DETAILED ACTION
1.	This action is responsive to communications regarding the applicant’s amendments and arguments, filed on 02/10/2021. 
2. 	Claims 1-4, 6-11, 13-18, and 20 are pending.
Response to Arguments and Amendments
3.	Applicant’s arguments, see page 2-4 on remarks, filed 02/10/2021, with respect to the rejection(s) of claim(s) 103 rejection under 1-4, 6-11, 13-18, and 20 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Nagendra Kumar Nainar (US 20170302663).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-4, 6-11, 13-18, and 20  are rejected under 35U.S.C 103 as being unpatentable over Jean-Philippe Vasseur (US 20160219071), in view of Nagendra Kumar Nainar (US 20170302663), hereinafter Nainar.

	Regarding claim 1:
	Vasseaur discloses 6receiving a set of endpoint data at an attestation entity included in an Internet of Things (IoT) network, 7wherein the data is received from a plurality of loT endpoint 8devices for purposes of anomaly detection (e.g., by the machine learning-based anomaly detector, SLN process 248), DLA 402 may receive any number of forms of raw network information 410 regarding traffic flows in the network. In various embodiments, information 410 may include traffic flow records and/or other information gathered by existing networking monitoring mechanisms in the network (e.g., Netflow, OnePK, application-specific information, etc.) (Vasseaur, paragraph 60), and further network 100 may include one or more mesh networks, such as an Internet of Things network. Loosely, the term “Internet of Things” or "IoT' refers to uniquely identifiable objects (things) and their virtual representations in a network-based architecture. In particular, the next frontier in the evolution of the Internet is the ability to connect more than just computers and communications devices (Vasseaur, paragraph 29); 10analyzing the set of endpoint data against a set of conditions based on a set of network policy data pertaining to the plurality of loT 11endpoint devices SLN process 248 may compare raw traffic information 410 to the trained model, to determine whether raw traffic information 410 is considered anomalous. For example, assume that raw traffic information 410 indicates that a particular node or set of nodes have unexpectedly increased their generated traffic by a significant amount to a particular address, for a particular application, etc. In such cases, SLN process 248 may determine that the corresponding traffic flow is anomalous(Vasseaur, paragraph 61); 16reporting the detected on one or more network anomalies and their corresponding 17loT endpoint devices report detected anomalies to the SCA, and/or perform local mitigation action (Vasseaur, paragraph 46), and further these decisions may be based on multiple parameters, such as the relevance of a particular set of data to a candidate anomaly, the type of target visualization (e.g., topology, historical trends, interactive data exploration), policy, degree of confidence, and/or user settings (e.g., tradeoff between accuracy/responsiveness and traffic overhead) (Vasseaur, paragraph 68). However, Vasseaur fails to disclose  in response to determining that the set of endpoint data conforms to the set of conditions: selecting a first loT endpoint device and a second loT endpoint device from the set of loT endpoint devices; capturing a first subset of the set of endpoint data corresponding to the first loT device and capturing a second subset of the set of endpoint data corresponding to the second loT device; cross-validating the first loT endpoint device against the second loT device by testing the first subset of endpoint data and the second subset of endpoint data against a set of cross validation corresponding to the first IoT endpoint device and the second IoT device; detecting, based upon the testing, one or more network anomalies corresponds to the set of cross-validation conditions; and reporting the detected one or more network anomalies and their corresponding IoT devices; wherein the reporting includes the set of cross-validation conditions.
Nainar teaches disclose  in response to determining that the set of endpoint data conforms to the set of conditions: selecting a first loT endpoint device and a second loT endpoint device from the set of loT endpoint devices; capturing a first subset of the set of endpoint data corresponding to the first loT device and capturing a second subset of the set of endpoint data corresponding to the second loT device; cross-validating the first loT endpoint device against the second loT device by testing the first subset of endpoint data and the second subset of endpoint data against a set of cross validation corresponding to the first IoT endpoint device and the second IoT device the device causes performance of a validation of the information about the particular node via comparison of the information about the particular node to a distributed block chain that includes information regarding the particular node and one or more other nodes (Nainar, paragraph 30), and further  a validator may compare the information in notification 404 from edge device 1 against the block chain , to determine a level of trust for node F . Recall, for example, that server 1505 previously updated the block chain to indicate that the manufacturer of node F sold the node to the operator of domain ABC. In turn, the validator in FIG. 4C may compare the reported domain in notification 404 against the existing block chain, to determine whether the two domains match. If so, the validator may update the block chain with the information in notification 404 and set a high trust level for node F in the block chain (Nainar, pargraph 50). Examiner interprets node F is first end point and, against the existing block chain is second IoT endpoint device limitation in claim 1. Detecting, based upon the testing, one or more network anomalies corresponds to the set of cross-validation conditions; and reporting the detected one or more network anomalies and their corresponding IoT devices; wherein the reporting includes the set of cross-validation conditions the block chain allows the other nodes/devices to verify the identity of node F (e.g., when node F migrates to another local network, when node F sends a request to another node, etc.), to detect anomalies (e.g., by comparing traffic profile information or other behavioral information regarding node F stored in the block chain to an observed behavior of node F), and to perform other functions using the shared information about node F (Nainar, paragraph 47). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching Vasseaur with that of Nainar in order to computer networks, and, more particularly, to block chain-based device identity verification and anomaly detection in Internet of Things (IoT) and similar networks.

