Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted was in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Terminal Disclaimer
The terminal disclaimer filed on 02-04-2020 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of patents 10609051 and 10230740 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Eric Jensen (attorney) for filed claims on 03-04-2021:
1.	(Currently Amended) A method comprising:
receiving network traffic data from a network traffic hub within a local network, the network traffic hub configured to aggregate intercepted network traffic; 

computing, for the smart appliance, a score comprising a numeric confidence value representing a probability that the smart appliance is performing a malicious behavior and based on historic network traffic data and identification data associated with a different smart appliance performing malicious behavior; [[and]]
when it is determined that the numeric confidence value exceeds first threshold, blocking subsequent network traffic being sent by or to the smart appliance and sending a notification to a user;
when it is determined that the numeric confidence value is less than the first threshold but greater than a second threshold, adding the smart appliance to a security watchlist and alerting an operator associated with the network traffic hub of the smart appliance and/or the computed score.

2.	(Original) The method of claim 1, further comprising:
receiving, from the network traffic hub, software that is being downloaded by the smart appliance;
determining that the software is malicious; and
transmitting an instruction to the network traffic hub to block network traffic associated with the software.

3.	(Original) The method of claim 1, wherein the historic network traffic data is received over a threshold period of time.

4.	(Original) The method of claim 1, wherein the score is additionally computed using threat intel data.

5.	(Original) The method of claim 1, wherein the notification contains information about a source address or a destination internet address associated with the blocked network traffic.

6.	(Cancelled).

7.	(Original) The method of claim 1, wherein the score is additionally computed based on one or more of: a time interval associated with features of the network traffic data or the identification data, a location for smart appliance behavior that may be falsely determined to be malicious, and a timeframe for a software update.

8.	(Currently Amended) A non-transitory computer-readable storage medium storing executable computer instructions that, when executed by a hardware processor, cause the hardware processor to perform steps comprising:
receiving network traffic data from a network traffic hub within a local network, the network traffic hub configured to aggregate intercepted network traffic; 
receiving identification data from the network traffic hub identifying a smart appliance on the local network and identifying a current internet address for the smart appliance on the local network;
computing, for the smart appliance, a score comprising a numeric confidence value representing a probability that the smart appliance is performing a malicious behavior and based on historic network traffic data and identification data associated with a different smart appliance performing malicious behavior; [[and]]
when it is determined that the numeric confidence value exceeds a first threshold, blocking subsequent network traffic being sent by or to the smart appliance and sending a notification to a user; 
when it is determined that the numeric confidence value is less than the first threshold but greater than a second threshold, adding the smart appliance to a security watchlist and alerting an operator associated with the network traffic hub of the smart appliance and/or the computed score.

9.	(Original) The non-transitory computer-readable storage medium of claim 8, wherein the instructions, when executed, cause the processor to perform further steps comprising:
receiving, from the network traffic hub, software that is being downloaded by the smart appliance;

transmitting an instruction to the network traffic hub to block network traffic associated with the software.

10.	(Original) The non-transitory computer-readable storage medium of claim 8, wherein the historic network traffic data is received over a threshold period of time.

11.	(Original) The non-transitory computer-readable storage medium of claim 8, wherein the score is additionally computed using threat intel data.

12.	(Original) The non-transitory computer-readable storage medium of claim 8, wherein the notification contains information about a source address or a destination internet address associated with the blocked network traffic.

13.	(Cancelled).

14.	(Original) The non-transitory computer-readable storage medium of claim 8, wherein the score is additionally computed based on one or more of: a time interval associated with features of the network traffic data or the identification data, a location for smart appliance behavior that may be falsely determined to be malicious, and a timeframe for a software update.

