Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 16/942,188, filed on 7/29/2020. Claims 1-20 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 3/10/2022, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4-9, 12, 14-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Roskind (US 9,860,324) in view of Crabtree et al. (US 2018/0159852).

	As per claim 1, Roskind teaches a method comprising: detecting a connection request from a second computer device of a computer network (Roskind, Col. 1 Line 62 – Col. 2 Line 1 recites “The memory includes instructions that, when executed by the one or more processors, cause the one or more processors to facilitate the steps of receiving a first token with a first request for data from a computing device located at a first network address, the first token being associated with a second network address previously associated with the computing device,”);
	collecting one or more new data sets related to the second computer device, wherein each data set of the one or more new data sets comprises one or more second data attributes extracted from network traffic data of the second computer device (Roskind, Col. 2 Lines 1 – 7 recites “the first token and the first request for data being received without establishing a network connection with the computing device through one or more round-trip network communications, determining that the first token is a valid token, determining that the first token is not associated with the first network address, generating a second token for the computing device”).
	But fails to teach comparing the one or more new data sets related to the second computer device with one or more time series data sets maintained in a database comprising a plurality of time series data sets collected at different points in time, wherein each time series data set is associated to a previously known computer device of the computer network and comprises one or more first data attributes extracted from network traffic data of the previously known computer device; calculating one or more value scores related to the plurality of time series data sets based on comparing the one or more new data sets related to the second computer device with the one or more time series data sets of the plurality of time series data sets; and determining a device association score based on the one or more value scores related to the plurality of time series data sets, wherein the device association score determines an association level between the previously known computer device and the second computer device of the computer network.
	However, in an analogous art Crabtree teaches comparing the one or more new data sets related to the second computer device with one or more time series data sets maintained in a database comprising a plurality of time series data sets collected at different points in time, wherein each time series data set is associated to a previously known computer device of the computer network and comprises one or more first data attributes extracted from network traffic data of the previously known computer device; calculating one or more value scores related to the plurality of time series data sets based on comparing the one or more new data sets related to the second computer device with the one or more time series data sets of the plurality of time series data sets; and determining a device association score based on the one or more value scores related to the plurality of time series data sets, wherein the device association score determines an association level between the previously known computer device and the second computer device of the computer network (Crabtree, Paragraph 0011 recites “According to another aspect of the invention, a method for contextual and risk-based multi-factor authentication is provided, comprising the steps of: (a) monitoring and recording a network's traffic data, with a multi-dimensional time series data server; (b) serving the traffic data to other modules, with the multi-dimensional time series data server; (c) receiving the traffic data from the multi-dimensional time series data server, with a directed computation graph module; (d) determining a network traffic baseline from the traffic data, with the directed computation graph module; (e) determining a required verification score needed before granting access by a user to network resource based at least in part by the network traffic baseline, with the directed computation graph module; and (f) requiring a user to use a plurality of verification methods to earn enough verification score in order to gain access to the network resource.” By having a baseline for network traffic, it would read on if the traffic is known and can make a determination on if access should be granted or not).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Crabtree’s contextual and risk-based multi-factor authentication with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of a score helps with determining the similarities of network traffic to determine if access should be granted.

	As per claim 4, Roskind in combination with Crabtree teaches the method according to claim 1, Roskind further teaches wherein the first data attributes and the second data attributes extracted from the network traffic data comprise one or more of: a Media Access Control (MAC) address, a hostname, a transmission sequence number, a communication timestamp, a communication protocol, a source port, a server name indication, a Transmission Control Protocol (TCP) window size, a total length of packet, a referrer, and any network-based identifier data (Roskind, Col. 8 Lines 13-22 recites “On receiving an initial data request without a source address token from the client device 104, the server device 102 may extract the current network address of the client device 104 from packet headers received from the client device and generate a source address token associated with the current network address of the client device. The network address associated with the token may be an actual internet protocol address, internet packet exchange address, host address, media access control address, domain name, uniform resource locator, or the like.”).

