DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 5-12 and 14-18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Mermoud et al. (US 20200344203 A1, hereinafter Mermoud).
Regarding claim 1, Mermoud discloses in Figs. 1-6, a method to generate a hyper context associated with a computing device 402 (Abstract, FIG. 6; para. [0063], liens 2-15, a service maintains a database of media access control (MAC) addresses of devices in a network and their associated telemetry data captured from the network. The service identifies a new MAC address being used by a particular device in the network. The service matches telemetry data associated with the new MAC address with telemetry data in the database associated with another MAC address, by using the telemetry data associated with the new MAC address as input to a machine learning-based classifier. The service determines, based on the matching, that the MAC address in the database associated with the matched telemetry data has been updated to the new MAC address by the particular device…), the method comprising: 
accessing communication data associated with the computing device 402 (paras. [0038], device classification process 248 may assess the captured telemetry data on a per-flow basis… device classification process 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions. For example, traffic flows may be grouped based on their sources, destinations, temporal characteristics…; [0042], networking device that captures the flow telemetry data may also compute any number of statistics or metrics regarding the traffic flow. For example, CE-2 may determine the start time, end time, duration, packet size(s), the distribution of bytes within a flow, etc., associated with the traffic flow by observing packets 302…; and [0066], device classification process 248 may receive device telemetry data 510 regarding any number of devices undergoing device type classification. Such device telemetry data 510 may include, for example, the MAC addresses of the devices, traffic features captured from the devices' traffic (e.g., which protocols were used, source or destination information, which applications were executed by the devices, etc.), timing information (e.g., when the devices communicate, sleep, etc.), mobility information for the devices, and/or any other information regarding the devices that can be used to infer their device types. For example, device telemetry data 510 may take the form of a feature vector  in which each dimension represents the presence or absence of a certain protocol in the traffic of the device such as, but not limited to, IPv6, IPv4, IGMPv3, IGMPv2, ICMPv6, ICMP, HTTP/XML, HTTP, etc…); 
extracting one or more features associated with the computing device 402 from the communication data (para. [0067], lines 1-5, device labeler 504 use device telemetry data 510 to output a device type classification 512 for a device under scrutiny, thereby allowing the receiving entity to apply network policies to the device, based on its device type classification 512…);  
detecting a type of the computing device 402 (paras. [0057], lines 1-5, device classification service may even trigger active scanning of the network and SNMP scanning when the default community string is set to public. This can be done, for example, to retrieve the MAC address of the device or other types of information…; [0062], lines 4-8, techniques herein can also detect security threats, such as MAC address spoofing. As would be appreciated, tracking devices across MAC address updates…; [0066], mobility information for the devices, and/or any other information regarding the devices that can be used to infer their device types; [0068], lines 1-7, MAC addresses are often used to uniquely identify devices in a network, as well as MAC address updates…; [0072], lines 1-13, MAC update detector 506 may monitor device feature database 502, to determine whether a new MAC address on the network can be matched to a previous one in database 502. To do so, MAC update detector 506 may train a machine learning-based classifier that takes as input an aggregate vector [XA(t), XB(t+l)] and predicts if A==B, possibly with a measure of uncertainty…construct a training dataset of positive examples [XA(t), XA(t+l)] and negative examples [XA(t), XB(t+l)], where A is clearly identified as the same device at time t and t+l, thus ensuring that B is a different device…); 
detecting an operating system associated with the computing device (paras. [0045], lines 5-15, device classification service 408 is configured to take as input telemetry data 410 captured by networking device 406 regarding network traffic associated with endpoint device 402 and, based on the captured telemetry, identify the device type 412 of endpoint device 402. For example, device type 412 may indicate the operating system (e.g., iOS, Android, etc.), manufacturer (e.g., Apple, Samsung, etc.), make (e.g., iPhone, etc.), model (e.g., 5s, 6, 7, etc.), function (e.g., thermostat, temperature sensor, etc.), or any other information that can be used to categorize endpoint device 402…; [0062], lines 4-8, detecting device types via MAC address); 
detecting a control associated with the computing device 402 (paras. [0045], lines 5-15, device type 412 of endpoint device 402…may indicate the …function (e.g., thermostat, temperature sensor, etc.), or any other information that can be used to categorize endpoint device 402…; [0057], lines 1-5; [0062], lines 4-8, detecting device types via MAC address);
detecting a functionality of the computing device 402 (paras. [0045], lines 5-15, device type 412 of endpoint device 402…may indicate the … make (e.g., iPhone, etc.)…or any other information that can be used to categorize endpoint device 402…; [0057], lines 1-5; [0062], lines 4-8, detecting device types via MAC address); 
detecting an ownership of the computing device 402 (paras. paras. [0036], nearest neighbor (NN) techniques; [0045], lines 5-15, device type 412 of endpoint device 402…may indicate the … make (e.g., iPhone, etc.)…or any other information that can be used to categorize endpoint device 402…; [0057], lines 1-5; [0062], lines 4-8, detecting device types via MAC address); and 
defining a hyper context associated with the computing device 402, wherein the hyper context is comprised of a type context (paras. . [0057], lines 1-5; [0062], lines 4-8; [0066]; [0072], lines 1-13), a category context (paras. [0038]-[0042], [0066], device classification process 248 may assess the captured telemetry data on a per-flow basis… traffic flows may be grouped based on their sources, destinations, temporal characteristics), an operating system context (paras. [0045], lines 5-15; [0062], lines 4-8), an ownership context (paras. [0045], lines 5-15; [0057], lines 1-5; [0062], lines 4-8), a connectivity context (paras. [0016]-[0018], Site Type A: a site connected to the network (e.g., via a private or VPN link) using a single CE router and a single link, with potentially a backup link (e.g., a 3G/4G/5G/LTE backup connection)…), and a control context (paras. [0045], lines 5-15; [0057], lines 1-5; [0062], lines 4-8).

