DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/08/2021, for application 16/653,898 has been entered.
This Office Action is in response to the Amendment filed on 09/08/2021. In the instant amendment: Claims 1-4 and 11-14 have been amended and claims 1 and 11 are independent claims. Claims 5, 9, 15, 19, and 21 have been cancelled. Claims 1-4, 6-8, 10-14, 16-18 and 20 have been examined and are pending. 
Response to Arguments
Applicants' arguments in the instant Amendment with respect to 35 U.S.C. 101 have been fully considered but they are not persuasive.
Applicant’s Arguments: claim 1 is statutory under 35 U.S.C. 101 because the amended claim recites “at least in part by analyzing at least one packet associated with a communication that involves the first IoT device,” “wherein the IoT signal features include: a start time value, and end time value, an interval value, and an interval fluctuation,” “wherein the periodic activity instance descriptors are data structures that describe an activity of the first IoT device using the start time, end time, interval value and interval fluctuation,” and “by generating an alert that indicates that an anomaly has been detected.” See Remarks at 7. 
Examiner's Response: Under the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”), effective January 7, 2019, independent claims 1 and 11 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea without being integrated into a practical application nor being significantly more.  
The claim limitations of “capturing…events,” “analyzing,” “generating…features,” “extracting background event,” “generating periodic activity instance descriptors,” “describe…using…start time, end time, interval value, and interval fluctuation,” “identifying periodic activities,” “matching the detected activities … to the expected periodicities,” “determining that at least one of a maximum interval and a minimum interval has been exceeded” and “taking remedial actions…by generating an alert that indicates that an anomaly has been detected” are directed to an abstract idea because these claim limitations, under their broadest reasonable interpretation, cover processes that could be performed in the human mind. Thus, these limitations fall within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. It is noted that the claims recite additional elements (i.e., system and IOT devices). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of generating model and comparing data), such that they amount to no more than mere instructions to apply the exception using a generic computer component. In addition, “taking a remedial action in response to detecting the anomaly” recites broad, generic language and lacks sufficient details on how such actions may integrate into a practical application. See, e.g., Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1316, 120 USPQ2d 1353, 1359 (patent owner argued that the claimed email filtering system improved technology by shrinking the protection gap and mooting the volume problem, but the court disagreed because the claims themselves did not have any limitations that addressed these issues). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. It is noted that the claim recites some additional elements such as “detecting activities of the first IOT device.” However, these additional elements, taken individually and as a combination, do not result in the claim amounting to significantly more than the abstract idea because “detecting activities of IOT devices” in a network is recited as performing generic computer functions routinely used in information collection, measurement, processing, and analysis (Dezent at [0003] – [0004]. Electronic devices and computing devices are utilized on a daily basis by millions of users worldwide. For example, laptop computers, desktop computers, smartphone, tablets, and other electronic devices are utilized for browsing the Internet, consuming digital content, streaming audio and video, sending and receiving electronic mail (email) messages, Instant Messaging (IM), video conferences, playing games, or the like. An “Internet of Things” (IoT) device is an appliance, machine or device that is able to communicate over a network with a remote server or with a remote recipient. Das at [0005]. The proliferation of connected IoT devices provides an avenue for malicious actors to hack into these connected IoT devices to steal personal information, create botnets by utilizing the compromised IoT devices to mount attacks such as Denial of Service attacks, to spy on unsuspecting users with such IoT devices in their homes, and can be a security threat for safety and well being of users of such IoT devices, including minors.). Generic computer components recited as performing generic computer functions that are well-understood, routine, and conventional activities amount to no more than implementing the abstract idea with a computerized system. Therefore, the claim is directed to non-statutory subject matter.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of abstract idea into a practical application, the additional element of “detecting activities of the first IOT device” amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, these claims are not patent eligible. 



Applicants' arguments in the instant Amendment, filed on 09/08/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant Argues: Dezent in view of Das do not disclose “at least in part by analyzing at least one packet associated with a communication that involves the first IoT device,” “wherein the IoT signal features include: a start time value, and end time value, an interval value, and an interval fluctuation,” “wherein the periodic activity instance descriptors are data structures that describe an activity of the first IoT device using the start time, end time, interval value and interval fluctuation.” See Remarks at 7. 
