Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is responsive to communications filed on 06/14/2021. Claims 38-59 are pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to 

Claims 38, 42, 44-49, 53 and 55-58 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pub. No. 2018/0191746 (“De Knijf”), and further in view of U.S. Pub. No. 2019/0020663 (“Bartos”).

Regarding claim 38, De Knijf teaches a method for classifying Internet of Things (IoT) devices, the method comprising: 
receiving network flow counter data from at least one network traffic flow for at least one unknown IoT device in a network (Fig. 2, 220; “The device statistic can include various combinations of one or more of statistical amount of inbound or outbound network traffic, a type of network traffic, a source and destination port of a packet, a destination address of the packet, time between the packet arrival and transmission, a duration of a connection, and the like,” ¶ [0006]); 
applying one or more classifiers to the at least one statistical attribute, wherein the one or more classifiers function to identify the unknown IoT device as a reference IoT device type based on the at least one statistical attribute (“The system can further comprise a behavior analyzer configured to receive the data stream of the devices, compare behavioral data of the data stream of the devices with a behavior profile of at least one functional group and, based on the comparison, assign a device type associated with the at least one functional group to the devices,” ¶ [0006]); and 
216, the device type, and optionally brand and model of the previously unknown devices, can be updated when the categorization confidence exceeds a predetermined or configurable threshold. Newly updated unknown IoT devices can be assigned to a known device functional group database,” ¶ [0040]).
De Knijf fails to teach constructing at least one waveform based on the network flow counter data and at least one network flow rule; and computing at least one statistical attribute of the at least one waveform at one or more time intervals. Bartos teaches constructing at least one waveform based on the network flow counter data and at least one network flow rule (“the device may generate one or more time series of characteristics of client-server communications observed in a network for a particular client in the network. Such characteristics may include, for example, the number of bytes observed at different times in the communications, the number of flows observed at different times in the communications, the number of packets observed at different times in the communications, and/or any other characteristics of the client-server communications that can be determined from captured traffic data logs regarding the communications,” ¶ [0098]; “traffic analysis 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions. For example, traffic flows may be grouped based on their sources, destinations, temporal characteristics (e.g., flows that occur around the same time, etc.), combinations thereof, or based on any other set of flow characteristics,” ¶ [0041]); and computing at least one statistical attribute of the at least one waveform at one or more time intervals (“the device may

Regarding claim 49, De Knijf teaches a system for classifying Internet of Things (IoT) devices, the system comprising electronic circuitry (Fig. 3; ¶¶ [0043]-[0046]) configured to: 
receive network flow counter data from at least one network traffic flow for at least one unknown IoT device in a network (Fig. 2, 220; “The device statistic can include various combinations of one or more of statistical amount of inbound or outbound network traffic, a type of network traffic, a source and destination port of a packet, a destination address of the packet, time between the packet arrival and transmission, a duration of a connection, and the like,” ¶ [0006]); 
apply one or more classifiers to the at least one statistical attribute, wherein the one or more classifiers function to identify the unknown IoT device as a reference IoT device type based on the at least one statistical attribute (“The system can further 
label the unknown IoT device as the reference device type if the one or more classifiers identifies the unknown IoT device as the reference IoT device type (Fig. 2, 216; “At block 216, the device type, and optionally brand and model of the previously unknown devices, can be updated when the categorization confidence exceeds a predetermined or configurable threshold. Newly updated unknown IoT devices can be assigned to a known device functional group database,” ¶ [0040]).
De Knijf fails to teach constructing at least one waveform based on the network flow counter data and at least one network flow rule; and computing at least one statistical attribute of the at least one waveform at one or more time intervals. Bartos teaches constructing at least one waveform based on the network flow counter data and at least one network flow rule (“the device may generate one or more time series of characteristics of client-server communications observed in a network for a particular client in the network. Such characteristics may include, for example, the number of bytes observed at different times in the communications, the number of flows observed at different times in the communications, the number of packets observed at different times in the communications, and/or any other characteristics of the client-server communications that can be determined from captured traffic data logs regarding the communications,” ¶ [0098]; “traffic analysis 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions. For example, traffic

Regarding claims 42 and 53, De Knijf-Bartos teaches the invention of claims 38 and 49, and further teaches that the at least one network flow rule is generated based on one or more of: an upstream and a downstream DNS flow; an upstream and a downstream NTP flow; at least one downstream SSDP flow; an upstream and a downstream remote network flow; or an upstream local network flow (De Knijf: “Data stream monitor 106 can capture the data flow of devices in the local network 102 such as IoT devices 110-117, monitor nodes 118-119, computer 120, and any other devices on local network 102,” ¶ [0020]; “The device statistic can include various combinations 400 and server 402 may include, but are not limited to, HTTP(S) request-response pairs, a single TCP or UDP communication, a NetFlow message, domain name system (DNS) request-response pairs, or any other type of network traffic,” ¶ [0046]).

Regarding claims 44 and 55, De Knijf-Bartos teaches the invention of claims 38 and 49, and further teaches that the network flow counter data includes at least one of: a packet or a byte count of a network flow rule (Bartos: “Such characteristics may include, for example, the number of bytes observed at different times in the communications, the number of flows observed at different times in the communications, the number of packets observed at different times in the communications, and/or any other characteristics of the client-server communications that can be determined from captured traffic data logs regarding the communications,” ¶ [0098]).

Regarding claims 45 and 56, De Knijf-Bartos teaches the invention of claims 38 and 49, and further teaches that the one or more time intervals are sampled at one or more of: equal time intervals, time intervals defined by a geometric sum, or a specified time interval (Bartos: “Other partitioning can entail grouping communications according to server, possibly coupled with other information such as server port, etc., and then each group split into partitions with equal time windows or sizes (e.g., number of flows, etc.),” ¶ [0074]).

