DETAILED ACTION
This office action is in response to applicant’s amendment filed on 11/30/2020. Claim 20 has been added. Claims 1, 5-8, 11, and 15-18 have been amended. Claims 1-20 are pending and are directed towards a system, method, and computer product for Sensor-Based Wireless Network Vulnerability Detection. Examiner acknowledges applicant’s amendment to the specification and therefore withdraws the previous office action’s objections to the specification. In addition, the examiner acknowledges applicant’s amendment to claim 5 and therefore withdraws the previous office action’s objections to claim 5.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
1.	Applicant’s arguments filed 11/30/2020 have been fully considered.
A) Applicant’s arguments, with respect to newly amended claim 1, that Stephens fails to teach “a plurality of coexisting wireless networks” (page 8 of the present response) have been fully considered but they are not persuasive.
	Regarding A) Stephens teaches wireless environment comprising a plurality of coexisting wireless networks (para 88, line 1-9; network interface 918 of 
B) Applicant’s arguments, with respect to 102 rejection 1, that Stephens fails to teach “sensors employed in wireless environment, as called for in the claim, where the sensors are, by their very nature, deployed out-of-band and sniff the air to detect information being sent over the air” (page 8-9 of the present response) have been fully considered but they are not persuasive.
	Regarding B) claim 1 only recites “network sensor deployed in the wireless environment”, where Stephens teaches network sensor deployed in the wireless environment (para 33, line 1-14 and para 88, line 1-9; sensors are embedded within network 102 and may be placed on hosts to detect local activity, and network interface 918 of host computer communicates with networks via wireless connections).  The claim itself does not recite any language that narrows the limitation to out-of-band sensors.  Therefore, the claimed limitation in question is taught by the prior art.
Claim Rejections - 35 USC § 102
2.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
3.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


4.	Claims 1-7, 10-17, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Stephens et al. (US Pub. 2008/0271143), hereinafter Stephens, filed on Apr. 24, 2007.
Regarding claim 1, Stephens teaches method for detecting potential vulnerabilities in a wireless environment comprising a plurality of coexisting wireless networks (para 40, line 1-5 and para 88, line 1-9; a method for insider threat detection with network interface 918 of computer communicating with networks via wireless connections), comprising: 

analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment (para 41, line 1-2 and para 42, line 1-6; step 203 includes processing the collected activity to generate information-use events and step 206 includes generating contextual information associated with users of the network); 
initiating at least one investigation action to determine if any wireless network of the at least two of the plurality of coexisting wireless networks is a vulnerable network (para 43, line 1-12 and para 44, line 1-5 and para 88, line 1-9; step 208 includes examining network activities enabled by the information-use events for volumetric anomalies and suspicious and/or evasive behavior, and 
determining a risk score based in part on the at least one investigation action (para 43, line 1-3 and para 45, line 1-2; step 210 includes determining a threat score for each user of the network using the generated alerts based on the information-use events); and 
enforcing a security policy on the identified vulnerable network of the plurality of coexisting wireless networks, wherein the security policy is determined responsive to the risk score and instructions received from a control system (para 45, line 3-8 and para 88, line 1-9; using a Bayesian network, if a given user’s threat score is above a set threshold, the user’s activity is further examined to determine whether it corresponds to a real insider threat, and network interface 918 of computer communicating with networks via wireless connections).
	Regarding claim 2, Stephens teaches method of claim 1.
	Stephens teaches a vulnerable network is detected when a risk score is over a predefined threshold value (para 45, line 1-8; if a given user’s threat score is above a threshold, the user’s activity is further examined to determine whether it corresponds to a real insider threat to the network).
Regarding claim 3, Stephens teaches method of claim 1.
	Stephens teaches performing a mitigation action based on the determined risk score (para 39, line 10-12 and para 45, line 1-6; if the threat score is above a set threshold and corresponds to a real insider threat, the analysts inform appropriate organizational authorities to take action).
Regarding claim 4, Stephens teaches method of claim 1.
	Stephens teaches a suspicious network is automatically labeled as a vulnerable network (para 43, line 3-6 and para 45, line 1-6; if the threat score is above a set threshold through examining volumetric anomalies and suspicious and/or evasive behavior, the user’s activity is further examined to determine whether it corresponds to a real insider threat to the network).
Regarding claim 5, Stephens teaches method of claim 1.
	Stephens teaches determining a vulnerable network based on at least one of: a connection type, transmitted data, usage patterns (para 43, line 1-6 and para 45, line 1-2; determine a threat score for the network based on examining volumetric anomalies and suspicious and/or evasive behavior), and a fingerprint of an unknown device.  
Regarding claim 6, Stephens teaches method of claim 1.

