Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Application 16/830,717 filed 3/26/2020 has been examined.
In this Office Action, claims 1-20 are currently pending.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an
abstract idea without significantly more.
Claim 1 recites:
Forming a concept graph that comprises nodes representing device attributes.
The limitation of forming a concept graph that comprises nodes representing device attributes, as drafted, is a process that, under its broadest reasonable interpretation,
covers performance of the limitation in the mind but for the recitation of generic computer
components. That is, other than reciting a “device classification service”, nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “device classification service”/service language, querying in the context of this claim encompasses the user manually determining reservation graphs of generic device attributes using generic “data”. Similarly, the limitation(s) of determining and using, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation 
Further, these concepts also recite “Certain Methods of Organizing Human Activity”; (such as
commercial or legal interactions (including agreements in the form of contracts; legal
obligations; advertising, marketing or sales activities or behaviors; business relations) where
forming a concept graph for clustering/grouping using scores a is a method of human activity in commercial or legal interactions.
Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claim only
recites one additional element – using a generic “service” to perform both the forming; determining and using steps. The “service” in both steps is recited at a high level of generality (i.e., as a generic “service” without and statutory computer hardware/processor performing a generic function of querying/forming device attributes) such that it amounts no more than mere instructions to apply the exception using a generic service, without and mention of a statutory computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more
than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a “service” without any stator computer hardware/processor to perform both the forming; determining and using steps 

Dependent claims 2-9 are merely add further details of the abstract steps/elements recited in
claim 1 without integrating the idea into a practical application; or including an improvement to
another technology or technical field, an improvement to the functioning of the computer itself,
or meaningful limitations beyond generally linking the use of an abstract idea to a particular
technological environment. Therefore, dependent claims 2-9 are also directed towards
nonstatutory subject matter.

As per independent claims 10 and 19, are also rejected as ineligible subject matter under 35
U.S.C. 101 for substantially the same reasons as the method claim(s) 1. The components (i.e.,
apparatus/medium described in independent claims 10 and 19 do not provide for integrating the
abstract idea into a practical application. At best, the claim(s) are merely providing alternate
environments to implement the abstract idea.

Dependent claims 11-18 and 20 merely add further details of the abstract steps/elements recited in claim 1 without integrating the idea into a practical application; or including an improvement to another technology or technical field, an improvement to the functioning of the computer itself, or meaningful limitations beyond generally linking the use of an abstract idea to a particular technological environment. Therefore, dependent claims 11-18 and 20 are also directed towards non-statutory subject matter.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al., US Pub. No. 2018/0270229, in view of Yadav et al., US Pub. No.: US 2016/0359872.

As to claim 1 (and substantially similar claim 10 and claim 19), Zhang discloses
a method comprising:
obtaining, by a device classification service, data indicative of device attributes of
a plurality of devices;
(Zhang [0033] In some embodiments, a device classification heuristic may be used to classify devices into different groups. The groups may be predefined (e.g., default groups that are
part of the heuristic) or created dynamically (e.g., on-the-fly after network traffic is received). For example, a group may be dynamically created for a device classification based on
the device name based on the device classification not matching predefined groups; see also Zhang [0025] Network monitor device 102 can function as a device identification system that monitors devices on network 100 (e.g., continuously, at a regular interval, upon a

to identify a device based on three-tiers of information including a general tier (e.g., operating system), to more specific (e.g., vendor), and to very specific (e.g., product of
one vendor).)

Zhang does not disclose:
forming, by the device classification service and based on the obtained data
indicative of the device attributes, a concept graph that comprises nodes that represent
different sets of the device attributes;
determining, by the device classification service and by analyzing the concept
graph, a relevance score for each of the device attributes that quantifies how relevant that
attribute is to classifying a device by its device type;
and
using, by the device classification service, the relevance scores for the device
attributes to cluster the plurality of devices into device type clusters by their device
attributes;
However, Yadav discloses:
forming, by the device classification service and based on the obtained data
indicative of the device attributes, a concept graph that comprises nodes that represent
different sets of the device attributes;
(Yadav [0429] The traffic monitoring system policy pipeline is
composed of four major steps/modules:
[0430] (1) Application Dependency Mapping
[0431] In this stage, network traffic is analyzed to determine a respective graph for each application operating in a data center (discussed in detail elsewhere). That is, particular

application.)

determining, by the device classification service and by analyzing the concept
graph, a relevance score for each of the device attributes that quantifies how relevant that
attribute is to classifying a device by its device type; 
(Yadav (0573] A suitable number of clusters of nodes in a computing network can be determined by using of the Minimum Description Length principle, or MDL. A MDL score can be
determined based on a directed communication graph, which may include client nodes, server nodes and server ports, and an algorithm for MDL score optimizations in the presence of multiple partitions. ).;

and
using, by the device classification service, the relevance scores for the device
attributes to cluster the plurality of devices into device type clusters by their device
attributes
(Yadav [0577] Computing the MDL for a clustering: (0578] for all the observed edges (for the time-span in which a network was monitored and data was collected), find the assigned source cluster, src cluster, and dst ( destination) cluster. (Note each node is belongs ( or
is assigned) a unique cluster in a clustering, where a cluster is simply a non-empty set of nodes).; see also [0587] The MDL scores (for example, the one given above), can be used to improve the number of clusters for each partition by using a randomized local search algorithm