Regarding claim 2:
	Vasseaur discloses receiving, at the attestation entity, external data provided by one or more 3external sources;  4analyzing one or more group operational contexts based upon the data 5received from a different set of loT endpoint devices and the external  data; and  Docket No. YOR920161202US124 Atty. Ref. No. 6055 based upon the analyzing of the one or more group operational contexts, detecting that one of the one or more network anomalies is 8found in the one or more group operational context, wherein the reporting includes the different 9difeset of loT endpoint devices and the external data sensor networks, a type of smart object network, are typically shared-media networks, such as wireless or PLC networks. That is, in addition to one or more sensors, each sensor device (node) in a sensor network may generally be equipped with a radio transceiver or other communication port such as PLC, a microcontroller, and an energy source, Such as a battery. Often, Smart object networks are considered field area networks (FANs), neighborhood area networks (NANs), personal area networks (PANs), etc. Generally, size and cost constraints on Smart object nodes (e.g., sensors) result in corresponding constraints on resources such as energy, memory, computational speed and bandwidth (Vasseaur, paragraph 16), and further provide the raw data as a compressed digest, send the traffic using a DSCP selected based on the severity of the detected anomaly, send the raw data via a path selected so as not to disrupt existing traffic in the network, or the like (Vasseaur, paragraph 80).

Regarding claim 3:
Vasseaur discloses wherein the one or more external sources are selected from a 2group consisting of a device sensor, and an environmental sensor that provides a set of 4environmental data smart object networks, such as sensor networks, in particular, are a specific type of network having spatially distributed autonomous devices such as sensors, actuators, etc., that cooperatively monitor physical or environmental conditions at different locations, such as, e.g., energy/power consumption, resource consumption (e.g., water/gas/etc. for advanced metering infrastructure or AMI applications) temperature, pressure, vibration, Sound, radiation, motion, pollutants, etc. (Vasseaur, paragraph 16), but fails to disclose a GPS that provides a geographic 3location. Nainar teaches smart object networks, such as sensor networks, in particular, are a specific type of network having spatially distributed autonomous devices such as sensors, actuators, etc., that cooperatively monitor physical or environmental conditions at different locations, such as, e.g., energy/power consumption, resource consumption (e.g., water/gas/etc. for advanced metering infrastructure or “AMI” applications) temperature, pressure, vibration, sound, radiation, motion, pollutants, etc. (Nainar, paragraph 14).It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching Vasseaur with that of Nainar in order to computer networks, and, more particularly, to block chain-based device identity verification and anomaly detection in Internet of Things (IoT) and similar networks.

