Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see remarks, filed 11-10-2021, with respect to 35 USC 112(b) have been fully considered and are persuasive in light of new amendments and arguments. The rejection under 112(b) is withdrawn.
Applicant's arguments filed 11-10-2021, with respect to 35 USC 101 (abstract idea) have been fully considered but they are not persuasive even in light of new amendments and arguments. The client argues that “Applicant respectfully disagrees the claimed subject matter is abstract. A network edge device is a physical network element configured to connect one or more endpoint devices to a network. One of ordinary skill in the art would recognize the endpoint devices can be generic computing components. A network edge device is not. Applicant has amended the Claims to recite, in relevant part: network edge device configured to connect one or more endpoint devices to a network, the network edge device. This is clearly a practical application of network access from the edge. Also, the subject matter here is similar to content filtering in BASCOM Global Internet Servs. v. AT&T Mobility LLC, 827 F.3d 1341, 1350, 119 USPQ2d 1236, 1242 (Fed. Cir. 2016) (inventive concept may be found in the non-conventional and non-generic arrangement of components that are individually well-known and conventional). Adding a specific limitation other than what is well-understood, routine, conventional activity in the field, or adding unconventional steps that confine the claim to a particular useful application, e.g., a non-conventional and non-generic arrangement of various computer components for filtering Internet content, as discussed in Id. at 1350-5. Applicant also submits the claimed subject matter provides improvements to the functioning of a computer, e.g., a modification of conventional Internet hyperlink protocol to dynamically produce a dual-source hybrid webpage, as discussed in DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1258-59, 113 USPQ2d 1097, 1106-07 (Fed. Cir. 2014).” The examiner disagrees with the arguments. Spec. recites in Pg. 9, para. [0046]:
If the device 14 fails the assessment process and is evaluated as untrusted (suspicious), its traffic is steered into one of the restricted zones 20. Restricted zones 20 are tailorable and based on each individual organization's risk policy. Zones could include: a sinkhole zone where traffic is simply dropped; a forensic zone where traffic capture is enabled for evaluation of activity; a remediation zone where devices access security services to remediate identified deficiencies in their configuration; the rate-limited zone where traffic is allowed but slowed to allow for monitoring of adversary intent.
Applicant's arguments filed 11-10-2021, with respect to 35 USC 103 have been fully considered but they are not persuasive. The client argues that “Alp is cited for a reputation-based routing system that provides backbone communications and that prioritizes traffic based upon reputation information of a device. Zimmer is cited to teach classifying endpoint devices into trust levels. Applicant's claimed subject matter relates to a network edge device. For clarification, Applicant has amended the independent Claims to recite, in relevant part: route the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered to one or more restricted zones. First, Alp is clearly backbone communication which is not an edge device. Second, the combination of Alp and Zimmer fails to suggest these limitations. At best, the combination teaches prioritizing traffic based on trust, not steering to restricted zones.” The examiner disagrees with the arguments. See spec. para. [0046], recited above. For all practical purposes the edge device is any given switch, hub, or router (spec. [0008] a network edge device includes switching circuitry configured to switch traffic… The network edge device can be configured to provide network connectivity to the one or more endpoint devices) or shall be client device(s). The arguments of the client are contradictory to what is recited in the spec. and to generally defined network parlance. Prior art Alp clearly teaches this part in figs. 1A, 1B and 2 and C2L45-50: routing devices (e.g., routers, i.e., network edge device). Routers typically inspect packets to extract destinations associated with the data packets and retrieve routing information associated with the destinations before communicating the data packets to the recipient (or to another router).
Routers, i.e., edge devices, are part of the backbone of the network, which is very well understood and well known to one of ordinary skill in the art. If edge devices such as routers, switches or hubs are not part of the backbone, then the client should say what they consider, as spec. [0008] clearly contradicts the client’s arguments. A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Therefore the rejection is maintained.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:


The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “switching circuitry configured to switch traffic, processing circuitry configured to monitor” in claim 1.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.  If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the 

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 20 is / are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more analyzed according to 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites monitoring the network traffic and classifying the endpoint devices by comparing the traffic to similar devices and route the traffic based on corresponding trust level that includes an untrusted level where the traffic is steered to restricted zone(s).