It would have been obvious to one having ordinary skill in the art at the time the time of the effective filing date to apply device monitoring as taught by Yadav since it was known in the art that traffic monitoring systems can implement sensors in the VMs, hypervisors, and switches in the ACI in order to perform analytics and collect information for troubleshooting, planning, deployment, and security and as the amount of traffic seen by the sensors grows and events and implementation of sensors in VMs, hypervisors, and switches can be very useful for analytics, management, and troubleshooting where self-monitoring mechanism allows the sensors to run properly and efficiently and avoid creating unnecessary burdens on the network and systems. (Yadav [0089-0091]).

As to claim 2, Yadav discloses under the rationale above, the method as in claim 1, wherein the concept graph comprises a directed acyclic graph (DAG), and wherein each node in the DAG is associated with a count of the devices in the plurality that have the set of device attributes represented by that node (Yadav Directed Acyclic Graph of Down Services to Prioritize Repair
Summary
[0193] When multiple services fail, determining priorities
in fixing services can be difficult.
Detailed Description
[0194] When multiple services go down, it is useful to determine the root cause of the failure. One way to predict the root cause of failure is to create a service dependency directed acyclic graph (DAG) that represents how services depend from each other. When multiple services fail, the system can try to fix the service that is highest on the hierarchy of down services. In other words, the system can create a new DAG that only represents the services that are

(meaning it has the most dependents, even if those dependents are currently functioning).;
See also [0172] b. Take a intersection of the sets that are second element in the tuples gathered above. Call this intersection set 'Front sensors'. It represents the list of sensors that can see all flows that sensor Si can see. In our example, for Sl, the set of Front sensors will be {S2, S3}.
See also [0173] c. Take a union of the sets that are second element in the tuples generated in Step a. Compute the difference between the union set and the intersection set. Call this 'Difference set' as the 'Rear sensors'. It represents the list sensors whose all flows can be seen by sensor Si. In our example, for Sl, the set of Rear sensors will be empty set. For S2, the set of Rear sensors is {Sl}).

As to claim 3, Yadav discloses under the rationale above, the method as in claim 1, wherein determining the relevance score for each of the device attributes comprises:
computing a conditional entropy of a device attribute conditioned on a node in the
concept graph
(Yadav Header Field Entropy
Summary
[0503] The disclosure can be to do entropy or pattern analysis on any of the packet's header fields. The header fields that have the most predictive patterns are the best to analyze and catalog. Therefore analysis of a packet that is outside the normal predictive header pattern gives an indication that the packet is a spoof and part of an attack.; see also [0508] The disclosure can be directed to entropy or pattern analysis on any of the packet's header fields. The header fields that have the most predictive patterns are the best to analyze and catalog.).


tracking changes in the device attributes of the plurality of devices; 
(Zhang [0044] Aggregation device 106 may further provide log information of activity and properties of network coupled devices 122a-b to network monitor device 102. It is appreciated
that log information may be particularly reliable for stable network environments ( e.g., where the type of devices on the network do not change often).)
and
assessing stability of each of the device attributes based on the tracked changes
(Zhang [0044] Aggregation device 106 may further provide log information of activity and properties of network coupled devices 122a-b to network monitor device 102. It is appreciated
that log information may be particularly reliable for stable network environments ( e.g., where the type of devices on the network do not change often).;
see also [0064] A score (e.g., confidence score) can be determined by the packet engine 204 based on the analysis by one or more components of the packet engine 204. The confidence
score may then be compared with a threshold associated with a configured accuracy level ( e.g., minimum) for device identification.;
see also [0026] Network monitor device 102 can use multiple pieces of information and algorithms to determine a confidence score for information on each tier. The packet analysis by network monitor device 102 can include accessing information including the MAC address
(e.g., from layer 2), protocol information (e.g., from layer 3 and layer 4), payload (e.g., from layer 7), and dynamic host control protocol (DHCP) patterns. The information accessed
during the packet analysis can used for fingerprint analysis (e.g., by an identification engine 240) for determining of a confidence score.).



assigning a low relevance score to an unstable device attribute (Zhang [0066] In some
embodiments, the confidence score may be computed based the extent to which the data determined by the data collection component 202 matches a particular device identification
fingerprint. For example, a high confidence score may be determined for data associated with a device to be identified that matches 80% of a stored device fingerprint while a low confidence score may be determined for data associated with a device to be identified that matches 30%
of the device fingerprint.).

