DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 112(b):
	Applicant’s amendment is considered to have overcome said rejection. Accordingly, the rejection has been withdrawn.

Regarding claims rejected under 35 USC 103:
Applicant’s arguments have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Kuperman (US 2017/0244737 A1).

Regarding claims rejected under 35 USC 101:
Applicant's arguments, in view of the amended claims, have been fully considered but they are not persuasive.
The claims now recite “associated with a plurality of IoT devices” and “using machine learning.” However, the claims still appear to be drawn to the judicial exception of a mathematical concept. For instance, the recited IoT devices do not perform any steps of the method of claim 1, nor are they configured as part of the system of claim 12. Further, the machine of “machine learning” is not specified as performing any steps, nor as being configured to perform any steps. It is also noted that the “using” is not sufficiently specified concerning its implementation (i.e., the manner of use). Accordingly, the claims still lack additional elements that would be sufficient to amount to significantly more than the exception. 

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: the “network administration engine; domain knowledge datastore; IoT device demographics generation engine; IoT personality datastore; personality classification engine; signal correlation engine; new personality discovery engine; personality aware enrichment engine; and offline modeling engine” in claims 12-22.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) classifying data via machine learning and associated feedback and recursion; i.e., the claims are drawn to the judicial exception of a mathematical concept (e.g., mathematical relationships, formulas or equations, or calculations). This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea are not considered to be sufficient—see MPEP 2106.05(f). 
Abstract idea limitations (exemplary claim 12): obtaining domain knowledge including knowledge regarding bad IoT personalities received from the network administration engine; perform common factor aggregation of enriched metadata derived from event parameters to 
Claim elements which may be considered to be additional elements (exemplary claim 12): a network administration engine; a domain knowledge datastore, coupled to the network administration engine, that stores domain knowledge; an IoT device demographics generation engine; an IoT personality definition engine, coupled to the IoT device demographics generation engine and the domain knowledge datastore; an IoT personality datastore, coupled to the IoT personality definition engine; a personality classification engine, coupled to the IoT personality definition engine and the IoT personality datastore; a signal correlation engine, coupled to the personality classification engine; to the network administration engine; a new personality profile discovery engine; coupled to the personality classification engine and the signal correlation engine; to the IoT personality definition engine.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because there are no additional elements recited apart from that required to perform the judicial exception (i.e., the claims recite “engines” and “datastores” implementing all the functionality, which are generic computing components such as a processor and memory and do not otherwise recite any integration of the judicial exception in a practical application). For instance, FIG. 15 and [0157] of the specification disclose that the claimed engines may be implemented locally with respect to the claimed IoT device. As such, in one potential embodiment, the entirety of the engines may be resident within a single computer, and are not otherwise specified as being limited to a particular computing environment or 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ridley (US 2018/0115574 A1) in view of Muddu (US 9,516,053 B1) and Kuperman (US 2017/0244737 A1).

