Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The disclosure is objected to because of the following informalities: Paragraph 0043 is inconsistent with and contradicts paragraph 0042. Paragraph 0042 states “If there is a signature match, the operations proceed to the second stage 370.”; stage 370, according to Figure 3B, is the activation of the hybrid IDS. However, paragraph 0043 states “At 373, a hybrid detection agent is activated when there is no signature match from operation 364, above,” which clearly contradicts both paragraph 0042 and Figure 3B. Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 3, 11, and 17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventors, at the time the application was filed, had possession of the claimed invention. The specification fails to disclose activating the anomaly detection when a new signature is detected. The specification [para. 0043] states that when a new signature is detected, stage 380 (threat mitigation) is applied, and when a new signature is not detected, the second technique is used: “At operation 377, a determination is made as to whether the monitored gateway parameters indicate a new attack. If not, the process reverts to operation 373. If a new attack is detected, the process proceeds to the third stage 380.” For the purpose of examination, the claim is interpreted based on the specification [para. 0043] and Fig. 3B, step 377, i.e. “using the second technique comprises using the second technique when a new network intrusion signature is NOT detected.”
Claims 3, 11, and 17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement. The claims contain subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention when there is no signature.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 9-11, 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over SOHAIL (US-20200403991-A1) in view of PARK (US-20180309818-A1), hereinafter SOHAIL-PARK.
Regarding claim 1, SOHAIL teaches “A method for detecting an intrusion event in a network of computing devices, the method comprising: at a gateway device in the network, monitoring device performance and context parameters of the …… device using live data traffic and operational parameters;” ([SOHAIL, para. 0018] “FIG. 1 is a high-level schematic illustration of a computing system which implements a system for detecting anomalous activity within a network environment based on power consumption of devices operating within the network environment, according to an exemplary embodiment of the disclosure. The computing system 100 comprises a device network 110, a communications network 130, and a computing platform 140 which is coupled to the device network 110 via the communications network 130. The device network 110 comprises a plurality of devices 120-1, 120-2, . . . , 120-d (collectively referred to as devices 120 or IoT devices 120) and one or more gateways 124. Each device 120-1, 120-2, . . . , 120-d comprises a power consumption monitoring and reporting module 122, as well as other components as discussed below.”) ([SOHAIL, para. 0032] “the device network 110 comprises one or more nodes (e.g., the gateway node 124), which implement a network activity and communications monitoring system that is configured to collect and stream certain types of network-related information to the computing platform 140, wherein such network-related information is used in conjunction with the power consumption data to detect for anomalous behaviors and activities within the device network 110. For example, such network-related information includes, but is not limited to, monitored network activity in the device network 110, monitored communication patterns between different devices 120 in the device network 110, monitored behaviors of the devices 120 and other nodes in the device network 110, etc. In some embodiments, the gateway node 124 is configured to perform functions such as dynamic IoT device discovery and profiling using known techniques, e.g., by viewing all inbound and outbound network traffic, and identifying any device (e.g., specific make and model) that connects to the device network 110.”) ([SOHAIL, para. 0051] “The anomaly detection engine 223 implements methods to process streaming data (e.g., network activity data, power consumption data, etc.) received from the IoT devices 120 and the device network 110 to detect for possible anomalous activity related to security breaches (intrusion detection) such as sniffer attacks, denial-of-service attacks, man-in-the-middle attacks, etc., using behavioral patterns that are stored in the database of learned behavioral patterns 229.”)

defining a steady-state operation based on expected performance of the device performance and context parameters; ([SOHAIL, abstract] “a method includes collecting power consumption data of a plurality of devices operating within a network and determining trust scores for the plurality of devices based, at least in part, on the collected power consumption data. The trust score for a device provides a measure of trustworthiness of the device exhibiting normal operating behavior within the network. Each device is assigned to one of a plurality of trust tiers based on the determined trust scores, wherein each trust tier specifies an authentication level for devices assigned to the trust tier.”) ([SOHAIL, para. 0016] “various types of information such as power consumption/usage of IoT devices, communication patterns between IoT devices, etc., are utilized to generate trust scores for the IoT devices. The trust score for a given device (e.g., IoT device) provides a quantitative measure or indication of how trustworthy the device is with regard to exhibiting normal behavior within a given network environment.”)

