DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office action is responsive to the communication filed on 05/17/2022; claim(s) 1-20 is/are pending herein; claim(s) 1, 18, & 20 is/are independent claim(s).
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Response to Arguments
Applicant’s arguments, see Remarks, filed 05/17/2022, with respect to the amended limitation of the independent claims have been fully considered and are persuasive. Therefore, the outstanding 103 rejection has been withdrawn.  
However, upon further consideration, a new ground(s) of rejection is made in view of discovery of new prior art US 20200195508 A1 to Benjamin (please see domestic priority to us-provisional-application US 62778761 filed on 2018/12/12; however, the filing date of the instant application is 10/23/2019) and its combination with the previously cited Elsner reference as fully discussed below in the new ground of rejection. Specifically, the disclosure of Benjamin is relied upon for the amended/challenged features of the independent claims.
Claim Rejections - 35 USC § 103
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Benjamin (US 20200195508 A1 which claims priority benefit to US 62778761 filed on 2018/12/12) in view of Elsner et al. (US 20190349391 A1, reference of record).
Regarding claim 1, Benjamin teaches a computing system [device management system 122 (shown in fig. 1) and its computer environment such as “FIG. 4 is a block diagram illustrating an example of a computing device or computer system 400 which may be used in implementing the embodiments of the network disclosed above”] comprising: one or more processors [e.g., processor of system 400] and one or more computer-readable hardware devices having stored thereon computer-executable instructions that are structured such that, when executed by the one or more processors, configure the computing system to monitor operations of a plurality of different types of devices [IoT devices whose details are “unknown” (see footnote 1), shown in fig. 1] to determine and alert when operation of devices has varied from usual operation, the computing system configured to: (Figs. 1, 4 & [0018, 0041]);
collect [operations 202/210 in fig. 2 and/or 302] operation logs [collected data for each of the devices such as “traffic data”, “sniffing packets” and other data that are accessible to the device management system 122] associated with operations of a plurality of devices that have reported operations over a network, each operation log corresponding to a multidimensional dataset (see footnote 2) [more than one data item for each monitored IoT device wherein the collected data include more than one characters/attributes such as IP address, MAC address, packet size, subsequent measurement] generated by a device among the plurality of devices during operation of the device (Figs. 2-3, [0044, 0049]),
wherein there is no knowledge [“unknown” or “the discovered and clustered devices may be anonymous despite their presence and general behavior being known”] ahead of time about what type of each device in the plurality of devices is ([0018, 0035]);
map each device to a position [“the distance between the centroid”, the word distance can suggest/imply use of position information of the multidimensional space (e.g., 2D) as well] in a multidimensional space [e.g., 2D] based on the multidimensional dataset of a corresponding operation log, group [operations 208/214/308, e.g., “the initial clustering performed by the device management system 122”] the plurality of devices into multiple groups [“the discovered devices are assigned to clusters or groups which may then be used to facilitate various security-and inventory-related functions.”] based on their positions in the multidimensional space ([0015, 0033, 0047, 0051]);
for each of at least some of the multiple groups [“groups”/ “clusters”] of devices, define [“the initial clustering performed by the device management system 122 may be used to establish a baseline or similar standard for the behavior of devices of the same type within the network environment 100”] a standard operation [initial “baseline” for each cluster/group] for the corresponding group of devices based on the multidimensional datasets of the corresponding operation logs generated by the corresponding group of devices ([0017, 0047-0048, 0050]); and
for at least one of the groups for which the standard operation is defined, monitor operation of a plurality of devices in that group to determine that operation of one of the monitored devices in that group has varied from the defined standard operation for that group and in response to determining [“At operation 216”] that operation of one of the monitored devices has varied [“device management system 122 analyzes the new clustering to identify devices that have migrated to new clusters”] from the defined standard operation, alert [“At operation 218, one or more responsive actions may be initiated in response to determining the migrated devices may be compromised”] about the monitored device varying from the defined standard operation ([0049-0052]).
Examiner acknowledges that one may argue Benjamin does not necessarily expressly teach (or anticipate) using “positions in the multidimensional space” as part of the mapping and grouping/clustering of the monitored devices although it may suggest it as outlined above. Put differently, Benjamin does not necessarily teach claimed element “position” and “their positions” as recited in the claim and shown with italic emphasis above. 
Elsner is directed to one or more processors performing a machine learning-based technique for user behavior analysis that detects when users deviate from expected behavior using learned clusters from the training data (Abstract). Specifically, Elsner teaches a processor configured to:
collect [“a training set is then obtained”] operation logs corresponding to a multidimensional dataset and map each device/user to a position [the 2D graph of fig. 6 clearly shows the mapping and grouping is based on the position as in applicant’s figs. 4-7] in a multidimensional space based on the multidimensional dataset [fig. 6 is a 2d graph dataset] of a corresponding operation log and group [“users are identified with one or more defined groups”] the plurality of devices into multiple groups based on their positions in the multidimensional space ([0050, 0054, 0060, 0062]). Elsner further teaches that when the behavior of one or more users deviates from the defined standard operation by a threshold distance [“the behavior of a user 604 deviates from his or her defined LDAP group” from group 1 to group 2], an alert about varying from the defined standard operation is generated ([0050]).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to (1) combine the teachings of Elsner and Benjamin because they both are related to a processor flagging anomalous behavior of the monitored multidimensional dataset and (2) have the system of Benjamin map each device to a position in a 2D graphical space and use position information of the multidimensional dataset of the operation log of each of its monitored anonymous devices as part of its clustering/grouping of the devices. Doing so would allow a security analyst to easily visualize different clusters/groups and the behavior of the devices of the corresponding group (Elsner, [0004]). Furthermore, Elsner teaches missing details for Benjamin about how its generated groups/clusters can be graphed (fig. 6 of Elsner) to show their relative similarities and differences and how the movement/migrations of one or more devices (users using the devices) from one cluster to another cluster as part of determining abnormal behaviors/characters.

