DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-20 are presented for examination.

Priority
The claim for priority from US Provisional 62/822,564 filed on 22 March 2019 is duly noted.

Claim Objections
Claims 5, 8, and 9 are objected to because of the following informalities:  
In claim 5, line 5: “analyzing using a computing device the tuples” should read – analyzing, using a computing device, the tuples–;
In claim 8, line 1: “charactering” should read –characterizing–;
In claim 9, line 1: “comprises comprising” should read –comprises–.
Appropriate correction is required.

Drawings
The drawings are objected to because in figure 5, label 28 does not appear to correspond to an element.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 3, 5-10, 13-15, 17, and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-6, 12, 14, and 18 of U.S. Patent No. 10,681,075 B2 in view of Killcommons (US Patent 7,028,182 B1). 
The ‘075 patent discloses the instant application except updating the database. Killcommons discloses creating a distributed database and updating it by inputting new information (col. 10, lines 36-44; col. 16, lines 16-30). Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by analyzing the traffic by determining certificates and updating the database. Killcommons recites motivation by disclosing that analyzing traffic and updating the database provides privacy and protection while keeping up to date with new structures joining the network (col. 10, lines 36-42; col. 16, lines 14-16). It is obvious that the teachings of Killcommons would have improved the teachings of Sheleheda by analyzing traffic and updating the database in order to provide privacy and protection while keeping up to date.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-4, 10, 13-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sheleheda et al. (US 2010/0162399 A1 and Sheleheda hereinafter) in view of Killcommons (US Patent 7,028,182 B1), and further in view of Jiang et al. (US 2017/0163736 A1 and Jiang hereinafter).
As to claim 1, Sheleheda discloses a system and method for monitoring and protecting home and small office networks from botnet and malware activity, the system and method having:
capturing network traffic over a network connection at a network connected device (0008, lines 5-6, 12-14); 
characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates (0009, lines 2-4, 16-18).
Sheleheda fails to specifically disclose:
maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates; 
analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database.
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses a system and method for secure network for transfer of medical information, the system and method having:
analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database (col. 10, lines 36-44; col. 16, lines 16-30).
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by analyzing the traffic by determining certificates and updating the database. Killcommons recites motivation by disclosing that analyzing traffic and updating the database provides privacy and protection while keeping up to date with new structures joining the network (col. 10, lines 36-42; col. 16, lines 14-16). It is obvious that the teachings of Killcommons would have improved the teachings of Sheleheda by analyzing traffic and updating the database in order to provide privacy and protection while keeping up to date.

Sheleheda in view of Killcommons fails to specifically disclose:
maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons, as taught by Jiang.
Jiang discloses a system and method for implementation of secure socket layer intercept, the system and method having:
maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates (0040, lines 7-9).
Given the teaching of Jiang, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons with the teachings of Jiang by maintaining a database identifying certificates and IP addresses. Jiang recites motivation by disclosing that a database of certificates and IP addresses is maintained in order to establish a SSL session (0038-0039). It is obvious that the teachings of Jiang would have improved the teachings of Sheleheda in view of Killcommons by maintaining a database of certificates and IP addresses in order to establish a SSL session.

As to claim 15, Sheleheda discloses:
a network connection for connecting to the network (0031, lines 1-8); 
a non-transitory machine readable storage medium (0027, lines 3-8); 
a hardware processor operatively connected to the network connection and the machine readable storage medium (0031, lines 1-8); 
wherein the non-transitory machine readable storage medium contains instructions for the hardware processor (0027, lines 1-8) for capturing network traffic over a network connection at a network connected device (0008, lines 5-6, 12-14), and characterizing at least one of the Internet Protocol addresses associated with one of the digital certificates based on the number of Internet Protocol addresses associated with the one of the digital certificates (0009, lines 2-4, 16-18).
Sheleheda fails to specifically disclose:
maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates, analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database.
Nonetheless, these features are well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses:
analyzing the network traffic by determining the digital certificates associated with Internet Protocol addresses associated with the network traffic and a number of Internet Protocol addresses associated with each of the digital certificates and updating the database (col. 10, lines 36-44; col. 16, lines 16-30).
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by analyzing the traffic by determining certificates and updating the database. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Killcommons to the teachings of Sheleheda.

Sheleheda in view of Killcommons fails to specifically disclose:
maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons, as taught by Jiang.
Jiang discloses:
maintaining a database identifying a plurality of digital certificates and a number of Internet Protocol addresses associated with each of the plurality of digital certificates (0040, lines 7-9).
Given the teaching of Jiang, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons with the teachings of Jiang by maintaining a database identifying certificates and IP addresses. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Jiang to the teachings of Sheleheda in view of Killcommons.