	As per claim 5, Roskind in combination with Crabtree teaches the method according to claim 1, Crabtree further teaches setting one or more primary identifier values related to the previously known computer device based on the one or more first data attributes; wherein determining the device association score is further based on the one or more primary identifier values (Crabtree, Paragraph 0008 recites “According to another embodiment, the verification score is based at least in part by a security-level associated with resources being accessed by the user. According to another embodiment, the verification score is based at least in part by the origin of the user's connection” and Paragraph 0011 recites “According to another aspect of the invention, a method for contextual and risk-based multi-factor authentication is provided, comprising the steps of: (a) monitoring and recording a network's traffic data, with a multi-dimensional time series data server; (b) serving the traffic data to other modules, with the multi-dimensional time series data server; (c) receiving the traffic data from the multi-dimensional time series data server, with a directed computation graph module; (d) determining a network traffic baseline from the traffic data, with the directed computation graph module; (e) determining a required verification score needed before granting access by a user to network resource based at least in part by the network traffic baseline, with the directed computation graph module; and (f) requiring a user to use a plurality of verification methods to earn enough verification score in order to gain access to the network resource.” By having a baseline for network traffic, it would read on if the traffic is known and can make a determination on if access should be granted or not).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Crabtree’s contextual and risk-based multi-factor authentication with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of a score helps with determining the similarities of network traffic to determine if access should be granted.

	As per claim 6, Roskind in combination with Crabtree teaches the method according to claim 1, Crabtree further teaches wherein one or more matching algorithms are used in one or more steps of: comparing the one or more new data sets related to the second computer device with one or more time series data sets of the plurality of time series data sets; calculating the one or more value scores related to each of the plurality of time series data sets; and determining the device association score (Crabtree, Paragraph 0011 recites “According to another aspect of the invention, a method for contextual and risk-based multi-factor authentication is provided, comprising the steps of: (a) monitoring and recording a network's traffic data, with a multi-dimensional time series data server; (b) serving the traffic data to other modules, with the multi-dimensional time series data server; (c) receiving the traffic data from the multi-dimensional time series data server, with a directed computation graph module; (d) determining a network traffic baseline from the traffic data, with the directed computation graph module; (e) determining a required verification score needed before granting access by a user to network resource based at least in part by the network traffic baseline, with the directed computation graph module; and (f) requiring a user to use a plurality of verification methods to earn enough verification score in order to gain access to the network resource.” By having a baseline for network traffic, it would read on if the traffic is known and can make a determination on if access should be granted or not).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Crabtree’s contextual and risk-based multi-factor authentication with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of a score helps with determining the similarities of network traffic to determine if access should be granted.

	As per claim 7, Roskind in combination with Crabtree teaches the method according to claim 1, Crabtree further teaches wherein comparing the one or more new data sets related to the second computer device with the one or more time series data sets further comprises using distance comparison and/or dynamic value matching (Crabtree, Paragraph 0011 recites “According to another aspect of the invention, a method for contextual and risk-based multi-factor authentication is provided, comprising the steps of: (a) monitoring and recording a network's traffic data, with a multi-dimensional time series data server; (b) serving the traffic data to other modules, with the multi-dimensional time series data server; (c) receiving the traffic data from the multi-dimensional time series data server, with a directed computation graph module; (d) determining a network traffic baseline from the traffic data, with the directed computation graph module; (e) determining a required verification score needed before granting access by a user to network resource based at least in part by the network traffic baseline, with the directed computation graph module; and (f) requiring a user to use a plurality of verification methods to earn enough verification score in order to gain access to the network resource.” And Paragraph 0006 recites “In a typical embodiment, a server may be configured to dynamically determine a necessary verification score that must be obtained by a user before the user may access requested resources. The score may be based on context and risks associated with the connection request, such as, connection origin, how unusual the connection request is determined to be by the server, and the like. The user may then collect verification points via a plurality of verification methods to gain access.” By having a baseline for network traffic, it would read on if the traffic is known and can make a determination on if access should be granted or not).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Crabtree’s contextual and risk-based multi-factor authentication with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of a score helps with determining the similarities of network traffic to determine if access should be granted.

