DETAILED ACTION
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	This Office Action is in response to the amendment filed on 11/05/2021; claim(s) 1-20 is/are pending in this application; claim(s) 1, 18, & 20 is/are independent claim(s). 
	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Response to Arguments
	Applicant’s arguments, see Remarks, page 11, filed 11/05/2021, with respect to the amended limitations of independent claims have been fully considered and are persuasive.  Therefore, the outstanding 102 rejection has been withdrawn.  
	However, upon further consideration, a new ground(s) of rejection is made in view of discovery of new art and its combination as shown below. Specifically, Elsner is relied on to map the argued features. More particularly, Elsner teaches, inter alia:
	[0050], To this end, FIG. 6 depicts the basic operating principle of the behavior analysis and modeling technique of this disclosure. As depicted in the top half FIG. 6, …As will be seen, the technique of this disclosure exploits these differences in access patterns to facilitate a determination regarding user behavior being analyzed. Thus, and as depicted in the bottom portion of FIG. 6, the basic operation of the system detects if the behavior of a user 604 deviates from his or her defined LDAP group. To this end, the system clusters users, preferably using real access pattern data, and then flags the user 604 (from the engineering LDAP group 600) for deviating towards the marketing LDAP group 602. If such deviation is identified, a given action (e.g., issuing an alert) is taken


Claim Objections
	In view of the received amendment to the claims, the outstanding claim objections are withdrawn.

Claim Rejections - 35 USC § 101/112
	In view of the received amendment to the claims, the outstanding claim rejections under 101 & 112(b) are withdrawn.

Claim Rejections - 35 USC § 103

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ektare et al1. [Ektare] (US 20190098028 A1) in view of Elsner et al. [Elsner] (US 20190349391 A1).

