Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is responsive to application filed on 7/31/2020. Claim 1 is independent. Claims 1-20 are currently pending.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of copending Application No. 16/944822 (reference application), claims 1-18 of copending Application No. 16/945180 and claims 1-5 of copending Application No. 16/945115. Although the claims at issue are not identical, they are not patentably distinct from each other because same features of subject matter appears in both application and organized in different claims.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-8, 14 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Gudov et al. (US 20180316714 A1), hereinafter Gudov, in view of Chen et al. (US 20190098029 A1), hereinafter Chen.

Regarding claim 1, Gudov teaches a method of operating (FIG. 1 and 3, para. 0013) an Internet of Things device (para. 0025, Internet of Things device) comprising: providing electrical power to electrical circuitry in the Internet of Things device;
communicatively coupling the Internet of Things device (FIG. 1 and para. 0025, Internet of Things Device) to a computer network using circuitry of a transceiver and a communications module (FIG. 1 and para. 0025, an electronic device (including a computing device) which is connected to a data transmission network (such as the Internet) and is able to send data by means of that network. Examples of a network node might be: ... loT (Internet of Things) devices. Thus an electronic device includes a transceiver and a communication module in order to communicate with the Internet);
operating a detection circuit to monitor a level of activity of the communications module (FIG. 3 and para. 0029, detect that the computing device 140 is under a DDoS attack using a variety of known techniques of detecting denial of service attacks including based on analysis of the data being received by the computing device 140 via the data transmission network 105. Para. 0026, A parameter of the data being sent is used herein to describe information characteristic of the data being sent by the network node, ..., the number of connections established between the network node and the computing device, the number of POST requests being transmitted per second, the number of TCP connections established, and also derivatives of the aforementioned parameters);
determining if the level of activity of the communications module (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted per second; para. 0036, the number of TCP connections being established per second; para 0038, the number of bytes being transmitted per second, and para. 0039, the number of packets being transmitted per second) exceeds a threshold value (FIG. 3 and para. 0063 and 0071, the danger rating of the network node exceeds the established threshold value); and
curtailing a volume of communications between the Internet of Things device and the computer network if the level of activity of the communications module exceeds the threshold value (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value. Para. 0068, Upon exceeding the threshold value, the blocking module 130 carries out a limiting of the data transmittal between the network node 101 and the computing device 140).
Gudov may not explicitly disclose operating a detection circuit to indirectly monitor a level of activity. However, in an analogous art, Chen teaches operating a detection circuit to indirectly monitor a level of activity (para, 0035, DDoS attack detector 218 aggregates data in current local flow information 246 with data in valid current local flow information messages 254 for each defined time period 226 to form aggregated flow information 240. Aggregated flow information 240 provides a real-time current snapshot of the amount of network data packets flowing to different data processing systems via the network for defined lime period 226).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov and Chen because it would help obtaining a complete real-time picture of network data flows corresponding to a DDoS attack on an ongoing basis (Chen, para. 0003).

Regarding claim 2, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the computer network is a wide-area network (WAN) (para. 0096, network connections can form a local-area computer network (LAN) 50 and a wide-area computer network (WAN)).

Regarding claim 3, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the Internet of Things device is coupled to the computer network (para. 0025, Internet of Things devices connect to a data transmission network) using a wired connection and the transceiver comprises an interface to a wired network connection (para. 0096, when networks are used, the computer system 20 may employ a modem 54 or other modules well known to those of ordinary skill in the art that enable communications with a wide-area computer network such as the Internet. The modem 54, which may be an internal or external device, may be connected to the system bus 23 by a serial port 46).

Regarding claim 4, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the Internet of Things device is coupled to the computer network (para. 0025, Internet of Things devices connect to a data transmission network) and the transceiver comprises a transceiver to communicatively couple the Internet of Things device to a network connection (para. 0025, Internet of Things devices connect to a data transmission network).
In addition, Chen teaches using a wireless connection and the transceiver comprises a wireless transceiver (para. 0019 and 0022, clients communicates using wireless communication links to network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov and Chen because it would help obtaining a complete real-time picture of network data flows corresponding to a DDoS attack on an ongoing basis (Chen, para. 0003).

Regarding claim 5, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein monitoring the level of activity of the communications module comprises the volume of communications between the transceiver and the computer network are curtailed if the level exceeds a threshold (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value. In another exemplary aspect, the limiting of data transmission is understood to mean a limiting of the channel capacity between the network node 101 and the computing device 140).
In addition, Chen teaches monitoring a level of electrical power supplied to the electrical circuitry; and the level of electrical power supplied to the electrical circuitry (para. 0035, DDoS attack detector 218 aggregates data in current local flow information 246 with data in valid current local flow information messages 254 for each defined time period 226 to form aggregated flow information 240. Aggregated flow information 240 provides a real-time current snapshot of the amount of network data packets flowing to different data processing systems via the network for defined time period 226. The current flow information can be obvious to one of ordinary skill in the art to understand as power information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov and Chen because it would help obtaining a complete real-time picture of network data flows corresponding to a DDoS attack on an ongoing basis (Chen, para. 0003).

