DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-13 have been examined. 

Priority
Acknowledgement is made of the applicant’s claim to priority to the provisional application 63/033012, filed 06/01/2020.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/25/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter. Claim 13 is directed to a computer program product embodied in a tangible computer readable storage medium. It is within the scope of one of ordinary skill in the art to construe the computer program product embodied in a tangible computer readable storage medium to be a transitory medium. A transitory medium is non-statutory. Therefore, claim 13 is non-statutory. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-13 are rejected under 35 U.S.C. 103 as being unpatentable over applicant provided prior art US 20200120004 to Kohout et al (hereinafter Kohout) and KR20190046018A to Yun et al (hereinafter Yun).
Examiner’s Note: The examiner used an English translation of KR20190046018A. The English translation is attached to the end of original document. 
As per claims 1, 12 and 13, Kohout teaches:
A system, comprising: a processor (Kohout: [0031]: Device 200 comprises one or more processors 220) configured to: 
receive a byte (Kohout: [0044] The networking device that captures the flow telemetry data may also compute any number of statistics or metrics regarding the traffic flow. For example, CE-2 may determine the start time, end time, duration, packet size(s), the distribution of bytes within a flow, etc., associated with the traffic flow by observing packets 302. [0047]: The techniques herein allow for the automatic identification of the types of IoT devices on a network); 
use the received pattern to determine a classification for the IoT device (Kohout: [0035]: In one embodiment, traffic analysis process 248 may assess captured telemetry data regarding one or more traffic flows involving the device, to determine the device type associated with the device); and 
provide the classification to a security appliance configured to apply a policy to the IoT device based at least in part on the classification (Kohout: [0087]: For example, the service may provide the device type to a network security system that imposes a certain access control policy or other security policy to the traffic of the device); and 
a memory coupled to the processor and configured to provide the processor with instructions (Kohout: [0031]: Device 200 comprises one or more processors 220, and a memory 240 interconnected by a system bus 250. [0033] The memory 240 comprises a plurality of storage locations that are addressable by the processor(s) 220 and the network interfaces 210 for storing software programs and data structures associated with the embodiments described herein).
Kohout teaches a distribution of bytes within a flow but does not explicitly teach: byte frequency pattern. However, Yun teaches:
byte frequency pattern (Yun: [0077]: First, it is possible to generate byte frequency data including the number of appearances for each byte value by analyzing each byte of a plurality of packets corresponding to a communication section between two IPs based on a log. [0078]: In this case, one byte may have 256 values ranging from 0x00 to 0xFF. Accordingly, the byte frequency data may correspond to data indicating how many times a value from 0x00 to 0xFF appears in all bytes included in one packet. [0015]: In this case, the step of learning the local detection model may include analyzing each byte of the plurality of packets to generate byte frequency data including the number of appearances for each byte).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Yun in the invention of Kohout to include the above limitations. The motivation to do so would be to provide a network traffic monitoring technology for detecting cyber threats, cyber attacks, and security incidents occurring in devices used in a specific network (Yun: [0006]).

As per claim 2, Kohout in view of Yun teaches:
The system of claim 1 wherein the byte frequency pattern comprises a byte flow distribution (Yun: [0077]: First, it is possible to generate byte frequency data including the number of appearances for each byte value by analyzing each byte of a plurality of packets corresponding to a communication section between two IPs based on a log. [0078]: In this case, one byte may have 256 values ranging from 0x00 to 0xFF. Accordingly, the byte frequency data may correspond to data indicating how many times a value from 0x00 to 0xFF appears in all bytes included in one packet).
The examiner provides the same rationale to combine prior arts Kohout and Yun as in claim 1 above. 

As per claim 3, Kohout in view of Yun teaches:
The system of claim 1 wherein the byte frequency pattern is received from a data appliance configured to monitor the IoT device (Kohout: [0043]: [0043] In further embodiments, the device may also assess the payload of the packet to capture information about the traffic flow. For example, router CE-2 or another device may perform deep packet inspection (DPI) on one or more of packets 302, to assess the contents of the packet. [0044] The networking device that captures the flow telemetry data may also compute any number of statistics or metrics regarding the traffic flow. For example, CE-2 may determine the start time, end time, duration, packet size(s), the distribution of bytes within a flow, etc., associated with the traffic flow by observing packets 302. Yun: [0077]: First, it is possible to generate byte frequency data including the number of appearances for each byte value by analyzing each byte of a plurality of packets corresponding to a communication section between two IPs based on a log).
The examiner provides the same rationale to combine prior arts Kohout and Yun as in claim 1 above.

As per claim 4, Kohout in view of Yun teaches:
The system of claim 1 wherein the classification is determined based at least in part on a threshold match (Kohout: [0051]: In general, the techniques herein allow for the generation of a high-level device profile from network traces (e.g., web proxy logs, NetFlow records, etc.) for a particular device type that is independent of the specific network environment and can be shared among individual networks. Such a behavioral profile is also referred to herein as a prototype and can be used to classify unknown devices. Notably, a device type can be associated with the unknown device based on the type associated with its nearest prototype, if its similarity is below a predefined threshold for some applicable similarity. Also, [0086]).

