepted.
Drawings
For the record, Examiner acknowledges that the Drawings submitted on September 12, 2024 have been accepted.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 13-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention.
Claim 13 recites the limitations “the deception network” and “the secure network infrastructure.” There is insufficient antecedent basis for these limitations. Dependent claims 14-16 are rejected for containing the same indefinite language as parent claim 13 without further remedying the indefinite language.
Claim 14 recites the limitations “the network events” and “the adversary’s network infrastructure and location”. There is insufficient antecedent basis for these limitations.
Claim 15 recites the limitation “the report”. There is insufficient antecedent basis for this limitation.
Claim 16 recites the limitations “the rerouting” and “the detected type of cyber attack”. There is insufficient antecedent basis for these limitations.
Claim 17 is considered to recite limitations that invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The limitations “a machine learning module that analyzes…” and “a dynamic traffic management module to adjust…” are considered to invoke 35 U.S.C. 112(f). The specification merely recites the claim language without providing any detail on the structure of these limitations. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph. Dependent claims 18-20 are rejected for containing the same indefinite language as parent claim 17 without further remedying the indefinite language.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim 13 is rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hooda et al. (U.S. Pub. No. 2020/0177629, hereinafter referred to as Hooda).
As to claim 13, Hooda discloses a method for deploying a cloud-hosted deceptive defense system, comprising:
simulating network resources on a deception server hosted on a cloud platform (paragraphs [0105]-[0108], Hooda teaches a honeypot server in a cloud environment);
redirecting unauthorized traffic to the deception server through a network address translation service (paragraphs [0105]-[0108], Hooda teaches using NAT to redirect potential attacker traffic to the honeypot server);
capturing and logging interactions with adversaries to analyze patterns of attack (paragraphs [0105]-[0108], Hooda teaches monitoring/tracking potential attacker actions on the honeypot server); and
isolating the deception network from the secure network infrastructure to prevent unauthorized access (paragraphs [0105]-[0108] and [0124], Hooda teaches isolating the honeypot network from the real internal network.).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3 and 6-12 are rejected under 35 U.S.C. 103 as being unpatentable over Hooda et al. (U.S. Pub. No. 2020/0177629, hereinafter referred to as Hooda) in view of Ettema et al. (U.S. Patent No. 10,044,675, hereinafter referred to as Ettema).
As to claim 1, Hooda discloses a system for deceptive resistance to adversary cyber operations comprising:
a deception server in a deception network to: respond to a cyber threat actor on at least one networking protocol, wherein the deception server impersonates an operational server on an operational network using network traffic redirection and network address translation, and log relevant network events of the cyber threat actor (paragraphs [0105], [0106], [0123] and [0124], Hooda teaches a honeypot server in a honeypot network where the server appears to be a legitimate host and the activity is monitored. Additionally, traffic redirection and network address translation are performed in the honeypot network); and
an analytics server to: receive and store the logs of the relevant network events from the deception server, and generate dashboards based on the logs to provide visual analytics to an end user (paragraphs [0037], [0038] and [0105], Hooda teaches an analytics engine to provide graphical representations which allow an administrator to secure the network);
manage connections to the deception network from an Internet, and allow administration of the deception network (paragraph [0105], Hooda teaches a LISP mapping system to manage the honeypot network); and
a router to: route traffic between components of the deception network, and terminate a virtual private network connection to the operational network (paragraphs [0029], [0063], [0105], [0107], [0108] and [0124], Hooda teaches routing traffic in the honeypot network and utilizing a VPN.).
Hooda is not explicitly clear in disclosing a network firewall to: manage connections to the deception network from an Internet, and allow administration of the deception network (emphasis added) as claimed. However, Ettema does disclose
a network firewall to: manage connections to the deception network from an Internet, and allow administration of the deception network (col. 8 lines 8-20, Ettema teaches a firewall to manage a honey/decoy network.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hooda with the teachings of Ettema for having a network firewall because Hooda already discloses various aspects performed by a firewall and it would be a simple substitution to replace the device of Hooda with the firewall of Ettema to yield the predictable results of managing the honeypot network with a firewall.
As to claim 3, the combination of teachings between Hooda and Ettema discloses the system of claim 1, further comprising:
a border router, outside the operational network, to route attack traffic of the cyber threat actor to a Network Address Translation (NAT) service, wherein the attack traffic is isolated from the operational network (paragraphs [0105], [0107] and [0111], Hooda teaches border routers and NAT for routing traffic to an isolated honeypot network); and
the NAT service to: change a destination address of the attack traffic to reflect a deception address of the deception server (paragraphs [0105]-[0107], [0111] and [0123], Hooda teaches NAT on a destination address), and change a source address of a response to the attack traffic to reflect an operational address of the operational server (col. 35 line 49 – col. 36 line 30 and col. 43 lines 40-60, Ettema teaches ensuring external Internet-facing IP addresses are associated with the production network.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.
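The two address rewrites recited in claim 3 (and the redirection step of claim 13) are easiest to follow as a concrete translation table. The following is an added illustration written for this record; it is not code from the application, from Hooda, or from Ettema. It models a NAT service that rewrites the destination of traffic already flagged as unauthorized to the deception server, rewrites the source of the deception server's reply back to the operational address, logs each rewrite as a network event, and drops any egress from the deception server that does not belong to a translated flow (the outbound-blocking behaviour of claim 6). All addresses, ports and payloads are constructed sample values, and the `untrusted` set stands in for whatever upstream mechanism classified the traffic.

```python
"""Added example: a minimal model of the claim 3 NAT service.

Not taken from the application or the cited references. Addresses and
packets are constructed sample values; `untrusted` is an assumed input
that represents traffic already classified as unauthorized upstream.
"""
from dataclasses import dataclass, field

OPERATIONAL_ADDR = "203.0.113.10"  # constructed: public address of the operational server
DECEPTION_ADDR = "10.99.0.10"      # constructed: address of the deception server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: str


@dataclass
class DeceptionNAT:
    """Translation table between attacker flows and the deception server."""
    operational_addr: str
    deception_addr: str
    untrusted: frozenset                      # sources already flagged as unauthorized
    table: dict = field(default_factory=dict)  # (src, sport, dport) -> original dst
    events: list = field(default_factory=list)  # logged network events

    def is_attack(self, pkt):
        """Attack traffic: a flagged source addressing the operational server."""
        return pkt.src in self.untrusted and pkt.dst == self.operational_addr

    def inbound(self, pkt):
        """Change the destination of attack traffic to the deception address.

        Traffic that is not flagged passes through untouched, so the
        operational server keeps serving legitimate clients.
        """
        if not self.is_attack(pkt):
            return pkt
        key = (pkt.src, pkt.sport, pkt.dport)
        self.table[key] = pkt.dst  # remember the operational address the attacker used
        self.events.append(("redirect", pkt.src, pkt.sport, pkt.dport, pkt.payload))
        return Packet(pkt.src, self.deception_addr, pkt.sport, pkt.dport, pkt.payload)

    def outbound(self, pkt):
        """Change the source of a deception-server reply to the operational address.

        Replies are matched by the reversed flow key. Any other egress from
        the deception server is dropped (returns None) and logged, which
        keeps the deception network from reaching out on its own.
        """
        if pkt.src != self.deception_addr:
            return pkt
        key = (pkt.dst, pkt.dport, pkt.sport)  # reversed: reply dport is the attacker's sport
        if key not in self.table:
            self.events.append(("blocked_egress", pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return None
        self.events.append(("reply", pkt.dst, pkt.dport, pkt.sport, pkt.payload))
        return Packet(self.table[key], pkt.dst, pkt.sport, pkt.dport, pkt.payload)


def run_sample():
    """Drive one flagged flow and one legitimate flow through the NAT."""
    nat = DeceptionNAT(OPERATIONAL_ADDR, DECEPTION_ADDR, frozenset({"198.51.100.7"}))

    # Constructed attack traffic: flagged source probing the operational server on port 22.
    probe = Packet("198.51.100.7", OPERATIONAL_ADDR, 40000, 22, "SSH-2.0-client")
    forwarded = nat.inbound(probe)

    # Constructed reply from the deception server to that flow.
    reply = nat.outbound(Packet(DECEPTION_ADDR, "198.51.100.7", 22, 40000, "SSH-2.0-decoy"))

    # Constructed legitimate client: not flagged, so it reaches the operational server.
    legit = nat.inbound(Packet("192.0.2.5", OPERATIONAL_ADDR, 5000, 443, "GET /"))

    # Deception server trying to open its own connection: no table entry, dropped.
    stray = nat.outbound(Packet(DECEPTION_ADDR, "192.0.2.5", 31337, 445, "probe"))

    return forwarded, reply, legit, stray, nat.events


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

The attacker side of the exchange only ever sees packets from `203.0.113.10`, which is the property claim 3 describes; the `events` list is the log the deception server or analytics server would consume, and the `blocked_egress` entry is the kind of record a defender would alert on, since a decoy should never originate traffic.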
As to claim 6, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the network firewall is configured to block unauthorized outbound traffic from the deception network (col. 39 line 60 – col. 40 line 15, Ettema teaches blocking outbound traffic.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.
As to claim 7, the combination of teachings between Hooda and Ettema discloses the system of claim 1, further comprising a visualization dashboard on the analytics server that provides real-time monitoring of adversary interactions (paragraphs [0037], [0038] and [0105], Hooda teaches an analytics engine to provide graphical representations which allow an administrator to secure the network.).
As to claim 8, the combination of teachings between Hooda and Ettema discloses the system of claim 1, further comprising a configuration management interface that allows administrators to customize how the deception network responds to different types of cyber threats (paragraphs [0036], [0037] and [0105], Hooda teaches providing graphical representations which allow an administrator to alter honeypot policies.).
As to claim 9, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the analytics server includes a feature that generates alerts when abnormal attack patterns are detected (col. 37 lines 17-37, Ettema teaches alerting analysts.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.
As to claim 10, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the router logs all network traffic between the operational and deception networks (paragraphs [0035], [0063], [0105], [0106], [0123] and [0124], Hooda teaches monitoring activity; col. 12 line 63 – col. 13 line 3 and col. 41 lines 11-26, Ettema teaches logging traffic between the real and decoy networks.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.
As to claim 11, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the deception server is hosted on a cloud platform with dynamic scaling capabilities to handle varying levels of attack traffic (paragraphs [0024] and [0108], Hooda teaches a honeypot server in the cloud and provisioning additional resources for the honeypot network.).
As to claim 12, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the deception network includes several honeypots, each simulating different services or operating systems (col. 10 line 48 – col. 11 line 24 and col. 22 line 64 – col. 23 line 28, Ettema teaches honeypots emulating different services and different operating systems.).
Examiner supplies the same rationale for the combination of the references as in claim 1 above.
Claims 2 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Hooda and Ettema as applied to claim 1 above, and further in view of Ries et al. (U.S. Pub. No. 2021/0067553, hereinafter referred to as Ries).
As to claim 2, the combination of teachings between Hooda and Ettema discloses the system of claim 1. The combination of teachings between Hooda and Ettema does not specifically disclose wherein the analytics server is on the deception network as claimed. However, Ries does disclose
wherein the analytics server is on the deception network (paragraph [0071], Ries teaches a honeynet contains an analytics server.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Hooda with the teachings of Ries for having the analytics server on the deception network because Hooda already discloses an analytics device and it is a simple substitution to replace the analytics device of Hooda with the honeynet based analytics server of Ries to yield the predictable results of having an analytics server in a honeypot network.
As to claim 4, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the deception server is configured to emulate HTTP and FTP protocols (col. 3 lines 20-35, Ettema teaches HTTP and FTP). The combination of teachings between Hooda and Ettema does not specifically disclose SSH as claimed. However, Ries does disclose SSH (paragraphs [0075] and [0135], Ries teaches SSH honeypot servers.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Hooda with the teachings of Ries for having SSH because this would increase security.
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Hooda and Ettema as applied to claim 1 above, and further in view of Crabtree et al. (U.S. Pub. No. 2023/0370439, hereinafter referred to as Crabtree).
As to claim 5, the combination of teachings between Hooda and Ettema discloses the system of claim 1, wherein the analytics server further comprises machine learning algorithms (paragraph [0039], Hooda teaches machine learning algorithms used by the analytics engine.). The combination of teachings between Hooda and Ettema does not specifically disclose to automatically detect and categorize attack patterns based on adversary behavior as claimed. However, Crabtree does disclose
to automatically detect and categorize attack patterns based on adversary behavior (paragraphs [0107]-[0108], Crabtree teaches collecting data using a honeypot and classifying attacks using machine learning.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Hooda with the teachings of Crabtree for categorizing attack patterns based on adversary behavior because this would increase security.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Hooda as applied to claim 13 above, and further in view of Payne (U.S. Patent No. 12,301,614).
As to claim 14, Hooda discloses the method of claim 13, wherein the network events recorded include detailed information about the adversary’s location (paragraphs [0105]-[0108], Hooda teaches monitoring/tracking potential attacker locations.). Hooda does not specifically disclose the adversary’s network infrastructure as claimed. However, Payne does disclose the adversary’s network infrastructure (col. 28 lines 6-46, Payne teaches recording data of a cyber attacker’s network infrastructure.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hooda with the teachings of Payne for recording the adversary’s network infrastructure because this would increase security.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Hooda as applied to claim 13 above, and further in view of Sellers et al. (U.S. Pub. No. 2020/0092165, hereinafter referred to as Sellers).
As to claim 15, Hooda discloses the method of claim 13. Hooda does not specifically disclose wherein the reports generated include specific recommendations for improving network defenses based on observed adversary tactics as claimed. However, Sellers does disclose
wherein the reports generated include specific recommendations for improving network defenses based on observed adversary tactics (paragraphs [0062]-[0063], Sellers teaches generating reports and recommendations for security actions.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hooda with the teachings of Sellers for having specific recommendations for improving network defenses because this would increase security.
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Hooda as applied to claim 13 above, and further in view of Vasseur et al. (U.S. Pub. No. 2015/0326598, hereinafter referred to as Vasseur).
As to claim 16, Hooda discloses the method of claim 13. Hooda does not specifically disclose wherein the network address translation service adjust the rerouting based on the detected type of cyber attack as claimed. However, Vasseur does disclose
wherein the network address translation service adjust the rerouting based on the detected type of cyber attack (paragraph [0069], Vasseur teaches adjusting routing based on an attack type.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hooda with the teachings of Vasseur for adjusting the rerouting based on the detected type of cyber attack because this would increase security.
Claims 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hooda et al. (U.S. Pub. No. 2020/0177629, hereinafter referred to as Hooda) in view of Crabtree et al. (U.S. Pub. No. 2023/0370439, hereinafter referred to as Crabtree).
As to claim 17, Hooda discloses a system for isolating and analyzing cyber adversary activity, comprising:
a deception network configured to reroute attack traffic away from an operational network (paragraphs [0105]-[0108], [0123] and [0124], Hooda teaches an isolated honeypot network that appears to be a legitimate host network and traffic is routed to the honeypot network);
a deception server that simulates real network services and captures adversary behavior across multiple networking protocols (paragraphs [0105]-[0108], [0123] and [0124], Hooda teaches a honeypot server in the honeypot network where the server appears to be a legitimate host and the activity is monitored); and
a dynamic traffic management module to adjust network redirection in real time to maintain deception quality (paragraphs [0024], [0105]-[0108], [0123] and [0124], Hooda teaches dynamic provisioning of resources for the honeypot network based on current resources.). Even though Hooda does generally disclose machine learning (paragraph [0039]) and identifying attack patterns (paragraph [0105]), Hooda is not explicitly clear on disclosing a machine learning module that analyzes logged adversary behavior to identify patterns of attack as claimed. However, Crabtree does disclose
a machine learning module that analyzes logged adversary behavior to identify patterns of attack (paragraphs [0024], [0107] and [0108], Crabtree teaches machine learning for identifying patterns of attacks.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hooda with the teachings of Crabtree for having a machine learning module that analyzes logged adversary behavior to identify patterns of attack because this would increase security.
As to claim 18, the combination of teachings between Hooda and Crabtree discloses the system of claim 17, wherein the machine learning module is trained to distinguish between automated and human-operated cyber attacks based on interaction data (paragraphs [0020], [0024], [0107], [0108] and [0153], Crabtree teaches determining human and nonhuman bad actors.).
Examiner supplies the same rationale for the combination of the references as in claim 17 above.
As to claim 19, the combination of teachings between Hooda and Crabtree discloses the system of claim 17, wherein the dynamic traffic management module prioritizes high risk attack traffic to specialized honeypots (paragraphs [0088], [0091] and [0093], Crabtree teaches identifying risky traffic and employing honeypots.).
Examiner supplies the same rationale for the combination of the references as in claim 17 above.
As to claim 20, the combination of teachings between Hooda and Crabtree discloses the system of claim 17, wherein the machine learning module is further configured to predict future attack methods by analyzing past adversarial behavior (paragraphs [0021] and [0121], Crabtree teaches using machine learning to forecast attacks.).
Examiner supplies the same rationale for the combination of the references as in claim 17 above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THADDEUS J PLECHA whose telephone number is (571)270-7506. The examiner can normally be reached M-F 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO-supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THADDEUS J PLECHA/Examiner, Art Unit 2438