Regarding claim 7, Stephens teaches method of claim 6.
	Stephens teaches determining the wireless network of the plurality of wireless networks to be vulnerable when the wireless network of the plurality of wireless networks, or any device connected in the wireless network of the plurality of wireless networks, performs a malicious activity (para 43, line 3-6 and para 45, line 1-6 and para 88, line 1-9; if the threat score is above a set threshold through examining volumetric anomalies and suspicious and/or evasive behavior, the user’s activity is further examined to determine whether it corresponds to a real insider threat to the network, and network interface 918 of computer communicates with networks via wireless connections).
Regarding claim 10, Stephens teaches a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry (para 90, line 1-11; computer readable medium having computer program that, when executed by one or more data processing devices) to execute the method of claim 1 (same teaching as claim 1).
	Regarding claim 11, Stephens teaches a system for detecting potential vulnerabilities in a wireless environment comprising a plurality of coexisting wireless networks (para 40, line 1-5 and para 88, line 1-9; a system for insider threat detection with network interface 918 of computer communicating with networks via wireless connections), comprising: 
a processing circuitry (para 90, line 8-10; one or more data processing devices); and 
a memory, the memory containing instructions that, when executed by the processing circuitry (para 90, line 1-11; computer readable medium having computer program that, when executed by one or more data processing devices), configure the system to: 
collect wireless traffic data for at least two of the plurality of coexisting wireless networks, the collecting being performed by at least one network sensor deployed in the wireless environment (para 33, line 1-14 and para 40, line 3-9 and 
analyze the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment (para 41, line 1-2 and para 42, line 1-6; step 203 includes processing the collected activity to generate information-use events and step 206 includes generating contextual information associated with users of the network); 
initiate at least one investigation action to determine if any wireless network of the at least two of the plurality of coexisting wireless networks is a vulnerable network (para 43, line 1-12 and para 44, line 1-5 and para 88, line 1-9; step 208 includes examining network activities enabled by the information-use events for volumetric anomalies and suspicious and/or evasive behavior, and network interface 918 of computer communicating with networks via wireless connections); 
determine a risk score based in part on the at least one investigation action (para 43, line 1-3 and para 45, line 1-2; step 210 includes determining a threat 
enforce a security policy on the identified vulnerable network of the plurality of coexisting wireless networks, wherein the security policy is determined responsive to the risk score and instructions received from a control system (para 45, line 3-8 and para 88, line 1-9; using a Bayesian network, if a given user’s threat score is above a set threshold, the user’s activity is further examined to determine whether it corresponds to a real insider threat, and network interface 918 of computer communicating with networks via wireless connections).
Regarding claim 12, Stephens teaches system of claim 11.
Stephens teaches the system is configured such that a vulnerable network is detected when a risk score is over a predefined threshold value (para 45, line 1-8; if a given user’s threat score is above a threshold, the user’s activity is further examined to determine whether it corresponds to a real insider threat to the network). 
Regarding claim 13, Stephens teaches system of claim 11.
	Stephens teaches perform a mitigation action based on the determined risk score (para 39, line 10-12 and para 45, line 1-6; if the threat score is above a set 
Regarding claim 14, Stephens teaches system of claim 11.
Stephens teaches the system is further configured such that a suspicious network is automatically labeled as a vulnerable network (para 43, line 3-6 and para 45, line 1-6; if the threat score is above a set threshold through examining volumetric anomalies and suspicious and/or evasive behavior, the user’s activity is further examined to determine whether it corresponds to a real insider threat to the network).
Regarding claim 15, Stephens teaches system of claim 11.
Stephens teaches determine a vulnerable network based on at least one of: a connection type, transmitted data, usage patterns (para 43, line 1-6 and para 45, line 1-2; determine a threat score for the network based on examining volumetric anomalies and suspicious and/or evasive behavior), and a fingerprint of an unknown device.
Regarding claim 16, Stephens teaches system of claim 11.
Stephens teaches determine whether a wireless network of the plurality of coexisting wireless networks, or any device connected in the wireless network of the plurality of coexisting wireless networks, performs a malicious activity (para 
Regarding claim 17, Stephens teaches system of claim 16.
Stephens teaches determine the wireless network of the plurality of coexisting wireless networks to be vulnerable when the wireless network of the plurality of coexisting wireless networks, or any device connected in the wireless network of the plurality of coexisting wireless networks, performs a malicious activity (para 43, line 3-6 and para 45, line 1-6 and para 88, line 1-9; if the threat score is above a set threshold through examining volumetric anomalies and suspicious and/or evasive behavior, the user’s activity is further examined to determine whether it corresponds to a real insider threat to the network, and network interface 918 of computer communicates with networks via wireless connections).
Regarding claim 20, Stephens teaches method of claim 6.
Stephens teaches wherein the at least one network sensor comprises at least two network sensors, wherein a first of the at least two network sensors .
Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
6.	Claims 8-9 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Stephens in view of Gong et al. (US Pub. 2016/0078229), hereinafter Gong, filed on Nov. 9, 2015.
Regarding claim 8, Stephens teaches method of claim 1.
	Stephens does not teach generating a list of wireless entities in the wireless environment.
	Gong teaches generating a list of wireless entities in the wireless environment (para 47, line 6-10 and para 53, line 1-6; the security server 108 may provide new entries for a whitelist and entries for a blacklist to assist the data flagging module 418 to determine if network data is suspicious, where the network data is network traffic on a network from one device to another).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Stephens to incorporate the teachings of Gong to provide new entries to a whitelist and a blacklist, which are associated with network traffic on a network from one device to another.  Doing so would allow for the detection of suspicious network activities, as recognized by Gong.
Regarding claim 9, Stephens teaches method of claim 8.
	Stephens teaches checking a wireless device to detect at least known or unknown vulnerabilities (para 40, line 3-9 and para 43, line 3-8; sensors 101 in system 100 of Fig. 1 may collect network activity and examine for volumetric anomalies and suspicious and/or evasive behaviors)