As to claims 2 and 16, Sheleheda discloses:
performing an action based at least partially on the number of Internet Protocol addresses associated with the one of the digital certificates (0009, lines 2-18; 0038, lines 1-5; 0039, lines 1-2).

As to claims 3 and 17, Sheleheda discloses:
wherein the characterizing comprises characterizing the at least one Internet protocol addresses as a security threat (0008, lines 6-9; 0009, lines 16-18).

As to claims 4 and 18, Sheleheda discloses:
wherein the action comprises blocking network traffic associated with the at least one of the Internet Protocol addresses associated with the one of the digital certificates (0039, lines 10-15).

As to claim 10, Sheleheda discloses:
wherein the action comprises reconfiguring a firewall to prevent network connections to the at least one of the Internet Protocol addresses (0034-0035).

As to claim 13, Sheleheda fails to specifically disclose:
wherein the certificates comprise secure sockets layer (SSL) server certificates.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses:
wherein the certificates comprise secure sockets layer (SSL) server certificates (col. 10, lines 36-42). 
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by using SSL certificates. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Killcommons to the teachings of Sheleheda.

Jiang also discloses:
wherein the certificates comprise secure sockets layer (SSL) server certificates (0026, lines 13-16).
Given the teaching of Jiang, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons with the teachings of Jiang by using SSL certificates. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Jiang to the teachings of Sheleheda in view of Killcommons.

As to claim 14, Sheleheda fails to specifically disclose:
wherein the certificates comprise transport layer security (TLS) server certificates.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses:
wherein the certificates comprise transport layer security (TLS) server certificates (col. 10, lines 36-42). 
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by using SSL certificates. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Killcommons to the teachings of Sheleheda.

Jiang also discloses:
wherein the certificates comprise transport layer security (TLS) server certificates (0026, lines 13-16).
Given the teaching of Jiang, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons with the teachings of Jiang by using SSL certificates. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Jiang to the teachings of Sheleheda in view of Killcommons.
As to claim 20, Sheleheda fails to specifically disclose:
wherein the digital certificates comprise at least one of secure sockets layer (SSL) server certificates and transport layer security (TLS) server certificates.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses:
wherein the digital certificates comprise at least one of secure sockets layer (SSL) server certificates and transport layer security (TLS) server certificates (col. 10, lines 36-42). 
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by using SSL certificates. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Killcommons to the teachings of Sheleheda.

Jiang also discloses:
wherein the digital certificates comprise at least one of secure sockets layer (SSL) server certificates and transport layer security (TLS) server certificates (0026, lines 13-16).
Given the teaching of Jiang, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons with the teachings of Jiang by using SSL certificates. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Jiang to the teachings of Sheleheda in view of Killcommons.

Claim(s) 5-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sheleheda in view of Killcommons and Jiang as applied to claim 1 above, and further in view of Kakadia et al. (US 2014/0293804 A1 and Kakadia hereinafter).
As to claim 5, Sheleheda discloses:
representing the network traffic over the network connection as a set of tuples wherein each of the tuples defines a session and includes at least a source Internet Protocol address, a destination Internet Protocol address, and a destination port; associating timestamps with each of the set of tuples (0033, lines 4-8; 0034, lines 3-7; 0035, lines 4-11).
Sheleheda in view of Killcommons and Jiang fails to specifically disclose:
analyzing using a computing device the tuples using the timestamps based on frequency of connections and based on the certificates associated with the source Internet Protocol address and the number of Internet Protocol addresses associated with the server certificate.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons and Jiang, as taught by Kakadia.
Kakadia discloses a system and method for backhaul network performance monitoring using segmented analytics, the system and method having:
analyzing using a computing device the tuples using the timestamps based on frequency of connections and based on the certificates associated with the source Internet Protocol address and the number of Internet Protocol addresses associated with the server certificate (0039, lines 1-7; 0043, lines 7-12).
Given the teaching of Kakadia, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons and Jiang with the teachings of Kakadia by analyzing the tuples using timestamps. Kakadia recites motivation by disclosing that analyzing tuples using timestamps allows for packets to be monitored and evaluated according to thresholds (0048). It is obvious that the teachings of Kakadia would have improved the teachings of Sheleheda in view of Killcommons and Jiang by analyzing tuples using timestamps in order to monitor and evaluate packets according to thresholds.

As to claim 6, Sheleheda fails to specifically disclose:
wherein the analyzing the set of tuples comprises performing a Fourier analysis.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses:
wherein the analyzing the set of tuples comprises performing a Fourier analysis (col. 15, lines 51-55). 
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by using a Fourier analysis. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Killcommons to the teachings of Sheleheda.

As to claim 7, Sheleheda fails to specifically disclose:
wherein the Fourier analysis is a discrete Fourier transform.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda, as taught by Killcommons.
Killcommons discloses:
wherein the Fourier analysis is a discrete Fourier transform (col. 15, lines 51-55).
Given the teaching of Killcommons, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda with the teachings of Killcommons by using a discrete Fourier transform. Please refer to the motivation recited above with respect to claim 1 as to why it is obvious to apply the teachings of Killcommons to the teachings of Sheleheda.