As per claim 5, Kohout in view of Yun teaches:
The system of claim 4 wherein the received pattern is determined to be within a threshold of an existing byte frequency profile and in response the processor is configured to classify the IoT device with other devices associated with the profile (Kohout: [0044]: For example, CE-2 may determine … the distribution of bytes within a flow, etc., associated with the traffic flow by observing packets 302. [0086] At step 920, the traffic analysis service may associate a device type with the device, as described in greater detail above. In some embodiments, the service may do so by comparing the histogram of the traffic features from the telemetry data to histograms of traffic features associated with other devices. For example, in some embodiments, the service may cluster the histograms of traffic features for other devices into device clusters and, in turn, apply a device type label to representatives of the clusters. In turn, the service may deem the device under consideration to be of the same device type as the cluster representative with which the histogram for the device has the highest similarity measurement. Yun: [0077]: First, it is possible to generate byte frequency data including the number of appearances for each byte value by analyzing each byte of a plurality of packets corresponding to a communication section between two IPs based on a log).
The examiner provides the same rationale to combine prior arts Kohout and Yun as in claim 1 above.

As per claim 6, Kohout in view of Yun teaches:
The system of claim 4 wherein the received pattern is determined to be outside a threshold of a plurality of existing byte frequency profiles and in response the processor is configured to generate a new profile (Kohout: [0067] When the traffic analysis service updates the device clusters, instead of re-computing the entire graph from scratch, it may simply use the medoids to represent the nodes of their corresponding clusters. For example, as shown in FIG. 6D, assume that the traffic analysis service has computed medoids M1 and M2, to represent device clusters 604 and 602, respectively. Now, assume that the service has computed behavioral profiles for new devices H5, H6, and H7 and represents them as new nodes in graph 600. In turn, the service may take a similar approach to the initial device cluster formations by calculating the pairwise similarities between the new nodes, as well as with the mediod representations of device clusters 602-604 and prune the edges with similarity measures below the defined threshold. As a result, as shown, a new device cluster 606 is formed from H6, and H7. Since H5 is deemed similar to medoid M1, it may be considered to be part of device cluster 604).

As per claim 7, Kohout in view of Yun teaches:
The system of claim 4 wherein the threshold match is based at least in part on a plurality of features (Kohout: [0086] At step 920, the traffic analysis service may associate a device type with the device, as described in greater detail above. In some embodiments, the service may do so by comparing the histogram of the traffic features from the telemetry data to histograms of traffic features associated with other devices. For example, in some embodiments, the service may cluster the histograms of traffic features for other devices into device clusters and, in turn, apply a device type label to representatives of the clusters. In turn, the service may deem the device under consideration to be of the same device type as the cluster representative with which the histogram for the device has the highest similarity measurement).

As per claim 8, Kohout in view of Yun teaches:
The system of claim 1 wherein the classification is determined based at least in part on a model (Kohout: [0035] In general, traffic analysis process 248 may execute one or more machine learning-based classifiers to classify a device in a network, based on its corresponding network traffic). 

As per claim 9, Kohout in view of Yun teaches:
The system of claim 8 wherein the model is trained using a set of features that include byte flow distribution information (Yun: [0077]: First, it is possible to generate byte frequency data including the number of appearances for each byte value by analyzing each byte of a plurality of packets corresponding to a communication section between two IPs based on a log. [0078]: In this case, one byte may have 256 values ranging from 0x00 to 0xFF. Accordingly, the byte frequency data may correspond to data indicating how many times a value from 0x00 to 0xFF appears in all bytes included in one packet. [0015]: In this case, the step of learning the local detection model may include analyzing each byte of the plurality of packets to generate byte frequency data including the number of appearances for each byte).
The examiner provides the same rationale to combine prior arts Kohout and Yun as in claim 1 above.

As per claim 10, Kohout in view of Yun teaches:
The system of claim 1 wherein the byte frequency pattern is determined based at least in part on a predefined number of packets in a flow (Yun: [0078]: In this case, one byte may have 256 values ranging from 0x00 to 0xFF. Accordingly, the byte frequency data may correspond to data indicating how many times a value from 0x00 to 0xFF appears in all bytes included in one packet).

As per claim 11, Kohout in view of Yun teaches:
The system of claim 1 wherein the byte frequency pattern is determined using a transport layer payload (Kohout: [0042]: Example captured features may include, but are not limited to, Transport Layer Security (TLS) information. [0043] In further embodiments, the device may also assess the payload of the packet to capture information about the traffic flow. Yun: [0077]: First, it is possible to generate byte frequency data including the number of appearances for each byte value by analyzing each byte of a plurality of packets corresponding to a communication section between two IPs based on a log).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20180139141 to Stepanek et al: In one embodiment, a networking device in a network detects an traffic flow conveyed in the network via the networking device. The networking device generates flow data for the traffic flow. The networking device performs a classification of the traffic flow using the flow data as input to a machine learning-based classifier. The networking device performs a mediation action based on the classification of the traffic flow.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438