Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the amendment filed 03/03/2021.
Claims 1-8 and 10-21 are presented for examination.

Response to Arguments
Applicant’s arguments, see pages 10 and 11 of the Remarks, filed 03/03/2021, with respect to the 35 USC 112(f) interpretation and 35 USC 112(b) rejection directed to the “a device …” limitation have been fully considered and are persuasive.  The rejection of claim 8 has been withdrawn.
Applicant's arguments, see pages 11-16 of the Remarks, filed 03/03/2021, with respect to the 35 USC 103 rejection to claims 1, 8 and 15 have been fully considered but they are not persuasive. It has been argued that Wang does not teach the limitations of “patterns derived using statistical bounds” and “the current behavior thereof is not within a predetermined or configurable threshold”. The Applicant’s interpretation of the references has been noted, however the Examiner respectfully disagrees.
Regarding the limitation of “patterns derived using statistical bounds”, the context of “statistical bounds” in paragraph 32 of the specification cited by the Applicant in the Remarks appears to be different than that of the claims. As cited by the Applicant, paragraph 32 states, “Such a pattern would capture (with statistical bounds) the normal behavior,” while the claims state “patterns derived using statistical bounds.” Based on paragraph 32 of the specification, the context is directed to an idea that by using the [statistical] patterns it places statistical bounds on the normal behavior, e.g., inferring statistical bounds by the use of statistical patterns. The claims mention the patterns are derived using statistical bounds, e.g., the statistical bounds are a type of information that may be collected in order to perform the analysis … it does not describe the actual analysis performed …” In response, it is noted that the features upon which applicant relies (i.e., the actual analysis performed) are not recited in the rejected claims.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Referring again to Wang, Wang teaches that the information collected includes statistics concerning the network connection while the details of how the collected or received data is used was previously cited by the Examiner in the Office Action when pointing to Col. 14, lines 9-19. The Examiner believes these citations of Wang meet the current limitation of “patterns derived using statistical bounds”. The Examiner notes the example at the end of paragraph 32 of the Applicant’s specification; similar subject matter, if amended into the claims, would be helpful in the advancement of the examination process.
Regarding the limitation of “the current behavior thereof is not within a predetermined or configurable threshold”, “threshold” is the level or point at which something starts to happen or change. Therefore, without further limitations defining the claimed threshold, the claimed threshold is merely a level or point. However, the Applicant’s arguments seem to be based on if the plural form of threshold was claimed, e.g. “within predetermined or configurable thresholds” or “within a range or window of thresholds”. Nonetheless, if there is a number line counting one through ten, with a threshold set at 7, a measurement matching 7 would fall “within the threshold” which is the same concept as taught by Wang and meets the limitation of the claim. The Examiner notes that the specification does not detail the threshold much more than in paragraph 37 of the specification it states “above a certain threshold”. Also, Wang 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-8, 10-15 and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over US 10,505,959 to Wang et al. (hereinafter Wang) in view of US 2016/0269436 to Danielson et al. (hereinafter Danielson) in further view of US 2013/0247187 to Hsiao et al. (hereinafter Hsiao).
As to claims 1, 8 and 15, Wang teaches a computer-implemented method for detecting a malicious device within one or more related networks (abstract and Col 15, lines 18-25 identifying a malicious attack or behavior is being performed), the computer-implemented method comprising the (Col 11, lines 29-49, monitor and collect traffic and/or data); determining behavior profiles for the second devices in the functional groups wherein the behavior profiles include behavioral data estimated to be normal behavior (Col 14, lines 9-19, produce one or more reference profiles that correspond to observed behaviors by a particular group of entities), said normal behavior based on patterns derived using statistical bounds (Col 6, line 64 to Col 7, line 10); and comparing a current behavior of a first device with a behavior profile of the behavior profiles, and to indicate malicious behavior for the first device in response to determining that the current behavior thereof is not within a predetermined or configurable threshold of the compared behavior profile (Col 15, lines 18-33; Col 16, lines 4-9, determination of whether the monitored behavior matches the reference profiles and to what degree of matching).
Wang does not explicitly teach creating functional groups based, at least in part, on behaviors of second devices, wherein each of the functional groups is comprised of second devices that perform the same task.
