DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to an application filed 12/08/2020, wherein claims 1 – 8 are pending and ready for examination.  

Response to Arguments
Applicant’s arguments, see Remarks, filed 12/08/2020, with respect to the rejection(s) of claim(s) 1- 8 under 35 USC § 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Rieke.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims-- 1-8 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 9-16 of copending Application No. 15/934,931. Instant claims 1-8 are the methods that are implemented by the apparatus of co-pending claims 9-16.This is a provisional nonstatutory double patenting rejection.


15/934,931 (co-pending)
16/457,948 (instant)
9. An apparatus to protect a network, comprising: a processor; computer memory holding computer program instructions executed by the processor, the computer program instructions configured to: in association with during a network management protocol message exchange: receive a message from an Internet of Things (IoT) device, the message including a network location storing a set of flow attributes for the IoT device; responsive to receipt of the message, issue a query to the network location; in response to the query, receive information including the set of flow attributes; responsive to receipt of the information, configure [the] a network control device to monitor a network behavior of the IoT device by associating at least a portion of the information with a network address associated with the IoT device; and the computer program instructions further configured to monitor a network 


 
10. The apparatus as described in claim 9 wherein the network management protocol is a Dynamic Host Configuration Protocol (DHCP) and the message is a DHCP discover message.
2. The method as described in claim 1 wherein the network management protocol is a Dynamic Host Configuration Protocol (DHCP) and the message is a DHCP discover message that has been extended with a custom DHCP option to include the network location. See response for Claim 1 of Instant above.
11. The apparatus as described in claim 10 wherein the network address is an Internet Protocol (IP) assigned to the IoT device in response to the DHCP discover message.
3. The method as described in claim 2 wherein the network address is an Internet Protocol (IP) assigned to the IoT device in response to the DHCP discover message. See response for Claim 1 of Instant above.
12.  The apparatus as described in claim 9 wherein the computer program instructions are further configured to:

determine whether the network communication is consistent with a network flow as defined in the information; and

upon a determination that the network communication is not consistent with the network flow, take a given action.
4. The method as described in claim 1 further including:
determining whether the network communication is consistent with a network flow as defined in the information; and

upon a determination that the network communication is not consistent with the network flow, taking a given action. See response for Claim 1 of Instant above.
 apparatus as described in claim 12 wherein the given action is one of: issuing a notification, blocking an operation of the IoT device, logging the determination, and ignoring the network communication.
5. The method as described in claim 4 wherein the given action is one of: issuing a notification, blocking an operation of the IoT device, logging the determination, and ignoring the network communication. See response for Claim 1 of Instant above.
14. The apparatus as described in claim 9 wherein the message includes a DHCP option comprising the network location that is an Internet location, and a device identification string that identifies the IoT device.
6. The method as described in claim 1 wherein the message includes a DHCP option comprising the network location that is an Internet location, and a device identification string that identifies the IoT device. See response for Claim 1 of Instant above.
15. The apparatus as described in claim 14 wherein the computer program instructions operating in association with the network management protocol message exchange are further configured to:

determine whether the message originates from a known MAC address; when the message originates from a known MAC address and the DHCP option matches a previously-stored DHCP option for the MAC 

when the message originates from the known MAC and the DHCP option does not match a previously-stored DHCP option for the MAC address, take the given action;

when the message does not originate from a known MAC address, alert that a new IoT device has been detected and wait for a response before issuing the query to the network location.


when the message originates from the known MAC and the DHCP option does not match a 

when the message does not originate from a known MAC address, alerting that a new IoT device has been detected and waiting for a response before issuing the query to the network location. 
As per network management protocol message exchange, DHCP is analogous to the protocol is taught by instant.   As per apparatus See response for Claim 1 of Instant above.
 apparatus as described in claim 9 wherein the computer program instructions operating in association with the network management protocol message exchange are further configured to cache the information for a time period as identified in the information.
As to claim 8, The method as described in claim 1 further including caching the information for a time period as identified in the information.  As per apparatus See response for Claim 1 of Instant above.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Rieke; Malcolm, US 20160072831 A1, March 10, 2016, hereafter referred to as Rieke, in view of Smith; Ned M. et al, US 20190349426 A1, November 14, 2019, hereafter referred to as Smith.