comparing the steady-state operation to the monitored device performance and context parameters; ([SOHAIL, para. 0054] “In some embodiments, the learned behavioral patterns database 229 comprises “normal behavior profiles” which comprise signatures or patterns of normal network activities and/or normal device behavior. In such instances, the anomaly detection engine 223 is configured to compare the normal behavior profiles with a current set of streaming data in database 227 to detect certain network activities and device behaviors as being “abnormal” when such network activities and device behaviors deviate from one or more normal behavior profiles by statistically significant amounts.”) ([SOHAIL, para. 0046] “In some embodiments, the power profiles comprise vendor-created power profiles that provide information regarding normal ranges of power usage of various types of vendor-specific devices (e.g., wireless sensor devices) for different applications and/or configurations of the IoT devices. The vendor-created power profiles provide an initial baseline of power usage information which can be compared against the actual power consumption (e.g., average power over a period of time) of a given IoT device 120 within the device network 110 to determine if the given IoT device 120 is consuming a normal or abnormal amount of power for a given application and/or configuration.”)

and activating a hybrid network intrusion detection technique, the hybrid network intrusion detection technique determining a presence of an intrusion event based on a comparison result of the comparing the steady-state operation to the monitored device performance and context parameters. ([SOHAIL, para. 0051] “The anomaly detection engine 223 implements methods to process streaming data (e.g., network activity data, power consumption data, etc.) received from the IoT devices 120 and the device network 110 to detect for possible anomalous activity related to security breaches (intrusion detection) such as sniffer attacks, denial-of-service attacks, man-in-the-middle attacks, etc., using behavioral patterns that are stored in the database of learned behavioral patterns 229.”) ([SOHAIL, para. 0058, Fig. 3] “FIG. 3 is a flow diagram of a method for detecting anomalous activity within a network environment based on power consumption of devices operating within the network environment, according to an exemplary embodiment of the disclosure. In particular, FIG. 3 illustrates an exemplary mode of operation of the power consumption analysis and anomaly detection system 220 for detecting anomalous activity within a network of sensor nodes based on reported power consumption/usage of the sensor nodes operating within the network ……. The streaming power consumption data is stored in the streaming data database 227 using suitable indexing techniques to associate power consumption data with corresponding sensor nodes that report the power consumption data to the power consumption analysis and anomaly detection system 220.”) ([SOHAIL, para. 0059, Fig. 3] “The collected power consumption data is processed to determine if any sensor node is exhibiting abnormal power consumption (block 302). In one embodiment, this process can be implemented by the power consumption behavior analysis engine 221 processing the collected power consumption data against learned behavioral patterns of power consumption of the sensor nodes, which are stored in the learned behavioral patterns database 229, or otherwise using baseline or updated power profiles of the sensor nodes, which are stored in the power profiles database 228.”) ([SOHAIL, para. 0060, Fig. 3] “A determination is made as to whether any of the sensor nodes currently operating within the sensor network are detected as exhibiting abnormal power consumptions (block 304). If a given sensor node is not detected as exhibiting abnormal power consumption (negative determination in block 304), the sensor node is allowed to continue passing data within the sensor network and storing data in the backend distributed data storage system 170 of the computing platform 140 (block 306). On the other hand, when a given sensor node is detected as exhibiting abnormal power consumption (affirmative determination in block 304), the alert and notification module 225 sends an alert to the management node 150 of the computing platform 140 and the given node is marked as “suspect” for a security analysis (block 308).”) ([SOHAIL, para. 0061, Fig. 3] “A security analysis is then performed to confirm whether or not the marked sensor node is actually exhibiting abnormal behavior (block 310). This security analysis can be performed manually by a system administrator, or performed automatically (or semi-automatically) using other anomaly detection methods and/or manual review methods to verify the results of the initial detection. If the results of the security analysis confirm that the given sensor node is not exhibiting abnormal behavior (negative determination in block 312), the sensor node is allowed to continue passing data within the sensor network and storing data in the backend distributed data storage system 170 of the computing platform 140 (block 306). On the other hand, if the results of the security analysis confirm that the given sensor node is actually exhibiting abnormal behavior (affirmative determination in block 312), the sensor node is prevented/blocked from passing data within the sensor network or storing data”) [Examiner’s note: The hybrid detection as mentioned in SOHAIL is a two-part method that first performs a determination of abnormal power consumption and then performs a deeper security analysis.]
However, SOHAIL does not teach “monitoring device performance and context parameters of the gateway device”. SOHAIL only teaches a gateway monitoring IoT devices.
In analogous teaching, PARK teaches “monitoring device performance and context parameters of the gateway device”. ([PARK, para. 0180] “Gateway logger 622 can be configured to generate and/or store a log of the activity of gateway 502a. Gateway logger 622 can be configured to store a log of all faults that gateway 502a may encounter. Further, gateway logger 622 can be configured to monitor gateway performance and create a log of gateway performance. Gateway performance may include network usage, processing usage, memory usage, etc. In some embodiments, requests received from building server 504 and/or devices 11 can be logged by gateway logger 622. The requests may be a request to read data from devices 11, operate devices 11 in a particular manner, etc. In some embodiments, gateway logger 622 can periodically send the logs stored by gateway logger 622 to building server 504. In various embodiments, building server 504 can query gateway logger 622 for fault data.”).
Thus, given the teaching of PARK, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of monitoring a gateway as taught by PARK into the teaching of a method to detect intrusion events by monitoring device performance and context as taught by SOHAIL. One of ordinary skill in the art would have been motivated to do so because PARK recognizes the need to monitor the functionality of gateways in a network in case of any abnormal activity. ([PARK, para. 0001] “Gateways can act as isolated network links, and thus, devices connected to a gateway can be dependent on the functionality of a single gateway to be connected to a particular network. If a gateway goes offline or experiences a fault, all of the devices connected to the gateway may go offline.”) ([PARK, para. 0048] “By maintaining a logical representation of the gateways and devices in the building on the building server, various gateway faults can be handled by the building server. Further, a user may be able to remotely configure the various gateways and devices and view the current configuration of the various gateways and devices …… In this way, one gateway may take over the duties of the gateway that has become unresponsive and prevents the devices of the unresponsive gateway from becoming permanently and/or temporarily unavailable.”)