Regarding claim 1, Ektare teaches a computing system [system of fig. 1 with IoT Management Visualization System 108 that implements2 various subsystems including the sub-system 2200 shown in fig. 22] comprising: ([0232])
one or more processors; and one or more computer readable hardware devices having stored thereon computer executable instructions that are structured such that, when executed by the one or more processors, configure the computing system to perform a method for monitoring operations of a plurality of different types of devices to determine and alert [“presentation of assessed risk levels of IoT devices…abnormal IoT device behaviors presented”] when operation of devices has varied from usual operation ([0029-0035, 0069-0070]), the computing system configured to:
- collect operation logs associated with operations of a plurality of devices that have reported operations over a network each operation log corresponding to a multi-dimensional dataset generated by a device among the plurality of devices during operation of the device (Fig. 1, [0055, 0068, 0206, 0237]);
- 
the IoT devices are grouped into an IoT device dimension group according to IoT device dimensions using the IoT device profiles”; “functions to automatically define IoT device dimension groups.”] based on IoT device dimensions 
- for each of at least some of the multiple groups of devices, define a standard [“normal operational behavior”] operation for the corresponding group of 
- for at least one of the groups for which the standard operation is defined, monitor operation of a plurality of devices in that group to determine that operation of one of the monitored devices in that group has varied [“it deviates past a threshold amount from normal operational behavior of either it or associated IoT devices”. The associated devices can be understood (by PHOSITA based on entire disclosure of Ektare) as devices of the group] from the defined standard operation for that group and in response to determining that operation of one of the monitored devices has varied from the defined standard operation, alert [“present an alert to a user indicating the IoT device has deviated from normal operation behavior”] about the monitored device varying from the defined standard operation ([0055, 0070, 0076, 0256, 0260]).
While Ektare is directed to determining abnormal behaving IoT devices [the pluralities of the IoT devices 104-1 to 104-n, fig. 1, para. 0039, 005], wherein some of the devices can be mobile devices (“Examples of IoT devices include thermostats, mobile devices, biological managers, sensory devices, and functionality performing devices”) 
Therefore, Ektare does not teach features shown above with 
(i) map each device to a position in a multi-dimensional space based on the multidimensional dataset of a corresponding operation log;
(ii) its grouping the devices into multiple groups is based on their positions in the multi-dimensional space;
(iii) its defined standard operation for the corresponding group of devices is based on the multi-dimensional datasets of the corresponding operation logs generated by the corresponding group of devices as claimed.
Elsner is directed to a machine learning-based technique for user behavior analysis to detect when users deviate from expected behavior by building a model and using the model to identify users that deviate from their expected group behavior (Abstract, fig. 6). Specifically, Elsner teaches a computing system [device that executes the method of fig. 7] configured to:
- collect [“a training set is then obtained. To this end, and at step (2), preferably low-level category security events are ingested from a log server 702 for these users” in fig. 7] operation logs associated with operations of a plurality of users that have reported operations over network, each operation log corresponding to a multi-dimensional dataset [fig. 6 shows data log corresponds to two or multi-dimensional in the similar manner as in applicant’s figs. 4-7] generated by a device among the plurality of users during operation of the users ([0050, 0054]);
the users are clustered into n clusters (typically, the total number of LDAP groups)” and fig. 6 clearly shows they are in different positions] each user to a position [“empirical distribution 714 for the Jaccard distances (D.sub.J) is computed across all users and all dates”] in a multi-dimensional space based on the multidimensional dataset of a corresponding operation log, group [“users are identified with one or more defined groups”] the plurality of users into multiple groups based on their positions in the multi-dimensional space (Fig. 6, [0050, 0060, 0062, 0065]);
- for each of at least some of the multiple groups of users, define a standard operation [the group’s boundary/area within the circle as shown in fig. 6] for the corresponding group of users based on the multi-dimensional datasets of the corresponding operation logs generated by the corresponding group of devices and for at least one of the groups for which the standard operation is defined, monitor operation of a plurality of users in that group to determine that operation of one of the monitored users in that group has varied from the defined standard operation for that group and in response to determining [“user is then flagged… such case, preferably a given action is taken, e.g., an alert is delivered to a user interface”] that operation of one of the monitored users has varied from the defined standard operation, alert [“particular user's behavior is sufficiently deviant, his or her learned group and LDAP group typically will differ, and depending on the degree of that difference (given the configurable threshold), an alert is generated”] about the monitored device varying from the defined standard operation (Fig. 7, [0062-0066]).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to (1) combine the teachings of Elsner and 

Regarding claim 2, Ektare further teaches the computing system in accordance with Claim 1, wherein the defined standard operation of each of the plurality of devices is at least in part based, for least some of the plurality of devices, on a standard communication pattern [pattern during “packets can be analyzed using deep packet”] between the device and a cloud service ([0105, 0126, 0192], figs. 4, 8).

Regarding claim 3, Ektare further teaches the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for least some of the plurality of devices, a cloud service command identity or type [“data traffic to and from an IoT device”] issued by the device to a cloud service ([0127, 0147, 0222]).

Regarding claim 4, Ektare further teaches the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is packet type of data packets”] of message exchanged between the device and a cloud service ([0206-0207]).