Regarding claims 46 and 57, De Knijf-Bartos teaches the invention of claims 38 and 49, and further teaches that computing the at least one statistical attribute comprises reducing the dimensionality of the at least one statistical attribute by at least one of removing redundant statistical attributes or combining statistical attributes (De Knijf: “The similarity score can be a weighted combination of the various network device statistics 108, or a vector formed from the network device statistics. These similarity scores are then combined in order to determine the device type,” ¶ [0039]).

Regarding claims 47 and 58, De Knijf-Bartos teaches the invention of claims 38 and 49, and further teaches that the one or more classifiers includes at least one of: a one-class classifier or a multi-class classifier (De Knijf: “Previously considered statistical patterns such as, types of device, brand name of manufacturer, MAC address, model information may be determined. In some aspect, a functional group is a group that performs the same task. For example, one such group can be IP-cameras (of different vendors, with different operating systems). Another group can be media players such as smart speaker systems, smart televisions, and the like,” ¶ [0034]).

Regarding claims 48 and 59, De Knijf-Bartos teaches the invention of claims 38 and 49, and further teaches generating a plurality of consistency scores of the one or more classifiers over time to determine whether a consistency score threshold has been reached (De Knijf: “It should be noted that this learning process is a continuous process. That is, it is very likely that the behavior of devices will change over time and that new 126 regularly in order to update the estimates for normal behavior,” ¶ [0036]; “It should be noted that this learning process is a continuous process. That is, it is very likely that the behavior of devices will change over time and that new types of IoT devices will arise. As such, it is desirable to update the behavior database 126 regularly in order to update the estimates for normal behavior,” ¶ [0037]; “It should be noted that this learning process is a continuous process. That is, it is very likely that the behavior of devices will change over time and that new types of IoT devices will arise. As such, it is desirable to update the behavior database 126 regularly in order to update the estimates for normal behavior,” ¶ [0039]).

Claims 39-41 and 50-52 are rejected under 35 U.S.C. 103 as being unpatentable over De Knijf-Bartos as applied to claims 38 and 49 above, and further in view of U.S. Pat. No. 10,623,289 (“McCorkendale”).

Regarding claims 39 and 50, De Knijf-Bartos teaches the invention of claims 38 and 49, but fails to teach classifying a corresponding operating state of a labeled IoT device based on the at least one statistical attribute of the at least one waveform at one or more time intervals. McCorkendale teaches classifying a corresponding operating state of a labeled IoT device based on the behavioral characteristics of the device (“determine, at the networking device while passively monitoring the network traffic of the endpoint device, that the endpoint device is nonfunctional by detecting (a) an absence of the functional pattern in the network traffic of the endpoint device and/or (b) 
While McCorkendale does not disclose that the state is classified based on at least one statistical attribute of the at least one waveform at one or more time intervals, Bartos discloses determining the behavioral characteristics of a device based on at least one statistical attribute of the at least one waveform at one or more time intervals (Bartos: “the measures of behavioral similarity between the compared time windows may be provided as input to a machine learning-based malware detector. For example, feature vectors can be derived using any or all of the above techniques and concatenated into fixed-sized vectors representing communication from the client to a single server or communication from the client to a group of servers (e.g., summary statistics can be computed such as the mean and standard deviation, etc.),” ¶ [0094]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate state detection, as taught by McCorkendale, into De Knijf-Bartos, in order to return a device to a functional state upon detecting a state change to a non-functional state.

Regarding claims 40 and 51, De Knijf-Bartos-McCorkendale teaches the invention of claims 39 and 50, and further teaches that the operating state is based on network traffic behaviours (McCorkendale: “determine, at the networking device while passively monitoring the network traffic of the endpoint device, that the endpoint device is nonfunctional by detecting (a) an absence of the functional pattern in the network 

Regarding claims 41 and 52, De Knijf-Bartos-McCorkendale teaches the invention of claims 40 and 51, and further teaches that the network traffic behaviours indicate at least one of: a booting operating state, an active operating state, or an idle operating state (McCorkendale: “Endpoint devices may be in various functional or nonfunctional states during their lifetimes. As used herein, the term “functional state” and/or the term “functional” generally refers to any state or configuration of an endpoint device and/or a service running on the endpoint device in which the endpoint device and/or the service is operating properly, correctly, and as desired,” Col. 7, lines 37-65).

Claims 43 and 54 are rejected under 35 U.S.C. 103 as being unpatentable over De Knijf-Bartos as applied to claims 38 and 49 above, and further in view of U.S. Pub. No. 2018/0278500 (“Feamster”).

Regarding claims 43 and 54, De Knijf-Bartos teaches the invention of claims 38 and 49, but fails to teach that the at least one network flow rule is stored in a flow table on a programmable network switch. Feamster teaches at least one network flow rule is stored in a flow table on a programmable network switch (“Programmable switches such as OpenFlow switches make it possible to capture subsets of traffic by inserting rules in the switches that rely on simple match criteria in packet headers; software controllers update these rules and make it possible to update these rules in real-time, creating the 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JULIAN CHANG whose telephone number is (571)272-8631. The examiner can normally be reached Monday-Friday 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on (571)272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is 

JULIAN CHANG
Examiner
Art Unit 2455



/Julian Chang/Examiner, Art Unit 2455 

/EMMANUEL L MOISE/Supervisory Patent Examiner, Art Unit 2455