DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
      Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 10/26/2020 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 7-12 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2016/0248746 A1 to James et al. (hereinafter “James”), and further in view of US-PGPUB No. 2021/0335505 A1 Tedaldi et al. (hereinafter “Tedaldi”)
Regarding claim 1:
James discloses: 
A computer-implemented method for provisioning an Internet of Things (IoT) device, the method comprising: 
receiving, at a device provisioning system, an event schema for the IoT device, wherein the event schema includes one or more event types collected by the IoT device (see James ¶11: “… a computer-implemented method for establishing trust in a device when provisioning the device. The method includes receiving a provisioning request associated with the device …”,  
¶12: “… determining distinguishing information associated with a first device in response to a first provisioning request; selecting at least one authorization template included in a template database based on the distinguishing information”, 
¶39: “… entities often require the IoT device … to present an authorization credential that identifies the types of interactions in which the IoT device … can engage.”, and 
¶115: “The authorization template database … includes … any number of authorization templates … Each of the authorization templates … includes one or more authorizations that specify types of interactions that are permitted for the IoT devices … that match the corresponding device profile.”); 
comparing the one or more event types from the event schema with a plurality of combinations of one or more event types in a device type schema list to identify a match between the one or more event types in the event schema from the IoT device and one of the plurality of combinations of one or more event types in the device type schema list (see James ¶115: “The authorization template database … includes … any number of authorization templates … Each of the authorization templates … includes one or more authorizations that specify types of interactions that are permitted for the IoT devices … that match the corresponding device profile.”); 
provisioning the IoT device with validated credentials based on the assigned device type (see James ¶123: “…  the authorization authority … receives an authorization credential request … for provisioning the authorization credentials … onto the IoT device …”, and  
¶47: “… the distinguishing information may be or a function of the IoT device … on the network … or a device type (e.g., controller) associated with the IoT device …”).
However, James failed to explicitly disclose the following limitation taught by Tedaldi: 
 in response to identifying a match, assigning a device type to the IoT device based on a correlation in the device type schema list for the device type and the matched combination of one or more event types (see Tedaldi ¶76: “Each device classification rule specifies one or more attributes from a set of attributes and being configured to assign a device type to an endpoint in a network when the endpoint exhibits the one or more attributes specified by that rule.”); 
 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of James to incorporate the functionality of the device classification service to implement device classification rules to assign a device type to an IoT device, as disclosed by Tedaldi, such modification would provide timely patching of vulnerable devices, mitigation of potential large-scale exploits, and asset management.

Regarding claim 2:
The combination of James and Tedaldi disclose: 
The computer-implemented method of claim 1, wherein provisioning the IoT device comprises: 
sending the assigned device type to an IoT platform (see James ¶110-111: “… the IoT device transmits an authorization credential request … to the authorization authority … The authorization credential request … includes identifying information for the IoT device …  and requests the authorization credential … for the IoT device … Upon receiving the authorization credential request … the authorization credential engine … verifies the identity of the IoT device … the authorization authority … may implement the device identification engine … to establish trust in the IoT device …”, and  
¶114: “… the authorization credential engine … determines distinguishing information that is associated with the IoT device … the distinguishing information may be … a device type (e.g., controller).”); and
receiving, from the IoT platform, the validated credentials for the IoT device (see James ¶121: “… the authorization authority … transmits the authorization credential … to the IoT device … for installation onto the IoT device … The IoT device … may install the authorization credential … the IoT device … may store the authorization credential …”).

Regarding claim 3:
The combination of James and Tedaldi disclose: 
The computer-implemented method of claim 1, wherein receiving the event schema comprises receiving the event schema together with a provisioning request and credentials hardcoded in the IoT device (see James ¶80: “… the manufacturer of the IoT device … may provision the EPID private key … onto the IoT device … during the device manufacturing process.”,  
¶76: “… each of the EPID private keys … may be associated with a single EPID public key …”, and  
¶125: “The authorization credential engine … identifies distinguishing information that is associated with the IoT device … The distinguishing information may be any information that is consistent with distinguishing between the authorization templates … the distinguishing information may be the Enhanced Privacy Identification (EPID) public key … “, and see also FIGURE 10).  

Regarding claim 4:
The combination of James and Tedaldi disclose:
The computer-implemented method of claim 1, wherein receiving the event schema for the IoT device comprises receiving the event schema from an IoT platform P201808100US01Page 26 of 32which forwarded the event schema from the IoT device to the device provisioning system (see James p121: “… the authorization authority … transmits the authorization credential … to the IoT device … for installation onto the IoT device … the IoT device … may store the authorization credential … in the memory … and prevent any other IoT device … from reading the memory …”).  
Regarding claim 7:
The combination of James and Tedaldi disclose:
The computer-implemented method of claim 1, further comprising validating credentials of the IoT device at the device provisioning system (see James ¶136: “… the provisioning service identifies an authentication item that is associated with the provisioning request … the provisioning service performs verification operations based on the authentication item. … if the authentication item is a digital signature that is signed using an EPID private key, then the provisioning service may validate the digital signature using a corresponding EPID public key.”). 

