Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Information Disclosure Statement PTO-1449 
 	The Information Disclosure Statements submitted by applicant on 06-02-2020, 03-02-2021 and 11-15-2021 have been considered. Please see attached PTO-1449. 
Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1, 4, 5, 7-10, 13, 14, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Yu et al. (US Patent No. 9,060,018) in view of Poder et al. (US Publication No. 2016/0234232), further in view of Vankov et al. (US Publication No. 2009/0052333).
	As per claims 1, 10 and 19, Yu discloses a method for defending a network of electronic devices from cyberattacks (column 1, lines 24-36), the method comprising: obtaining information about a plurality of devices and information about communication links between the plurality of devices and surrounding environment (column 2, lines 25-42, the system tracks traffic information for communications received or initiated by the internal computers 102a-f for a specified time period. In tracking the traffic information, the system detects a communication link through which an internal computer has communicated with an external computer (surrounding environment)); determining types of the communication links using [heuristic rules] (column 14, lines 35-46, a traffic detection module receives data traffic information; data traffic information includes information on recipient and transmitting computers, transmission time and success, and communication transmission frequency (type));
comparing the types of communication links using corresponding link profiles; identifying one or more similar communication links based on the comparison; generating a cluster of devices by combining a subset of the plurality of devices, wherein the cluster includes one or more devices having one or more similar communication links (figure 5, column 14, line 55 to column 16, line 7, the system identifies communication link profiles for a set of internal computers. The communication profiles reflect all external computers that each internal computer has communicated with during a specified time period. The system groups all internal computers having identical communication link profiles into clusters. It is noted that grouping/clustering elements having characteristic similarity requires and includes comparing the elements’ characteristics to identify similarity. As such, Yu, in order to group the internal computers having identical communication link profiles into clusters, must first perform comparing and identifying similar communication links); generating a surrounding environment profile for the generated cluster of devices (column 9, lines 50-57, generated matrix 304 includes communication patterns of the external computers 206a-d, with each of the external computers 206a-d); and when a cyberattack is detected on one of the devices in the cluster, in order to defend all devices in the cluster from the cyberattack (column 15, lines 28-45, the system detects malware attacks and restricts communication between the internal computer and external computers).
	Yu does not explicitly disclose determining communication links using heuristic rules, and when an attack is detected, modifying the surrounding environment profile for the cluster devices. However, in an analogous art, Poder discloses when an attack is detected, modifying the surrounding environment profile for the cluster devices (paragraphs [0065]-[0066], “communication with the device 151 may be flagged as suspicious…the communication profile of the smart device 117 may be updated by the local office 103 to reflect this disapproval of the device 151, and/or the communication exchange may be blocked or limited…these actions may include modifying, expanding, granting, revoking, or keeping the same one or more network permissions associated with a device or with a portion of network 100 (e.g., a premises, two or more devices, a link, etc.)”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Yu with Poder. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of enhancing security on a network by preventing or limiting threatening and/or threatened devices from communicating via the network.
	While Yu discloses determining types of the communication links (as noted above), Yu in view of Poder does not explicitly disclose using heuristic rules for determining. However, using heuristic rules for determining a communication link is old and well known, as illustrated by Vankov (paragraph [0032], “a heuristic rule, such as a rule based on the number of connected links on a node can be used”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Yu and Poder with Vankov. This would have been obvious because one of ordinary skill in the art would have been motivated to use the well known heuristic rules in order to classify a link or node.
	As per claims 4 and 13, Yu furthermore discloses, wherein the link profile comprises an N-dimensional vector of communication link characteristics (column 15, lines 13-19, the system plots the data points for the internal computers in a multi-dimensional coordinate space. The multi-dimensional coordinate space has one dimension for each element within a single communication link profile).
	As per claims 5 and 14, Yu furthermore discloses, wherein the communication link characteristics comprise one or more of: one or more rules for forming the network connection between an electronic device and the environment surrounding the electronic device, duration of the network connection established between the electronic device and the environment surrounding the electronic device, type of the network connection between the electronic device and the environment surrounding the electronic device, stability of the network connection between the electronic device and the environment surrounding the electronic device, geolocation of the network connection between the electronic device and the environment surrounding the electronic device, one or more characteristics of the network traffic exchanged between the electronic device and the environment surrounding the electronic device (column 2, lines 23-34, the system tracks traffic information between the internal and external computers for a specified time period, which corresponds to the limitation of duration of the network connection established between the electronic device and the environment surrounding the electronic device).
	As per claims 7 and 16, Yu furthermore discloses, wherein two communication links are identified as similar if the distance between the N-dimensional vector of a first communication link and the N-dimensional vector of a second communication link in N-dimensional space is less than a threshold value (column 16, lines 34-40, the system associates each column of the k by m matrix with an external computer and subsequently maps each column into the k-dimensional coordinate space. The system then groups the mapped data points into clusters; and column 10, lines 4-11, the system sets a threshold similarity value for use by the system in grouping two or more columns having non-identical values (representing two or more external computers having non-identical communication link patterns) into a computer cluster. For example, looking at FIG. 3B, the matrix 324 can have 300 rows (k=300), and the system can set a threshold of 5, such that the system groups columns having five or less dissimilar element values).
	As per claims 8 and 17, Yu furthermore discloses, wherein generating the cluster of devices comprises comparing the N-dimensional vectors of the communication links associated with the plurality of devices and assigning a device to a respective cluster if the N-dimensional vector associated with the device falls within a radius of the corresponding cluster (column 10, line 58 to column 11, line 9, “the component matrix 302 has two columns, therefore that the system represents each row of the matrix 302 as a two-dimensional data point, with the first column mapped along an X dimension and the second column mapped along a Y dimension of a two-dimensional coordinate…the system can set a cluster radius to a threshold value of 1.5, such that each data point within a cluster is within a distance of 1.5 of all other data points in the cluster. In some implementations, the system can group clusters recursively”).
	As per claims 9 and 18, Poder furthermore discloses, wherein modifying the surrounding environment profile comprises modifying one or more characteristics of the one or more communication links to defend all devices in the cluster from the cyberattack (paragraph [0065], “actions may include modifying, expanding, granting, revoking, or keeping the same one or more network permissions associated with a device or with a portion of network 100 (e.g., a premises, two or more devices, a link, etc.)”). The motivation to combine the references is similar to the motivation provided in claim 1.

