Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 21, 28, 35 were amended, claims 21-40 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/09/20, 06/09/20.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Priority
This application discloses and claims only subject matter disclosed in prior application no 15/593164, filed 05/11/17, and names the inventor or at least one joint inventor named in the prior application. Accordingly, this application may constitute a continuation or division. Should applicant desire to claim the benefit of the filing date of the prior application, attention is directed to 35 U.S.C. 120, 37 CFR 1.78, and MPEP § 211 et seq.
Response to Arguments
Applicant’s arguments with respect to claim(s) 21, 28, 35 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 


Instant Application 16657,687
US patent US 10623389 B2
A computer-implemented method of a receiving device for authentication, comprising operations for: 












receiving a first communication from a requesting device of a plurality of devices in an internet of things network that includes the receiving device; determining whether the first communication matches an accepted communication pattern; 

in response to determining that the first communication matches the accepted communication pattern, generating an authentication score for the requesting device based on how closely the first communication matches with the accepted communication pattern; authenticating the receiving device and the requesting device as an authenticated cluster; and responding to the first communication; in response to determining that the first communication does not match the accepted communication pattern, flagging the first communication as an anomaly; 

receiving a second communication from the requesting device; based on whether the receiving device and the requesting device are in the authenticated cluster and based on the authentication score of the requesting device, determining whether to respond to the second communication.


storing accepted communication patterns representing accepted modes of communication between devices in an internet of things network, wherein each of the accepted communication patterns includes one or more features, wherein each of the accepted communication patterns includes one or more features, and wherein each of the one or more features describes which of the devices are communicating, a type of a communication, when the devices are communicating, a duration of the communication, and a frequency of the communication;
 in response to receiving a first communication from a requesting device of the devices, determining whether the first communication matches a communication pattern of the accepted communication patterns; 

in response to determining that the first communication matches the communication pattern, generating an authentication score for the requesting device based on how closely the first communication matches with the communication pattern; and 


responding to the first communication; and 
in response to determining that the first communication does not match the communication pattern, flagging the first communication as an anomaly; and 
in response to receiving a second communication from the requesting device, determining whether the authentication score of the requesting device exceeds a threshold; and in response to determining that the requesting device has the authentication score that exceeds the threshold, responding to the second communication.




Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent No. US 10623389 B2. Although the claims at similar limitations with obvious variations.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 21, 28, 35 are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava et al. (US 2016/0261621, hereinafter Srivastava) in view of Ivey et al. (US 20160005029 A1, hereinafter Ivey) and further in view of Morimoto et al (US 20100223663 A1).


receiving a first communication from a requesting device of a plurality of devices in an internet of things network that includes the receiving device (Srivastava, para [0015], the multiple users may be using multiple client devices that are in communication with the classifier device (not shown). Assume further that the classifier device has created a model that includes a normal behavior pattern associated with the multiple users (e.g., shown as information in a row labeled "Normal Behavior Pattern" in a data structure stored by the classifier device). The normal behavior pattern may be an average of behaviors, associated with the multiple users that conform to the normal behavior parameters. Para [0024], client device 210 may be a device that is not associated with a user (e.g., a plurality of client devices 210, not associated with a user, may form an internet of things); 
determining whether the first communication matches an accepted communication pattern (Srivastava, fig-2,para [0024], client device 210 may request access to a network resource (e.g., content provided by network resource device 230). Para [0025] Network security device 220 may include one or more devices capable of processing and/or transferring traffic between client devices 210 and/or network resource devices 230… In some implementations, network security device 220 may receive, from client device 210, a request to access a network resource associated with network resource device 230 and/or another client device 210. Additionally, or alternatively, network security device 220 may provide, to classifier device 240, behavior information that identifies a behavior associated with a user, so that classifier device 240 may determine whether the behavior 
Storing the receiving device and the requesting device as an authenticated cluster (FIG 7B User A’s Normal Pattern with X.com); and responding to the first communication (FIG 6 650 and associated text;[0088]; For example, if the behavior is normal, then classifier device 240 may instruct network security device 220 to grant the user permission to proceed with the behavior.); 
in response to determining that the first communication matches the accepted communication pattern (FIG 6 630-640 and associated text;), generating grant/deny for the requesting device based on how closely the first communication matches with the accepted communication pattern ([0027]; a distributed computing device, a cloud computing device, or the like. Additionally, or alternatively, classifier device 240 may, based on classifying behavior exhibited by client device 210 as normal or abnormal, instruct network security device 220 to grant or deny client device 210 permission to access a network resource. )
in response to determining that the first communication does not match the accepted communication pattern, flagging the first communication as an anomaly (FIG 6 630-640 and associated text; ); 
receiving a second communication from the requesting device (FIG 8A 810 and associated text; ); 
based on determining that the receiving device and the requesting device are in the authenticated cluster (FIG 7B  and associated text; User A’ normal pattern with  and determining whether to respond to the second communication (FIG 7A and 7B and associated text;)
Srivastava does not but Ivey teaches,
in response to determining that the first communication matches the accepted communication pattern, generating an authentication score for the requesting device based on how closely the first communication matches with the accepted communication pattern ([0006] In an embodiment, a system for detecting fraud, comprising: a non-transitory memory; a processor; and at least one application stored in the memory and executable by the processor, wherein the application is in communication with a data store, wherein the application: receives a request to at least one of view a website and engage in a transaction using a stored-value card, wherein the request is associated with an artifact, wherein the artifact comprises at least one of a profile, a key, a fingerprint, and a digital fingerprint; determines if the artifact is approved to use the stored-value card based upon at least one of: an analysis of the risk score associated with the request and a risk threshold,); 
based on determining that the receiving device and the requesting device are in the authenticated cluster and based on the authentication score of the requesting device exceeding a threshold, responding to the second communication ([0006]; based upon the determination whether the artifact is approved to use the stored-value card, at least one of: process, based upon a determination that the first party is not on the banned access list and is approved to use the stored -value card when the risk score is below the risk threshold, the request, and provide, to the first party, based on a determination that at least one of the first party is on the banned access list and that the 