Step 1: The claims 1, 10 and 19 do fall into one of the four statutory categories of method and system claims. Nevertheless the claims still is/are considered as abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 10 and 19 recites: monitoring the network traffic and classifying the endpoint devices by comparing the traffic to similar devices and route the traffic based on corresponding trust level that includes an untrusted level where the traffic is steered to restricted zone(s), which, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and / or with pen and paper without a generic computer. Except for the words ‘device with switching circuitry’, there is nothing in the claim element that precludes the step from practically being performed in human mind 
Dependent claims 2 – 9, 11 – 18 and 20 which in turn recite collection of one or more of network measurements and non-network measurements, endpoint device is classified in a suspicious trust level and moved based on continuous monitoring, classified by comparing behavior relative to a group of similar types of devices, continually monitor the traffic, training circuitry configured to create the model, training circuitry utilizes a one-class classifier that has suspicious/attacking traffic removed from a data set is/are mere structural addendums and are other steps that could be performed by human manually with/without need for a computer.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human mind but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps of: monitoring the network traffic and classifying the endpoint devices by comparing the traffic to similar devices and route the traffic based on corresponding trust level that includes an untrusted level where the traffic is steered to restricted zone(s). The steps are recited at a high-level of generality (i.e., as generic terms performing generic computer functions (spec. [0104]) such that it amounts no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical 
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, monitoring the network traffic and classifying the endpoint devices by comparing the traffic to similar devices and route the traffic that includes an untrusted level where the traffic is steered to restricted zone(s) based on corresponding trust level amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 9, 11 – 18 and 20 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Alperovitch et al (US 8606910), hereafter Alp and Zimmer et al (US 11049039), hereafter Zim.
Claim 1: Alp teaches a network edge device configured to connect one or more endpoint devices to a network, the network edge device comprising (Figs. 1A, 1B, 2): switching circuitry configured to switch traffic from the one or more endpoint devices to corresponding application services over [[a]] the network; (C2L44-46, 64-66: reputation based routing systems provides backbone communications facilities for the network to communicate data packets between entities);
and processing circuitry configured to monitor the traffic from the one or more endpoint devices, (C2L46-50: routers typically inspect packets from originating entities to extract destinations associated with the data packets and retrieve routing information associated with the destinations before communicating the data packets to the recipient or to another router);
and route the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered to one or more restricted zones. (C2L55-57: reputation based prioritization system then prioritizes the traffic based upon reputation information associated with the device; C2L52-54: reputation information provides an indication of whether the traffic associated with the data packets is non-reputable category and (C10L19-26, 15L7-15) if the communication is determined not to be legitimate and/or with indeterminate reputation (i.e., untrusted level), the communication is either dropped, quarantined, delayed, etc (i.e., steered to restricted zone)).
Alp is silent on compare the monitored traffic to classify the one or more endpoint devices into a corresponding trust level of a plurality of trust levels.
But the analogous art Zim teaches compare the monitored traffic to classify the one or more endpoint devices into a corresponding trust level of a plurality of trust levels. (C2L4-8: comparing the operations, interfaces and characteristics... and (C9L62-63) perform context identification and classification based on aggregated data (C1L58-61) to identify and classify characteristics, and assign reputation scores or profiles across various networked devices (C9L3-14) among various or larger profiles). 
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of classifying endpoints based on traffic as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 10: Alp teaches a non-transitory computer-readable medium comprising instructions that, when executed, cause a processor to perform the steps of (Fig. 2): monitoring traffic received by a network edge device from one or more endpoint devices destined for corresponding application services over a network, wherein the network edge device is configured to connect the one or more endpoint devices to the network; and causing routing of the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered to one or more restricted zones. (C2L44-46, 64-66, Figs. 1A, 1B: reputation based routing systems provides backbone communications facilities for the network to communicate data packets between entities; C2L46-50: routers typically inspect packets from originating entities to extract destinations associated with the data packets and retrieve routing information associated with the destinations before communicating the data packets to the recipient or to another router; C2L55-57: reputation based prioritization system then prioritizes the traffic based upon reputation information associated with the device; C2L52-54: reputation information provides an indication of whether the traffic associated with the data packets is non-reputable category and (C10L19-26, 15L7-15) if the communication is determined not to be legitimate and/or with indeterminate reputation (i.e., untrusted level), the communication is either dropped, quarantined, delayed, etc (i.e., steered to restricted zone)).