	As per claim 8, Roskind in combination with Crabtree teaches the method according to claim 7, Crabtree further teaches wherein the distance comparison comprises one or more of: a numerical and/or alphanumerical comparison to previous time series values to determine a distance between the first data attributes and the second data attributes; comparing a distance to time offset from time series to determine a relative match; and determining a non-match to establish negative associations (Crabtree, Paragraph 0011 recites “According to another aspect of the invention, a method for contextual and risk-based multi-factor authentication is provided, comprising the steps of: (a) monitoring and recording a network's traffic data, with a multi-dimensional time series data server; (b) serving the traffic data to other modules, with the multi-dimensional time series data server; (c) receiving the traffic data from the multi-dimensional time series data server, with a directed computation graph module; (d) determining a network traffic baseline from the traffic data, with the directed computation graph module; (e) determining a required verification score needed before granting access by a user to network resource based at least in part by the network traffic baseline, with the directed computation graph module; and (f) requiring a user to use a plurality of verification methods to earn enough verification score in order to gain access to the network resource.” By having a baseline for network traffic, it would read on if the traffic is known and can make a determination on if access should be granted or not).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Crabtree’s contextual and risk-based multi-factor authentication with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of a score helps with determining the similarities of network traffic to determine if access should be granted.

	As per claim 9, Roskind in combination with Crabtree teaches the method according to claim 7, Crabtree further teaches wherein the dynamic value matching comprises one or more of: comparing the first data attributes and the second data attributes on a byte-by-byte basis to establish a pattern match; and comparing to a full time series data set to find a direct positive match, or to establish one or more known negative matches (Crabtree, Paragraph 0034 recites “All captured data are then analyzed to predict the normal usage patterns of network nodes such as internal users, network connected systems and equipment and sanctioned users external to the enterprise boundaries for example off-site employees, contractors and vendors, just to name a few likely participants. Of course, normal other network traffic may also be known to those skilled in the field, the list given is not meant to be exclusive and other possibilities would not fall outside the design of the invention. Analysis of network traffic may include graphical analysis of parameters such as network item to network usage using specifically developed programming in the graphstack service 145, 145a, analysis of usage by each network item may be accomplished by specifically predeveloped algorithms associated with the directed computational graph module 155, general transformer service module 160 and decomposable service module 150, depending on the complexity of the individual usage profile at step 201. 
These usage pattern analyses, in conjunction with additional data concerning an enterprise's network topology; gateway firewall programming; internal firewall configuration; directory services protocols and configuration; and permissions profiles for both users and for access to network resources and/or sensitive information, just to list a few non-exclusive examples may then be analyzed further within the automated planning service module 130, where machine learning techniques which include but are not limited to information theory statistics 130a may be employed and the action outcome simulation module 125, specialized for predictive simulation of outcome based on current data 125a may be applied to formulate a current, up-to-date and continuously evolving baseline network usage profile at step 202. This same data would be combined with up-to-date known cyberattack methodology reports, possibly retrieved from several divergent and exogenous sources through the use of the multi-application programming interface aware connector module 135 to present preventative recommendations to the enterprise decision makers for network infrastructure changes, physical and configuration-based to cost effectively reduce the probability of a cyberattack and to significantly and most cost effectively mitigate data exposure and loss in the event of attack at steps 203 and 204.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Crabtree’s contextual and risk-based multi-factor authentication with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of a score helps with determining the similarities of network traffic to determine if access should be granted.

Regarding claims 12 and 20, claims 12 and 20 are directed to an apparatus and a non-transitory readable medium associated with the method of claim 1. Claims 12 and 20 are of similar scope to claim 1, and are therefore rejected under similar rationale.

	Regarding claim 14, claim 14 is directed to a similar apparatus associated with the method of claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale.

	Regarding claim 15, claim 15 is directed to a similar apparatus associated with the method of claim 6. Claim 15 is similar in scope to claim 6 and is therefore rejected under similar rationale.