Regarding claim 2, Benjamin further teaches/suggests the computing system in accordance with Claim 1, wherein the defined standard operation of each of the plurality of devices is at least in part based, for at least some of the plurality of devices, on a standard communication pattern between the device and a cloud service ([0025, 0040, 0051]).
Regarding claim 3, Benjamin further teaches/suggests the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for at least some of the plurality of devices, a cloud service command identity or type [“communicate with one or more servers”] issued by the device to a cloud service ([0026, 0051]).
Regarding claim 4, Benjamin further teaches/suggests the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for at least some of the plurality of devices, a type of message exchanged between the device and a cloud service ([0026, 0051], claim 4).
Regarding claim 5, Benjamin further teaches/suggests the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for at least some of the plurality of devices, a size of message exchanged between the device and a cloud service ([0025]).
Regarding claim 6, Benjamin further teaches/suggests the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for at least some of the plurality of devices, a usual frequency of messages exchanged between the device and a cloud service ([0025, 0046], claim 4).
Regarding claim 7, Benjamin further teaches/suggests the computing system in accordance with Claim 2, wherein the defined standard operation of each of the plurality of devices is based on multiple operational communication pattern characteristics including, for at least some of the plurality of devices, a protocol used to exchange messages between the device and a cloud service ([0025-0026]).
Regarding claim 8, Benjamin further teaches/suggests the computing system in accordance with Claim 1, the defined standard operation of each of the plurality of devices being based on multiple operational characteristics, each of which corresponds to one dimension in the multidimensional space, collecting of the operation logs comprising placing an identifier [means that is used to detect migration of one or more devices from one cluster to another cluster] for each of the plurality of devices in multidimensional space ([0017, 0025, 0030, 0033]).
Regarding claim 9, Benjamin further teaches/suggests the computing system in accordance with Claim 8, the grouping the plurality of devices based on the reported operations to thereby form multiple groups of devices grouped by operational similarity comprising:
grouping the plurality of devices based on how their identifiers cluster within the multidimensional space ([0025, 0030, 0033]).
Regarding claim 10, Benjamin further teaches/suggests the computing system in accordance with Claim 9, the monitoring operation of a plurality of devices in a particular group to determine that operation of one of the monitored devices in the particular group has varied from the defined standard operation for that group:
monitoring movement of position of identifiers of the particular group within the multidimensional space to determine that the identifier for the one of the monitored devices has moved away [“may be migrated to a different cluster”] from a cluster associated with the particular group ([0017, 0033]).
Regarding claim 11, Benjamin further teaches/suggests the computing system in accordance with Claim 1, the monitoring resulting in a determination that multiple of the plurality of devices have varied from defined standard operation, the computing system further configured to:
estimate [only one device or other devices also migrated] whether the variances are causally [“the number or proportion of similar devices that have made the same migration”] related ([0017, 0051]).
Regarding claim 12, Benjamin further teaches/suggests the computing system in accordance with Claim 11, the alerting comprising reporting regarding the causal relation ([0048, 0051]).
Regarding claim 13, Benjamin further teaches/suggests the computing system in accordance with Claim 11, the alerting comprising reporting an estimated cause [security violation or other issue like inventory function] of the variance ([0022, 0031]).

Regarding claim 14, Benjamin further teaches/suggests the computing system in accordance with Claim 1, each of at least some of the plurality of devices being connected to a cloud computing environment either directly, or through a proxy computing system (fig. 1).
Regarding claim 15, Benjamin further teaches/suggests the computing system in accordance with Claim 1, the computing system [management system 122] is part of a cloud computing service (Fig. 1).
Regarding claim 16, Benjamin in view of Elsner further teaches the computing system in accordance with Claim 1, the grouping of the plurality of devices based on the reported operations to thereby form multiple groups of devices grouped by operational similarity comprising: estimating a probability that each of at least some of the plurality of devices are in each of at least one of the plurality of groups (Elsner, [0062]).
Regarding claim 17, Benjamin in view of Elsner further teaches the computing system in accordance with Claim 16, such that the determination that a device has varied from the defined standard operation for a group also results in a change in estimated probability that the device is within the group (Elsner [0060- 0062]).
Regarding claim 18, Benjamin in view of Elsner teaches/suggests the invention of this claim for similar reasons as set forth in claim 1.
Regarding claim 19, Benjamin further teaches/suggests the method in accordance with Claim 18, the method being performed without [the method 200 does not require updating the software of the devices to categorize them in appropriate cluster and initiate response of migration] updating software on any of the plurality of devices ([0018, 0035], fig. 2).
Regarding claim 20, Benjamin in view of Elsner teaches/suggests the invention of this claim for similar reasons as in claim 1.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
De Knijf (US 20180191593 A) teaches a system and method for determining unknown device types using a comparative analysis and grouping the devices into multiple functional groups ([004, 0037]).
Contacts	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANTOSH R. POUDEL whose telephone number is (571)272-2347.  The examiner can normally be reached on Monday - Friday (8:30 am - 5:00 pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thomas Lee can be reached on 571-272-3667.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SANTOSH R POUDEL/Primary Examiner, Art Unit 2115

1 [0018] “notably, specific details regarding the discovered devices (such as their type, make, model, manufacturer, etc.) may be unknown because such information is generally not included in network traffic.”
2 Please refer to Spec, para. 0036 for the additional description for the word “multi-dimensional” (e.g., 2D data that can be plotted in a 2D graph).