Alp is silent on classifying, by comparing the monitored traffic, the one or more endpoint devices into a corresponding trust level of a plurality of trust levels;
But the analogous art Zim teaches classifying, by comparing the monitored traffic, the one or more endpoint devices into a corresponding trust level of a plurality of trust levels; (C2L4-8: comparing the operations, interfaces and characteristics... and (C9L62-63) perform context identification and classification based on aggregated data (C1L58-61) to identify and classify characteristics, and assign reputation scores or profiles across various networked devices (C9L3-14) among various or larger profiles). 
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of classifying endpoints based on traffic as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 19: Alp teaches a method comprising: monitoring traffic, by a network edge device configured to connect the one or more endpoint devices to a network, from one or more endpoint devices, destined for corresponding application services over [[a]] the network; and causing routing of the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered to one or more restricted zones. (C2L44-46, 64-66, Figs. 1A, 1B: reputation based routing systems provides backbone communications facilities for the network to communicate data packets between entities; C2L46-50: routers typically inspect packets from originating entities to extract destinations associated with the data packets and retrieve routing information associated with the destinations before communicating the data packets to the recipient or to another router; C2L55-57: reputation based prioritization system then prioritizes the traffic based upon reputation information associated with the device; C2L52-54: reputation information provides an indication of whether the traffic associated with the data packets is non-reputable category and (C10L19-26, 15L7-15) if the communication is determined not to be legitimate and/or with indeterminate reputation (i.e., untrusted level), the communication is either dropped, quarantined, delayed, etc (i.e., steered to restricted zone)).

But the analogous art Zim teaches classifying, by comparing the monitored traffic, the one or more endpoint devices into a corresponding trust level of a plurality of trust levels; (C2L4-8: comparing the operations, interfaces and characteristics... and (C9L62-63) perform context identification and classification based on aggregated data (C1L58-61) to identify and classify characteristics, and assign reputation scores or profiles across various networked devices (C9L3-14) among various or larger profiles). 
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of classifying endpoints based on traffic as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 2: the combination of Alp and Zim teaches the network edge device of claim 1, wherein the traffic is monitored through collection of one or more of network measurements and non-network measurements of each of the one or more endpoint devices. (Alp: C4L12-18: any of communications between the entities, traffic patterns, similar communications originating from the entities independently, sporadic communication patterns, or use of commonly spoofed address (i.e., non-network measurement) among many others).
Claim 3: the combination of Alp and Zim teaches the network edge device of claim 2, wherein the network measurements include any of timings and sizes of data packets, timings and headers of data packets, and timings and content of control packets, (Alp: C4L12-18: any of communications between the entities, traffic patterns (similar increases and/or decreases in traffic volume) associated with the entities, similar communications originating from the entities independently, sporadic communication patterns, or use of commonly spoofed address (IP, MAC, URL, domain, etc.), among many others).
and the non-network measurements include CPU, memory, and file system utilizations; host identifiers; operating system logs; classification is done with one of labeled supervised, unlabeled supervised, [[or]] and unsupervised machine learning. (C11L23-40: retrieved data includes device behavioral information and device usage and is retrieved from BIOS, WCE, security management software, secure policy manager and network profile. BIOS data include boot information, both during boot and post-boot processes. Data is dynamic, where data change based on device status and/or device usage (based on "soft" characteristics of a device). Data from device includes device status and one or more security policies using (C8L35-38) a neural network as a portion of the artificial intelligence, logic programming, automated reasoning, Bayesian networks, decision theory or statistical learning methods).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of having non-network measurements as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 4: the combination of Alp and Zim teaches the network edge device of claim 1, wherein the network edge device is configured to provide network connectivity to the one or more endpoint devices. (Alp: C2L46-50: routers typically retrieve routing information associated with the destinations before communicating the data packets to the recipient or to another router).