          As to claim 1, Rieke teaches a method of protecting a network – Rieke [0111] the method in FIG. 9 may be practiced in any suitable order and in conjunction with any suitable system, device, and/or process, including the process shown in FIG. 4 and the system shown in FIG. 8 that includes a network control device – Rieke [0045] FIG. 2 depicts components and programmatic inputs and outputs of a Security Control Management System (SCMS) 200, comprising:
         during a network management protocol message lease acquisition exchange – Rieke [0081] if a Dynamic Host Configuration Protocol (DHCP) IP address lease expires and Asset1 receives a different IP address upon renewal of the lease;
        receiving a message from an Internet of Things (IoT) device - [0113] … Data may be received or collected (905) in any suitable manner, such as by polling and/or receiving data streams (as in IPFIX streams, system logs, APIs, etc.). Here, the claimed ‘protocol message’ is taught by Rieke as ‘IPFIX’, the claimed ‘Things (IoT) device’ is illustrated by Rieke as ‘client device 820 in Figure 8’); the message including a network location storing a set of flow attributes for the IoT device – [0111] identifying connections between assets and characteristics thereof from the data (920), and generating (925) and presenting (930) a flow information graph. Here, the claimed ‘network location’ is taught by Rieke as ‘identifying connections’, the claimed ‘flow attributes’ is taught by Rieke as ‘flow information’);
            responsive to receipt of the message, issuing a query to the network location – Rieke [0111] generating (925) and presenting (930) a flow information graph;
            in response to the query, receiving information including the set of flow attributes – Rieke [0111] … Method 900 further includes receiving a selection of a component in the flow information graph (935), displaying additional information in response to the selection (940);
             responsive to receipt of the information, configuring the network control
device to monitor a network behavior of the IoT device – Rieke [0111 and [0045] since at ‘111 … receiving edits to network traffic rules and applying such rules to the network since at ‘27  by associating at least a portion of the information with a network address associated with the IoT device – Rieke [0111] Data can be collected from multiple sources, normalized and combined into a list of records for the purpose of associating all "attributes" with network flow data) and
               monitoring a network communication associated with the IoT device using the information – [0114] Rieke the logic configured to receive and/or transmit information 305 can include sensory or measurement hardware by which the communication device 300 can monitor its local environment (e.g., an accelerometer, a temperature sensor, a light sensor, an antenna for monitoring local RF signals, etc.).  Here, the claimed ‘network communication’ is taught by Chandhok as ‘logic’ whereas the logic suggests that ‘a’ communication is only monitored.  While RIEKE suggests monitoring a network communication associated with the IoT device using the information, SMITH teaches
             monitoring a network communication associated with the IoT device using the information – Smith [1617] At block 22630, the performance of the systems may be continually monitored in terms of resource usage and application objectives.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention for Rieke to consider Smith monitoring feature that not only monitors the IoT device environment but further monitors the IoT device utilization of the requested data.  Rieke provides for environment monitoring thereby increasing the security and safety of the data.  Rieke does not explicitly teach monitoring the subsequent device activities explicated requested as Smith teaches.  Rieke would be motivated to consider Smith because to track not only where assets are being consumed by the progress of that consumption as taught by Rieke at location [0004]).

           As to claim 2, the combination of Rieke and Smith teaches the method as described in claim 1 wherein the network management protocol is a Dynamic Host Configuration Protocol (DHCP) and the message is a DHCP discover message – Rieke [0080] if a Dynamic Host Configuration Protocol (DHCP) IP address lease expires and Asset1 receives a different IP address upon renewal of the lease).

           As to claim 3, the combination of Rieke and Smith teaches the method as described in claim 2 wherein the network address is an Internet Protocol (IP) assigned to the IoT device in response to the DHCP discover message – Rieke [0080] if a Dynamic Host Configuration Protocol (DHCP) IP address lease expires and Asset1 receives a different IP address upon renewal of the lease).

           As to claim 4, the combination of Rieke and Smith teaches the method as described in claim 1 further including:
           determining whether the network communication is consistent with a network flow as defined in the information – Rieke [0111] displaying additional information in response to the selection, receiving edits to network traffic rules (945) and applying such rules to the network); and
           upon a determination that the network communication is not consistent with the network flow, taking a given action – Smith [0404] in lower security applications, the coalition group name server may not require credentials in enroll a device in a coalition group. If the request is determined to be valid at block 1716, at block 1718, a coalition group credential, such as an EPID, may be issued to the object O1. It would have been obvious to a person of ordinary skill in the art before the effective date of the claimed invention to modify Rieke with Smith’s decision logic for restricting access to content and services.  Smith teaches matching data consistent with network flow attributes and would be motivated to consider Smith because to track not only where assets are being consumed but also verify if the request is consistent with predefined data for a group or entity as taught by Rieke at location [0007]).