The examiner respectfully disagrees because these arguments are not persuasive. 
Regarding “at least in part by analyzing at least one packet associated with a communication that involves the first IoT device,” Dezent teaches “[t]he IoT grouping unit may [ ] measure or count bytes or packets or data-items that are sent by and/or received from an IoT device.” See Dezent ¶ [0087] (emphasis added).
Regarding “wherein the IoT signal features include: a start time value, and end time value, an interval value, and an interval fluctuation” and “wherein the periodic activity instance descriptors are data structures that describe an activity of the first IoT device using the start time, end time, interval value and interval fluctuation,” Dezent teaches “[t]he Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices … : (a) timestamp of start… The data is periodically collected (e.g., at pre-defined time intervals) by a Data Collector unit 211 (e.g., via C1 interface), and is stored in a repository therein. In some embodiments, the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission, that is typically performed by each member of said particular IoT group, has a total time-duration of between M1 to M2 seconds, wherein M1 and M2 are pre-defined threshold values; wherein the outlier detector comprises a time-duration abnormality detector, (i) to determine that said particular IoT device sends at least one upstream cellular transmission that has a total time-duration which is not between M1 to M2 seconds.” See Dezent ¶¶ [0035], [0114] (emphasis added). Thus, Dezent teaches the above amended claim limitations.
In conclusion, applicant’s arguments are unpersuasive and the rejection of claim 1 is maintained. Similarly, the rejection of independent claim 11, which recites similar matter to claim 1, is also maintained.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-4, 6-14, and 16-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.  
Regarding claims 1 and 11, claims 1 and 11 are rejected under 35 U.S.C. 101 because the claims are directed to an abstract idea without being integrated into a practical application nor being significantly more.  
The claims recite the limitations of “capturing…events,” “analyzing,” “generating…features,” “extracting background event,” “generating periodic activity instance descriptors,” “describe…using…start time, end time, interval value, and interval fluctuation,” “identifying periodic activities,” “matching the detected activities … to the expected periodicities,” “determining that at least one of a maximum interval and a minimum interval has been exceeded” and “taking remedial actions…by generating an alert that indicates that an anomaly has been detected” are directed to an 
This judicial exception is not integrated into a practical application. It is noted that the claims recite additional elements (i.e., system and IOT devices). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of generating model and comparing data), such that they amount to no more than mere instructions to apply the exception using a generic computer component. In addition, “taking a remedial action in response to detecting the anomaly” recites broad, generic language and lacks sufficient details on how such actions may integrate into a practical application. See, e.g., Intellectual Ventures I LLC v. Symantec Corp., 838 F.3d 1307, 1316, 120 USPQ2d 1353, 1359 (patent owner argued that the claimed email filtering system improved technology by shrinking the protection gap and mooting the volume problem, but the court disagreed because the claims themselves did not have any limitations that addressed these issues). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are not integrated into a practical application.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. It is noted that the claim recites some additional elements such as “detecting activities of the first IOT device.” However, these additional elements, taken individually and as a combination, do not result in the claim 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of abstract idea into a practical application, the additional element of “detecting activities of the first IOT device” amounts to no more than mere instructions to 
Regarding claims 2-4, 6-14, and 16-20, claims 2-4, 6-14, and 16-20 are also rejected under 35 U.S.C 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims do not contain any element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. See Alice Corporation v. CLS Bank International, (S.Ct.2014). See also Intellectual Ventures LLC v. Symantec Corp. (Fed. Cir. 2016), Electric Power Group, LLC v. Alstom SA (Fed. Cir. 2016), Affinity Labs of Texas LLC v. Amazon.com Inc. (Fed. Cir. 2016).
Regarding claim 11, the claim is directed to a system. However, the body of the claim does not positively recite any hardware elements. As recited in the body of the claim, the claimed system includes “engine.” The specification does not explicitly define the claimed “engine” as only implemented in hardware. (See Specification at [0020], “[t]he engines described in this paper, or the engines through which the systems and devices described in this paper can be implemented, can be cloud-based engines.”). One of ordinary skill in the art would understand that “engine” could be implemented in software. (See “The Authoritative Dictionary of IEEE Standards Terms,” Seventh Edition, published in 2000 for details). As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter. The nominal recitation of the system in the Am. Med. Sys., Inc. v. Biolitec, Inc., 618 F.3d 1354, 1358 (Fed. Cir. 2010). See also Ex Parte Cohen et al., (Appeal No. 2009-011366) for details. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101.
