Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1, 3, 5 – 8, 10, 12 – 15, 17, 19 and 20 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Sikder et al. (US Pub. #: 20190108330), hereafter Sikder, and Aguayo Gonzalez et al. (US Pub. #: 9268938), hereafter Ag. Applicant's arguments have been fully considered and are persuasive. Claims 2, 4, 9, 11, 16 and 18 are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3, 5 – 8, 10, 12 – 15, 17, 19 and 20 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with David Fox (attorney) for filed amended claims on 03-09-2020:
1.	(Currently Amended) A method for intrusion detection, the method comprising:

building a security model for the plurality of IoT devices based at least in part on the IoT device data, wherein the security model comprises one or more IoT device data ranges; and
monitoring the plurality of IoT devices to identify a potential intrusion in any of the plurality of IoT devices based at least in part on the IoT device data exceeding any of the one or more IoT device data ranges;
identifying a first device in the plurality of IoT devices where the potential intrusion occurred;
analyzing one or more characteristics of the potential intrusion to determine that the potential intrusion is an intrusion event;
analyzing the intrusion event to determine whether the intrusion event is a known event or an unknown event;
employing, in the first device, a first security measure based on a determination that the intrusion event is a known intrusion event; and
employing, in the first device, a second security measure based on a determination that the intrusion event is an unknown intrusion event;
wherein employing one of the first security measure and the second security measure for the intrusion event comprises:
isolating the first device of the plurality of IoT devices from one or more other IoT devices in the plurality of IoT devices, the first device of the plurality of IoT devices indicating an anomaly; and
reconfiguring the one or more IoT devices to account for the isolating the first device.

2.	(Canceled) 


updating the security model with the one or more characteristics of the potential intrusion.

4.	(Canceled)

5.	(Currently Amended) The method of Claim [[2]] 1, wherein evoking the security measure for the intrusion event comprises triggering a change to a configuration of the first device.

6.	(Previously Presented) The method of Claim 1, wherein the device data further comprises status data associated with the plurality of IoT devices; and wherein the monitoring the plurality of IoT devices to identify the potential intrusion comprises:
analyzing the status data for each of the plurality of IoT devices to determine one or more anomalies associated with a first device; 
obtaining additional IoT device data associated with the first IoT device; and 
analyzing the additional IoT device data to determine the potential intrusion. 

7.	(Currently Amended) The method of Claim [[2]] 1, wherein the determining that the potential intrusion is an intrusion event further comprises:
comparing the one or more characteristics of the potential intrusion to historical IoT device data associated with the plurality of IoT devices. 

8.	(Currently Amended) A system for intrusion detection, the system comprising:
a processor communicatively coupled to a memory, the processor configured to perform a method comprising:

building a security model for the plurality of IoT devices based at least in part on the IoT device data, wherein the security model comprises one or more IoT device data ranges; and
monitoring the plurality of IoT devices to identify a potential intrusion in any of the plurality of IoT devices based at least in part on the IoT device data exceeding any of the one or more IoT device data ranges;
identifying a first device in the plurality of IoT devices where the potential intrusion occurred;
analyzing one or more characteristics of the potential intrusion to determine that the potential intrusion is an intrusion event;
analyzing the intrusion event to determine whether the intrusion event is a known event or an unknown event;
employing, in the first device, a first security measure based on a determination that the intrusion event is a known intrusion event; and
employing, in the first device, a second security measure based on a determination that the intrusion event is an unknown intrusion event;
wherein employing one of the first security measure and the second security measure for the intrusion event comprises:
isolating the first device of the plurality of IoT devices from one or more other IoT devices in the plurality of IoT devices, the first device of the plurality of IoT devices indicating an anomaly; and
reconfiguring the one or more IoT devices to account for the isolating the first device.

9.	(Canceled)


updating the security model with the one or more characteristics of the potential intrusion.