Claim 5: the combination of Alp and Zim teaches the network edge device of claim 1, wherein, for initial connectivity of an endpoint device, the endpoint device is classified in a suspicious trust level and moved based on continuous monitoring. (Alp: C4L41-45: communications received from a different geolocation that claim to be associated with the same entity is treated as suspect and/or the reputation of an entity is identified as non-reputable (C3L52-55) communication of updated reputation information is relayed from one reputation based routing system to another reputation based routing system).
Claim 6: the combination of Alp and Zim teaches the network edge device of claim 1, wherein the one or more endpoint devices are classified by comparing behavior relative to a group of similar types of devices. (Zim: C2L2-8: a cloud based machine learning system learns the typical operation and interfacing of a device, and identifies atypical operations or interfaces associated with that device by comparing the operations and interfaces to those of a similar networked devices or to those of a defined standard or reference device(s)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of classifying endpoints based on traffic from similar devices as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 7: the combination of Alp and Zim teaches the network edge device of claim 1, wherein the processing circuitry is configured to continually monitor the traffic from the one or more endpoint devices, update the corresponding trust level based thereon, and reroute the traffic based on an updated trust level. (Alp: C7L53-59: prioritization policy provided by the administrator specifies that data originating from specified classes of reputations are to be transmitted, with low priority, dropped, quarantined for further testing or information gathering, etc., and/or that specified classes of reputations are to be transmitted, with high priority and (C1L64-67) managing network traffic across multiple networks based on real-time feedback from a distributed set of local network devices, in the multiple networks, reporting network activities (network volume and concentration) and (C9L9-10) updates to the local reputation is performed periodically).
Claim 8: the combination of Alp and Zim teaches the network edge device of claim 1, further comprising training circuitry configured to create the model. (Zim: C8L23-26: CBML system is a device behavior model generator, where data from a plurality of networked devices is collected and device behavior patterns are learned).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of training model as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 9: the combination of Alp and Zim teaches the network edge device of claim 8, wherein the training circuitry utilizes a one-class classifier that has suspicious/attacking traffic removed from a data set of training traffic. (Zim: C10L38-49: characteristics ranking engine sorts and ranks aggregated data characteristics that were identified by inference engine based on various criteria. A characteristic shall be ranked higher or lower depending on the number of times the characteristic was observed within a given sample interval in a device and/or the number of different devices. Characteristics identification and classification is performed based on defined policies or rules that is updated with additional learning. Characteristics that indicate a likely threat or a catastrophic impact ranked higher and (C11L1-3) feedback engine improves the learning by CBML module by providing feedback and corrections to past inference errors and/or mischaracterizations).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of training model using malicious traffic removal as taught by Zim so that the system identifies new policies, rules and recommendations and communicate proposals to remote administrator (C13L12-13).
Claim 11: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 10, wherein the monitoring traffic includes collecting one or more of network measurements and non-network measurements of each of the one or more endpoint devices. (Alp: C4L12-18: any of communications between the entities, traffic patterns, similar communications originating from the entities independently, sporadic communication patterns, or use of commonly spoofed address (i.e., non-network measurement) among many others).