Regarding claims 12-14, 16-20, claims 12-14, 16-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 10, 11-14, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dezent et al. (“Dezent,” US 20180375887, filed June 26, 2018) in view of Das et al. (“Das,” US 20190182278, filed Dec. 12, 2017). 
Regarding claim 1, Dezent discloses a method, comprising: 
capturing IoT events associated with a first IoT device and a first IoT application (Dezent FIGs 1-2, [0116]. In some embodiments , the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission , that is typically performed by each member of said particular IoT group , is performed by a particular application running on each member of said particular IoT group ; wherein the outlier detector comprises an application abnormality detector , ( i ) to determine that said particular IoT device sends at least one upstream cellular transmission via another application running on said particular IoT device , and ( ii ) to determine that said particular IoT device is malfunctioning or compromised.), at least in part by analyzing at least one packet associated with a communication that involves the first IoT device (Dezent  ¶ [0087]. The IoT grouping unit may [ ] measure or count bytes or packets or data - items that are sent by and / or received from an IoT device.); 
generating IoT signal features from the IoT events, at least some the IoT signal features being associated with activities of the first IoT device and the first IoT application (Dezent FIGs 1-2, [0116]. In some embodiments , the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission , that is typically performed by each member of said particular IoT group , is performed by a particular application running on each member of said particular IoT group ; wherein the outlier detector comprises an application abnormality detector , ( i ) to determine that said particular IoT device sends at least one upstream cellular transmission via another application running on said particular IoT device , and ( ii ) to determine that said particular IoT device is malfunctioning or compromised.), wherein the IoT signal features include: a start time value, and end time value, an interval value, and an interval fluctuation (Dezent [0035], [0114]. The Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices … : ( a ) timestamp of start… The data is periodically collected ( e . g . , at pre - defined time intervals ) by a Data Collector unit 211 ( e . g . , via C1 interface ) , and is stored in a repository therein. In some embodiments, the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission , that is typically performed by each member of said particular IoT group , has a total time - duration of between M1 to M2 seconds , wherein M1 and M2 are pre - defined threshold values ; wherein the outlier detector comprises a time - duration abnormality detector , ( i ) to determine that said particular IoT device sends at least one upstream cellular transmission that has a total time - duration which is not between M1 to M2 seconds.); 
extracting background event context from the IoT events (Dezent FIGs 1-2, [0035]. The Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices, and/or for each data connection: (a) timestamp of start; (b) 5-tuple of the connections (e.g., source IP address, source port, destination IP address, destination port, protocol being used); (c) Identified protocols; (d) upstream volume of traffic; (e) downstream volume of traffic; (f) upstream packet count; (g) downstream packet count. The data is periodically collected (e.g., at pre-defined time intervals) by a Data Collector unit 211 (e.g., via C1 interface), and is stored in a repository therein. [See Specification at par. [0063] for “background event context.”]);
generating periodic activity instance descriptors based on the IoT signal features and the background event context (Dezent FIGs 1-2, [0091]. In some embodiments , the IoT grouping unit is to group said multiple IoT devices into said particular IoT group , based on at least detection of a particular repeating pattern of outgoing and incoming cellular communication operations that each one of said IoT devices performs repeatedly over a pre - defined time period.), 
wherein the periodic activity instance descriptors are data structures that describe an activity of the first IoT device using the start time, end time, interval value and interval fluctuation (Dezent [0035], [0114]. The Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices … : (a) timestamp of start… The data is periodically collected (e.g., at pre-defined time intervals) by a Data Collector unit 211 (e.g., via C1 interface), and is stored in a repository therein. In some embodiments, the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission, that is typically performed by each member of said particular IoT group, has a total time-duration of between M1 to M2 seconds, wherein M1 and M2 are pre-defined threshold values; wherein the outlier detector comprises a time-duration abnormality detector, (i) to determine that said particular IoT device sends at least one upstream cellular transmission that has a total time-duration which is not between M1 to M2 seconds.);