Regarding claim 5, Ektare in view of Elsner further teaches/suggests the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for least some of the plurality of devices, a size [“packet type and data contained in data packets” and “amount of bandwidth an IoT device is consuming” as part of the packet inspection in the context of Ektare’s disclosure can be implicitly understood by PHOSITA as size of the packet ] of message exchanged between the device and a cloud service (Ektare, [0051, 0081] & Fig. 6 of Elsner).
Regarding claim 6, Ektare further teaches the computing system in accordance with Claim 2, wherein the defined standard [“normal” after inspection of the packets or data of the IoT device(s)] operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for least some of the plurality of devices, a usual frequency of messages exchanged between the device and a cloud service ([0051, 0057]).
Regarding claim 7, Ektare further teaches the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for least 
Regarding claim 8, Ektare in view of Elsner further teaches the computing system in accordance with claim 1, the defined standard operation of each of the plurality of devices being based on multiple operational characteristics, each of which corresponds to one dimension in the multi-dimensional space, collecting of the operation logs comprising placing an identifier for each of the plurality of devices in multi-dimensional space (Ektare, [0072-0073, 0218] & Elsner, [0050]).
Regarding claim 9, Ektare further teaches the computing system in accordance with Claim 8, the grouping the plurality of devices based on the reported operations to thereby form multiple groups of devices grouped by operational similarity comprising:
grouping [“device clustering”] the plurality of devices based on how their identifiers cluster within the multi-dimensional space ([0072, 0134, 0228, 0239]).
Regarding claim 10, Ektare in view of Elsner further teaches the computing system in accordance with Claim 9, the monitoring operation of a plurality of devices in a particular group to determine that operation of one of the monitored devices in the particular group has varied from the defined standard operation for that group:
monitoring movement of position of identifiers of the particular group within the multi-dimensional space to determine that the identifier for the one of the monitored devices has moved away [“IoT device dimensions include types of IoT…temporal location of an IoT device” and “access log can include an identification…locations of the user when accessing the IoT device”] from a cluster associated with the particular group (Ektare, [0072, 0080] & Elsner [0050]).
Regarding claim 11, Ektare further teaches the computing system in accordance with Claim 1, the monitoring resulting in a determination that multiple of the plurality of devices have varied from defined standard operation, the computing system further configured to:
estimate whether [identifying abnormal change vs expected change such as summer and winter operations of the thermostat] the variances are causally (occurrence of the first causing the second) related ([0163]).
Regarding claim 12, Ektare in view of Elsner further teaches the computing system in accordance with Claim 11, the alerting comprising reporting [“present risk assessment data to a user either or both periodically”] regarding the causal relation (Ektare, [0066-0068] & Elsner [0044]).
Regarding claim 13, Ektare in view of Elsner further teaches the computing system in accordance with Claim 11, the alerting comprising reporting an estimated cause [“determine the root cause of a network issue”] of the variance ([0046, 0066, 0073, 0159] & Elsner [0043]).
Regarding claim 14, Ektare further teaches the computing system in accordance with Claim 1, each of at least some of the plurality of devices being connected [connection of devices with system 108 using computer-readable medium 102 which can include a bus or other data conduit or plane… encompass a relevant portion of a WAN or other] to a cloud computing environment either directly, or through a proxy computing system (Fig. 1, [0028]).

Regarding claim 15, Ektare further teaches the computing system in accordance with Claim 1, the computing system is part of a cloud computing service ([0034, 0036, 0084]).
Regarding claim 16, Ektare in view of Elsner further teaches the computing system in accordance with Claim 1, the grouping of the plurality of devices based on the reported operations to thereby form multiple groups of devices grouped by operational similarity comprising:
estimating a probability that each of at least some of the plurality of devices are in each of at least one of the plurality of groups (Elsner, [062]).
Regarding claim 17, Ektare in view of Elsner further teaches/suggests the computing system in accordance with Claim 16, such that the determination that a device has varied from the defined standard operation for a group also results in a change in estimated probability that the device is within the group (Elsner [0060, 0062]). 
Regarding claim 18, Ektare in view of Elsner teaches/suggests invention of this claim for the similar reasons as set forth in claim 1.
Regarding claim 19, Ektare further teaches the method in accordance with Claim 18, the method being performed without [“visualization system 108 can automatically define IoT device management policies”; “dimension group can be generated automatically based on operational characteristics”] updating software on any of the plurality of devices ([0076, 0231, 0237]).
Regarding claim 20, Ektare in view of Elsner teaches/suggests invention of this claim for the similar reasons as in claim 1.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contacts
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANTOSH R. POUDEL whose telephone number is (571)272-2347.  The examiner can normally be reached on Monday - Friday (8:30 am - 5:00 pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SANTOSH R POUDEL/ Primary Examiner, Art Unit 2115

        1 Ektare is reference of the record.
        2 “system 2202 can be included as part of an applicable system for controlling presentation of data used in managing IoT devices in operation, such as the IoT device management visualization systems described in this paper”.