Claim 12: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 11, wherein the network measurements include any of timings and sizes of data packets, timings and headers of data packets, and timings and content of control packets, (Alp: C4L12-18: any of communications between the entities, traffic patterns (similar increases and/or decreases in traffic volume) associated with the entities, similar communications originating from the entities independently, sporadic communication patterns, or use of commonly spoofed address (IP, MAC, URL, domain, etc.), among many others).
and the non-network measurements include CPU, memory, and file system utilizations; host identifiers; operating system logs; classification is done with one of labeled supervised, unlabeled supervised, [[or]] and unsupervised machine learning. (C11L23-40: retrieved data includes device behavioral information and device usage and is retrieved from BIOS, WCE, security management software, secure policy manager and network profile. BIOS data includes boot information, both during boot and post-boot processes. Data is dynamic, where data changes based on device status and/or device usage (based on "soft" characteristics of a device). Data from device includes device status and one or more security policies (C8L35-38) using a neural network as a portion of the artificial intelligence, logic programming, automated reasoning, Bayesian networks, decision theory or statistical learning methods).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of having non-network measurements as taught by Zim so that the system identifies new policies, rules and recommendations and communicates proposals to a remote administrator (C13L12-13).
Claim 13: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 10, wherein the monitoring, the classifying, and the causing are performed by a network edge element that is configured to provide network connectivity to the one or more endpoint devices. (Alp: C2L46-50: routers typically retrieve routing information associated with the destinations before communicating the data packets to the recipient or to another router).
Claim 14: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 10, wherein, for initial connectivity of an endpoint device, the endpoint device is classified in a suspicious trust level and moved based on continuous monitoring. (Alp: C4L41-45: communications received from a different geolocation that claim to be associated with the same entity are treated as suspect and/or the reputation of an entity is identified as non-reputable and (C3L52-55) communication of updated reputation information is relayed from one reputation based routing system to another reputation based routing system).
Claim 15: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 10, wherein the one or more endpoint devices are classified by comparing behavior relative to a group of similar types of devices. (Zim: C2L2-8: a cloud based machine learning system learns the typical operation and interfacing of a device, and identifies atypical operations or interfaces associated with that device by comparing the operations and interfaces to those of similar networked devices or to those of a defined standard or reference device(s)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of classifying endpoints based on traffic from similar devices as taught by Zim so that the system identifies new policies, rules and recommendations and communicates proposals to a remote administrator (C13L12-13).
Claim 16: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 10, further comprising continually monitoring the traffic from the one or more endpoint devices, updating the corresponding trust level based thereon, and rerouting the traffic based on an updated trust level. (Alp: C7L53-59: prioritization policy provided by the administrator specifies that data originating from specified classes of reputations are to be transmitted with low priority, dropped, quarantined for further testing or information gathering, etc., and/or that specified classes of reputations are to be transmitted with high priority and (C1L64-67) managing network traffic across multiple networks based on real-time feedback from a distributed set of local network devices, in the multiple networks, reporting network activities (network volume and concentration) and (C9L9-10) updates to the local reputation are performed periodically).
Claim 17: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 10, further comprising performing training to create the model. (Zim: C8L23-26: CBML system is a device behavior model generator, where data from a plurality of networked devices is collected and device behavior patterns are learned).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Alp to include the idea of training a model as taught by Zim so that the system identifies new policies, rules and recommendations and communicates proposals to a remote administrator (C13L12-13).
Claim 18: the combination of Alp and Zim teaches the non-transitory computer-readable medium of claim 17, wherein the training utilizes a one-class classifier that has suspicious/attacking traffic removed from a data set of training traffic. (Zim: C10L38-49: characteristics ranking engine sorts and ranks aggregated data characteristics that were identified by inference engine based on various criteria. A characteristic shall be ranked higher or lower depending on the number of times the characteristic was observed within a given sample interval in a device and/or the number of different devices. Characteristics identification and classification is performed based on defined policies or rules that are updated with additional learning. Characteristics that indicate a likely threat or a catastrophic impact are ranked higher and (C11L1-3) feedback engine improves the learning by CBML module by providing feedback and corrections to past inference errors and/or mischaracterizations).
C13L12-13).
Claim 20: the combination of Alp and Zim teaches the method of claim 19, wherein the monitoring traffic includes collecting one or more of network measurements and non-network measurements of each of the one or more endpoint devices. (Alp: C4L12-18: any of communications between the entities, traffic patterns, similar communications originating from the entities independently, sporadic communication patterns, or use of commonly spoofed address (i.e., non-network measurement) among many others).

Conclusion

Applicant's amendments necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani, can be reached at 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496.