identifying periodic activities of the first IoT device based on the periodic activity instance descriptors and the external context (Dezent FIGs 1-2,  [0081]. [The system can] dynamically generated data that indicates that said multiple devices exhibit same communication pattern over a particular time period ; a baseline behavior determination unit 327 , to determine a Regular Baseline Cellular Communication Behavior ( RBCCB ) profile that characterizes the cellular communications that are outgoing from and incoming to each member of said particular IoT group; an outlier detector 307 , to subsequently detect that a particular IoT device of said particular IoT group , exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for said particular IoT group.); 
determining expected periodicities of the periodic activities of the first IoT device (Dezent FIGs 1-2, [0081]. [The system can] dynamically generated data that indicates that said multiple devices exhibit same communication pattern over a particular time period ; a baseline behavior determination unit 327 , to determine a Regular Baseline Cellular Communication Behavior ( RBCCB ) profile that characterizes the cellular communications that are outgoing from and incoming to each member of said particular IoT group; an outlier detector 307 , to subsequently detect that a particular IoT device of said particular IoT group , exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for said particular IoT group.); 
detecting activities of the first IoT device (Dezent FIGs 1-2, [0081]. [The system can] dynamically generated data that indicates that said multiple devices exhibit same communication pattern over a particular time period ; a baseline behavior determination unit 327 , to determine a Regular Baseline Cellular Communication Behavior ( RBCCB ) profile that characterizes the cellular communications that are outgoing from and incoming to each member of said particular IoT group; an outlier detector 307 , to subsequently detect that a particular IoT device of said particular IoT group , exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for said particular IoT group.);
detecting an anomaly at least in part by attempting to match the detected activities of the first IoT device to the expected periodicities, including by determining that at least Dezent [0074]. [A]n enforcement and quarantine unit 330 determines that a smoke detector, that typically communicates only at 3:00 AM for up to 20 seconds by sending a fixed-size message of 640 bytes to a destination IP address that corresponds to “Smoke-Detectors-Company.com”, exhibits abnormal behavior, such as, it sends every four hours a varying-size message of between 47 kilobytes to 58 kilobytes to a destination IP address that corresponds to “Hackerz-Unite-Server.com”. Similarly, the enforcement and quarantine unit 330 may put “Hackerz-Unite-Server.com” and/or its corresponding IP address(es) into a blacklist of destinations and senders that the smoke detector is unauthorized to communicate with. Then, full blocking, or partial blocking or selective blocking, of traffic to or from the compromised or malfunctioning IoT device, is applied.); and 
taking a remedial action in response to detecting anomaly, including by generating an alert that indicates that an anomaly has been detected (Dezent [0056]. A Notifications Generator unit 308 may generate a notification or alarm or alert, that said particular IoT device is malfunctioning or is compromised, based on said dissimilar network traffic characteristics that are exhibited by said particular IoT device.).
Dezent does not explicitly disclose: extracting external context from non-active IOT events. 
However Das, in an analogous art, discloses a method, comprising the step of extracting external context from non-active IOT events (Das FIG. 8, [0051]. FIG . 8 flowchart includes : the block denoting an IoT device 810 connected to a router according to some embodiments ; the raw data being transferred from the IoT device to the router according to some embodiments ; the step of router extracting 820 the connection level or packet level features from the raw data and step of dividing the features into behavioral features 830 such as IP addresses and port numbers , and volumetric features 850 such as total bytes transferred and connection duration according to some embodiments.), including by generating an alert that indicates that an anomaly has been detected (Dezent [0056]. A Notifications Generator unit 308 may generate a notification or alarm or alert , that said particular IoT device is malfunctioning or is compromised , based on said dissimilar network traffic characteristics that are exhibited by said particular IoT device.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Das with the teachings of Dezent to include the steps of: extracting external context from non-active IOT events, to provide users with a means for extracting relevant IoT device behavior data for comparison and monitoring anomalous behavior.  (See Das [0051]). 
