DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	This office action is in reply to amendment filed on December 21, 2021. Claims 1, 11, 17 and 18 have been amended. Claims 1-20 are pending. 

Response to Arguments
Applicant’s arguments with respect to claims 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over 2016/0267408 A1 [hereinafter Singh] in view of Spurlock US 2013/0247190 A1. 
As per claims 1 and 11, Singh discloses a method of detecting undesirable behavior of an Internet-of-Things (loT) device (see, e.g., paragraph [0007] the method comprising:

attributing the first IoT device profile to a first IoT device (see, e.g., paragraph [0041]-"normal behavior patterns... (‘behavior profile’) for each entity");  
detecting first IoT device events, the first IoT device events including one or more network sessions of the first IoT device (see, e.g., paragraph [0282]- “events, e.g., from
devices or sensors. "; paragraph [0284]-"network"; see also paragraphs [0282]-[0289]);  
	generating an activity data structure from the first IoT device events and from other events [paragraph 0282]; 
	determining an activity of the first IoT device based on the activity data structure [paragraph 0282];  
	applying the first subset of patterns to the activity of the first IoT device [paragraph 0282];
	generating an alert when the application of the first subset of patterns to the activity of the first IoT device is indicative of undesirable behavior for a device to which the first IoT device profile is attributed [paragraphs 0255 and 0277]. 
	In the same field of endeavor Spurlock teaches a method of detecting undesirable behavior of a device comprising: generating an activity data structure from a first device events and from other events, wherein the generated activity data structure comprises a labeled collection of events, and wherein at least one of the other events comprises a non-network event (i.e., activities such as writing to a file, modifying a memory space, creating a registry etc., paragraphs 0017-0024). It would have been obvious to one having ordinary skill 

	As per claims 2 and 12, Singh further teaches the method wherein the first IoT device profile is attributed to the first IoT device prior to deployment of the first IoT device [paragraphs 0041-0043]. 
	
	As per claims 3 and 13, Singh further teaches the method wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device [paragraphs 0041-0043]. 
 
	As per claims 4 and 14, Singh further teaches the method, wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device, and the first IoT device profile is a default IoT device profile that is dynamically modified using available data [paragraphs 0041-0043]. 

	As per claims 5 and 15, Singh further teaches the method wherein the first IoT device events are detected using passive monitoring [paragraphs 0282-0289]. 


 
	As per claims 7 and 17, Singh further teaches the method wherein the first IoT device events are aggregated to form one or more composite first IoT device events using machine learning [paragraph 0271]. 
 
	As per claims 8 and 18, Singh further teaches the method wherein the first IoT device events are aggregated to form one or more composite first IoT device events using a device implemented as part of a local area network (LAN) that includes the first IoT device [paragraph 0271]. 
 
	As per claims 9 and 19, Singh further teaches the method wherein the first IoT device does not have a history of previously exhibited undesirable behavior, and the undesirable behavior includes anomalous behavior of the first IoT device [paragraph 0277].  
 
	As per claims 10 and 20, Singh further teaches the method wherein the first IoT device has a history of previously exhibited undesirable behavior, and the undesirable behavior includes normal behavior of the first IoT device [paragraph 0277]. 

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847. The examiner can normally be reached Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available 

BEEMNET W. DADA
Primary Examiner
Art Unit 2435



/BEEMNET W DADA/Primary Examiner, Art Unit 2435