	Regarding claim 16, claim 16 is directed to a similar apparatus associated with the method of claim 7. Claim 16 is similar in scope to claim 7 and is therefore rejected under similar rationale.

	Regarding claim 17, claim 17 is directed to a similar apparatus associated with the method of claim 8. Claim 17 is similar in scope to claim 8 and is therefore rejected under similar rationale.

	Regarding claim 18, claim 18 is directed to a similar apparatus associated with the method of claim 9. Claim 18 is similar in scope to claim 9 and is therefore rejected under similar rationale.


Claims 2, 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Roskind (US 9,860,324) and Crabtree et al. (US 2018/0159852) and in further view of Yasukawa et al. (US 2015/0149651).

	As per claim 2, Roskind in combination with Crabtree teaches the method according to claim 1, but fails to teach wherein the one or more new data sets related to the second computer device and the one or more time series data sets of the plurality of time series data sets are related to a specific network protocol used on the computer network.
	However, in an analogous art Yasukawa teaches wherein the one or more new data sets related to the second computer device and the one or more time series data sets of the plurality of time series data sets are related to a specific network protocol used on the computer network (Yasukawa, Paragraph 0028 recites “New and/or known devices 140 may be responding to the request according to used protocol. According to an embodiment, the generic protocol unit 110 may be arranged to determine, if the newly connected device 140 is supported by the specific protocol unit 130. The generic protocol unit 110 may also determine that a new fragment is required for the specific protocol unit 130. If it is determined that a new fragment is required, the determination of which fragment that is required may be performed by the local schema unit 200. The determination may be based upon information about the protocol, device vendor, device id, etc. When the local schema unit 200 has determined which fragment that is required to enable communication between the generic application 150 and the newly connected device 140, the generic protocol unit 110 may retrieve the fragment from the local schema unit 200, and install the fragment in the specific protocol unit 130. According to an embodiment, a specific protocol unit 130 may for example support any of TCP/UDP IP (Transfer Control Protocol/User Datagram Protocol/Internet Protocol), UPnP (Universal Plug and Play), Bonjour, Z-wave, ZigBee, CoAP (Constrained Application Protocol), TR069 (Technical Report 069), plain text (e.g. txt files), XML (eXtensible markup Language), or JSON (JavaScript Object Notation), e-mail, http (Hypertext Transfer protocol), https (http secure), ftp (file transfer protocol), SIP (Session Initiation Protocol), Bluetooth, or proprietary protocols such as ANT+, not limiting other protocols to be used.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Yasukawa’s system, method and computer program product for protocol adaptation with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because determining similar protocols helps to determine if a connection is compatible.

	As per claim 3, Roskind in combination with Crabtree and Yasukawa teaches the method according to claim 2, Yasukawa further teaches wherein the specific network protocol comprises one or more of: Dynamic Host Configuration Protocol Version 4 (DHCPv4), Dynamic Host Configuration Protocol Version 6 (DHCPv6), Multicast Domain Name Service (mDNS), Simple Service Discovery Protocol (SSDP), Universal Plug-n-Play Messages (UPnP Messages), and Internet Control Message Protocol Version 6 (ICMPv6) (Yasukawa, Paragraph 0028 recites “New and/or known devices 140 may be responding to the request according to used protocol. According to an embodiment, the generic protocol unit 110 may be arranged to determine, if the newly connected device 140 is supported by the specific protocol unit 130. The generic protocol unit 110 may also determine that a new fragment is required for the specific protocol unit 130. If it is determined that a new fragment is required, the determination of which fragment that is required may be performed by the local schema unit 200. The determination may be based upon information about the protocol, device vendor, device id, etc. When the local schema unit 200 has determined which fragment that is required to enable communication between the generic application 150 and the newly connected device 140, the generic protocol unit 110 may retrieve the fragment from the local schema unit 200, and install the fragment in the specific protocol unit 130. According to an embodiment, a specific protocol unit 130 may for example support any of TCP/UDP IP (Transfer Control Protocol/User Datagram Protocol/Internet Protocol), UPnP (Universal Plug and Play), Bonjour, Z-wave, ZigBee, CoAP (Constrained Application Protocol), TR069 (Technical Report 069), plain text (e.g. txt files), XML (eXtensible markup Language), or JSON (JavaScript Object Notation), e-mail, http (Hypertext Transfer protocol), https (http secure), ftp (file transfer protocol), SIP (Session Initiation Protocol), Bluetooth, or proprietary protocols such as ANT+, not limiting other protocols to be used.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Yasukawa’s system, method and computer program product for protocol adaptation with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because determining similar protocols helps to determine if a connection is compatible.