            As to claim 5, the combination of Rieke and Smith teaches the method as described in claim 4 wherein the given action is one of: issuing a notification, blocking an operation of the IoT device, logging the determination, and ignoring the network communication - Rieke [0117] The flow information graph depicts network traffic that is allowed between network assets (i.e., via the solid flow lines) and traffic that is blocked (i.e, via the dashed flow lines).

          As to claim 6, the combination of Rieke and Smith teaches the method as described in claim 1 wherein the message includes a DHCP option comprising the network location that is an Internet location – Smith [1103] the network address is an Internet Protocol (IP) assigned to the loT device in response to the DHCP discover message since lower level addresses that are usually regulated by leases, and a device identification string that identifies the IoT device -– Smith [0568] …The Device ID can include a string (e.g., a four-byte string) that presents the unique identifier for the sending device).  The same rationale to combine Smith with Rieke in claim 4 applies here.

            As to claim 8, the combination of Rieke and Smith teaches the method as described in claim 1 further including caching the information for a time period as identified in the information - Smith [0635] A cache window may be maintained for all requests. The frequency can be determined by a number of factors, such as the number of requests over a period of time). The same rationale to combine Smith with Rieke in claim 4 applies here.


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Rieke and Smith, in view of DeGraaf, Kathryn et al, US  20110154440, June 23, 2011, hereafter referred to as DeGraaf. 

              As to claim 7, the combination of Rieke and Smith teaches the method as described in claim 6 further including: 
             determining whether the message originates from a known MAC address - Smith [0929] the absence of a periodic "Is Alive" message, or other heartbeat signal, from a watchdog agent in the IoT device to the power plug device may be used as a trigger to reset the IoT device.  Here, the claimed ‘known MAC address’ is taught by Smith as ‘heartbeat signal’ because the signal originates from a known IOT device under watchdog agent.  Smith teaches the MAC Frame 4305 in Figure 53 includes address fields as further taught at location [0551].  THE COMBINATION OF RIEKE AND SMITH DO NOT TEACH when the message originates from a known MAC address and the DHCP option matches a previously-stored DHCP option for the MAC address, issuing the query to the network location;
when the message originates from the known MAC and the DHCP option does not match a previously-stored DHCP option for the MAC address, taking the given action; when the message does not originate from a known MAC address, alerting that a new IoT device has been detected and waiting for a response before issuing the query to the 10 network location, HOWEVER DEGRAFF TEACHES 
           when the message originates from a known MAC address and the DHCP option matches a previously-stored DHCP option for the MAC address, issue the query to the network location - DeGraaf [0041] network device 140 may recognize (e.g., as indicated by reference number 165) that user device 110 is a legacy user device based on the DHCP Option 82 information and/or user device information that may be stored by network device 140 As a result, network device 140 may not generate an encrypted challenge response. Rather, RADIUS server 145 may generate RADIUS access-accept message 170 and may not insert an encrypted challenge response. RADIUS server 145 may send RADIUS access-accept message 170 to network device 125.  Here, the claimed ‘known device’ is taught by DeGraaf as ‘legacy device’ whereas the claimed ‘match’ is taught by DeGraaf as ‘recognize’. The claimed ‘match’ is taught by DeGraaf as ‘recognize’ since a comparison is made);
            when the message originates from the known MAC and the DHCP option does not match a previously-stored DHCP option for the MAC address, take the given action - DeGraaf [0041] network device 125 may generate a DHCP FORCERENEW message 400. User device 110 and network device 140 may generate new encrypted challenges that may be compared by network device 125, as illustrated in FIG. 4. In instances when the encrypted challenges do not match, authentication may fail and security prevention measures may be actuated);
when the message does not originate from a known MAC address, alert that a new IoT device has been detected and wait for a response before issuing the query to the network location - DeGraaf [0053 and 0054] since at ‘53 It may be determined whether the challenge responses match (block 630). For example, network device 125 may compare the encrypted challenges received from both user device 110 and network device 140, since at 54’ If it is determined that the challenge responses do not match (block 630--NO), authentication of the DHCP client may be denied (block 635). For example, DHCP server 130 may send DHCP negative acknowledgement 195 to DHCP client 115).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Rieke and Smith to include the DCHP logic of DeGraaf.  Both Rieke and Smith teaches the message challenge response protocol DHCP but both are silent on logic/policy for authenticating new IOTs.  However, DeGraaf provides for extensive method options for new IOT device provisioning.  Rieke would be motivated to consider DeGraaf because the combination of Rieke and Smith fails to provide the feature to contextualize security and compliance-relevant data from various components of systems for computing, security control, and verify if the request is consistent with predefined data for a group or entity as taught by Rieke at location [0004]).

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
                
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 24912/11/2021

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491