15.	(Currently Amended) A system comprising:
a non-transitory computer-readable storage medium storing executable instructions that, when executed, cause the system to perform steps comprising:
receiving network traffic data from a network traffic hub within a local network, the network traffic hub configured to aggregate intercepted network traffic; 
receiving identification data from the network traffic hub identifying a smart appliance on the local network and identifying a current internet address for the smart appliance on the local network;
computing, for the smart appliance, a score comprising a numeric confidence value representing a probability that the smart appliance is performing a malicious 
when it is determined that the numeric confidence value exceeds a first threshold, blocking subsequent network traffic being sent by or to the smart appliance and sending a notification to a user; 
when it is determined that the numeric confidence value is less than the first threshold but greater than a second threshold, adding the smart appliance to a security watchlist and alerting an operator associated with the network traffic hub of the smart appliance and/or the computed score; and
a processor configured to execute the instructions.

16.	(Original) The system of claim 15, wherein the instructions, when executed, cause the system to perform further steps comprising:
receiving, from the network traffic hub, software that is being downloaded by the smart appliance;
determining that the software is malicious; and
transmitting an instruction to the network traffic hub to block network traffic associated with the software.

17.	(Original) The system of claim 15, wherein the historic network traffic data is received over a threshold period of time.

18.	(Original) The system of claim 15, wherein the score is additionally computed using threat intel data.

19.	(Original) The system of claim 15, wherein the notification contains information about a source address or a destination internet address associated with the blocked network traffic.

20.	(Cancelled).  

Response to Arguments
The amended claims 1 – 5, 7 – 12 and 14 – 19 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art: Zak, Omar (US Pub. #: 20160295364), hereinafter Zak; Ben-Or et al (US Pub. #: 9294497), hereinafter Ben; and further in view of Kumar et al (US Pub. #: 20130298192), hereinafter Kumar. The arguments have been fully considered and are persuasive. Dependent claims 6, 13 and 20 are cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 5, 7 – 12 and 14 – 19 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 
                                                                                                                                                                                  
Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Zak teaches [0031] & Figs. 1A, 1B, 2 & 3: The IoT devices may be equipped with various types of sensors to collect information about themselves and their surroundings and provide the collected information to the IoT service, user devices and/or external Websites via the IoT hub; [0061] a remote control code learning module on the IoT hub may retrieve the required IR/RF codes from the remote control code database on the IoT service (e.g., identifying each piece of electronic equipment with a unique ID); [0114] Fig. 16A each IoT device or SIM may be packaged with a barcode or QR code uniquely identifying the IoT device and/or SIM; [0061-0062]  the IoT hub is equipped with an IR/RF interface to allow the remote control code learning module to "learn" new remote control codes directly from the original remote control provided with the electronic equipment; [0114] the IoT 

Further, a second prior art of record Ben teaches: C5L7-27, 46-65, C6L31-34: Risk scores are calculated for all the entities, where the scores calculated are based on key indicators from the networks and sub-networks. Key Indicators (KI) include various transactions occurring between entities, changes in volume, value and velocity, including the identification of the entity. The KIs are statistically calculated variables from which risk scores are computed. Risk scores may be between 0 and 1 or 0 and 100, which indicate a likelihood that a transaction activity is suspicious due to a malicious software takeover of an entity.

Further, a third prior art of record Kumar teaches: [0142, 0255, 0280] event correlator, analyzes and classifies threats along with a forensic confidence score, sends real-time actions to the remediation controller, and real-time status indications to a dashboard controller. Remediation controller sends directives to orchestration and policy enforcement point services for machine, flow or transaction level remediation based on configured thresholds. OpenFlow controller sends rules to the Open Flow enabled network element (switch) to divert or block traffic flows to/from the forewarned network device.

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: the system collects the data from a network hub and computes score representing a probability to find the maliciousness from

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same reasoning applies to amended independent claims 8 and 15 and their corresponding dependent claims mutatis mutandis.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
                                                                                                                                                                                                            
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see form “PTO-892 Notice of References Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to whose telephone number is 571-2703867.  The examiner can normally be reached on M-F: 7:30am-5pm (EST).  Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  If attempts to reach the examiner by telephone 



/BADRINARAYANAN /Examiner, Art Unit 2438.