Regarding claim 1, Ridley discloses: A method comprising: 
performing common factor aggregation of enriched metadata derived from event parameters associated with a plurality of IoT devices to obtain aggregated metadata permutations; 
Refer to at least FIG. 2, [0024]-[0026], and [0035]-[0039] of Ridley with respect to obtaining network traffic metadata; vectorized metadata. 
Refer to at least [0031] of Ridley with respect to obtaining and storing metadata for multiple devices. 
defining a personality, including data samples associated with the personality, using the aggregated metadata permutations, and prior personality data set feedback from a new personality profile discovery engine; 
classifying the personality using the data samples and IoT personality models, wherein the personality has a signal associated therewith; 
Refer to at least FIG. 3, [0006], [0032], and [0034]-[0035] of Ridley with respect to analyzing and classifying the obtained metadata, as well as other information, for use in creating behavior profiles for IoT devices. The profiles may be continually updated.
correlating the signal to reach a verdict and, if the personality is a bad personality, providing bad personality feedback associated with the personality to the network administration engine; 
Refer to at least [0006], [0033] and [0035] of Ridley with respect to said correlating.
Refer to at least [0034], [0036], and [0058] of Ridley with respect to supervised learning and user feedback. The feedback is used to further update profiles. 
Ridley specifies storing multiple sets of metadata and profiles, and further specifies typical and atypical behavior for profiles, but may not fully disclose all elements of: using machine learning to obtain domain knowledge, including knowledge regarding at least one bad IoT personality that models one or more behavior patterns indicative of undesired behavior , from a network administration engine;  the domain knowledge. However, Ridley in view of Muddu discloses: using machine learning to obtain domain knowledge, including knowledge, from a network administration engine;  the domain knowledge.
Refer to at least FIG. 69 and Col. 102, Ll. 24-44 of Muddu with respect to gathering data from external and internal sources; e.g., blacklist data. 
Further, Ridley-Muddu in view of Kuperman discloses: regarding at least one bad IoT personality that models one or more behavior patterns indicative of undesired behavior.
Refer to at least the abstract, [0054], [0063], [0074], and [0076] of Kuperman with respect to training a classifier using known malicious and known non-malicious client device data.
The teachings of Ridley, Muddu, and Kuperman each concern event collection, behavior analysis, and classification, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ridley to further include additional data from internal and external sources (including known malicious and known non-malicious data) for at least the purpose of increasing profile accuracy and/or the rate of detection. 

Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning building behavior profiles).

Regarding claim 3, Ridley-Muddu-Kuperman discloses: The method of claim 1, comprising enriching raw metadata to obtain the enriched metadata.
Refer to at least [0006], [0046], and [0054] of Ridley with respect to additional data such as temporal information and beacon information.
Refer to at least FIG. 33 and Col. 65, Ll. 10-15 of Muddu with respect to enriching event data.
This claim would have been obvious for substantially the same reasons as claim 1 above.



Regarding claim 5, Ridley-Muddu-Kuperman discloses: The method of claim 1, wherein the aggregated metadata permutations are aggregated over a data rollup window that varies based on the context of the IoT device.
Refer to at least [0006] and [0032] of Ridley with respect to building a profile over a period of time deemed necessary to provide an accurate representation for a given device.

Regarding claim 6, Ridley-Muddu-Kuperman discloses: The method of claim 1, comprising: performing offline modeling using the data samples; updating the IoT personality models with the offline modeling.
Refer to at least 116 in FIG. 1 of Ridley with respect to storing data and analysis.
Refer to at least [0032] of Ridley with respect to continually updating profiles.
Refer to at least Col. 51, Ll. 55-64 of Muddu with respect to providing analysis results as needed (i.e., obtaining events, performing analysis, and remediation may be provided separately).
This claim would have been obvious because the substitution of one known element for another (updating models constantly, periodically, based on request, and/or on a set schedule) would have yielded predictable results to one of ordinary skill in the art at the time.

Regarding claim 7, it is rejected for substantially the same reasons as claim 6 above,

The method of claim 1, comprising: recognizing behavior patterns of the IoT device using either or both learned state-transition learning and deep learning.
Refer to at least [0034] of Ridley with respect to a behavioral profile comprising a state machine. 

Regarding claim 9, it is rejected for substantially the same reasons as claims 1 and 8 above (i.e., the citations concerning machine learning).

Regarding claim 10, Ridley-Muddu-Kuperman discloses: The method of claim 1, comprising: computing a degree of risk of undesirable behavior; generating the bad personality alert if the degree of risk of undesirable behavior exceeds an actionable intelligence threshold.
Refer to at least [0058] and [0036] of Ridley with respect to remedial actions such as generating an alert. 

Regarding claim 11, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning supervised learning and user feedback for machine learning).

Regarding independent claim 12, it is substantially similar to independent claim 1 above, but is in system form. Accordingly, claim 12 is rejected for substantially the same reasons as claim 1 above.

Regarding claims 13-21, they are substantially similar to claims 2-11 above, and are therefore likewise rejected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751.  The examiner can normally be reached on 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432