DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Ellis (US 2017/0093915 A1).

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: the “network administration engine; domain knowledge datastore; IoT device demographics generation engine; IoT personality datastore; personality classification engine; signal correlation engine; new personality discovery engine; personality aware enrichment engine; and offline modeling engine” in claims 12-22.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. For instance, paragraphs [0027]-[0030] of the specification describing engines and datastores.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-22 are rejected under 35 U.S.C. 103 as being unpatentable over Ridley (US 2018/0115574 A1) in view of Muddu (US 9,516,053 B1), Kuperman (US 2017/0244737 A1), Pierce (US 9,961,096 B1), and Ellis (US 2017/0093915 A1).

Regarding claim 1, Ridley discloses: A method comprising: 
for a first device included in a plurality of Internet of Things (IoT) devices:
Refer to at least [0020] of Ridley with respect to IoT devices.
performing common factor aggregation of enriched metadata derived from event parameters associated with a plurality of IoT devices to obtain aggregated metadata permutations; 
Refer to at least FIG. 2, [0024]-[0026], and [0035]-[0039] of Ridley with respect to obtaining network traffic metadata; vectorized metadata. 
Refer to at least [0031] of Ridley with respect to obtaining and storing metadata for multiple devices. 
defining a personality, including data samples associated with the personality, using the aggregated metadata permutations, and prior personality data set feedback from a new personality profile discovery engine; 
classifying the personality using the data samples and IoT personality models, wherein the personality has a signal associated therewith; 
Refer to at least FIG. 3, [0006], [0032], and [0034]-[0035] of Ridley with respect to analyzing and classifying the obtained metadata, as well as other information, for use in creating behavior profiles for IoT devices. The profiles may be continually updated.
correlating the signal to reach a verdict and, if the personality is a bad personality, providing bad personality feedback associated with the personality to the network administration engine; 
Refer to at least [0006], [0033] and [0035] of Ridley with respect to said correlating.
Refer to at least [0034], [0036], and [0058] of Ridley with respect to supervised learning and user feedback. The feedback is used to further update profiles. 
Ridley specifies storing multiple sets of metadata and profiles, and further specifies typical and atypical behavior for profiles, but does not disclose: using machine learning to obtain domain knowledge, including knowledge regarding at least one bad IoT personality that models one or more behavior patterns indicative of undesired behavior, from a network administration engine; the domain knowledge; identifying a context of the device in operation at least in part by analyzing packets sent to and from the device, determining a set of events associated with the device and occurring within a window, and aggregating a plurality of events within the window based on the identified context; wherein the first device has at least a first behavior aggregation factor and a second behavior aggregation factor and wherein a second device included in the plurality of IoT devices has a third behavior aggregation factor that is different from the first and second behavior aggregation factors; obtained by performing the common factor aggregation. However, Ridley in view of Muddu discloses: using machine learning to obtain domain knowledge, including knowledge, from a network administration engine; the domain knowledge.
Refer to at least FIG. 69 and Col. 102, Ll. 24-44 of Muddu with respect to gathering data from external and internal sources; e.g., blacklist data. 
wherein the first device has at least a first behavior aggregation factor and a second behavior aggregation factor and wherein a second device included in the plurality of IoT devices has a third behavior aggregation factor that is different from the first and second behavior aggregation factors; obtained by performing the common factor aggregation.
Refer to at least FIG. 65 and Col. 97, Ll. 31-Col. 98, Ll. 40 of Muddu with respect to weighting associated with network devices, and its use in aggregating network devices’ metrics. 
Ridley-Muddu in view of Kuperman discloses: regarding at least one bad IoT personality that models one or more behavior patterns indicative of undesired behavior.
Refer to at least the abstract, [0054], [0063], [0074], and [0076] of Kuperman with respect to training a classifier using known malicious and known non-malicious client device data.
Ridley-Muddu-Kuperman in view of Pierce discloses: identifying a context of the device in operation at least in part by analyzing packets sent to and from the device, determining a set of events associated with the device and occurring within a window, and aggregating a plurality of events within the window based on the identified context;
Refer to at least FIG. 6A and Col. 21, Ll. 64-Col. 23, Ll. 19 of Pierce with respect to a behavioral vector and context which is used in starting data collection for an observational data set.
Ridley-Muddu-Kuperman-Pierce does not specify: and wherein the first, second, and third behavior aggregation factors correspond to tags that describe particular behaviors that can be selectively used to identify other devices included in the plurality of IoT devices. However, Ridley-Muddu-Kuperman-Pierce in view of Ellis discloses: and wherein the first, second, and third behavior aggregation factors correspond to tags that describe particular behaviors that can be selectively used to identify other devices included in the plurality of IoT devices. 
Refer to at least FIG. 2, [0016]-[0017], and [0026] of Ellis with respect to tag parameters corresponding to respective devices and behaviors. 
The teachings of Ridley, Muddu, Kuperman, and Pierce each concern event collection, behavior analysis, and classification, and are considered to be within the same field of endeavor and combinable as such. Ellis further concerns security policy for network-connected devices, and is likewise considered to be combinable. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ridley to further include additional data from internal and external sources (including known malicious and known non-malicious data) for at least the purpose of increasing profile accuracy and/or the rate of detection. It further would have been obvious to include triggering collection windows based on a behavioral vector and context for at least the purpose of increasing efficiency (i.e., targeted data collection when it is most pertinent). It further would have been obvious to include tag tables incorporating device behaviors for at least the reasons discussed in the cited portions of Ellis (e.g., “because examples disclosed herein allow each device to have unique parameter tags to define device behavior, IoT solutions may be implemented without concern that certain types of personal information will be disclosed without permission and/or that certain types of personal information will be outside user control”).

Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning building behavior profiles).

Regarding claim 3, Ridley-Muddu-Kuperman-Pierce-Ellis discloses: The method of claim 1, comprising enriching raw metadata to obtain the enriched metadata.
Refer to at least [0006], [0046], and [0054] of Ridley with respect to additional data such as temporal information and beacon information.
Refer to at least FIG. 33 and Col. 65, Ll. 10-15 of Muddu with respect to enriching event data.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 4, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning obtaining metadata).

Regarding claim 5, Ridley-Muddu-Kuperman-Pierce-Ellis discloses: The method of claim 1, wherein the aggregated metadata permutations are aggregated over a data rollup window that varies based on the context of the IoT device.
Refer to at least [0006] and [0032] of Ridley with respect to building a profile over a period of time deemed necessary to provide an accurate representation for a given device.

Regarding claim 6, Ridley-Muddu-Kuperman-Pierce-Ellis discloses: The method of claim 1, comprising: performing offline modeling using the data samples; updating the IoT personality models with the offline modeling.
Refer to at least 116 in FIG. 1 of Ridley with respect to storing data and analysis.
Refer to at least [0032] of Ridley with respect to continually updating profiles.
Refer to at least Col. 51, Ll. 55-64 of Muddu with respect to providing analysis results as needed (i.e., obtaining events, performing analysis, and remediation may be provided separately).
This claim would have been obvious because the substitution of one known element for another (updating models constantly, periodically, based on request, and/or on a set schedule) would have yielded predictable results to one of ordinary skill in the art at the time.

Regarding claim 7, it is rejected for substantially the same reasons as claim 6 above.

Regarding claim 8, Ridley-Muddu-Kuperman-Pierce-Ellis discloses: The method of claim 1, comprising: recognizing behavior patterns of the IoT device using either or both learned state-transition learning and deep learning.
Refer to at least [0034] of Ridley with respect to a behavioral profile comprising a state machine. 

Regarding claim 9, it is rejected for substantially the same reasons as claims 1 and 8 above (i.e., the citations concerning machine learning).

Regarding claim 10, Ridley-Muddu-Kuperman-Pierce-Ellis discloses: The method of claim 1, comprising: computing a degree of risk of undesirable behavior; generating the bad personality alert if the degree of risk of undesirable behavior exceeds an actionable intelligence threshold.
Refer to at least [0058] and [0036] of Ridley with respect to remedial actions such as generating an alert. 

Regarding claim 11, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning supervised learning and user feedback for machine learning).

Regarding independent claim 12, it is substantially similar to independent claim 1 above, but is in system form. Accordingly, claim 12 is rejected for substantially the same reasons as claim 1 above.

Regarding claims 13-21, they are substantially similar to claims 2-11 above, and are therefore likewise rejected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson, can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432