Claim(s) 8 and 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sheleheda in view of Killcommons and Jiang as applied to claim 2 above, and further in view of Dennison et al. (US Patent 9,043,894 B1 and Dennison hereinafter).
As to claim 8, Sheleheda in view of Killcommons and Jiang fails to specifically disclose:
wherein the characterizing comprises charactering the at least one of the Internet Protocol addresses as being associated with malware beaconing.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons and Jiang, as taught by Dennison.
Dennison discloses a system and method for malicious software detection, the system and method having:
wherein the characterizing comprises charactering the at least one of the Internet Protocol addresses as being associated with malware beaconing (col. 23, lines 28-38, 46-49, 64-col. 24, line 5).
Given the teaching of Dennison, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons and Jiang with the teachings of Dennison by identifying IP addresses as associated with malware beaconing. Dennison recites motivation by disclosing that determining devices to be related to beaconing malware allows it to be proactively removed, thus providing security to the system (col. 23, lines 54-58). It is obvious that the teachings of Dennison would have improved the teachings of Sheleheda in view of Killcommons and Jiang by identifying IP addresses as associated with malware beaconing in order to allow it to be proactively removed and provide security to the system.

As to claim 9, Sheleheda in view of Killcommons and Jiang fails to specifically disclose:
wherein the action comprises comprising displaying to a user the at least one Internet Protocol addresses associated with the malware beaconing.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons and Jiang, as taught by Dennison.
Dennison discloses:
wherein the action comprises comprising displaying to a user the at least one Internet Protocol addresses associated with the malware beaconing (col. 23, lines 28-38, 46-49).
Given the teaching of Dennison, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons and Jiang with the teachings of Dennison by identifying IP addresses as associated with malware beaconing. Please refer to the motivation recited above with respect to claim 8 as to why it is obvious to apply the teachings of Dennison to the teachings of Sheleheda in view of Killcommons and Jiang.

	Claim(s) 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sheleheda in view of Killcommons and Jiang as applied to claim 1 above, and further in view of Cruz Mota et al. (US 2015/0326609 A1 and Cruz Mota hereinafter).
As to claim 11, Sheleheda in view of Killcommons and Jiang fails to specifically disclose:
wherein the characterizing comprises characterizing the at least one Internet protocol addresses as not being associated with an Internet of Things (IoT) device.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons and Jiang, as taught by Cruz Mota.
Cruz Mota discloses a system and method for designating a voting classifier using distributed learning machines, the system and method having:
wherein the characterizing comprises characterizing the at least one Internet protocol addresses as not being associated with an Internet of Things (IoT) device (0061, lines 13-16).
Given the teaching of Cruz Mota, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons and Jiang with the teachings of Cruz Mota by determining the IP address as not associated with an IoT device. Cruz Mota recites motivation by disclosing that an IP address not associated with an IoT device may be used to detect an attack (0061). It is obvious that the teachings of Cruz Mota would have improved the teachings of Sheleheda in view of Killcommons and Jiang by determining the IP address as not associated with an IoT device in order to detect an attack.

Claim(s) 12 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sheleheda in view of Killcommons and Jiang as applied to claim 1 above, and further in view of Luo et al. (US 2021/0194926 A1 and Luo hereinafter).
As to claims 12 and 19, Sheleheda in view of Killcommons and Jiang fails to specifically disclose:
wherein the characterizing comprises characterizing the at least one Internet protocol addresses as potentially being associated with an Internet of Things (IoT) device.

Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Sheleheda in view of Killcommons and Jiang, as taught by Luo.
Luo discloses a system and method for intelligent-interaction honeypot for IoT devices, the system and method having:
wherein the characterizing comprises characterizing the at least one Internet protocol addresses as potentially being associated with an Internet of Things (IoT) device (claim 1).
Given the teaching of Luo, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Sheleheda in view of Killcommons and Jiang with the teachings of Luo by determining an IP address as potentially associated with an IoT device. Luo recites motivation by disclosing that determining an IP address as associated with an IoT device allows for the determination of an attack and response to an attacker (claim 1). It is obvious that the teachings of Luo would have improved the teachings of Sheleheda in view of Killcommons and Jiang by determining an IP address as associated with an IoT device in order to determine an attack and response.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Ellam (WO 2019/017879 A1) discloses a system and method for activity detection based on time difference metrics.
Fehrman et al. (US 2017/0187736 A1) discloses a system and method for malware beaconing detection.
Lin (US Patent 9,038,178 B1) discloses a system and method for detection of malware beaconing activities.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/SARAH SU/Primary Examiner, Art Unit 2431