Regarding claim 2, Dezent and Das disclose the method of claim 1. Dezent further discloses wherein the alert indicates that a periodicity of a detected activity of the first IoT device cannot be matched to an expected periodicity (Dezent [0056], [0114]. A Notifications Generator unit 308 may generate a notification or alarm or alert , that said particular IoT device is malfunctioning or is compromised , based on said dissimilar network traffic characteristics that are exhibited by said particular IoT device . In some embodiments, the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission , that is typically performed by each member of said particular IoT group , has a total time - duration of between M1 to M2 seconds , wherein M1 and M2 are pre - defined threshold values ; wherein the outlier detector comprises a time - duration abnormality detector, ( i ) to determine that said particular IoT device sends at least one upstream cellular transmission that has a total time - duration which is not between M1 to M2 seconds, and ( ii ) to determine that said particular IoT device is malfunctioning or compromised.). 
Regarding claim 3, Dezent and Das disclose the method of claim 1. Dezent further discloses the alert indicates a periodicity of a detected activity of the first IoT device matches an expected periodicity of a periodic activity known to be malicious (Dezent [0056], [0081]. A Notifications Generator unit 308 may generate a notification or alarm or alert , that said particular IoT device is malfunctioning or is compromised , based on said dissimilar network traffic characteristics that are exhibited by said particular IoT device. [The system can] dynamically generated data that indicates that said multiple devices exhibit same communication pattern over a particular time period ; a baseline behavior determination unit 327 , to determine a Regular Baseline Cellular Communication Behavior ( RBCCB ) profile that characterizes the cellular communications that are outgoing from and incoming to each member of said particular IoT group; an outlier detector 307 , to subsequently detect that a particular IoT device of said particular IoT group , exhibits cellular traffic characteristics that are abnormal relative to the RBCCB profile that was characterized for said particular IoT group.). 
Regarding claim 4, Dezent and Das disclose the method of claim 1. Dezent further discloses the alert indicates an expected periodic activity of the first IoT device fails to occur (Dezent [0056], [0114]. A Notifications Generator unit 308 may generate a notification or alarm or alert , that said particular IoT device is malfunctioning or is compromised , based on said dissimilar network traffic characteristics that are exhibited by said particular IoT device. In some embodiments, the baseline behavior determination unit is to generate said RBCCB profile which indicates that each upstream cellular transmission , that is typically performed by each member of said particular IoT group , has a total time - duration of between M1 to M2 seconds , wherein M1 and M2 are pre - defined threshold values ; wherein the outlier detector comprises a time - duration abnormality detector, ( i ) to determine that said particular IoT device sends at least one upstream cellular transmission that has a total time - duration which is not between M1 to M2 seconds, and ( ii ) to determine that said particular IoT device is malfunctioning or compromised.).  
Regarding claim 10, Dezent and Das disclose the method of claim 1. Dezent further discloses wherein the periodic activity instance descriptors include one or more of an activity ID, a periodic activity ID, multi-dimensional consolidated feature values, feature value ranges, device ID, application ID, user ID, sampling intervals, feature class, feature group, feature priorities, algorithm used to classify activity, timestamp, interval value, and interval fluctuation value (Dezent [0063], [0093]. In some embodiments, the analyzer and clustering unit may comprise or may utilize a K-means Clustering Module 309, which performs K-means clustering (or other type of clustering) of data-points representing commencement time-stamps of upstream data transmissions by each one of said IoT devices that belong to said particular type of IoT device; such that the outlier detector detects that a particular IoT device exhibits commencement time-stamps of upstream data transmissions that are dissimilar relative to said cluster representing commencement time-stamps of upstream data transmissions by each one of said IoT devices of said particular type of IoT devices. In some embodiments, the baseline behavior determination unit is to generate said RBCCB profile [ ] by performing analysis of both (i) cellular traffic data of each one of said multiple IoT devices, and (ii) meta-data about cellular communications of each one of said multiple IoT devices; wherein said analysis determines: (A) a maximum volume of outgoing cellular traffic that is outgoing from a member of said particular IoT group within a pre-defined time-period; and (B) a minimum volume of outgoing cellular traffic that is outgoing from a member of said particular IoT group within a pre-defined time-period.).