Regarding claim 2, Mermoud discloses the method of claim 1, wherein the communication data includes packet data, WiFi radio data, Bluetooth data, or Bluetooth Low Energy data (paras. [0016]-[0018]; [0070], Power over Ethernet (PoE) classifiers used for fingerprinting devices, based on their power consumptions).

Regarding claim 4, Mermoud discloses the method of claim 1, wherein detecting a type of the computing device comprises: 
running one or more type-detection rules (para. [0072]); 
generating a weighted matrix of predicted types (para. [0072]); 
running a trained machine learning type-detection mode (para. [0048], lines 4-7, the device classification can be achieved by applying a trained machine learning-based classifier to the captured telemetry data for an endpoint device…); 
generating a prediction responsive to the running (para. [0072]); 
adding the prediction to the weighted matrix; normalizing one or more weights (para. [0073]); 
computing a probability for the computing device (para. [0075], lines 6-8, MAC update detector 506 may select the one with the highest probability score or the lowest uncertainty, as determined by the classifier…); 
predicting a type of the computing device based on a value of the probability (paras. [0072]; [0075], lines 1-6, a new MAC address seen on the network may behave similarly to a plurality of MAC addresses in device feature database 502, meaning that MAC update detector 506 may match the telemetry data 510 for the new MAC address to that of multiple MAC addresses.…);  and 
computing a device category responsive to the prediction (para. [0075], lines 8-14, When MAC update detector 506 confirms a match, it may restore all states for that device from its history. For example, if device labeler 504 previously labeled the device as being an iPhone, under its previous MAC address, MAC update detector 506 may also associate this device type label with its new MAC address.…)

Regarding claim 5, Mermoud discloses the method of claim 1, wherein detecting an operating system associated with the computing device comprises: 
running one or more operating system detection rules (paras. [0045], lines 5-15; [0062], lines 4-8; [0072]); 
generating a weighted matrix of predicted operating systems (para. [0072]); 
running a machine learning operating system detection model (paras. [0048], lines 4-7; [0079]); 
generating a prediction by the machine learning operating system detection model (paras. [0048], lines 4-7; [0079]); 
adding the prediction to the weighted matrix (paras. [0048], lines 4-7; [0079]); 
normalizing one or more weights associated with the weighted matrix (paras. [0048], lines 4-7; [0073]; [0079]-[0080]);
calculating a probability for each operating system (paras. [0072]; [0075], lines 1-6); and 
predicting a device operating system responsive to the calculating (paras. [0072]; [0075], lines 1-6).

Regarding claim 6, Mermoud discloses the method of claim 1, wherein detecting a control associated with the computing device comprises: 
running one or more control-detection rules (para. [0072]);  
generating a weighted matrix of predicted control (para. [0072]);
normalizing one or more weights associated with the weighting matrix (paras. [0048], lines 4-7; [0073]; [0079]-[0080]);
calculating a probability to determine automatic operation versus user-controlled operation for the computing device (paras. [0045], lines 5-15; [0062], lines 4-8; [0072]); and 
determining a device control responsive to the calculation (para. [0075], lines 8-14.

