Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4, 6, 8, 11-14, 16, and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by RYABENKIY (US-20210006583-A1).
Regarding claim 1, RYABENKIY teaches “A method of detecting and blocking malicious attacks on a computer network, the method comprising: receiving, by a memory constrained gateway in communication with the computer network, a communication request from at least one device; ([RYABENKIY, Abstract] “Systems and methods of vulnerability detection for at least one internet of things (IoT) device in a computer network, including monitoring communication in the computer network to detect at least one IoT device, determining type and behavior of the detected at least one IoT device”) ([RYABENKIY, Para. 0030] “The vulnerability detection system 200 may include a computer network 210 with at least one IoT device 201 coupled to a communication module 202 (e.g., a gateway server communicating via wireless communication, such as Wi-Fi or Bluetooth). The communication module 202 may be also in communication with an external network (e.g., the internet) thereby allowing the at least one IoT device 201 to send data to and/or receive data from external sources. For example, a computer network 210 may be an internal network of a smart home that includes twenty IoT devices 201.”) identifying, by the gateway, a type of the at least one device based on the received communication request; ([RYABENKIY, Para. 0031] “In some embodiments, vulnerability detection system 200 may include at least one monitoring device 203, in communication with the computer network 210 (e.g., via the communication module 202) and configured to analyze data from the at least one IoT device 201.”) ([RYABENKIY, Para. 0048] “In some embodiments, the at least one monitoring device 203 may monitor 401 communication in the computer network 210 to detect at least one IoT device 201, and determine 402 type and/or behavior 211 of the detected at least one IoT device 201.”) verifying, by the gateway, that the device is of an allowed type from a predetermined list of allowed device types; ([RYABENKIY, Para. 0034] “In some embodiments, data transferred between the server 205 and the at least one monitoring device 203 may include at least one predetermined rule 204 on allowed values of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports (e.g., source port and/or destination port), allowed IP range, number of packets in communication, size of packets in communication, and allowed status. For example, at least one predetermined rule 204 may check if the type of IoT device is ‘X’, then allow communication through port ‘Y’, or if communication is not in an allowed protocol, block communication, or if the MAC address is not an allowed MAC address, block communication, and the like.”) checking, by the gateway, at least one signature of the received communication request of the allowed device to detect malicious signatures; ([RYABENKIY, Para. 0034] “In some embodiments, data transferred between the server 205 and the at least one monitoring device 203 may include at least one predetermined rule 204 on allowed values of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports (e.g., source port and/or destination port), allowed IP range, number of packets in communication, size of packets in communication, and allowed status. For example, at least one predetermined rule 204 may check if the type of IoT device is ‘X’, then allow communication through port ‘Y’, or if communication is not in an allowed protocol, block communication, or if the MAC address is not an allowed MAC address, block communication, and the like.”) and blocking, by the gateway, communication requests from devices with at least one malicious signature, ([RYABENKIY, Para. 0049] “In case that the determined behavior of the at least one IoT device 201 violates at least one predetermined rule 204 for the corresponding device profile 208, the at least one monitoring device 203 and/or server 205 may block 404 communication between the at least one IoT device 201 and the computer network 210. In some embodiments, communication between the at least one IoT device 201 and at least one monitoring device 203 and/or server 205 may be blocked.”) ([RYABENKIY, Para. 0050] “In some embodiments, the predetermined rule 204 may include at least one of: allowed protocols, allowed media access control (MAC) addresses, allowed ports, allowed IP range, number of packets in communication, size of packets in communication, and allowed status.”) wherein the at least one signature is determined as malicious when the at least one signature appears in a malicious signature database coupled to the gateway, ([RYABENKIY, Para. 0049] “In some embodiments, the at least one monitoring device 203 and/or server 205 may check 403 in at least one vulnerability database 206 in communication with the computer network 210, for a device profile 208 corresponding to the type of the detected at least one IoT device 201. In case that the determined behavior of the at least one IoT device 201 violates at least one predetermined rule 204 for the corresponding device profile 208, the at least one monitoring device 203 and/or server 205 may block 404 communication between the at least one IoT device 201 and the computer network 210. In some embodiments, communication between the at least one IoT device 201 and at least one monitoring device 203 and/or server 205 may be blocked.”) and wherein the predetermined list comprises device types that are allowed to communicate with the computer network. ([RYABENKIY, Para. 0034] “In some embodiments, data transferred between the server 205 and the at least one monitoring device 203 may include at least one predetermined rule 204 on allowed values of: type of IoT device”).

Regarding claim 11, this claim is a system claim corresponding to method claim 1. Therefore, claim 11 is rejected in a similar manner as in the rejection of 1.  RYABENKIY further teaches ([RYABENKIY, Para. 0008] “There is thus provided, in accordance with some embodiments of the invention, a vulnerability detection system”).