Srivastava in view of Ivey does not exclusively but Morimoto teaches, wherein the authentication score is generated by comparing features of the first communication and the accepted communication pattern to identify differences of the features, wherein different values are associated with each of the differences, and wherein the authentication score is generated from the values ([0158] The user authenticating unit 304 converts by the processing device 352 the biometric information inputted by the user specifying information inputting unit 303 from the format selected by the format selecting unit 315 to the original format and authenticates the user based on the converted biometric information (a user authenticating step)….. For example, if the biometric information data sent by the client is based on the data format of "feature quantity N, feature quantity 2, feature quantity 5, . . . , feature quantity 1," it is possible to retrieve each feature quantity data "feature quantity 1, 2, 3, . . . , N" by returning the order of alignment to the original. The authentication processing unit 323 carries out the authentication process (checking process) using the feature quantity data from the client retrieved by the encoding unit 322 and the feature quantity data of the registration data on the server (step S214). This authentication process is the same authentication process carried out at the client side. For example, as shown in FIG. 18, the authentication result can be obtained by processing a total sum of .alpha. and .beta., which are obtained by 

Claims 28, and 35, are device and product claims corresponding method claim 21, also rejected accordingly.

Claims 22, 29 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava et al.(US 2016/0261621, hereinafter Srivastava) in view of Ivey et al. (US 20160005029 A1, hereinafter Ivey), and further in view of Morimoto et al (US 20100223663 A1) and in view of Pegna et al. (US 2016/0191560 A1, hereinafter Pegna).

Regarding claim 22, the combination teaches all the claimed limitation of claim 21. However, the combination does not expressly teach the following limitation that Pegna teaches: further comprising:
creating a connected communication graph to represent communications between authenticated clusters with a time dimension (Pegna, para [0019], method and system for implementing threat detection that operates by identifying clusters of hosts (communities) built from the connectivity graph of communications within an internal It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Srivastava in view of Ivey and Morimoto’s method with teaching of Pegna in order for identifying insider threats within an organization. (Pegna, abstract).
Claims 29, and 36, are device and product claims corresponding method claim 22, also rejected accordingly.

Claims 23, 25, 30, 32 36, 39, are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava et al.(US 2016/0261621, hereinafter Srivastava) in view of Ivey et al. (US 20160005029 A1, hereinafter Ivey), and further in view of Morimoto et al (US 20100223663 A1),  in view of Zou et al. (US 2016/0212099, hereinafter Zou).

Regarding claim 23, the combination teaches all the claimed limitation of claim 21, further comprising: determining that a selected device from the devices has been compromised based on at least one of the selected device has changed a kind, a volume, and a frequency of data that the selected device sends (Zou, para [0058], the private cloud control center agent 208 functions to detect rogue IoT devices based on detection of abnormal behavior. Behavior can be determined to be abnormal based on data and data traffic for an IoT device. For example, if a large amount of data is being sent to an IoT device, then the private cloud control center agent 208 can determine that the IoT device is exhibiting abnormal behavior. The private cloud control center agent 208 can determine that behavior exhibited by an IoT device is abnormal by one or an applicable combination of a comparison with past behavior of the IoT device, a comparison with other IoT devices managed by the private cloud control center agent 208, a comparison with other IoT devices of the same type, and a comparison with IoT devices used by other users, as indicated by IoT device data. For example, the private cloud control center agent 208 can determine that IoT device behavior is abnormal if the IoT device is using substantially more data than previously used, as indicated by IoT device data.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Srivastava in view of Ivey and Morimoto’s method with teaching of Zou in order to manage security of IoT devices, including detection of rogue IoT devices, based on data stored in the private clouds 106. (Zou, para [0025]).