Regarding claim 7, Mermoud discloses the method of claim 1, wherein detecting a functionality of the computing device comprises: 
running function-detection rules (paras. [0045], lines 5-15; [0057], lines 1-5; [0062], lines 4-8; [0072]), generating a weighted prediction matrix (para. [0072]), wherein the weighted prediction matrix includes a type of the computing device (para. [0072]), an operating system associated with the computing device (para. [0072]), and a control associated with the computing device (paras. [0045], lines 5-15; [0057], lines 1-5; [0062], lines 4-8); 
generating a prediction using a trained machine learning model(para. [0072]);
adding the prediction to the weighted prediction matrix (para. [0073]); 
normalizing one or more numerical weights associated with the prediction (paras. [0048], lines 4-7; [0073]; [0079]-[0080]);
calculating a probability for a plurality of functions associated with the prediction (paras. [0072]; [0075], lines 1-6); and 
detecting a functionality of the computing device as a function with a substantially maximum probability (para. [0075], lines 6-8,).

Regarding claim 8, Mermoud discloses the method of claim 1, further comprising classifying the computing device, wherein the computing device is classified as a corporate device, an employee-owned device, a visitor device, a transient device, or a neighboring device (paras. [0036], nearest neighbor (NN) techniques; [0045], lines 5-15; [0057], lines 1-5; [0062], lines 4-8).

Regarding claim 9, Mermoud discloses the method of claim 8, wherein the classification is performed on a basis of an average visibility over time associated with the computing device, and an average visibility to one or more sensors (paras. [0036], nearest neighbor (NN) techniques; [0045], lines 5-15; [0057], lines 1-5; [0062], lines 4-8; [0066], temporal characteristics).

Regarding claim 10, Mermoud discloses the method of claim 1, wherein the communication data includes data associated with a wireless communication protocol or a wired communication protocol (paras. [0014], Transmission Control Protocol/Internet Protocol (TCP/IP) wired protocol; [0016]-[0018], wireless connection).

Claim 11 incorporates substantively all the limitations of claim 1 in apparatus form rather than method form and is rejected under the same rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3 and 19 is rejected under 35 U.S.C. 103 as being unpatentable over Mermoud in view of Connell et al. (US 20190190920 A1, hereinafter Connell).
Regarding claim 3, Mermoud discloses the method of claim 1, wherein the features include a manufacturer (para. [0045], lines 5-15, manufacturer (e.g., Apple, Samsung, etc.)), a device host name (para. [0040], hostname of server 154), a list of top sites visited (para. [0077], lines 11-21, the service maintains a database of media access control (MAC) addresses of devices in a network and their associated telemetry data captured from the network. In general, the telemetry data stored in the database may be of any form that is expected to remain the same after a MAC address update by a device. Example telemetry data may include, but is not limited to, any or all of the following: the application(s) executed by the device, mobility patterns of the device, the HTTP user agent specified in traffic of the device, or a DHCP vendor class identifier used in traffic of the device…), a number of sites visited (para. [0077], lines 11-21), one or more top user-agents used (para. [0070], device feature database 502 may store device information such as DHCP vendor, HTTP user agent, applications executed by the devices (e.g., as identified from their captured traffic telemetry)…), one or more network features (paras. [0016]-[0018], one or more active hours (paras. [0038]; [0042], [0066], temporal characteristics), , and a realtime behavior profiling (paras. [0038]; [0042], [0066], temporal characteristics).
Mermoud fails to teach one or more operating system signatures and an hourly behavior profiling .
Connell, in the same or similar filed of endeavor, teach one or more operating system signatures (Abstract; para. [0016], lines 1-3, authentication service 18 generally operates by periodically collecting signature data 46 from each registered user device 30…) and an hourly behavior profiling (para. 0018], lines 2-5, changing from hour to hour or even moment to moment. In one embodiment, signature data 46 may be timestamped as it is collected and stored in the local database 33 and/or the signature database 26….).
Therefore, considering Connell and Mermoud’s teachings as a whole, one of ordinary skill in the art, before the effective filing date of Applicant’s claimed invention, would be motivated to store signature data 46 for a given device temporally in the signature database, which can be analyzed for use in later authenticating the device 30 (para. [0018], lines 5-8), in order to provide accurate, reliable, recordation of device data.

Regarding claim 19, Mermoud-Connell the apparatus of claim 18, wherein an operating system signature includes one or more unique sites visited by an operating system associated with the computing device (Connell, paras. [0016]-[0017]).
The motivation to further combine Connell remains same as in claim 3.

Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Mermoud in view of Marchal et al. (AUDI: Toward Autonomous IoT Device-Type Identification Using Periodic Communication, hereinafter Marchal) published by ieee.org.
Regarding claim 12, Mermoud discloses the apparatus of claim 11, discloses wherein the network gateway stores the communication data on the database.
Although Mermoud discloses wherein the network gateway stores the communicate data on the database (Abstract, lines 1-3, a service maintains a database of media access control (MAC) addresses of devices in a network and their associated telemetry data captured from the network…), but fails to teach wherein the network gateway receives the communication data from the computing device.
Marchal, in the same or similar field of endeavor, teaches the network gateway receives the communication data from the computing device (Fig. 1, p. 1403, II. System Model, §A. Model and Requirements, lines 1-6, a system model (Fig. 1) of a typical SOHO network where IoT devices connect to the Internet via an access gateway. The primary goal of AUDI is to enable the gateway to identify the type of devices connected to it. The identification relies on passively monitoring network communications from connected devices…). 
Therefore, considering Marchal and Mermoud’s teachings as a whole, one of ordinary skill in the art, before the effective filing date of Applicant’s claimed invention, would be motivated to implement the AUDI feature as taught by Marchal, for optimizing the autonomy, scalability stability and security (Fig. 1; p. 1403, II. System Model, §A. Model and Requirements) and therefore conserving resources.	

Regarding claim 13, Mermoud-Marchal discloses the apparatus of claim 12, wherein the network gateway includes a wireless sensor array and a network traffic sensor array (Marchal, Fig. 1; p. 1403, II. System Model, §B. AUDI System Design, lines 1-9, AUDI consists of an IoT Cloud Service and several IoT Gateways. IoT Gateway acts as the local access gateway to the Internet. IoT devices connect to it, e.g., over WiFi or ethernet. Apart from acting as a gateway router for connected devices in the local network, IoT Gateway hosts the AUDI Device Fingerprinting component which monitors the communication patterns of connected IoT devices to extract device fingerprints…).
The motivation to further combine Marchal remains same as in claim 12.

Claims 14 and 20 is rejected under 35 U.S.C. 103 as being unpatentable over Mermoud-Marchal and further in view of Aneja et al. (IoT Device Fingerprint using Deep Learning, hereinafter Aneja) published by ieee.org.
Regarding claim 14, Mermoud-Marchal discloses the apparatus of claim 13, but fails to explicitly teach the wireless sensor array includes a WiFi packet sniffer and a Bluetooth packet sniffer.
Aneja, in the same or similar field of endeavor, teaches wireless sensor array includes a WiFi packet sniffer and a Bluetooth packet sniffer (Fig. 2; §b. DFP Model 2, p. 177,  left column, Raspberry Pi as a router connected to the various users with sniffing and ping application capturing the ping packets used for communication by the devices with the router. A ping application [5, 4] on the router can be used to get the IAT for different devices on the network. IAT of ping packets can be compared to check the accuracy of schemes based on the different types of packets used among the devices…).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Aneja into the combined teachings of Mermoud-Marchal, because it discloses that, Network administrators also use sniffing tool as an anti-intrusion tool to control the access of the network by only trusted devices (p. 174) enhancing security.
	Furthermore, Mermoud and Marchal already discloses WiFi and Bluetooth packet data (Mermoud, paras. [0016]-[0018]; [0070], Power over Ethernet (PoE) classifiers used for fingerprinting devices, based on their power consumptions)) (Marchal, pp. 1407-1408, Our data collection setup in the laboratory network is shown in Fig. 4. We used hostapd on a laptop running Kali Linux to create an IoT Gateway acting as an access point with WiFi and Ethernet interfaces to which all IoT devices were connected. On the IoT Gateway we used tcpdump to collect network traffic packets, filtering out packets not related to a given device based on the device’s MAC address. Most of the devices used either WiFi or Ethernet. Some devices like smart light bulbs or sensors, used low-energy protocols like ZigBee, Z-Wave or Bluetooth Low Energy (BLE) to connect to a hub device which was then connected over WiFi or ethernet to the network …).

Regarding claim 20, Mermoud-Marchal-Aneja the apparatus of claim 18, wherein an active hour includes active hours (Mermoud, paras. [0038]; [0042], [0066], temporal characteristics) associated with the computing device 402 based on packet traffic data, and observed hours (Mermoud, paras. [0038]; [0042], [0066], temporal characteristics) associated with WiFi sniff data (Aneja, Fig. 2; §b. DFP Model 2, p. 177, left column).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
See PTO-892 Notice of References Cited.


	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THORNE E WAUGH whose telephone number is (571)270-0434. The examiner can normally be reached Monday-Friday 9AM-5:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARIO ETIENNE can be reached on (571)272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/THORNE E WAUGH/Examiner, Art Unit 2457                                                                                               

/NICHOLAS R TAYLOR/Supervisory Patent Examiner, Art Unit 2443