Regarding claim 9: 
The combination of James and Tedaldi disclose: 
The device provisioning system of claim 8, wherein the processor is configured to validate credentials of the IoT device (see James ¶110: “…  the authorization credential engine … verifies the identity of the IoT device …”). 

Regarding claims 8 and 10-12:
Claims 8 and 10-12 substantially recite the same limitations as claims 1 and 2-4, respectively, in the form of a device implementing the corresponding method, therefore they are rejected under the same rationale. 

Regarding claims 15 and 17-18:
Claims 15 and 17-18 substantially recite the same limitations as claims 1 and 2-3, respectively, in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore they are rejected under the same rationale. 

Regarding claim 16:
Claim 16 substantially recites the same limitation as claim 9 in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore it is rejected under the same rationale.



Claims 5, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over James, Tedaldi and further in view of US-PGPUB No. 2021/0193334 A1 to Turrin et al. (hereinafter “Turrin”)
Regarding claim 5:
The combination of James and Tedaldi disclose the computer-implemented method of claim 1, but failed to explicitly disclose the following limitations taught by Turrin: 
 in response to not identifying a match, forwarding credentials received from the IoT device to a device manufacturer of the IoT device (see Turrin ¶50: “If a model is not found, a lean device is created … and a model is requested … a request for a model is transmitted to the manufacturer of the IoT device.”); 
receiving a device type for the IoT device from the device manufacturer (see Turrin ¶50: “… in response to the request, a manufacturer can provide a model for the IoT device …”); and 
updating the device type schema based on the event schema for the IoT device and the device type received from the device manufacturer (see Turrin ¶51: “… the digital twin can be updated with data provided in the received IoT data.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of James and Tedaldi to incorporate the functionality of the process to transmit a request for a model to the manufacturer of the IoT device, as disclosed by Turrin, such modification would allow the system to provision the IoT device when a match is not found within the template database. 

Regarding claim 13:
Claim 13 substantially recites the same limitation as claim 5 in the form of a device implementing the corresponding method, therefore it is rejected under the same rationale. 


Regarding claim 19:
Claim 19 substantially recites the same limitation as claim 5 in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore it is rejected under the same rationale. 

Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over James, Tedaldi and further in view of US-PGPUB No. 2018/0316511 A1 Meyer et al. (hereinafter “Meyer”)
Regarding claim 6:
The combination of James and Tedaldi disclose the computer-implemented method of claim 1, but failed to explicitly disclose the following limitations taught by Meyer: 
logging receipt of the event schema for the IoT device in a provisioning log (see Meyer ¶102-103: “… the provisioning controller … may determine that the device … is authorized by verifying against previously stored information its database … then the provisioning controller … stores the installation status data with the log information associated with the device …”, and  
¶106: “… the provisioning controller … continues the audit trail or audit log for all of the system … activities associated with each particular device …”); 
logging a schema statement for the identified match in the provisioning log (see Meyer ¶102-103: “… the provisioning controller … may determine that the device … is authorized by verifying against previously stored information its database … then the provisioning controller … stores the installation status data with the log information associated with the device …”, and  
¶106: “… the provisioning controller … continues the audit trail or audit log for all of the system … activities associated with each particular device …”); and 
logging provisioning of the IoT device without logging the validated credentials (see Meyer ¶57: “… produce audit logs, records, reports, and the like, of the secure provisioning process, which may be used to analyze and resolve later-discovered problems.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of James and Tedaldi to incorporate the functionality of the provisioning controller to log all system activities associated with the onboarding process of an IoT device, as disclosed by Meyer, such modification would allow the system to store valuable log information for purposes of failure recovery, and mitigation of security issues, where the logs can be analyzed to resolve such discovered problems. 
. 

Regarding claim 14:
Claim 14 substantially recites the same limitation as claim 6 in the form of a device implementing the corresponding method, therefore it is rejected under the same rationale. 

Regarding claim 20:
Claim 20 substantially recites the same limitation as claim 6 in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore it is rejected under the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Kumar et al. (US-PGPUB No. 2019/0058586-A1)- disclosed device authentication and onboarding of devices in an Internet of Things (IoT) network. 
Behm et al. (USPAT No. 11245577-B2)- disclosed methods, systems, and computer-readable media for template-based onboarding of internet-connectible devices. 
Lattin et al. (US-PGPUB No 20180137261-A1)- disclosed systems, methods and devices system for securely provisioning one or more computerized devices.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through

Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491

/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491