Regarding claim 9, this claim recites a non-transitory computer readable medium storing instructions that, when executed, perform the features of claim 1. Therefore, claim 9 is rejected in a similar manner as in the rejection of claim 1.

Regarding claim 15, this claim recites features similar to those recited in claim 1. Therefore, claim 15 is rejected in a similar manner as in the rejection of claim 1. SOHAIL further teaches “A server device for detecting an intrusion event in a network of computing devices, comprising: an interface unit configured to receive information; a data storage device storing instructions for detecting an intrusion event in a network of computing devices; and a processor configured to execute the instructions to” ([SOHAIL, para. 0035] “FIG. 2 schematically illustrates a server node which can be implemented in the computing platform 140 of FIG. 1, according to an exemplary embodiment of the disclosure. More specifically, FIG. 2 illustrates a server node 200 which comprises processors 202, storage interface circuitry 204, network interface circuitry 206, virtual resources 208, system memory 210, and local storage resources 216. The system memory 210 comprises one or more of volatile memory 212 and non-volatile memory 214. In addition, the server node 200 comprises a power consumption analysis and anomaly detection system 220”) ([SOHAIL, para. 0038] “The storage interface circuitry 204 enables the processors 202 to interface and communicate with the system memory 210, the storage resources 216, and other local storage and off-infrastructure storage media, using one or more standard communication and/or storage control protocols to read data from or write data to volatile and non-volatile memory/storage devices.”) ([SOHAIL, para. 0037] “The processors 202 comprise one or more types of hardware processors that are configured to process program instructions and data to execute a native operating system (OS) and applications that run on the server node 200.”)


Regarding claims 2, 10, and 16, SOHAIL-PARK teach all limitations of claims 1, 9, and 15. SOHAIL further teaches “The method of claim 1, wherein the hybrid network intrusion detection technique comprises: comparing the steady-state operations and the device performance and context parameters to a known network intrusion signature to determine a match;” ([SOHAIL, para. 0053, Fig. 3] “In typical IoT applications that implement a network of wireless sensor devices, for example, the wireless sensors are constrained in power, memory, and processing power. As such, various types of attacks such as outlined above can result in significant, abnormal power consumption of the wireless sensor devices. In this regard, the power consumption/usage behavior of one or more of the devices can be used to generate signatures or behavior patterns that are maintained in the learned behavioral patterns database 229.”) ([SOHAIL, para. 0054, Fig. 3] “the learned behavioral patterns database 229 comprises “normal behavior profiles” which comprise signatures or patterns of normal network activities and/or normal device behavior. In such instances, the anomaly detection engine 223 is configured to compare the normal behavior profiles with a current set of streaming data in database 227 to detect certain network activities and device behaviors as being “abnormal” when such network activities and device behaviors deviate from one or more normal behavior profiles by statistically significant amounts”)

and using a first technique to detect the intrusion event when the comparing does not indicate the match; ([SOHAIL, para. 0060, Fig. 3] “A determination is made as to whether any of the sensor nodes currently operating within the sensor network are detected as exhibiting abnormal power consumptions (block 304). If a given sensor node is not detected as exhibiting abnormal power consumption (negative determination in block 304), the sensor node is allowed to continue passing data within the sensor network and storing data in the backend distributed data storage system 170 of the computing platform 140 (block 306).”)