Regarding claim 6, the combination of Gudov and Chen teaches all of the limitations of claim 5, as described above. Gudov further teaches wherein the volume of communications between the Internet of Things device and the computer network are curtailed if the exceeds the threshold power value (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value.
In another exemplary aspect, the limiting of data transmission is understood to mean a limiting of the channel capacity between the network node 101 and the computing device 140) for a predetermined period of time (FIG. 38 and para. 0071, at the moment of the expiration of the lifetime of at least one change in the danger rating of the network node the blocking module 130 in step 308 again checks whether the rating exceeds the established threshold value).
In addition, Chen teaches the level of electrical power exceeds the threshold power value (para. 0035, Aggregated flow information 240 provides a real-time current snapshot of the amount of network data packets flowing to different data processing systems via the network for defined time period 226. Based on the analysis of aggregated flow information 240, if DDoS attack detector 218 determines that the amount of network data packet flow to data processing system 200 or another data processing system from a plurality of different data processing systems exceeds defined flow threshold value 242 for defined time period 226, then DDoS attack detector 218 detects that that particular data processing system is under a DDoS attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov and Chen because it would help obtaining a complete real-time picture of network data flows corresponding to a DDoS attack on an ongoing basis (Chen, para. 0003).

Regarding claim 7, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches monitoring the level of activity of the communications module comprises monitoring a transmission time of the communications module (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted; para 0038, the number of bytes being transmitted, and para. 0039, the number of packets being transmitted) and the volume of communications between the Internet of Things device and the computer network are curtailed if the transmission time of the communications module exceeds the threshold value (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value. In another exemplary aspect, the limiting of data transmission is understood to mean a limiting of the channel capacity between the network node 101 and the computing device 140).

Regarding claim 8, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches monitoring the level of activity of the communications module during a period of time when the Internet of Things device is active to thereby establish an active communications module threshold value when the Internet of Things device is active (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted per second; para. 0036, the number of TCP connections being established per second; para 0038, the number of bytes being transmitted per second, and para. 0039, the number of packets being transmitted per second); and wherein curtailing the volume of communications between the Internet of Things device and the computer network is defined further as curtailing the volume of communications between the Internet of Things device and the computer network if the level of activity of the communications module exceeds the active communications module threshold value when the Internet of Things device is active (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value (Para. 0068, Upon exceeding the threshold value, the blocking module 130 carries out a limiting of the data transmittal between the network node 101 and the computing device 140).

Regarding claim 14, the combination of Gudov and Chen teaches all of the limitations of claim 6, as described above. Gudov further teaches wherein monitoring the level of activity of the communications module during a period of time when the Internet of Things device is active comprises: monitoring the level of activity of the communications module (FIG. 3 and para. 0029, detect that the computing device 140 is under a DDoS attack using a variety of known techniques of detecting denial of service attacks including based on analysis of the data being received by the computing device 140 via the data transmission network 105. Para. 0026, A parameter of the data being sent is used herein to describe information characteristic of the data being sent by the network node, the number of connections established between the network node and the computing device, the number of POST requests being transmitted per second, the number of TCP connections established, and also derivatives of the aforementioned parameters) to thereby establish an active communications module threshold value when the Internet of Things device is active (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted per second; para. 0036, the number of TCP connections being established per second; para 0038, the number of bytes being transmitted per second, and para. 0039, the number of packets being transmitted per second).
In addition, Chen teaches during a plurality of periods of time when the Internet of Things device is active (para, 0035, DDoS attack detector 218 aggregates data in current local flow information 246 with data in valid current local flow information messages 254 for each defined time period 226 to form aggregated flow information 240. Aggregated flow information 240 provides a real-time current snapshot of the amount of network data packets flowing to different data processing systems via the network for defined time period 226).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov and Chen because it would help obtaining a complete real-time picture of network data flows corresponding to a DDoS attack on an ongoing basis (Chen, para. 0003).

Regarding claim 17, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the threshold value of the level of activity of the communications module has an initial value, the method further comprising programming the initial value into a memory of the Internet of Things device during manufacture of the Internet of Things device (para. 0051, the rating determination module 125 can assign a "default value" to the network node 101 for the danger rating of the network node).