Gong teaches where the wireless device is added to the list of wireless entities in the wireless environment (para 47, line 6-10 and para 53, line 1-6; the security server 108 may provide new entries for a whitelist and entries for a blacklist to assist the data flagging module 418 to determine if network data is suspicious, where the network data is network traffic on a network from one device to another).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Stephens to incorporate the teachings of Gong to provide new entries to a whitelist and a blacklist, which are associated with network traffic on a network from one device to another.  Doing so would allow for the detection of suspicious network activities, as recognized by Gong.
Regarding claim 18, Stephens teaches system of claim 11.
	Stephens does not teach generate a list of wireless entities in the wireless environment.
	Gong teaches generate a list of wireless entities in the wireless environment (para 47, line 6-10 and para 53, line 1-6; the security server 108 may 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Stephens to incorporate the teachings of Gong to provide new entries to a whitelist and a blacklist, which are associated with network traffic on a network from one device to another.  Doing so would allow for the detection of suspicious network activities, as recognized by Gong.
Regarding claim 19, Stephens teaches system of claim 18.
	Stephens teaches check a wireless device to detect at least known or unknown vulnerabilities (para 40, line 3-9 and para 43, line 3-8; sensors 101 in system 100 of Fig. 1 may collect network activity and examine for volumetric anomalies and suspicious and/or evasive behaviors)
Stephens does not teach where the wireless device is added to the list of wireless entities in the wireless environment.
Gong teaches where the wireless device is added to the list of wireless entities in the wireless environment (para 47, line 6-10 and para 53, line 1-6; the security server 108 may provide new entries for a whitelist and entries for a 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Stephens to incorporate the teachings of Gong to provide new entries to a whitelist and a blacklist, which are associated with network traffic on a network from one device to another.  Doing so would allow for the detection of suspicious network activities, as recognized by Gong.
Conclusion
7.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will 
8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-

/NHAN HUU NGUYEN/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492