DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on June 08, 2022 has been entered. Claims 1 and 11 are amended and new claims 21-29 have been added. Claims 1-29 are pending. 

Response to Arguments
Applicant’s arguments filed June 8, 2002 have been considered but are moot in view of a new ground of rejection. 
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-29 are rejected under 35 U.S.C. 103 as being unpatentable over 2016/0267408 A1 [hereinafter Singh] in view of Spurlock US 2013/0247190 A1 and further in view of Aghdaie et al. US 10,459,827 B1 [hereinafter Aghdaie].
As per claims 1 and 11, Singh discloses a method of detecting undesirable behavior of an Internet-of-Things (IoT) device (see, e.g., paragraph [0007]), the method comprising:
	associating a first subset of patterns of a superset of patterns with a first IoT device profile of a plurality of IoT device profiles [paragraph 0041];  
attributing the first IoT device profile to a first IoT device (see, e.g., paragraph [0041]-"normal behavior patterns... (‘behavior profile’) for each entity");  
detecting first IoT device events, the first IoT device events including one or more network sessions of the first IoT device (see, e.g., paragraph [0282]-"events, e.g., from devices or sensors."; paragraph [0284]-"network"; see also paragraphs [0282]-[0289]);
	generating an activity data structure from the first IoT device events and from other events [paragraph 0282]; 
	determining an activity of the first IoT device based on the activity data structure [paragraph 0282];  
	applying the first subset of patterns to the activity of the first IoT device [paragraph 0282];
	generating an alert when the application of the first subset of patterns to the activity of the first IoT device is indicative of undesirable behavior for a device to which the first IoT device profile is attributed [paragraphs 0255 and 0277]. 
	In the same field of endeavor, Spurlock teaches a method of detecting undesirable behavior of a device comprising: generating an activity data structure from first device events and from other events, wherein the generated activity data structure comprises a labeled collection of events, and wherein at least one of the other events comprises a non-network event (i.e., activities such as writing to a file, modifying a memory space, creating a registry, etc., paragraphs 0017-0024). It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Spurlock within the system of Singh in order to enhance security of the system by generating comprehensive activity data.
	In the same field of endeavor, Aghdaie teaches a machine learning anomaly detection system including abstracting at least one of first IoT device events or other events, wherein the abstracting of the at least one of the IoT device events or other events includes at least one of: (1) aggregating a plurality of events, (2) enriching at least one event, or (3) translating at least one event [column 7, lines 4-column 8, line 39]. It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Aghdaie within the system of Singh and Spurlock in order to enhance security of the system by aggregating event data and detecting anomalies.

	As per claims 2 and 12, Singh further teaches the method wherein the first IoT device profile is attributed to the first IoT device prior to deployment of the first IoT device [paragraphs 0041-0043]. 
	
	As per claims 3 and 13, Singh further teaches the method wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device [paragraphs 0041-0043]. 
 
	As per claims 4 and 14, Singh further teaches the method, wherein the first IoT device profile is attributed to the first IoT device after deployment of the first IoT device, and the first IoT device profile is a default IoT device profile that is dynamically modified using available data [paragraphs 0041-0043]. 

	As per claims 5 and 15, Singh further teaches the method wherein the first IoT device events are detected using passive monitoring [paragraphs 0282-0289]. 

	As per claims 6 and 16, Singh further teaches the method wherein the first IoT device events are detected using packet headers in messages sent to or from the first IoT device [paragraph 0286]. 
 
	As per claims 7 and 17, Aghdaie further teaches the method wherein the first IoT device events are aggregated to form one or more composite first IoT device events using machine learning [column 7, lines 4-column 8, line 39].
 
	As per claims 8 and 18, Aghdaie further teaches the method wherein the first IoT device events are aggregated to form one or more composite first IoT device events using a device implemented as part of a local area network (LAN) that includes the first IoT device [column 7, lines 4-column 8, line 39]. 
 
	As per claims 9 and 19, Singh further teaches the method wherein the first IoT device does not have a history of previously exhibited undesirable behavior, and the undesirable behavior includes anomalous behavior of the first IoT device [paragraph 0277].  
 
	As per claims 10 and 20, Singh further teaches the method wherein the first IoT device has a history of previously exhibited undesirable behavior, and the undesirable behavior includes normal behavior of the first IoT device [paragraph 0277]. 

	As per claim 21, Aghdaie further teaches the method wherein a plurality of discrete events are aggregated to form one or more composite events using machine learning [column 7, lines 4-column 8, line 39]. It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Aghdaie within the system of Singh and Spurlock in order to enhance security of the system by aggregating event data and detecting anomalies.

	As per claim 22, Aghdaie further teaches the method wherein the one or more composite events are formed using common factor aggregation (i.e., individual data sets within a table which share the same data aggregation rule, column 7, lines 4-column 8, line 39). It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Aghdaie within the system of Singh and Spurlock in order to enhance security of the system by aggregating event data and detecting anomalies.

	As per claims 23-27, Aghdaie further teaches the method wherein a common factor used in the common factor aggregation includes a device profile/operating system vendor/an operating system version/an application/communication via a particular subnetwork common to a plurality of devices (i.e., individual data sets within a table which share the same data aggregation rule, column 7, lines 4-column 8, line 39). It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Aghdaie within the system of Singh and Spurlock in order to enhance security of the system by aggregating event data and detecting anomalies.

	As per claims 28 and 29, Aghdaie further teaches the method wherein enriching the at least one event includes associating data with another event (i.e., data associated with operation, column 6, lines 49-67). It would have been obvious to one having ordinary skill in the art before the filing date of the application to employ the teachings of Aghdaie within the system of Singh and Spurlock in order to enhance security of the system by associating event data and detecting anomalies.




Conclusion
 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847. The examiner can normally be reached Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

BEEMNET W. DADA
Primary Examiner
Art Unit 2435



/BEEMNET W DADA/Primary Examiner, Art Unit 2435