Regarding claim 11, claim 11 corresponds to a system corresponding to the method of claim 1. Claim 11 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding claim 12, claim 12 corresponds to a system corresponding to the method of claim 2. Claim 12 is similar in scope to claim 2 and is therefore rejected under similar rationale.
Regarding claim 13, claim 13 corresponds to a system corresponding to the method of claim 3. Claim 13 is similar in scope to claim 3 and is therefore rejected under similar rationale.
Regarding claim 14, claim 14 corresponds to a system corresponding to the method of claim 4. Claim 14 is similar in scope to claim 4 and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 corresponds to a system corresponding to the method of claim 10. Claim 20 is similar in scope to claim 10 and is therefore rejected under similar rationale.
Claims 6-8, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Dezent et al. (“Dezent,” US 20180375887, filed June 26, 2018) in view of Das et al. (“Das,” US 20190182278, filed Dec. 12, 2017) and Canzanese Jr. et al. (“Canzanese,” US 20150295945, published Oct. 15, 2015). 
Regarding claim 6, Dezent and Das disclose the method of claim 1. Dezent and Das do not explicitly disclose: wherein the expected periodicities are determined using a Fourier transform algorithm, a p-score based algorithm, or an exponential distribution algorithm.
However, in an analogous art, Canzanese discloses wherein the expected periodicities are determined using a Fourier transform algorithm, a p-score based algorithm, or an exponential distribution algorithm (Canzanese FIG. 3, [0101], [0197]. Before the malware infection occurs, the cumulative LLR values periodically spike above zero and are frequently reset to zero when the LLR becomes negative. At t=840 seconds, the malware is executed and the system is infected. After that time, an increase in the LLR g, 'Pis noted. Once it crosses the detection threshold hº’, the local detector 40 reports the decision that malware has been detected. Rather, it is likely due to the performance monitor features being better described by the models used at the local detectors: The raw performance monitor data are approximately normally distributed, while the raw system call data are more closely approximated by an exponential distribution.).
(See Canzanese [0197]).
Regarding claim 7, Dezent and Das disclose the method of claim 1. Canzanese further discloses wherein the expected periodicities are determined using time series correlation (Canzanese [0175]. To describe the operation of the local detectors, consider a single feature output by the feature extractor. The data at the j-th feature is considered to be a time series of measurement S: where the superscript indicates which feature the sensor data came from. Next, the infection time t is defined as the time the host begins executing malware. The distribution of t is not known a priori, nor is t guaranteed to be finite (a host may never be infected with malware). Given t, one can separate the feature data into two separate time series … The data Y clecara can be approximately described as realizations of a independent, identically distributed (i.i.d.) random variable (RV) with a normal probability distribution function (PDF).).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Canzanese with the teachings of Dezent and Das to include the step of: wherein the expected periodicities are determined using time series correlation, to provide users with See Canzanese [0175]). 
Regarding claim 8, Dezent and Das disclose the method of claim 1. Canzanese further discloses wherein the periodic activity instance descriptors are generated using normalization techniques (Canzanese [0162]. The performance monitors report system-wide CPU, disk, network, and memory usages statistics, and application-specific statistics. To ensure that the relative scales of the statistics do not bias the detection system, normalization is used to scale the data from each sensor to be zero mean, unit variance.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Canzanese with the teachings of Dezent and Das to include the step of: wherein the periodic activity instance descriptors are generated using normalization techniques, to provide users with a means for using normalization for generating relevant statistical distribution and analyzing abnormal behavior. (See Canzanese [0162]). 
Regarding claim 16, claim 16 corresponds to a system corresponding to the method of claim 6. Claim 16 is similar in scope to claim 6 and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 corresponds to a system corresponding to the method of claim 7. Claim 17 is similar in scope to claim 7 and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 corresponds to a system corresponding to the method of claim 8. Claim 18 is similar in scope to claim 8 and is therefore rejected under similar rationale.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961. The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on 571 270 5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the 




/EDWARD  LONG/
Examiner, Art Unit 2439


/LUU T PHAM/
Supervisory Patent Examiner, Art Unit 2439