Regarding claim 18, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the threshold value of the level of activity of the communications module has an initial value (para. 0051, the rating determination module 125 can assign a "default value" to the network node 101 for the danger rating of the network node), the method further comprising the Internet of Things device having a set-up mode in which the initial value is programmed into a memory of the Internet of Things device during the set­ up mode (para. 0027, danger rating of a network node can be changed by applying at least one filter to the parameters of the data being sent. A filter is a software component which can be realized in the form of a rule which, along with a number of criteria, corresponds to a set of actions, such as changing the danger rating of the network node, which are carried out if the parameters of the data being sent meet the criteria of the filter).

Regarding claim 19, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the threshold value of the level of activity of the communications module has an initial value (para. 0051, the rating determination module 125 can assign a "default value" to the network node 101 for the danger rating of the network node); the method further comprising the Internet of Things device receiving threshold data provided by another Internet of Things device communicatively connected to the computer network and programming the initial value into a memory of the Internet of Things device using the threshold data provided by another Internet of Things device (FIG. 1 and para. 0028, a database 135 of network nodes communicatively connected to the rating determination module 125; para. 0050, determine the danger rating of a network node by assignment of the danger rating of the network node by means of a database 135 of network nodes, and also changing the danger rating of the network node on the basis of the parameters of the data being sent).

Claims 9-13, 15, 16 and 20 rejected under 35 U.S.C. 103 as being unpatentable over Gudov in view of Chen, as applied in the claims above, further in view of Nucci (US 7584507 B1).