11.	(Canceled)

12.	(Currently Amended) The system of Claim [[9]] 8, wherein evoking the security measure for the intrusion event comprises triggering a change to a configuration of the first device.

13.	(Previously Presented) The system of Claim 8, wherein the device data further comprises status data associated with the plurality of IoT devices; and wherein the monitoring the plurality of IoT devices to identify the potential intrusion comprises:
analyzing the status data for each of the plurality of IoT devices to determine one or more anomalies associated with a first device; 
obtaining additional IoT device data associated with the first device; and 
analyzing the additional IoT device data to determine the potential intrusion.

14.	(Currently Amended) The system of Claim [[9]] 8, wherein the determining that the potential intrusion is an intrusion event further comprises:
comparing the one or more characteristics of the potential intrusion to historical IoT device data associated with the plurality of IoT devices. 

15.	(Currently Amended) A computer program product comprising:
a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to perform a method comprising:

building a security model for the plurality of IoT devices based at least in part on the IoT device data, wherein the security model comprises one or more IoT device data ranges; and
monitoring the plurality of IoT devices to identify a potential intrusion in any of the plurality of IoT devices based at least in part on the IoT device data exceeding any of the one or more IoT device data ranges;
identifying a first device in the plurality of IoT devices where the potential intrusion occurred;
analyzing one or more characteristics of the potential intrusion to determine that the potential intrusion is an intrusion event;
analyzing the intrusion event to determine whether the intrusion event is a known event or an unknown event;
employing, in the first device, a first security measure based on a determination that the intrusion event is a known intrusion event; and
employing, in the first device, a second security measure based on a determination that the intrusion event is an unknown intrusion event;
wherein employing one of the first security measure and the second security measure for the intrusion event comprises:
isolating the first device of the plurality of IoT devices from one or more other IoT devices in the plurality of IoT devices, the first device of the plurality of IoT devices indicating an anomaly; and
reconfiguring the one or more IoT devices to account for the isolating the first device.

16.	(Canceled)


updating the security model with the one or more characteristics of the potential intrusion.

18.	(Canceled)

19.	(Currently Amended) The computer program product of Claim [[16]] 15, wherein evoking the security measure for the intrusion event comprises triggering a change to a configuration of the first device.

20.	(Previously Presented) The computer program product of Claim 15, wherein the device data further comprises status data associated with the plurality of IoT devices; and wherein the monitoring the plurality of IoT devices to identify the potential intrusion comprises:
analyzing the status data for each of the plurality of IoT devices to determine one or more anomalies associated with a first device; 
obtaining additional IoT device data associated with the first device; and 
analyzing the additional IoT device data to determine the potential intrusion.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Sikder teaches [0004] sensor data collector receives data from (Fig. 1) plurality of smart devices such as [0073] IoT devices, where the data consists of numerical values and state information from plurality of sensors; [0006] the data processor takes the numerical values and creates an input matrix... The data analyzer receives the input matrix, trains an analytical model [0028] using one or more machine learning 

Further, a second prior art of record, Ag, teaches at col. 6 lines 57-59: power fingerprinting (PFP) analytics retrieves reference data from a PFP references database and compares the reference data to the received side-channel information from a discrete-time signal processor (DSP). Col. 7 lines 23-31: the response module triggers automatic actions; the actions/responses include, but are not limited to, activating another device, disabling control ports of the target device, notifying the user of the target device, triggering the target device for reboot and reinitiating virtualization, extra intelligence/analysis, collecting data for forensics purposes, collecting data for a blacklist for spotting intrusions, and/or the like… Col. 7 lines 45-48: the malware is stored and used to improve the detection of malware in other devices and for analysis of how the malware is spreading and to what extent (col. 18 line 55) and possible mitigation and such analytics data.

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at 

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior art of record. The same amendments and reasoning are applicable to independent claims 8 and 15 mutatis mutandis. Claims 2, 4, 9, 11, 16 and 18 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BADRINARAYANAN /Examiner, Art Unit 2438.