Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02-07-2022 has been entered. 

Response to Amendments
The amended claims 1 – 7, 10 – 16, 19 and 20 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Alperovitch et al. (US 8606910), hereafter Alp, and Zimmer et al. (US 11049039), hereafter Zim. Applicant's arguments have been fully considered and are persuasive. Claims 8, 9, 17 and 18 are cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 7, 10 – 16, 19 and 20 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment

1. (Currently Amended)	A network edge device configured to connect one or more endpoint devices to a network, the network edge device comprising:
switching circuitry configured to switch traffic including packets from the one or more endpoint devices to corresponding application services over the network; and
processing circuitry configured to monitor the traffic from the one or more endpoint devices, analyze with a model to classify the one or more endpoint devices into a corresponding trust level of a plurality of trust levels, and route the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered, by altering a path of the traffic, outside of the network edge device, away from its intended destination, to restricted zones for evaluation thereof,
wherein a data set of training traffic is obtained from network data that has suspicious/attacking traffic removed therefrom with the suspicious/attacking traffic determined based on known suspicious behavioral patterns, and the data set with the suspicious/attacking traffic removed therefrom is examined and labeled to retrain the model for detection of unknown suspicious behavioral patterns.

2. (Original)	The network edge device of claim 1, wherein the traffic is monitored through collection of one or more of network measurements and non-network measurements of each of the one or more endpoint devices.

3. (Previously Presented)	The network edge device of claim 2, wherein
the network measurements include any of timings and sizes of data packets, timings and headers of data packets, and timings and content of control packets, and
the non-network measurements include CPU, memory, and file system utilizations; host identifiers; operating system logs; classification is done with one of labeled supervised, unlabeled supervised, and unsupervised machine learning.

4. (Original)	The network edge device of claim 1, wherein the network edge device is configured to provide network connectivity to the one or more endpoint devices.

5. (Original)	The network edge device of claim 1, wherein, for initial connectivity of an endpoint device, the endpoint device is classified in a suspicious trust level and moved based on continuous monitoring.

6. (Original)	The network edge device of claim 1, wherein the one or more endpoint devices are classified by comparing behavior relative to a group of similar types of devices.

7. (Original)	The network edge device of claim 1, wherein the processing circuitry is configured to continually monitor the traffic from the one or more endpoint devices, update the corresponding trust level based thereon, and reroute the traffic based on an updated trust level.

8. (Canceled)

9. (Canceled)

10. (Currently Amended)	A non-transitory computer-readable medium comprising instructions that, when executed, cause a processor to perform the steps of:
	obtaining a model that was trained, with a data set of training traffic, for detection of unknown suspicious behavioral patterns, wherein the data set of training traffic is obtained from network data that has suspicious/attacking traffic removed therefrom with the suspicious/attacking traffic determined based on known suspicious behavioral patterns, and wherein the data set of training traffic with the suspicious/attacking traffic removed therefrom is examined and labeled for retraining the model;
monitoring traffic, including packets, received by a network edge device from one or more endpoint devices destined for corresponding application services over a network, wherein the network edge device is configured to connect the one or more endpoint devices to the network;
	classifying, by analyzing the monitored traffic with the model, the one or more endpoint devices into a corresponding trust level of a plurality of trust levels; and
	causing routing of the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered, by altering a path 

11. (Original)	The non-transitory computer-readable medium of claim 10, wherein the monitoring traffic includes
collecting one or more of network measurements and non-network measurements of each of the one or more endpoint devices.

12. (Previously Presented)	The non-transitory computer-readable medium of claim 11, wherein
the network measurements include any of timings and sizes of data packets, timings and headers of data packets, and timings and content of control packets, and
the non-network measurements include CPU, memory, and file system utilizations; host identifiers; operating system logs; classification is done with one of labeled supervised, unlabeled supervised, unsupervised machine learning.

13. (Original)	The non-transitory computer-readable medium of claim 10, wherein the monitoring, the classifying, and the causing are performed by a network edge element that is configured to provide network connectivity to the one or more endpoint devices.

14. (Original)	The non-transitory computer-readable medium of claim 10, wherein, for initial connectivity of an endpoint device, the endpoint device is classified in a suspicious trust level and moved based on continuous monitoring.

15. (Original)	The non-transitory computer-readable medium of claim 10, wherein the one or more endpoint devices are classified by comparing behavior relative to a group of similar types of devices.

16. (Original)	The non-transitory computer-readable medium of claim 10, further comprising
continually monitoring the traffic from the one or more endpoint devices, updating the corresponding trust level based thereon, and rerouting the traffic based on an updated trust level.

17. (Canceled)

18. (Canceled)

19. (Currently Amended)	A method comprising:
	obtaining a model that was trained, with a data set of training traffic, for detection of unknown suspicious behavioral patterns, wherein the data set of training traffic is obtained from network data that has suspicious/attacking traffic removed therefrom with the suspicious/attacking traffic determined based on known suspicious behavioral patterns;
monitoring traffic including packets, by a network edge device configured to connect one or more endpoint devices to a network, from one or more endpoint devices, destined for corresponding application services over the network;
analyzing the monitored traffic with the model, the one or more endpoint devices into a corresponding trust level of a plurality of trust levels; and
	causing routing of the traffic from each of the one or more endpoint devices based on its corresponding trust level including an untrusted level where the traffic is steered, by altering a path of the traffic, outside of the network edge device, away from its intended destination, to restricted zones for evaluation thereof.

20. (Original)	The method of claim 19, wherein the monitoring traffic includes
collecting one or more of network measurements and non-network measurements of each of the one or more endpoint devices.
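The pipeline that independent claims 1, 10 and 19 describe (scrub the training set of traffic matching known suspicious patterns, label and train on what remains, classify each endpoint relative to peers of its device type starting from the suspicious level, and steer untrusted traffic away from its intended destination), as an added Python example that is not the patent's or the applicant's code. The flow records, thresholds, port, field names and zone name are constructed assumptions, and a per-device-type statistical baseline stands in for the claimed model.

```python
# Added illustration, not the patent's or applicant's code: the claimed pipeline with
# constructed flow records and a per-device-type baseline standing in for the model.
from collections import defaultdict
from statistics import mean, pstdev

TRUSTED, SUSPICIOUS, UNTRUSTED = "trusted", "suspicious", "untrusted"
RESTRICTED_ZONE = "restricted-eval-zone"  # hypothetical zone away from the real destination

TRAFFIC = [  # constructed flow records seen by the edge device (all values made up)
    {"dev": "cam1", "type": "camera", "dst": "nvr", "dport": 554, "bps": 1000},
    {"dev": "cam2", "type": "camera", "dst": "nvr", "dport": 554, "bps": 1100},
    {"dev": "cam3", "type": "camera", "dst": "nvr", "dport": 554, "bps": 1200},
    {"dev": "cam4", "type": "camera", "dst": "ext", "dport": 4444, "bps": 1000},
    {"dev": "lap1", "type": "laptop", "dst": "crm", "dport": 443, "bps": 20000},
    {"dev": "lap2", "type": "laptop", "dst": "crm", "dport": 443, "bps": 24000},
    {"dev": "lap3", "type": "laptop", "dst": "crm", "dport": 443, "bps": 28000},
    {"dev": "lap4", "type": "laptop", "dst": "crm", "dport": 443, "bps": 600000},
]

def known_suspicious(r):
    """Known suspicious behavioural patterns (assumed here: a blocked port, a flood rate)."""
    return r["dport"] == 4444 or r["bps"] > 500_000

def clean_training_set(records):
    """Remove traffic matching known patterns before the data set is labelled."""
    return [r for r in records if not known_suspicious(r)]

def train(records):
    """Fit a per-type (mean, stdev) baseline from the scrubbed, benign-labelled traffic."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r["bps"])
    return {t: (mean(v), pstdev(v) or 1.0) for t, v in by_type.items()}

def classify(model, r, prior=SUSPICIOUS):
    """Level from behaviour versus same-type peers; a device with no history starts suspicious."""
    if r["type"] not in model:  # no peer group yet: stay at the current level
        return prior
    mu, sd = model[r["type"]]
    z = abs(r["bps"] - mu) / sd
    if z > 3.0:
        return UNTRUSTED
    if z < 1.0:
        return TRUSTED
    return prior  # inconclusive: keep the current level and keep monitoring

def route(model, trust, r):
    """Update the device's level on every flow and steer untrusted traffic to the
    restricted zone instead of its intended destination."""
    trust[r["dev"]] = level = classify(model, r, trust.get(r["dev"], SUSPICIOUS))
    return RESTRICTED_ZONE if level == UNTRUSTED else r["dst"]
```

Training on the unscrubbed set lets the flood record inflate the laptop baseline so that a 30 kB/s laptop looks normal; after scrubbing, the same flow is held at the suspicious level until more traffic is seen.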

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Alp teaches C2L44-46, 64-66, Figs. 1A, 1B: reputation based routing systems provides backbone communications facilities for the network to communicate data packets between entities; C2L46-50: routers typically inspect packets from originating entities to extract destinations associated with the data packets and retrieve routing information associated with the destinations before communicating the data packets to the recipient or to another router; C2L55-57: reputation based prioritization system then prioritizes the traffic based upon reputation information associated with the device; C2L52-54: reputation information provides an indication of whether the traffic associated with the data packets is non-reputable category and (C10L19-26, 15L7-15) if the communication is 

Further, a second prior art of record Zim teaches C2L4-8: comparing the operations, interfaces and characteristics... and (C9L62-63) perform context identification and classification based on aggregated data (C1L58-61) to identify and classify characteristics, and assign reputation scores or profiles across various networked devices (C9L3-14) among various or larger profiles.

None of the other prior art of record, alone or in any combination, anticipates or renders obvious the claimed invention of the present application as of the time it was filed. The prior art of record fails to teach: a network edge device that includes switching circuitry configured to switch traffic from one or more endpoint devices to corresponding application services over a network, and processing circuitry configured to monitor the traffic from the one or more endpoint devices, analyze the monitored traffic to classify the one or more endpoint devices into a corresponding trust level of a plurality of trust levels, and route the traffic from each of the one or more endpoint devices based on its corresponding trust level, where a data set of training traffic is obtained from network data that has suspicious/attacking traffic removed therefrom with the suspicious/attacking traffic determined based on known suspicious behavioral patterns, and the data set with the suspicious/attacking traffic removed therefrom is examined and labeled to retrain the model for detection of unknown suspicious behavioral patterns.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant's arguments, the approved examiner's amendments and the prior art of record. The same amendments and reasoning apply to independent claims 10 and 19 mutatis mutandis. Claims 8, 9, 17 and 18 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan, whose telephone number is (571) 270-3867. The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi T. Arani, can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 




/BADRINARAYANAN /Examiner, Art Unit 2496.