Regarding claim 9, the combination of Gudov and Chen teaches all of the limitations of claim 8, as described above. Gudov further teaches wherein monitoring the level of activity of the communications module (FIG. 3 and para. 0029, detect that the computing device 140 is under a DDoS attack using a variety of known techniques of detecting denial of service attacks including based on analysis of the data being received by the computing device 140 via the data transmission network 105. Para. 0026, A parameter of the. data being sent is used herein to describe information characteristic of the data being sent by the network node, the number of connections established between the network node and the computing device, the number of POST requests being transmitted per second, the number of TCP connections established, and also derivatives of the aforementioned parameters), and establishing a first active parameter threshold value when the communication module is at a first activity level (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted per second; para. 0036, the number of TCP connections being established per second; para 0038, the number of bytes being transmitted per second, and para. 0039, the number of packets being transmitted per second) exceeds a threshold value (FIG. 3 and para. 0063 and 0071, the danger rating of the network node exceeds the established threshold value) and wherein curtailing the volume of communications of the communication module on the computer network includes curtailing the volume of communications between the Internet of Things device and the computer network if the level of activity of the communications module exceeds the first active parameter threshold value when the communications module is at the first activity level or curtailing the volume of communications between the Internet of Things device and the computer network if the level of activity of the communications module exceeds the second active parameter threshold value when the communications module is at the second activity level (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value. Para. 0068, Upon exceeding the threshold value, the blocking module 130 carries out a limiting of the data transmittal between the network node 101 and the computing device 140).
The combination Gudov and Chen may not explicitly disclose monitoring multiple levels of activity of the communication module, and establishing a second parameter threshold value when the communication module is at a second activity level. However, in an analogous art, Nucci teaches monitoring multiple levels of activity of the communication module, and establishing a second parameter threshold value when the communication module is at a second activity level (col 3 In 13-45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 10, the combination of Gudov, Chen and Nucci teaches all of the limitations of claim 9, as described above. Nucci further teaches wherein the first activity level has a first operational parameter and the second activity level has a second operational parameter greater than the first operational parameter (col 3 In 13-45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks. Thus low volume attacks has lower parameter than high volume attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 11, the combination of Gudov, Chen and Nucci teaches all of the limitations of claim 10, as described above. Nucci further teaches wherein the first activity level is a trickle activity level (col 3 In 13- 45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks. Thus low volume attacks may be trickle activity level).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 12, the combination of Gudov, Chen and Nucci teaches all of the limitations of claim 10, as described above. Nucci further teaches wherein the first activity level is a normal activity level (col 3 In 13- 45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks. Thus high volume attacks may be normal activity level).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 13, the combination of Gudov, Chen and Nucci teaches all of the limitations of claim 10, as described above. Nucci further teaches wherein the second activity level is a hyper activity level (col 3 In 13-45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks. Thus high volume attacks .may be hyper activity level).
Therefore. it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 15, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches monitoring the level of activity of the communications module during a period of time when the Internet of Things device (FIG. 3 and para. 0029, detect that the computing device 140 is under a DDoS attack using a variety of known techniques of detecting denial of service attacks including based on analysis of the data being received by the computing device 140 via the data transmission network 105. Para. 0026, A parameter of the data being sent is used herein to describe information characteristic of the data being sent by the network node, the number of connections established between the network node and the computing device, the number of POST requests being transmitted per second, the number of TCP connections established, and also derivatives of the aforementioned parameters) to thereby establish an communications circuit threshold value when the Internet of Things device (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted per second; para. 0036, the number of TCP connections being established per second; para 0038, the number of bytes being transmitted per second, and para. 0039, the number of packets being transmitted per second); and curtailing the volume of communications between the Internet of Things device and the computer network if the level of activity of the communications module exceeds an established inactive parameter threshold value (FIG. 3 and para. 0063, blocking module 130 may be configured to limit the transmittal of data from the network node 101 to the computing device 140 based on the respective danger rating of the network node 101. In some exemplary aspects, the blocking module 130 may limit the transmittal of data responsive to determining that the value of the danger rating of the network node exceeds an established threshold value. Para. 0068, Upon exceeding the threshold value, the blocking module 130 carries out a limiting of the data transmittal between the network node 101 and the computing device 140).
In addition, Chen teaches during a plurality of periods of time when the Internet of Things device is active (para, 0035, DDoS attack detector 218 aggregates data in current local flow Information 246 with data in valid current local flow information messages 254 for each defined time period 226 to form aggregated flow information 240. Aggregated flow information 240 provides a real-time current snapshot of the amount of network data packets flowing to different data processing systems via the network for defined time period 226).
The combination of Gudov and Chen does not explicitly disclose Internet of Things device is inactive to thereby establish an inactive communications circuit threshold value when the Internet of Things device is inactive. However, in an analogous art, Nucci teaches Internet of Things device is inactive to thereby establish an inactive communications circuit threshold value when the Internet of Things device is inactive (col 3 In 13- 45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 16, the combination of Gudov, Chen and Nucci teaches all of the limitations of claim 15, as described above. Gudov further teaches monitoring the level of activity of the communications module during a period of time (FIG. 3 and para. 0029, detect that the computing device 140 is under a DDoS attack using a variety of known techniques of detecting denial of service attacks including based on analysis of the data being received by the computing device 140 via the data transmission network 105. Para. 0026, A parameter of the data being sent is used herein to describe information characteristic of the data being sent by the network node, the number of connections established between the network node and the computing device, the number of POST requests being transmitted per second, the number of TCP connections established, and also derivatives of the aforementioned parameters) to thereby establish the inactive communications circuit threshold value (para. 0033, the intercept module 120 determines the parameters of the data being sent, such as para. 0035, the number of SYN packets being transmitted per second; para. 0036, the number of TCP connections being established per second; para 0038, the number of bytes being transmitted per second, and para. 0039, the number of packets being transmitted per second).
In addition, Chen teaches during a plurality of periods of time when the Internet of Things device is active (para, 0035, DDoS attack detector 218 aggregates data in current local flow information 246 with data in valid current local flow information messages 254 for each defined time period 226 to form aggregated flow information 240. Aggregated flow information 240 provides a real-time current snapshot of the amount of network data packets flowing to different data processing systems via the network for defined time period 226).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov and Chen because it would help obtaining a complete real-time picture of network data flows corresponding to a DDoS attack on an ongoing basis (Chen, para. 0003).
Further in addition, Nucci teaches when the Internet of Things device is inactive (col 3 In 13-45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high­ volume attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Regarding claim 20, the combination of Gudov and Chen teaches all of the limitations of claim 1, as described above. Gudov further teaches wherein the threshold value of the level of activity of the communications module has an initial value and operation of the Internet of Things device begins operation using the initial value (para. 0051, the rating determination module 125 can assign a "default value" to the network node 101 for the danger rating of the network node).
The combination of Gudov and Chen does not explicitly disclose operating the Internet of Things device in a machine learning mode wherein the Internet of Things device learns normal operational values of the level of activity of the communications module; and replacing the initial value so that subsequent operation of the Internet of Things device uses the normal operational values of the level of activity of the communications module. However, in an analogous art, Nucci teaches operating the device in a machine learning mode wherein the device learns normal operational values of the level of activity of the communications module (col 3 In 13-45 and col 8 In 4-15, anomaly detection algorithms need to be adaptive, the algorithms should detect both low and high-volume attacks. Thus high volume attacks may be normal activity level); and replacing the initial value so that subsequent operation of the Internet of Things device uses the normal operational values of the level of activity of the communications module (col 20 In 51-65, a powerful machine learning algorithm that can analyze the spatial correlation of DDoS traffic feature. The network states "under attack" or "no attack" generate statistically different traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Gudov, Chen and Nucci because anomaly detection algorithms need to be adaptive (Nucci, col 3 In 13-45).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/ 	Examiner, Art Unit 2437 



/MATTHEW SMITHERS/           Primary Examiner, Art Unit 2437