DETAILED ACTION
This Office Action has been issued in response to Applicant's Request for Continued Examination filed April 30, 2021.
Claims 1, 17, and 19 have been amended.  Claims 1-20 have been examined and are pending.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on April 30, 2021 has been entered.
 
Response to Arguments
Applicant's arguments filed April 30, 2021 have been fully considered but they are moot in view of the new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-6 and 8-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2018/0332064 to Harris et al. (hereinafter “Harris”) and further in view of US Pat. No. 9800606 to Yumer (hereinafter “Yumer”) and further in view of US Pub. No. 2020/0076846 to Pandian et al. (hereinafter “Pandian”).

As to Claim 1, Harris discloses a method comprising: 
identifying device communications over at least one network of an enterprise (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.); 
evaluating the device communications to identify one or more services that communicated with, using the at least one network, a plurality of devices of the enterprise connected to the at least one network (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.); 
generating an activity-based network profile for each device of the plurality of devices based at least in part on the identified one or more services that communicated with each respective device of the plurality of devices, wherein the activity-based network profile for a given device of the plurality of devices: (i) identifies the one or more services that communicated with the given device for each service that communicated with the given device, (ii) identifies other devices of the plurality of devices that communicate with a respective service on the given device, and (iii) provides a local fraction metric based at least in part on one or more network metrics of the other devices of the plurality of devices that communicate with the respective service on the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614.  Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.);
clustering the devices into a plurality of clusters based at least in part on a functional characterization of the devices derived from the activity-based network profiles (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614); and 
ranking the devices within one or more clusters based on one or more of network activity and network exposure (Figure 22 of Harris discloses searching for risk scores by peer group);
ranking the devices within one or more clusters based at least in part on factors of: a total number of services exported; a number of external IP addresses that access each device; and a total number of IP addresses that access the network (Paragraph [0315] of Harris discloses the peer group comparative statistics include a total counter value and the number of deviations value computed for the source IP address and user pair and a maximum value, a minimum value, a mean value, a standard deviation value, and a population size value for the peer group for each variable of the variables indicated by the fourth indicator. For example, the total counter value for the variable DistinctInternalDstIpmeasure is a number of unique internal destination IP addresses contacted by the source IP address and user pair during the last reporting time period. The total counter value for the variable DistinctExternalDstIpmeasure is a number of unique external destination IP addresses contacted. The total counter value for the variable WebProxyDstIpmeasure is a number of unique external destination IP addresses connected through a web proxy server.); 
computing a [product] of the factors (Paragraph [0307] of Harris discloses a weighted rank for each variable is computed by multiplying the computed rank by the weight defined for the selected variable.  Paragraph [0308] of Harris discloses the computed weighted rank is added to the combined weighted rank value); and 
generating an [ordered] rank of devices from high to low [product] value, [such that the rank of the devices is ordered from high risk to low risk] (Figure 22 of Harris discloses searching for risk scores by peer group), 
wherein the method is performed by at least one processing device comprising a processor coupled to a memory.
Harris does not explicitly disclose a product of the factors.
However, Yumer discloses this.  Column 11 lines 1-30 of Yumer disclose calculation module 110 may calculate the network risk score according to the following formula: SUM(ApplicationActivity*ApplicationThreatLevel), such that ApplicationActivity and ApplicationThreatLevel are multiplied as a product for each hacking tool downloaded by organization computers over the period of time and then all of these products are added together.  In other examples, one or more of the summation operations may be replaced by a multiplication operation (and vice versa).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the clustering system as disclosed by Harris with the use of a product for risk scores as disclosed by Yumer.  One of ordinary skill in the art would have been motivated to combine them in order to apply a known technique to a similar device.  Harris and Yumer are both directed toward network data analysis, and as such it would have been obvious to use the techniques of one in the other.
Harris does not explicitly disclose an ordered rank such that the rank of the devices is ordered from high risk to low risk.
However, Pandian discloses this.  Paragraph [0179] of Pandian discloses devices are filtered, sorted, and/or grouped based on the respective risk scores associated with the devices. For example, devices associated with higher risk scores (indicating higher level of risk) may be sorted to appear first, while devices associated with lower risk scores may be sorted to appear last.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the clustering system as disclosed by Harris with sorting by risk score as disclosed by Pandian.  One of ordinary skill in the art would have been motivated to combine them in order to apply a known technique to a similar device.  Harris and Pandian are both directed toward network data analysis, and as such it would have been obvious to use the techniques of one in the other.
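The claim 1 steps traced above (profile each enterprise device from flow records, derive a functional characterization, cluster on it, compute the three exposure factors, take their product and order each cluster from high to low) can be followed end to end on constructed flow records. The following is an added illustration, not code from the application or from Harris, Yumer or Pandian. It assumes NetFlow-style records as dicts, an enterprise address space of 10.0.0.0/8, that the destination side of a flow is the service being accessed, and a hypothetical `min_clients` threshold for calling a port an exported service.

```python
"""Activity-based device profiles, functional clustering and exposure ranking
computed from flow records.

Added illustration; not code from the application or from Harris, Yumer or
Pandian.  Assumptions: flow records are NetFlow-style dicts, the enterprise
address space is 10.0.0.0/8, and the destination side of a flow is the
service being accessed (client-to-server direction).
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

ENTERPRISE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise range

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = [
    # 10.1.1.10: web server reached by two internal and two external peers
    {"src": "10.1.2.5", "dst": "10.1.1.10", "proto": "tcp", "dport": 80, "bytes": 5000},
    {"src": "10.1.2.6", "dst": "10.1.1.10", "proto": "tcp", "dport": 80, "bytes": 4000},
    {"src": "203.0.113.7", "dst": "10.1.1.10", "proto": "tcp", "dport": 80, "bytes": 1000},
    {"src": "198.51.100.9", "dst": "10.1.1.10", "proto": "tcp", "dport": 443, "bytes": 2500},
    # 10.1.1.11: web server, internal clients only
    {"src": "10.1.2.5", "dst": "10.1.1.11", "proto": "tcp", "dport": 80, "bytes": 800},
    {"src": "10.1.2.6", "dst": "10.1.1.11", "proto": "tcp", "dport": 80, "bytes": 700},
    # 10.1.1.12: web server with one external client
    {"src": "10.1.2.5", "dst": "10.1.1.12", "proto": "tcp", "dport": 80, "bytes": 600},
    {"src": "203.0.113.8", "dst": "10.1.1.12", "proto": "tcp", "dport": 80, "bytes": 300},
    # 10.1.1.20: DNS server
    {"src": "10.1.2.5", "dst": "10.1.1.20", "proto": "udp", "dport": 53, "bytes": 120},
    {"src": "10.1.2.6", "dst": "10.1.1.20", "proto": "udp", "dport": 53, "bytes": 110},
    {"src": "10.1.2.7", "dst": "10.1.1.20", "proto": "udp", "dport": 53, "bytes": 130},
    # outbound flow: the external server is not an enterprise device
    {"src": "10.1.2.7", "dst": "203.0.113.50", "proto": "tcp", "dport": 443, "bytes": 9000},
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in ENTERPRISE_NET


@dataclass
class DeviceProfile:
    """Activity-based network profile of one enterprise device."""
    ip: str
    # service (proto, port) on this device -> IPs that accessed it
    service_clients: dict[tuple[str, int], set[str]] = field(
        default_factory=lambda: defaultdict(set))
    # service -> bytes carried to that service on this device
    service_bytes: dict[tuple[str, int], int] = field(
        default_factory=lambda: defaultdict(int))

    def all_clients(self) -> set[str]:
        return set().union(*self.service_clients.values())

    def external_clients(self) -> set[str]:
        return {c for c in self.all_clients() if not is_internal(c)}

    def local_fraction(self, service: tuple[str, int]) -> float:
        """Bytes to `service` over bytes to any service on this device (claim 3 ratio)."""
        total = sum(self.service_bytes.values())
        return self.service_bytes.get(service, 0) / total if total else 0.0


def build_profiles(flows) -> dict[str, DeviceProfile]:
    """Passively derive one profile per enterprise device from flow records."""
    profiles: dict[str, DeviceProfile] = {}
    for f in flows:
        for end in (f["src"], f["dst"]):
            if is_internal(end):
                profiles.setdefault(end, DeviceProfile(end))
        if not is_internal(f["dst"]):
            continue  # outbound flow: external server is not profiled
        svc = (f["proto"], f["dport"])
        profiles[f["dst"]].service_clients[svc].add(f["src"])
        profiles[f["dst"]].service_bytes[svc] += f["bytes"]
    return profiles


def characterize(profile: DeviceProfile, min_clients: int = 2) -> str:
    """Functional characterization: name a device by the ports it serves to at
    least `min_clients` distinct peers (assumed threshold); none -> 'client'."""
    ports = sorted(port for (_, port), clients in profile.service_clients.items()
                   if len(clients) >= min_clients)
    return "server:" + ",".join(map(str, ports)) if ports else "client"


def exposure_factors(profile: DeviceProfile) -> tuple[int, int, int]:
    """Claim 1 factors: services exported, external IPs accessing the device,
    total IPs accessing the device."""
    return (len(profile.service_clients),
            len(profile.external_clients()),
            len(profile.all_clients()))


def rank_devices(flows, min_clients: int = 2) -> dict[str, list[tuple[int, str]]]:
    """Cluster on functional characterization, then order each cluster from
    high to low product of the exposure factors (ties broken by address)."""
    clusters: dict[str, list[DeviceProfile]] = defaultdict(list)
    for p in build_profiles(flows).values():
        clusters[characterize(p, min_clients)].append(p)
    ranked = {}
    for label, members in clusters.items():
        scored = []
        for p in members:
            services, external, total = exposure_factors(p)
            scored.append((services * external * total, p.ip))
        ranked[label] = sorted(scored, key=lambda s: (-s[0], s[1]))
    return ranked


if __name__ == "__main__":
    for label, members in rank_devices(SAMPLE_FLOWS).items():
        print(label, members)
```

The product is what the rejection takes from Yumer rather than from Harris's weighted-rank sum, and it has a property worth noticing: any factor of zero sends the whole product to zero, so 10.1.1.11, reached by internal clients only, ranks last in the "server:80" cluster no matter how many services it exports, while 10.1.1.10 (two services, two external peers, four peers in total) ranks first with a product of 16. A sum of weighted ranks would not collapse in that way.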

As to Claim 2, Harris-Yumer-Pandian discloses the method of claim 1, wherein the activity-based network profile for the given device further identifies a device type of the given device and wherein the clustering is further based on the device type such that a plurality of devices having one or more of a substantially similar functional characterization and a substantially similar device type are grouped together, wherein the functional characterization assigns the device type to each device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 3, Harris-Yumer-Pandian discloses the method of claim 1, wherein the activity-based network profile for the given device further identifies, for each accessed service, (i) other devices that connect to the respective accessed service on the given device, and (ii) a local fraction metric based at least in part on a ratio of one or more network metrics of communications of other devices that accessed the respective accessed service on the given device to the one or more network metrics of communications of other devices that accessed any service on the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 4, Harris-Yumer-Pandian discloses the method of claim 1, further comprising: computing a centroid for each of the plurality of clusters; receiving a search request for the devices in the plurality of devices similar to a specified device; comparing the specified device to the computed centroids for the plurality of clusters; and returning the devices in the clusters having centroids similar to the specified device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614.  Paragraph [0379] of Harris discloses the clustering algorithm defines a centroid location for each cluster based on the variables used to the define the centroid location).

As to Claim 5, Harris-Yumer-Pandian discloses the method of claim 1, wherein the activity-based network profile for the given device further identifies, for each service accessed by the given device, (i) other devices where the given device accessed the respective service accessed by the given device, and (ii) a local fraction metric based at least in part on a ratio of one or more network metrics of communications of the given device with the respective service accessed by the given device to the one or more network metrics of communications with any service accessed by the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 6, Harris-Yumer-Pandian discloses the method of claim 1, wherein the functional characterization is further derived from one or more of the activity-based profile, the local fraction metric, a threshold value for a minimum number of network addresses that communicated with the given device, and a threshold value for the ratio of the number of services communicating with the given device, and a threshold for the ratio between the number of services and the number of network addresses communicating with the device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 8, Harris-Yumer-Pandian discloses the method of claim 1, wherein the ranking the devices within each cluster based at least in part on the network exposure orders the devices assigned to a given cluster based at least in part on one or more of a total number of distinct services communicating with the given device, a number of network addresses external to the at least one network of the enterprise that communicated with each given device, and a total number of network addresses that communicated with each given device (Paragraph [0179] of Pandian discloses devices are filtered, sorted, and/or grouped based on the respective risk scores associated with the devices. For example, devices associated with higher risk scores (indicating higher level of risk) may be sorted to appear first, while devices associated with lower risk scores may be sorted to appear last.).

As to Claim 9, Harris-Yumer-Pandian discloses the method of claim 1, further comprising assigning devices that do not demonstrate a functional characterization to a cluster using a divide and conquer clustering algorithm to form groupings based at least in part on one or more of a profile-similarity, a network proximity, and a device address proximity, wherein the divide and conquer clustering algorithm evaluates, for the given device, one or more of a set of services communicating with the given device, a total number of network addresses communicating with the given device and a network address of the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 10, Harris-Yumer-Pandian discloses the method of claim 1, wherein the activity-based network profile for the given device is based at least in part on one or more network metrics comprising one or more of a number of distinct network addresses, a total amount of data transferred, a total amount of data uploaded, a total amount of data downloaded and a duration of communication (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 11, Harris-Yumer-Pandian discloses the method of claim 1, wherein the functional characterization of the given device is provided by a subject matter expert, and wherein at least one additional device that satisfies at least one similarity criteria is assigned to the same cluster as the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 12, Harris-Yumer-Pandian discloses the method of claim 1, wherein the activity-based network profile for the given device of the plurality of devices is generated by associating, with each device of the plurality of devices, a numeric feature vector that represents quantitative information about services the device exports and imports (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 13, Harris-Yumer-Pandian discloses the method of claim 1, wherein the identifying is passive with respect to the devices connected to the at least one network (Paragraph [0055] of Harris discloses network activity data capture device(s) 104 may include one or more computing devices that are collector computing devices that receive network flow records from routers and switches related to communications with any of the plurality of monitored devices 102).

As to Claim 14, Harris-Yumer-Pandian discloses the method of claim 1, further comprising evaluating the device communications to identify one or more previously unknown devices or a deviation of the given device from an original profile (Paragraph [0294] of Harris discloses a number of deviations of the computed value from the mean value is computed for each variable).

As to Claim 15, Harris-Yumer-Pandian discloses the method of claim 1, further comprising generating content or contextual details for at least one of the plurality of devices based at least in part on one or more of: (a) the activity-based network profile for each of the plurality of devices, (b) the devices within at least one cluster, and (c) the ranking of the devices within at least one cluster (Paragraph [0307] of Harris discloses a weighted rank for each variable is computed by multiplying the computed rank by the weight defined for the selected variable.  Paragraph [0308] of Harris discloses the computed weighted rank is added to the combined weighted rank value).

As to Claim 16, Harris-Yumer-Pandian discloses the method of claim 1, wherein the identifying device communications comprises processing one or more of network traffic on the at least one network and log entries for one or more of the devices connected to the at least one network (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.).

As to Claim 17, Harris discloses an apparatus comprising: at least one processing device comprising a processor coupled to a memory; the at least one processing device being configured to implement the following steps: 
identifying device communications over at least one network of an enterprise (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.); 
evaluating the device communications to identify one or more services that communicated with, using the at least one network, a plurality of devices of the enterprise connected to the at least one network (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.); 
generating an activity-based network profile for each device of the plurality of devices based at least in part on the identified one or more services that communicated with each respective device of the plurality of devices, wherein the activity-based network profile for a given device of the plurality of devices: (i) identifies the one or more services that communicated with the given device for each service that communicated with the given device, (ii) identifies other devices of the plurality of devices that communicate with a respective service on the given device, and (iii) provides a local fraction metric based at least in part on one or more network metrics of the other devices of the plurality of devices that communicate with the respective service on the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614);
clustering the devices into a plurality of clusters based at least in part on a functional characterization of the devices derived from the activity-based network profiles (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614); and 
ranking the devices within one or more clusters based on one or more of network activity and network exposure (Figure 22 of Harris discloses searching for risk scores by peer group);
ranking the devices within one or more clusters based at least in part on factors of: a total number of services exported; a number of external IP addresses that access each device; and a total number of IP addresses that access the network (Paragraph [0315] of Harris discloses the peer group comparative statistics include a total counter value and the number of deviations value computed for the source IP address and user pair and a maximum value, a minimum value, a mean value, a standard deviation value, and a population size value for the peer group for each variable of the variables indicated by the fourth indicator. For example, the total counter value for the variable DistinctInternalDstIpmeasure is a number of unique internal destination IP addresses contacted by the source IP address and user pair during the last reporting time period. The total counter value for the variable DistinctExternalDstIpmeasure is a number of unique external destination IP addresses contacted. The total counter value for the variable WebProxyDstIpmeasure is a number of unique external destination IP addresses connected through a web proxy server.); 
computing a [product] of the factors (Paragraph [0307] of Harris discloses a weighted rank for each variable is computed by multiplying the computed rank by the weight defined for the selected variable.  Paragraph [0308] of Harris discloses the computed weighted rank is added to the combined weighted rank value); and 
generating an [ordered] rank of devices from high to low [product] value, [such that the rank of the devices is ordered from high risk to low risk] (Figure 22 of Harris discloses searching for risk scores by peer group).
Harris does not explicitly disclose a product of the factors.
However, Yumer discloses this.  Column 11 lines 1-30 of Yumer disclose calculation module 110 may calculate the network risk score according to the following formula: SUM(ApplicationActivity*ApplicationThreatLevel), such that ApplicationActivity and ApplicationThreatLevel are multiplied as a product for each hacking tool downloaded by organization computers over the period of time and then all of these products are added together.  In other examples, one or more of the summation operations may be replaced by a multiplication operation (and vice versa).
Examiner recites the same rationale to combine used for claim 1.
Harris does not explicitly disclose an ordered rank such that the rank of the devices is ordered from high risk to low risk.
However, Pandian discloses this.  Paragraph [0179] of Pandian discloses devices are filtered, sorted, and/or grouped based on the respective risk scores associated with the devices. For example, devices associated with higher risk scores (indicating higher level of risk) may be sorted to appear first, while devices associated with lower risk scores may be sorted to appear last.
Examiner recites the same rationale to combine used for claim 1.

As to Claim 18, Harris-Yumer-Pandian discloses the apparatus of claim 17, wherein the activity-based network profile for the given device further identifies a device type of the given device and wherein the clustering is further based on the device type such that a plurality of devices having one or more of a substantially similar functional characterization and a substantially similar device type are grouped together, wherein the functional characterization assigns the device type to each device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

As to Claim 19, Harris discloses a non-transitory processor-readable storage medium having stored therein program code of one or more software programs, wherein the program code when executed by at least one processing device causes the at least one processing device to perform the following steps: 
identifying device communications over at least one network of an enterprise (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.); 
evaluating the device communications to identify one or more services that communicated with, using the at least one network, a plurality of devices of the enterprise connected to the at least one network (Paragraph [0052] of Harris discloses the network flow record may be exported to network activity data capture device(s) 104, for example, using UDP or stream control transmission protocol (SCTP). The network flow record may include a start time and date of the network flow, a last (or most recent) time and date of the network flow, the IP protocol value of the network flow, the source IP address value and source port of the network flow, the destination IP address value and destination port of the network flow, a number of packets of the network flow, a total number of bytes of the network flow, a minimum packet length of the network flow, a maximum packet length of the network flow, a number of network flows between the source and destination IP addresses of the network flow, IP type of service value, input interface value, output interface value, TCP flags seen for the network flow, etc.); 
generating an activity-based network profile for each device of the plurality of devices based at least in part on the identified one or more services that communicated with each respective device of the plurality of devices, wherein the activity-based network profile for a given device of the plurality of devices: (i) identifies the one or more services that communicated with the given device for each service that communicated with the given device, (ii) identifies other devices of the plurality of devices that communicate with a respective service on the given device, and (iii) provides a local fraction metric based at least in part on one or more network metrics of the other devices of the plurality of devices that communicate with the respective service on the given device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614);
clustering the devices into a plurality of clusters based on a functional characterization of the devices derived from the activity-based network profiles (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614); and 
ranking the devices within one or more clusters based on one or more of network activity and network exposure (Figure 22 of Harris discloses searching for risk scores by peer group);
ranking the devices within one or more clusters based at least in part on factors of: a total number of services exported; a number of external IP addresses that access each device; and a total number of IP addresses that access the network (Paragraph [0315] of Harris discloses the peer group comparative statistics include a total counter value and the number of deviations value computed for the source IP address and user pair and a maximum value, a minimum value, a mean value, a standard deviation value, and a population size value for the peer group for each variable of the variables indicated by the fourth indicator. For example, the total counter value for the variable DistinctInternalDstIpmeasure is a number of unique internal destination IP addresses contacted by the source IP address and user pair during the last reporting time period. The total counter value for the variable DistinctExternalDstIpmeasure is a number of unique external destination IP addresses contacted. The total counter value for the variable WebProxyDstIpmeasure is a number of unique external destination IP addresses connected through a web proxy server.); 
computing a [product] of the factors (Paragraph [0307] of Harris discloses a weighted rank for each variable is computed by multiplying the computed rank by the weight defined for the selected variable.  Paragraph [0308] of Harris discloses the computed weighted rank is added to the combined weighted rank value); and 
generating an [ordered] rank of devices from high to low [product] value, [such that the rank of the devices is ordered from high risk to low risk] (Figure 22 of Harris discloses searching for risk scores by peer group).
Harris does not explicitly disclose a product of the factors.
However, Yumer discloses this.  Column 11 lines  1-30 of Yumer disclose calculation module 110 may calculate the network risk score according to the following formula: SUM(ApplicationActivity*ApplicationThreatLevel), such that ApplicationActivity and ApplicationThreatLevel are multiplied as a product for each hacking tool downloaded by organization computers over the period of time and then all of these products are added together.  In other examples, one or more of the summation operations may be replaced by a multiplication operation (and vice versa).
Examiner relies on the same rationale to combine set forth for claim 1.
Harris does not explicitly disclose ordered and such that the rank of the devices is ordered from high risk to low risk.
However, Pandian discloses this.  Paragraph [0179] of Pandian discloses devices are filtered, sorted, and/or grouped based on the respective risk scores associated with the devices. For example, devices associated with higher risk scores (indicating higher level of risk) may be sorted to appear first, while devices associated with lower risk scores may be sorted to appear last.
Examiner relies on the same rationale to combine set forth for claim 1.
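As an added illustration of the ranking steps recited in claim 19 (the per-device factors, a combined score, and an ordered list within each cluster), the following is example code written for this page; it is not the code of Harris, Yumer or Pandian and does not reproduce their systems. The flow records, the device-to-cluster labels, the address range treated as the enterprise network and the weights are all constructed, and "a total number of IP addresses that access the network" is read here as the count of distinct IPs reaching each device, which is an assumption.

```python
"""Worked illustration of a claim-19 style device ranking pipeline.

Added example for this page. Not the code of Harris, Yumer or Pandian.
Flow records, cluster labels, enterprise range and weights are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed enterprise address space; any source outside it counts as "external".
ENTERPRISE = ip_network("10.0.0.0/8")

# Constructed flow records: (source IP, destination IP, destination port).
# A real flow record carries many more fields; these three are all the
# per-device factors below need.
FLOWS = [
    ("203.0.113.5", "10.0.1.10", 443),
    ("203.0.113.6", "10.0.1.10", 443),
    ("198.51.100.7", "10.0.1.10", 80),
    ("10.0.2.20", "10.0.1.10", 22),
    ("203.0.113.5", "10.0.1.11", 443),
    ("10.0.2.20", "10.0.1.11", 443),
    ("10.0.1.10", "10.0.2.20", 5432),
    ("10.0.1.11", "10.0.2.20", 5432),
    ("10.0.3.30", "10.0.2.20", 22),
    ("10.0.1.10", "10.0.2.21", 5432),
    ("198.51.100.7", "10.0.2.21", 5432),
]

# Constructed cluster labels standing in for the output of the clustering step.
CLUSTERS = {"10.0.1.10": "web", "10.0.1.11": "web",
            "10.0.2.20": "db", "10.0.2.21": "db"}


def build_profiles(flows):
    """Per-device activity profile: number of services exported (distinct
    destination ports seen on the device), distinct IPs that reached it, and
    the external subset of those IPs."""
    services = defaultdict(set)
    callers = defaultdict(set)
    for src, dst, port in flows:
        services[dst].add(port)
        callers[dst].add(src)
    profiles = {}
    for dev in services:
        external = {ip for ip in callers[dev] if ip_address(ip) not in ENTERPRISE}
        profiles[dev] = {
            "services": len(services[dev]),
            "external_ips": len(external),
            "total_ips": len(callers[dev]),  # assumed reading of the third factor
        }
    return profiles


def product_score(factors):
    """Combination by product of the three factors, as claim 19 recites."""
    return factors["services"] * factors["external_ips"] * factors["total_ips"]


def weighted_rank_scores(profiles, weights):
    """Combination by weighted rank: rank each variable across devices,
    multiply the rank by the variable's weight, and sum the weighted ranks.
    Rank = 1 + number of devices with a strictly smaller value, so a larger
    value always yields a larger (riskier) rank and ties share a rank."""
    scores = defaultdict(int)
    for var, weight in weights.items():
        values = {dev: f[var] for dev, f in profiles.items()}
        for dev, value in values.items():
            rank = 1 + sum(1 for other in values.values() if other < value)
            scores[dev] += rank * weight
    return dict(scores)


def rank_within_clusters(scores, clusters):
    """Within each cluster, order devices from highest to lowest score.
    Ties fall back to the device address so the output is deterministic."""
    grouped = defaultdict(list)
    for dev, score in scores.items():
        grouped[clusters[dev]].append((dev, score))
    return {name: sorted(members, key=lambda m: (-m[1], m[0]))
            for name, members in grouped.items()}


if __name__ == "__main__":
    profiles = build_profiles(FLOWS)
    by_product = rank_within_clusters(
        {d: product_score(f) for d, f in profiles.items()}, CLUSTERS)
    by_rank = rank_within_clusters(
        weighted_rank_scores(profiles, {"services": 1, "external_ips": 2, "total_ips": 1}),
        CLUSTERS)
    for name in by_product:
        print(name, "product:", by_product[name], "weighted rank:", by_rank[name])
```

On the constructed data the two combinations disagree inside the db cluster: 10.0.2.20 exports the most services and is reached by the most devices but has no external callers, so its product is zero and it drops to the bottom, while the weighted-rank sum places it first. A product of raw counts goes to zero whenever any single factor is zero, which is worth keeping in mind when choosing between the two combinations for an ordered high-to-low risk list.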

As to Claim 20, Harris-Yumer-Pandian discloses the non-transitory processor-readable storage medium of claim 19, wherein the activity- based network profile for the given device further identifies a device type of the given device and wherein the clustering is further based on the device type such that a plurality of devices having one or more of a substantially similar functional characterization and a substantially similar device type are grouped together, wherein the functional characterization assigns the device type to each device (Paragraph [0373] of Harris discloses clustering algorithms include the k-means algorithm, Ward's minimum-variance algorithm, a hierarchical algorithm, a median algorithm, McQuitty's similarity analysis algorithm, etc. as understood by a person of skill in the art. For illustration, SAS/STAT® 13.1 provides clustering procedures (e.g., ACECLUS, CLUSTER, DISTANCE, FASTCLUS, MODECLUS, TREE, VARCLUS) to cluster device summary data 614 into groups or clusters, suggested by the data, not defined a priori, such that objects in a given cluster tend to be similar to each other in terms of the network behavior captured in device summary data 614).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Harris-Yumer-Pandian and further in view of US Pub. No. 2013/0007236 to Besehanic (hereinafter “Besehanic”).

As to Claim 7, Harris-Yumer-Pandian discloses the method of claim 1, wherein the ranking the devices within each cluster based at least in part on the network activity orders the devices assigned to a given cluster based at least in part on one or more network metrics of devices that communicated with only the services related to a main function of the given cluster.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the clustering system disclosed by Harris-Yumer-Pandian with the ranking of devices disclosed by Besehanic.  One of ordinary skill in the art would have been motivated to make the combination in order to apply a known technique to a similar device.  Harris and Besehanic are both directed toward network data analysis, and as such it would have been obvious to use the techniques of one in the other.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN S MAI whose telephone number is (571)270-5001.  The examiner can normally be reached on Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Philip Chea, can be reached on 571-272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 

/KEVIN S MAI/Primary Examiner, Art Unit 2456