As to claim 6, Yadav discloses under the rationale above, the method as in claim 1, wherein using the relevance scores for the device attributes to cluster the plurality of devices into device type clusters by their device attributes
comprises:
computing a distance metric based on the relevance scores for the device
attributes; 
(Yadav [0625] In some embodiments, a common long prefix from hostnames of members of a cluster can be determined using a computing algorithm. If the prefix satisfies certain criteria
(e.g., a length or commonality among the members),; See also (0582] the description length is the min of (obs, (l+notobs)))
and
clustering the plurality devices into the device type clusters based on the
computed distance metric
(Yadav [0583] MDL of a clustering is the sum of the description lengths across all src cluster*dst cluster*port combinations (Note: in some implementations, the lower the
MDL score is, the better the clustering in a computing network)).

As to claim 7, Yadav discloses under the rationale above the method as in claim 1, further comprising:
receiving feedback from a user interface regarding one of the device type clusters;
(Yadav Re-Generate ADM Pipeline Incorporating User Feedback
and Corrections
Summary
[0628] A user interface (UI) is provide with options for a user to adjust parameters in generating clusters ( e.g., adding or removing nodes) in a computing network or changing
dates for data collection, etc. An ADM pipeline can be re-generated by incorporating user feedback and/or other changes.)
and
adjusting the relevance scores for the device attributes based on the received
feedback
(Yadav [0628] A user interface (UI) is provide with options for a user to adjust parameters in generating clusters ( e.g., adding or removing nodes) in a computing network or changing
dates for data collection, etc. An ADM pipeline can be re-generated by incorporating user feedback and/or other changes.).
 
As to claim 8, Yadav discloses under the rationale above the method as in claim 1, further comprising:
generating device classification rules from the device type clusters and their
associated device attributes
(Yadav [0631] The present technology extracts various features ( e.g., attributes/properties) of both ends of a connection in a computing network to determine a machine learned classifier


As to claim 9, Zhang discloses the method as in claim 1, wherein the device attributes comprise at least one of: a Hypertext Transfer Protocol (HTTP) user agent, 
(Zhang [0084] The payload analysis component 210 can access HTTP traffic with a user-agent of"ABC Sensor Model 123." This can indicate that the device may be a sensor and related
to vendor ABC.; see also [0014] Currently there is no reliable methodology for device identification. Current methodologies are based on an agent running on the device or based on a single property, such as, HTTP user-agent, MAC address, or a port scan.)

an organizationally unique identifier (OUD), 
(Zhang [0063] Identifier analysis component 212 can analyze one or more packets for unique identifiers and based on the unique identifiers determine device properties including
device identification. For example, identifier analysis component 212 may access or select a MAC address from a packet and analyze the organizationally unique identifier (OUI) portion of the MAC address. Identifier analysis component 212 can then set a value of a data structure (e.g., of the data structure 300) based on the OUI portion of the MAC address. This value may then be combined with other values to make a device identification.)

or a Dynamic Host Configuration Protocol (DHCP) parameter
(Zhang [0053] DHCP analysis component 206 can access a variety of parameters of one or more DHCP packets including an option parameter list or request parameter list and the DHCP operating system parameter. For example, the DHCP option parameters examined can include 1-20 and 45. The DHCP analysis component 206 can be configured to determine different 


Referring to claim 11, this dependent claim recites similar limitations as claim 2;
therefore, the arguments above regarding claim 2 are also applicable to claim 11.

Referring to claim 12, this dependent claim recites similar limitations as claim 3;
therefore, the arguments above regarding claim 3 are also applicable to claim 12.

Referring to claim 13, this dependent claim recites similar limitations as claim 4;
therefore, the arguments above regarding claim 4 are also applicable to claim 13.

Referring to claim 14, this dependent claim recites similar limitations as claim 5;
therefore, the arguments above regarding claim 5 are also applicable to claim 14.

Referring to claim 15, this dependent claim recites similar limitations as claim 6;
therefore, the arguments above regarding claim 6 are also applicable to claim 15.

Referring to claim 16, this dependent claim recites similar limitations as claim 7;
therefore, the arguments above regarding claim 7 are also applicable to claim 16.

Referring to claim 17, this dependent claim recites similar limitations as claim 8;
therefore, the arguments above regarding claim 8 are also applicable to claim 17.


therefore, the arguments above regarding claim 9 are also applicable to claim 18.

Referring to claim 20, this dependent claim recites similar limitations as claim 4;
therefore, the arguments above regarding claim 4 are also applicable to claim 20.


CONTACT INFORMATION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVAN S ASPINWALL whose telephone number is (571)270-7723. The examiner can normally be reached Monday-Friday 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on 571-270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Evan Aspinwall/Primary Examiner, Art Unit 2152                                                                                                                                                                                                        11/22/2021