Regarding claim 2 and 12,  RYABENKIY teaches all limitations of claim 1 and 11. RYABENKIY further teaches “further comprising checking if data of the received communication request corresponds to at least one allowed device.” ([RYABENKIY, Para. 0034] “may include at least one predetermined rule 204 on allowed values of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports (e.g., source port and/or destination port), allowed IP range, number of packets in communication, size of packets in communication, and allowed status. For example, at least one predetermined rule 204 may check if the type of IoT device is ‘X’, then allow communication through port ‘Y’, or if communication is not in an allowed protocol, block communication, or if the MAC address is not an allowed MAC address, block communication, and the like.”)


Regarding claim 3 and 13, RYABENKIY teaches all limitations of claim 2 and 12. RYABENKIY further teaches “wherein the data of the received communication request is checked for at least one of port number of the at least one device and origin of communication.” ([RYABENKIY, Para. 0034] “predetermined rule 204 on allowed values of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports (e.g., source port and/or destination port),”) ([RYABENKIY, Para. 0038] “The monitoring device 203 may monitor the at least one IoT device 201 to collect data on at least one of: communication time and/or date (e.g., last login), IP/Mac address, version number, traffic throughput frequency, protocols, ports, etc.”) ([RYABENKIY, Para. 0032] “for instance upon determination that IP address of at least one IoT device 201 exceeds a predetermined range or that an IoT device 201 tries to communicate via a restricted port.”).


Regarding claim 4 and 14, RYABENKIY teaches all limitations of claim 1 and 11. RYABENKIY further teaches “further comprising blocking, by the gateway, communication to devices unidentified with an allowed type.” ([RYABENKIY, Para. 0032] “In some embodiments, the at least one monitoring device 203 may be configured to block communication with at least one IoT device 201 upon determination that the at least one IoT device 201 violates at least one predetermined rule 204,”). ([RYABENKIY, Para. 0034] “In some embodiments, data transferred between the server 205 and the at least one monitoring device 203 may include at least one predetermined rule 204 on allowed values of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports (e.g., source port and/or destination port), allowed IP range, number of packets in communication, size of packets in communication, and allowed status. For example, at least one predetermined rule 204 may check if the type of IoT device is ‘X’, then allow communication through port ‘Y’, or if communication is not in an allowed protocol, block communication, or if the MAC address is not an allowed MAC address, block communication, and the like.”).

Regarding claim 6 and 16, RYABENKIY teaches all limitations of claim 5 and 15. RYABENKIY further teaches “further comprising retrieving the at least one communication rule from a server in communication with the computer network.” ([RYABENKIY, Para. 0008] “a server, in communication with the computer network and configured to facilitate communication between the at least one monitoring device and the at least one vulnerability database. In some embodiments, data transferred between the server and the at least one monitoring device includes at least one predetermined rule with a global device profile with basic allowed values for at least one of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports, allowed IP range, number of packets in communication, size of packets in communication, and allowed status.”).



Regarding claim 8 and 18, RYABENKIY teaches all limitations of claim 1 and 11. RYABENKIY further teaches “wherein the communication request is received at a gateway server of the computer network.” ([RYABENKIY, Para. 0030] “The vulnerability detection system 200 may include a computer network 210 with at least one IoT device 201 coupled to a communication module 202 (e.g., a gateway server communicating via wireless communication, such as Wi-Fi or Bluetooth). The communication module 202 may be also in communication with an external network (e.g., the internet) thereby allowing the at least one IoT device 201 to send data to and/or receive data from external sources. For example, a computer network 210 may be an internal network of a smart home that includes twenty IoT devices 201.”)