Regarding claim 25, the combination teaches all the claimed limitation of claim 1, further comprising: identifying a new communication pattern of a device from the devices trying to continuously reconnect over a period of time, wherein the new communication pattern indicates that the device has gone rogue (Zou, para [0057] in onboarding the IoT devices 204 according to an IoT firewall, the private cloud control center agent 208 functions to decrease the risk of rogue IoT devices being used. Specifically, if an IoT firewall specifies specific devices, or IoT devices of specific users, which can be onboarded for management through a private cloud, the private cloud control center agent 208 can prevent rogue IoT devices from coupling to the gateway 206 and gaining access to the private cloud, and subsequently other IoT devices managed through the private cloud. For example, if a hacker places an IoT device within range of the gateway 206 to gain access to a private cloud, the private cloud control center agent 208 can recognize, based on the IoT firewall, the IoT device is not authorized for onboarding, and prevent the IoT device from connecting and becoming a rogue IoT device. In various implementations, a rogue IoT device can include a device not authorized to be managed through a private cloud or an IoT device that includes installed malware.)

Claims 30, 32 and 36, 39 are device and product claims corresponding method claims 23 and 25 respectively, also rejected accordingly.

Claim 24, 31, 38 are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava et al.(US 2016/0261621, hereinafter Srivastava) in view of Ivey et al. (US 20160005029 A1, hereinafter Ivey), and further in view of Morimoto et al (US 20100223663 A1),  in view of Smith et al. (US 2017/0195303 A1, hereinafter Smith).

Regarding claim 24, the combination teaches all the claimed limitation of claim 21. However, the combination does not expressly teach the following limitation that Smith teaches, further comprising: determining that a selected device from the devices has been compromised based on receiving a same security token from the selected device and from another device (Smith, para [0034], It may be possible for an attacker to compromise the clock value of a device on the network. If a majority of devices are compromised it may be possible for the compromised devices to provide incorrect clock values to other devices on the network. Para [0035-0036], the external verifier 402 may evaluate a number of nodes that return a given value. In an example, the external verifier 402 may determine that a particular g b value, whether authentic or compromised, is prevalent on the network. For example, the first node 404 and the second node 406 may return the same incorrect g b value. If the majority of other devices on the network report the same incorrect g b value the external verifier 402 may determine that the network is compromised. Para [0037] Using the DH protocol in a clock synchronization message may prevent an attacker from resetting the clock of a device on the network. By synchronizing the clocks of many devices at once it may make it difficult for an attacker to compromise a majority of devices.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Srivastava in view of Ivey and Morimoto’s method with teaching of Smith for implementing secure iot devices using entropy multiplexing (Smith, abstract and para [0001]).

.

Claim 26, 33 are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava et al.(US 2016/0261621, hereinafter Srivastava)  in view of Ivey et al. (US 20160005029 A1, hereinafter Ivey) and further in view of Morimoto et al (US 20100223663 A1),  and in view of Donnelly et al. (US 2016/0006755 A1, hereinafter Donnelly).

Regarding claim 26, the combination teaches all the claimed limitation of claim 21, However, the combination does not expressly teach the following limitation that Donnelly teaches further comprising: identifying an infected device from the devices based on a signature of the infected device that comprises an abnormal communication pattern (Donnelly, para [0043] In one embodiment there is provided means to ascertain if there are traffic patterns corresponding to normal characteristic patterns associated with a device activity, and/or means to ascertain out of the ordinary communication patterns associated with a device activity, wherein said patterns are configured to be used as control signature patterns for detecting other devices behaving abnormally.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Srivastava in view of Ivey Morimoto’s method with teaching of Donnelly  in order to provide security system and method for use in a communications network, said network comprising means to allow a plurality of devices to communicate over the network; a security agent configured on at 

Claims 33, is device claim corresponding method claim 26, also rejected accordingly.

Claims 27, 34 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Srivastava et al.(US 2016/0261621, hereinafter Srivastava) in view of Ivey et al. (US 20160005029 A1, hereinafter Ivey) and further in view of Morimoto et al (US 20100223663 A1) and in view of Dost et al. (US 2017/0295057 A1, hereinafter Dost).

Regarding claim 27, the combination teaches all the claimed limitation of claim 21. However, the combination does not expressly teach the following limitation that Dost teaches wherein a Software as a Service (SaaS) is configured to perform the operations of the computer system (Dost, para [0088], the one or more processors may also operate to support performance of the relevant operations in a "cloud computing" environment or as a "software as a service" ( SaaS).).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Srivastava in view of Ivey and Morimoto’s method with teaching of Dost in order for storing a plurality of service configurations and a plurality of configuration programs one of which is Saas (Dost, abstract).
.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987.  The examiner can normally be reached on 8.30 to 430 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

//MOHAMMED WALIULLAH/ Primary Examiner, Art Unit 2498