Notice of Pre-AIA  or AIA  Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
	Claims 1-20 are pending.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 11-15-2021, 03-02-2021 and 06-01-2020 have been considered. Please see attached PTO-1449. 
Objection to specification (abstract)

	The abstract must be as concise as the disclosure permits, preferably not exceeding 150 words in length. The abstract may not include other parts of the application or other material.(MPEP 608.01 (b)).

	The abstract has been objected to for the following informalities:

	The abstract should be 150 words or less. The abstract exceeds 150 word. Appropriate correction required.
Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
s 1, 4, 7, 8, 11, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Yu et al. (US Patent No. 9,060,018 ) in view of Reybok, JR. et al. (US Publication No.2017/0171231).
	As per claims 1, 8 and 15, Yu discloses a method for analyzing relationships between clusters of devices, the method comprising: selecting a first device from a first cluster of devices and selecting a second device from a second cluster of devices;  obtaining information related to a first communication link associated with the first device (column 2, lines 37-40, “the system can detect a communication link 108a through which an internal computer 102 has communicated with an external computer 106a”. Column 2, lines 20-22 recites the internal computers 102a-f can be distributed among different geographic location) and obtaining information related to a second communication link associated with the second device (“[d]etection of a communication link 108b between an internal computer 102b and the external computer 106a indicates that the internal computer 102b communicated with the external computer 106a”); computing a similarity metric representing a similarity between the first communication link and the second communication link based on the obtained information (figure 2, column 6, lines 41-59, creating matrix indicating if computer 102a-f has communicated with the external computer by assigning a first value of 1 if computer 102a-f has communicated with external computer and assigning a value 0 if computer 102a-f has not communicated with the external computer. The values 1 and 0 representing communication links similarities between computer 102a-f ); determining a relationship between the first cluster and the second cluster using the computed similarity metric (column 11, lines 47-49 and columns 16, line 61-colum 17, line 8, distances between clusters have been identified, the system can create larger clusters from smaller clusters by grouping cluster that are closest in distance to each other); and when a cyberattack is detected on one of the devices in the first cluster or the second cluster the system restrict communication within the computer network in order to defend the first cluster and the second cluster from cyber attack (column 15, lines 28-30 and 42-45, detecting malware attack and restrict communications).

	While Yu discloses when a cyberattack is detected on one of the devices in the first cluster or the second cluster, communication is restricted, Yu does not explicitly disclose  but in an analogous art, Reybok discloses once cyber attack is detected modifying protection of all devices in the first cluster and the second cluster based on the determined relationship in order to defend the first cluster and the second cluster from the cyberattack (paragraph [0030], “identify and/or automatically deploy mitigation measures (e.g., a firewall rule) for the new network threat. A quick response to new network threats enabled by information sharing among many client networks may decrease the exposure of the client networks to these new networks threats and enhance network security for the client networks”; paragraph [0034], “hub also maintains stored affiliations between various client networks, i.e., linking them together as groups. This information is used to correlate attacks, identify net threat indicators, and provide actionable information to specific entities (i.e., networks) regarding possible attack… the hub formulates message(s) to convey an alert (e.g., including the indicator) to one or more of the client networks in the group… , where it is anticipated the client will take some sort of action, e.g., search for presence of the threat, optionally configure networks to mitigate the threat).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yu to include, once cyber attack is detected modifying protection of all devices in the first cluster and the second cluster based on the determined relationship in order to defend the first cluster and the second cluster from the cyberattack, as discloses by Reybok. This would have been obvious because one of ordinary skill in the art would have been motivated to decrease the exposure of the client network to new networks threats and enhance network security for the client networks. 
	As per claim 4,11 and 18, Yu furthermore discloses, wherein two communication links are identified as similar if the distance between an N-dimensional vector of characteristics of a first communication link and an N-dimensional vector of characteristics of a second communication link in N-dimensional space is less than a threshold value (column 3, lines 51-57, column 15, lines 4-27, “the system can set a threshold of N to indicate that computers having communication link profiles that differ by no more than N communication links are grouped into the same computer cluster”).
	As per claim 7, Yu furthermore discloses generating an intercluster link profile using the computed similarity metric (column 9, lines 50-57, component matrix 302 summarizes communication patterns for the internal computers 202a-f with each of the internal computer 202a-f represent d by a row of the first component matrix 303”).

	Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Yu et al. in view of Reybok, JR. et al., further in view of Rao et al. (US Publication No.  2019/0123985)
	As per claim 2, 9 and 16, Yu in view of Reybok teaches all limitations of claim as applied to claims 1, 8 and 15 above. Yu furthermore discloses, the devices are grouped into the first cluster and the second cluster based on a similarity of corresponding communication links (column 3, lines 38-48, computers 102a and 102 b having identical communication link profiles are grouped in to a computer cluster 110 a, and computer 102c and 102d having identical communication link profiles are grouped into computer cluster 110b). Yu in view of Reybok does not explicitly disclose but in an analogous art, Rao discloses, the first cluster of devices comprises a first home network and the second cluster of devices comprises a second home network (figure 3, paragraph [0075]-[0076], first network (home network) node cluster 304, second network (home network) cluster 308, each associated with plurality of tenants). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yu and Reybok to include the first cluster of devices comprises a first home network and the second cluster of devices comprises a second home network, as disclosed by Rao. This would have been obvious because one of ordinary skill in the art would have been motivated to collect and monitor data traffic between different and separate networks. 

	Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Yu et al. in view of Reybok, JR. et al., further in view of Pidathala et al. (US Publication No.  2015/0007312).
As per claim 3, 10 and 17, Yu in view of Reybok teaches all limitations of claim as applied to claim 1, 8 and 15 above. Yu in view of Reybok does not explicitly teach, wherein the information related to the first communication link and the second communication link is obtained using heuristic rules and wherein the heuristic rules are generated based on one or more characteristics of the communication links having a known type. However, in an analogous art, Pidathala discloses by implementing  the well known and widely used heuristic rules obtaining the information related to the first communication link and the second communication link  and wherein the heuristic rules are generated based on one or more characteristics of the communication links having a known type (paragraph [0025],  link analysis module perform a link analysis on the many different links (first link, second links) using link heuristics and the link heuristics is generated over a period of time based on the analysis of many different links).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yu and Rybok to include, the information related to the first communication link and the second communication link is obtained using well known heuristic rules and wherein the heuristic rules are generated based on one or more characteristics of the communication links having a known type, as though by Pidathala. This would have been obvious because one of ordinary skill in the art would have been motivated to do so, in order to achieve the predictable result of accurately detecting suspicious characteristics of new malicious and malware activities.
	
	Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yu et al. in view of Reybok, JR. et al., further in view of Oren et al. (US Patent No. 10,659,310).
	As per claim 5, 12 and 19, Yu in view of Reybok teaches all limitations of claim as applied to claim 1, 8 and 15 above. Yu in view of Reybok does not explicitly teach, but in an analogous art Oren discloses, wherein the relationship between the first cluster and the second cluster is determined based on detected communication links between the first cluster and the second cluster (column 5, lines 27-31, “each connection may represent one of different possible types of relationships like a physical connection, a logical connection, a dependency  relationship”, and column 7, lines 59-60, “macro-cluster 150 has relationship 186 with the macro-cluster 160”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yu and Reybok to include determining the relationship between the first cluster and the second cluster based on detected communication links between the first cluster and the second cluster, as disclosed by Oren. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to discover mapping relationships between macro-clusters of computer network topology.
	As per claim 6, 13 and 20, Oren furthermore discloses, wherein the first cluster includes one or more subclusters of devices and the second cluster includes one or more subclusters of devices and wherein determining the relationship between the first cluster and the second cluster further comprises determining a relationship between the one or more subclusters of the first cluster and the one or more subclusters of the second cluster (column 4, lines 7-15, the relationship is any relationship between network object 110b (subcluster of first cluster) and network object 110  (subcluster of the second cluster)). The motivation to combine is similar to the motivation applied for claim 5, 12 and 19.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Parandhgheibi et al. (US Patent No. 10,728,119) discloses, application dependency mapping (ADM) can be automated in a network. The network can analyze the network data and process data to determine respective feature vectors for nodes. A feature vector may represent a combination of the features corresponding to the network data and the features corresponding to the process data of a node. The network can compare the similarity of the respective feature vectors and determine each node's cluster based on similarity measures between nodes.
		Chen et al. (US Publication No. 2021/0219308 discloses, an electronic device and method for a wireless communication system. 1n an embodiment, a plurality of terminal devices are grouped based on .


Conclusion
	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437