However, Danielson teaches creating functional groups based, at least in part, on behavior patterns of second devices, wherein each of the functional groups is comprised of second devices that perform the same task (paragraph 31, determine groups for components by function).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teachings of Wang to include the method of creating functional groups as taught by Danielson in order to provide a more normalized data output thus increasing data integrity.
Wang and Danielson do not explicitly teach deploying the behavior profiles to at least one monitor node on the one or more local networks, wherein the at least one monitor node on the one or more local networks includes a data stream monitor.
However, Hsiao teaches deploying the behavior profiles to at least one monitor node on the one or more local networks, wherein the at least one monitor node on the one or more local networks includes a data stream monitor (FIG. 6 and paragraph 55, wherein the server comprises a behavior analysis engine and classifier and the computing devices each comprise a behavior analysis engine and classifier and the server pushes behavior models to the behavior analysis engine and classifier of the computing devices).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teachings of Wang and Danielson to include the method of deploying behavior profiles as taught by Hsiao in order to provide a more efficient method of monitoring behavior of malicious devices by distributing the load of monitoring to each device while keeping each device up-to-date on the current monitoring practices.
As to claims 3 and 17, Danielson teaches wherein the at least one data stream for the one or more first devices is transmitted from one or more routers or the at least one monitor node to a device outside of the local network (FIG. 1 and paragraph 29, data of the devices are analyzed by the system 100).
As to claims 4 and 18, Danielson teaches wherein the one or more routers or the at least one monitor nodes are coupled to an internet, and wherein the internet is coupled to the device outside of the local network (FIG. 1 and paragraphs 13 and 22, internet connecting the devices and the system).
As to claims 5 and 19, Danielson teaches wherein the device outside of the local network is coupled to a behavior database having known device behavior data obtained by one or more of user input, detection, or input from third parties (paragraphs 21 and 36, wherein the behavior models are stored and used for monitoring and detection of malicious devices, location of stored baseline behavior models).
As to claims 6, 10 and 20, Danielson teaches alerting a user that the first device is malicious if the current behavior of the first device is not within the predetermined or configurable threshold of the compared behavior profile (paragraph 43, generate a notification indicating anomalous component).
As to claims 7, 11 and 21, Danielson teaches shutting down or quarantining the first device if the current behavior of the first device is not within the predetermined or configurable threshold of the compared behavior profile (paragraph 45, isolate or deactivate).
As to claim 12, Danielson teaches further comprising a computing device including one or more processors, a network interface module, and memory, and wherein the processor is coupled to the network interface module and is configured to execute a behavior tracking process (paragraphs 18 and 19, components to enable real-time monitoring).
As to claim 13, Danielson teaches wherein the behavior analyzer is coupled to a device outside of the local network having the behavior profile and known device behavior data (paragraph 29, use of the real-time and historical information to build behavior model; paragraphs 21 and 36, wherein the historical data and behavior models are stored and used for monitoring and detection of malicious devices, location of stored baseline behavior models).
As to claim 14, Danielson teaches wherein the one or more monitor nodes include a data stream monitor and device statistics (paragraphs 29 and 30, device used for receiving the performance data and real-time behavior detection).

Claims 2 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Danielson in view of Hsiao in further view of US 9,185,095 to Moritz et al. (hereinafter Moritz).
As to claims 2 and 16, Wang, Danielson and Hsiao do not explicitly teach wherein the at least one data stream for the one or more first devices includes one or more of, a statistical amount of inbound or outbound network traffic, a type of network traffic, a source and destination port of a 
However, Moritz teaches wherein the at least one data stream for the one or more first devices includes one or more of: a statistical amount of inbound or outbound network traffic, a type of network traffic, a source and destination port of a packet, a destination address of the packet, time between the packet arrival and transmission, and a duration of a connection (Col 15, lines 4-13 and Col 21, lines 49-54).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teachings of Wang, Danielson and Hsiao with the method of monitoring a data stream including traffic as taught by Moritz in order to predict and identify possible intrusive behavior based on traffic thus further increasing the efficiency and accuracy of detecting malicious devices.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MALCOLM CRIBBS whose telephone number is (571)270-1566.  The examiner can normally be reached on Monday-Friday 930a-330p; 430p-630p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on (571)270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MALCOLM . CRIBBS
Examiner
Art Unit 2497



/MALCOLM CRIBBS/ Primary Examiner, Art Unit 2497