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over RYABENKIY (US-20210006583-A1) in view of CALDWELL (US10491611B2).
Regarding claim 5 and 15, RYABENKIY teaches all limitations of claim 1 and 11. RYABENKIY further teaches “further comprising receiving, by the gateway, at least one communication rule corresponding to the identified type, wherein the received at least one communication rule comprises at least one condition for inspection, the at least one condition for inspection comprising information from a group consisting of: known vulnerabilities for the identified type, protocol of the at least one device, port number of the at least one device, origin of communication, number of bytes to inspect for each session, predefined signature …..” ([RYABENKIY, Para. 0030] “The vulnerability detection system 200 may include a computer network 210 with at least one IoT device 201 coupled to a communication module 202 (e.g., a gateway server communicating via wireless communication, such as Wi-Fi or Bluetooth).”) ([RYABENKIY, Para. 0031] “In some embodiments, vulnerability detection system 200 may include at least one monitoring device 203, in communication with the computer network 210 (e.g., via the communication module 202) and configured to analyze data from the at least one IoT device 201.”) ([RYABENKIY, Para. 0034] “data transferred between the server 205 and the at least one monitoring device 203 may include at least one predetermined rule 204 on allowed values of: type of IoT device, allowed protocols, allowed media access control (MAC) addresses, allowed ports (e.g., source port and/or destination port), allowed IP range, number of packets in communication, size of packets in communication, and allowed status. For example, at least one predetermined rule 204 may check if the type of IoT device is ‘X’, then allow communication through port ‘Y’, or if communication is not in an allowed protocol, block communication, or if the MAC address is not an allowed MAC address, block communication, and the like.”). ([RYABENKIY, Para. 0046] “According to some embodiments, once a vulnerability is detected in an IoT device 201, for instance with updated profile on vulnerability database 206 and/or registered on a decentralized blockchain network associated with the vulnerability detection system 200, additional communication sessions with that IoT device 201 may be blocked (e.g., by server 205. In some embodiments, all IoT devices having profile similar to the detected vulnerability of IoT device may be also blocked.”) ([RYABENKIY, Para. 0049] “In some embodiments, the at least one monitoring device 203 and/or server 205 may check 403 in at least one vulnerability database 206 in communication with the computer network 210, for a device profile 208 corresponding to the type of the detected at least one IoT device 201.”)
However, RYABENKIY does not teach “priority of the at least one communication rule”
In analogous teaching, CALDWELL teaches “priority of the at least one communication rule” ([CALDWELL, Col. 10 lines 22-36] “FIG. 3 is a flow chart of a method 300 of intrusion radiation protection, according to one implementation. User-defined policies can be configured into a classification hierarchy …… The method 300 can include three levels of a classification hierarchy: whitelist and black list processing 305, global and default security policies 310, and appliance processing 315. Within each level of the hierarchy lie individual policies appropriate for that level of classification.”) ([CALDWELL, Col. 10 lines 37-44, Col. 10 lines 55-59, Col. 11 lines 8-11 ] “The whitelist and blacklist processing 305 are the first level of the hierarchical classification. The whitelist and blacklist processing 305 can apply zone-specific classification and control of packet traffic. The device can receive an IP packet (Step 320). The device can identify whether a security policy generally allows traffic from the zone where the IP packet originated; i.e., the zone appears in a whitelist (Step 330) ……. The blacklist may similarly comprise a list, table, array, flat file, database, or any other type and form of data structure for storing one or more IP addresses or ranges of addresses, and may be stored in a memory of the device …… The device can log, block, and/or drop any IP packet from a zone appearing in the blacklist (Step 345). The device can forward any IP packets from zone not appearing in either the whitelist or the blacklist on to the next level of classification.”) ([CALDWELL, Col. 11 lines 12-21, Col. 11 lines 29-35] “The global and default security policies 310 are the second level of the hierarchical classification. The global and default security policies 310 can process IP packets from zones not generally allowed or blocked based on the whitelists and blacklists. The global default security policies 310 can process IP packets in the following sequence according to a classification hierarchy: global rules (Step 350), user-defined Access Control Lists (ACLs) (Step 355), security zone policy (Step 360), and default Firewall (FW) policy (Step 365) …… In some implementations, packets may not match allow or drop rules within the security policies classification hierarchy 310, and/or may match a rule requiring further inspection or processing of the packet, such as deep packet inspection, decryption, or other features performed by one or more appliances.”).
Thus, given the teaching of CALDWELL, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of a communication rule having priority over other communication rules as taught by CALDWELL into the teaching of a method of detecting and blocking malicious attacks on a network taught by RYABENKIY. One of ordinary skill in the art would have been motivated to do so because CALDWELL recognizes the need to detect and stop attacks from outside and within a computer network. ([CALDWELL, Col 2 lines 54-56]  “In any network deployment, security risk is not limited to attacks from external networks; rather it is necessary to consider risks from within the network as well.”) ([CALDWELL, Col. 2 lines 60-63 ] “If any element or host within the internal network is compromised, it could threaten the entire network. An attacker can take control of the network, disrupt it to varying degrees”) ([CALDWELL, Col. 3 lines 23-26] “The system can detect, prevent, and record security incidents based on provisioned logic and heuristics. IRP can include the Deep Packet Inspection (DPI) in its implementation.”).


Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over RYABENKIY (US-20210006583-A1) in view of BHALERAO (US-20150150073-A1).
Regarding claims 7 and 17, RYABENKIY teaches all limitations of claim 5 and 15. However, RYABENKIY does not teach “further comprising deleting the at least one communication rule once the communication with the at least one device stops.”.
In analogous teaching, BHALERAO teaches “further comprising deleting the at least one communication rule once the communication with the at least one device stops.” ([BHALERAO, para. 0053] “After communication ends between the requesting client device and the destination client device using the security policy, the policy server 100 and/or the client devices may delete the security policy. The security policy may be deleted in response to tearing down the communication channel. In one example, the security policy is deleted after a predetermined time passes after the communication channel has been torn down.”).
Thus, given the teaching of BHALERAO, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of deleting communication rule once communication with a device ends as taught by BHALERAO into the teaching of a method of detecting and blocking malicious attacks on a network taught by RYABENKIY. One of ordinary skill in the art would have been motivated to do so because BHALERAO recognizes the need for secure security between network devices ([BHALERAO, Abstract] “smart virtual private network includes a secure communication session using a security level or security algorithm that is variable and defined as a function of the two client devices.”) ([BHALERAO, para. 0059] “generate a security policy based on at least the security configuration stored in the client database. The security policy may be the most secure common security algorithm included in both the entry for the originating client device and the entry for the remote client device.”).

Claim 9, 10, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over RYABENKIY (US-20210006583-A1) in view of COOLEY (US-20140075554-A1).
Regarding claim 9 and 19, RYABENKIY teaches all limitations of claim 1 and 11. However, RYABENKIY does not teach “further comprising initiating hardware acceleration.” 
In analogous teaching, COOLEY teaches “further comprising initiating hardware acceleration.” ([COOLEY, para. 0043] “At step 310 one or more of the systems described herein may divert the traffic flow to a hardware accelerator in response to determining that the traffic flow is trustworthy. For example, at step 310 diversion module 112 may, as part of computing device 202 in FIG. 2, divert traffic flow 210 to hardware accelerator 230 (e.g., a device within and/or connected to computing device 202) in response to determining that traffic flow is trustworthy 210.”) ([COOLEY, para. 0044] “As used herein, the phrase “hardware accelerator” may refer to any module, device, and/or subsystem capable of handling a traffic flow and/or stream. In some examples, the hardware accelerator may be installed on a path between a network switch and a processor (e.g., the computing resource). In some examples, the hardware accelerator may perform one or more functions for the traffic flow instead of the computing resource.”)
Thus, given the teaching of COOLEY, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of hardware acceleration as taught by COOLEY into the teaching of a method of detecting and blocking malicious attacks on a network taught by RYABENKIY. One of ordinary skill in the art would have been motivated to do so because COOLEY recognizes the benefits of packet inspection and hardware accelerators to mitigate malicious packets ([COOLEY, para. 0001] “In order to protect computing systems from undesired and/or illegitimate network traffic, some traditional systems may perform deep packet inspections, analyzing the content and/or characteristics of network packets in transit.”) ([COOLEY, para. 0049] “retrieve data from the hardware accelerator useful for describing a directionality of the traffic flow”).

Regarding claim 10 and 20, RYABENKIY teaches all limitations of claim 1 and 11. However, RYABENKIY does not teach “further comprising performing automatic deep packet inspection of the received communication request.”.
In analogous teaching, COOLEY teaches “further comprising performing automatic deep packet inspection of the received communication request.” ([COOLEY, para. 0020] “sampling one or more packets of a traffic flow to analyze (e.g., using software-based deep packet inspection) to determine that the traffic flow is trustworthy and diverting the traffic flow to a hardware accelerator in response to determining that the traffic flow is trustworthy, the systems and methods described herein may effectively analyze network traffic without consuming the computing resources necessary to inspect each packet of network traffic.”) ([COOLEY, Abstract] “A computer-implemented method for performing selective deep packet inspection may include 1) identify a traffic flow that includes a stream of data packets, 2) sample at least one packet from the stream of data packets, 3) analyze the sampled packet using a computing resource to determine whether the traffic flow is trustworthy, 4) determine that the traffic flow is trustworthy based on analyzing the sampled packet”).
The same motivation to modify RYABENKIY with COOLEY as in the rejection of claims 9 and 19, applies. 

The prior art made of record and not relied upon is considered pertinent to applicant’s
disclosure.
ENDERBY (US-7853689-B2) discloses a system and method for the multi-stage analysis of incoming packets. Three stages are used, each of which addresses a particular category of threat by examining the headers and/or payload of each packet (“deep packet inspection”). If any of the first three stages detects a possible attack, then the packet or packets that have been flagged are routed to a central verification facility. In an embodiment of the invention, the verification facility is a server, coupled with a database. Here, suspect packets are compared to entries in the database to more comprehensively determine whether or not the packets represent an attempt to subvert the information processing system.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434                                                                                                                                                                                         
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434