	Regarding claim 13, claim 13 is directed to a similar apparatus associated with the method of claim 2. Claim 13 is similar in scope to claim 2 and is therefore rejected under similar rationale.


Claims 10, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Roskind (US 9,860,324) and Crabtree et al. (US 2018/0159852) and in further view of Kao et al. (US 10,601,800).

	As per claim 10, Roskind in combination with Crabtree teaches the method according to claim 7, but fails to teach wherein comparing further comprises measuring a distance and dynamic match to most recent communication timeseries attributes and evaluating weight values for current communication in comparison with data maintained in the database.
	However, in an analogous art Kao teaches wherein comparing further comprises measuring a distance and dynamic match to most recent communication timeseries attributes and evaluating weight values for current communication in comparison with data maintained in the database (Kao, Claim 11 recites “value representing an extent of match between the traffic patterns of the historical network and the current network, wherein the weighted sum comprises a plurality of weights assigned to a plurality of factors for the authentication, wherein the weights are determined dynamically from a machine-learning algorithm that is configured to self-adjust the weights over time based on whether the corresponding factors are statistically more stable than other factors, and wherein the plurality of factors include a factor representing a difference between the identities of the one or more additional computing devices connected to the current network and the identities of the devices previously connected to the same network at a time of day that is about the same as that of the request; and determining, by the authentication device, a type of authentication protocol based on the risk score by increasing a complexity of the authentication protocol if the risk score is greater than a predetermined threshold.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kao’s Systems And Methods For User Authentication Using Pattern-based Risk Assessment And Adjustment with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of weighted scores is a more accurate way of pattern matching.

	As per claim 11, Roskind in combination with Crabtree teaches the method according to claim 7, but fails to teach wherein the step of comparing the one or more new data sets related to the second computer device with the one or more time series data sets further comprises evaluating quality of the one or more new data sets by using relative plot scoring, and wherein the device association score further determines a relative weight of the quality of the comparison and an absolute value of the comparison.
	However, in an analogous art Kao teaches wherein the step of comparing the one or more new data sets related to the second computer device with the one or more time series data sets further comprises evaluating quality of the one or more new data sets by using relative plot scoring, and wherein the device association score further determines a relative weight of the quality of the comparison and an absolute value of the comparison (Kao, Claim 11 recites “value representing an extent of match between the traffic patterns of the historical network and the current network, wherein the weighted sum comprises a plurality of weights assigned to a plurality of factors for the authentication, wherein the weights are determined dynamically from a machine-learning algorithm that is configured to self-adjust the weights over time based on whether the corresponding factors are statistically more stable than other factors, and wherein the plurality of factors include a factor representing a difference between the identities of the one or more additional computing devices connected to the current network and the identities of the devices previously connected to the same network at a time of day that is about the same as that of the request; and determining, by the authentication device, a type of authentication protocol based on the risk score by increasing a complexity of the authentication protocol if the risk score is greater than a predetermined threshold.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kao’s Systems And Methods For User Authentication Using Pattern-based Risk Assessment And Adjustment with Roskind’s Rapid Establishment Of A Connection From Multiple Address Locations because the use of weighted scores is a more accurate way of pattern matching.

	Regarding claim 19, claim 19 is directed to a similar apparatus associated with the method of claim 11. Claim 19 is similar in scope to claim 11 and is therefore rejected under similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439