	Claims 2, 3, 11, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yu in view of Poder, in view of Vankov, further in view of Shabtai et al. (US Publication No. 2021/0021616).
	As per claims 2, 11 and 20, Yu in view of Poder and Vankov discloses all limitations of claim as applied to claim 1 above. Yu in view of Poder and Vankov does not explicitly disclose, but in an analogous art, Shabtai explicitly discloses, wherein the heuristic rules are generated based on one or more characteristics of the communication links having a known type (paragraphs [0156]-[0160], generate the network foot print of the known object, enrich the foot print graph with available information on nodes and links, extract features from the foot print graphs of the known objects, train a machine learning classifier) and wherein the heuristic rules are used to identify a type of an unknown communication link (paragraph [0110], malicious foot print detector detecting unknown object based on the trained Machine Learning module).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Yu, Poder and Vankov with Shabtai. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to enable detection of unknown threats at early stage of the threat lifecycle.
	As per claims 3 and 12, Yu in view of Poder and Vankov discloses all limitations of claim as applied to claim 1 above. Yu in view of Poder and Vankov does not explicitly disclose, but in an analogous art, Shabtai discloses, the types of the communication links are determined using a machine learning model (paragraphs [0155]-[0156], learning from known objects and detecting traffic flow containing the known object (link)) and wherein the machine learning model comprises one of: a decision-making tree model, a neural net model, a clustering model (paragraph [0146], Deep Neural Network, which corresponds to a neural net model).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Yu, Poder and Vankov with Shabtai. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to improve detection time of malicious activities. 

Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Yu in view of Poder in view of Vankov, further in view of Yaginuma (US Publication No. 2002/0049685).
	As per claims 6 and 15, Yu in view of Poder and Vankov discloses all limitations of claim as applied to claim 1 above. Yu in view of Poder and Vankov does not explicitly disclose wherein comparing the types of communication links further comprises comparing the N-dimensional vector of the communication link having an unknown type with the N-dimensional vector of the communication link having a known type. However, in an analogous art, Yaginuma discloses comparing the N-dimensional vector of the data having an unknown type with the N-dimensional vector of the data having a known type (paragraph [0067], a multidimensional space formed by attributes of the known data and the unknown data, and the similarity between unknown data and known data in a multi-dimensional space is computed).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Yu, Poder and Vankov with Yaginuma. This would have been obvious because one of ordinary skill in the art would have been motivated to do so, in order to determine similarity or differences between complex data elements.
	It is noted that Yaginuma, instead of a communication link having known and unknown type, discloses data having known and unknown data type. However, the process of N-dimensional comparison does not depend on the type being data or communication link. One of ordinary skill in the art clearly recognizes that the comparison process would have been performed the same regardless of the type of the data. Therefore, such modification would have been obvious and predictable to one of ordinary skill in the art, providing the benefit of flexibility and customization for performing multi-dimensional comparison between a variety of data types.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Altman (US Publication No. US 2008/0239976) discloses a method for monitoring communication includes intercepting one or more communication links, which are part of a communication system that includes a plurality of the communication links. Data content that is carried by the one or more communication links is decoded. First and second mathematical fingerprints related to the one or more intercepted communication links are computed by evaluating statistical characteristics of the data content decoded from the one or more communication links. The first and second fingerprints are compared to produce a matching result, and a predefined action is performed with respect to the one or more communication links responsively to the matching result.
	Miserendino et al. (US Publication No. 2017/0032279) discloses, a system and method for batched, supervised, in-situ machine learning classifier retraining for malware identification and model heterogeneity. The method produces a parent classifier model in one location and providing it to one or more in-situ retraining system or systems in a different location or locations, adjudicates the class determination of the parent classifier over the plurality of the samples evaluated by the in-situ retraining system or systems, determines a minimum number of adjudicated samples required to initiate the in-situ retraining process, creates a new training and test set using samples from one or more in-situ systems, blends a feature vector representation of the in-situ training and test sets with a feature vector representation of the parent training and test sets, conducts machine learning over the blended training set, evaluates the new and parent models using the blended test set and additional unlabeled samples, and elects whether to replace the parent classifier with the retrained version.

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/ Primary Examiner, Art Unit 2437