	Regarding claim 4:
	Vasseur discloses determine that the set of endpoint data comprises one or more anomalies;  retrieving a set of acceptable device operational parameters;  3comparing the set of acceptable device operational parameters to a set 4of conditions pertaining to a selected one of the plurality of loT endpoint 5devices; and  6based on the comparing, detecting that at least one of the  one or more network 7anomalies pertains to the selected one of the IoT endpoint devices, 8wherein the reporting indicates a failure of includes the selected one of the IoT endpoint 9devices and comprises at least one of the conditions of the selected one of the IoT 10endpoint devices that failed to meet one of the sets of acceptable device 11operational parameters, SLN process 248 may employ any number of machine learning based models that have been trained using, e.g., raw traffic data that has been previously classified as “normal” and/or "abnormal.” In turn, SLN process 248 may compare raw traffic information 410 to the trained model, to determine whether raw traffic information 410 is considered anomalous. For example, assume that raw traffic information 410 indicates that a particular node or set of nodes have unexpectedly increased their generated traffic by a significant amount to a particular address, for a particular application, etc. In Such cases, SLN process 248 may determine that the corresponding traffic flow is anomalous (Vasseur, paragraph 61).

	Regarding claim 6:
	Vasseur discloses wherein the network policy data defines normal 2behavior of the IoT network, and wherein at least one network behavior is 3selected from the group consisting of a normal working condition, a sensor 4reading range, and a correlation between a plurality of sensor readings anomaly detection in the context of computer networking typically presents a number of challenges: 1.) a lack of a ground truth (e.g., examples of normal vs. abnormal network behavior), 2.) being able to define a “normal region in a highly dimensional space can be challenging, 3.) the dynamic nature of the problem due to changing network behaviors/anomalies. 4.) malicious behaviors such as mal ware, viruses, rootkits, etc. may adapt in order to appear “normal and 5.) Differentiating between noise and relevant anomalies is not necessarily possible from a statistical stand point, but typically also requires domain knowledge (Vasseur, paragraph 39), and further the time scales of such temporal changes can range between milliseconds (e.g., transmissions from other transceivers) to months (e.g., seasonal changes of an outdoor environment (Vasseur, paragraph 31).

	Regarding claim 7:
Vasseur and Nainar disclose logging the data to a secured ledger, wherein the secured ledger is stored in a 2Blockchain provide for the use of a block chain based mechanism that conveys information regarding the identity of nodes and/or other metadata regarding the nodes, to control the behavior of the nodes in the networks. In some aspects, a fog/edge/root device may act as a proxy to update node information in the block chain on behalf of the nodes (Nainar, column 29). It would have been obvious to someone skilled in the art before the effective filling date of claimed invention to combine the teaching Vasseaur with that of Nainar in order to computer networks, and, more 

Regarding claim 8:
Claim 8 is rejected under the same reason set forth in rejection of claim 1.

Regarding claim 9:
Claim 9 is rejected under the same reason set forth in rejection of claim 2.

Regarding claim 10:
Claim 10 is rejected under the same reason set forth in rejection of claim 3.

Regarding claim 11:
Claim 11 is rejected under the same reason set forth in rejection of claim 4.

Regarding claim 13:
Claim 13 is rejected under the same reason set forth in rejection of claim 6.

Regarding claim 14:
Claim 14 is rejected under the same reason set forth in rejection of claim 7.

Regarding claim 15:
Claim 15 is rejected under the same reason set forth in rejection of claim 1.

Regarding claim 16:
Claim 16 is rejected under the same reason set forth in rejection of claim 2.

Regarding claim 17:


Regarding claim 18:
Claim 18 is rejected under the same reason set forth in rejection of claim 4.

Regarding claim 20:
Claim 20 is rejected under the same reason set forth in rejection of claim 6.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFREY L NICKERSON whose telephone number is (469)295-9235.  The examiner can normally be reached on Monday-Friday 8:00a.m to 5p.m. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nickerson Jeffrey L can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
/THANH H LE/Examiner, Art Unit 2432                                                                                                                                                                                                        
/Kevin Bechtel/Primary Examiner, Art Unit 2491