and using a second technique to activate an anomaly detection technique when the comparing does indicate the match. ([SOHAIL, para. 0060, Fig. 3] “when a given sensor node is detected as exhibiting abnormal power consumption (affirmative determination in block 304), the alert and notification module 225 sends an alert to the management node 150 of the computing platform 140 and the given node is marked as “suspect” for a security analysis (block 308).”) ([SOHAIL, para. 0061, Fig. 3] “A security analysis is then performed to confirm whether or not the marked sensor node is actually exhibiting abnormal behavior (block 310). This security analysis can be performed manually by a system administrator, or performed automatically (or semi-automatically) using other anomaly detection methods and/or manual review methods to verify the results of the initial detection. If the results of the security analysis confirm that the given sensor node is not exhibiting abnormal behavior (negative determination in block 312), the sensor node is allowed to continue passing data within the sensor network and storing data in the backend distributed data storage system 170 of the computing platform 140 (block 306). On the other hand, if the results of the security analysis confirm that the given sensor node is actually exhibiting abnormal behavior (affirmative determination in block 312), the sensor node is prevented/blocked from passing data within the sensor network or storing data in the backend distributed data storage system 170 of the computing platform 140 (block 314). An additional security check or compliance check can then be performed to rectify the detected abnormal behavior of the sensor node (block 316).”)

Regarding claims 3, 11, and 17, SOHAIL-PARK teach all limitations of claims 2, 10, and 16. SOHAIL further teaches “wherein using the second technique comprises using the second technique when a new network intrusion signature is detected.” ([SOHAIL, para. 0055] “In other embodiments, the learned behavioral patterns database 229 comprises “abnormal behavior profiles” which comprise signatures or patterns of known abnormal network activities and/or abnormal device behavior. In such instances, the anomaly detection engine 223 is configured to compare the abnormal behavior profiles with a current set of streaming data in the database of streaming data 227 to detect certain network activities and device behaviors that are known to be abnormal when such network activities and device behaviors are determined to positively correspond to one or more abnormal behavior profiles within a predefined statistical range.”) ([SOHAIL, para. 0060] “On the other hand, when a given sensor node is detected as exhibiting abnormal power consumption (affirmative determination in block 304), the alert and notification module 225 sends an alert to the management node 150 of the computing platform 140 and the given node is marked as “suspect” for a security analysis (block 308).”) ([SOHAIL, para. 0061] “A security analysis is then performed to confirm whether or not the marked sensor node is actually exhibiting abnormal behavior (block 310). This security analysis can be performed manually by a system administrator, or performed automatically (or semi-automatically) using other anomaly detection methods and/or manual review methods to verify the results of the initial detection”).

Claims 4, 5, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over SOHAIL-PARK in view of SEDJELMACI (“A Lightweight Anomaly Detection Technique for Low-Resource IoT Devices: A Game-Theoretic Methodology”), hereinafter SOHAIL-PARK-SEDJELMACI.
Regarding claims 4, 12, and 18, SOHAIL-PARK teach all limitations of claims 2, 10, and 16. However, SOHAIL-PARK does not teach “wherein the anomaly detection technique is activated using a game theory approach”.
In analogous teaching, SEDJELMACI teaches “wherein the anomaly detection technique is activated using a game theory approach”. ([SEDJELMACI, abstract] “To achieve a high detection rate, the anomaly detection technique relies on a learning algorithm to model the normal behavior of a node and when a new attack pattern (often known as signature) is detected, it will be modeled with a set of rules. This latter is used by the signature detection technique for attack confirmation. However, the activation of anomaly detection for low-resource IoT devices could generate a high-energy consumption, specifically when this technique is activated all the time. Using game theory and with the help of Nash equilibrium, anomaly detection is activated only when a new attack’s signature is expected to occur. This will make a balance between accuracy detection and energy consumption. Simulation results show that the proposed anomaly detection approach requires a low energy consumption to detect the attacks with high accuracy (i.e. high detection and low false positive rates).”).
Thus, given the teaching of SEDJELMACI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of using game theory to activate anomaly detection as taught by SEDJELMACI into the teaching of a method to detect intrusion events by monitoring device performance and context as taught by SOHAIL-PARK. One of ordinary skill in the art would have been motivated to do so because SEDJELMACI recognizes the benefits of game theory for increasing detection efficiency. ([SEDJELMACI, Section IV “Accuracy detection”] “According to Fig 1 (a), (b) and (c), we show that when the number of sensor nodes and attackers increase, the accuracy detection of both hybrid detection systems exceeds 90%. Furthermore, we found out that the accuracy detection of our lightweight detection system is close to the current hybrid detection systems. This is achieved even in a scaling mode, i.e. when the number of sensors and attackers increase. The accuracy of attack detection that our approach exhibits is attributed to the game theory concept since with the help of Nash equilibrium, we can predict the state in which the attacker can launch a new signature with a goal to carry out an attack without being detected. In this case, the IDS agent activates its anomaly detection against the suspected nodes and ejects the malicious attacker before raising a lethal cyber attack”)

Regarding claim 5, SOHAIL-PARK-SEDJELMACI teach all limitations of claim 4. SEDJELMACI further teaches “wherein the game theory approach utilizes a Nash equilibrium to activate the anomaly detection technique.” ([SEDJELMACI, Section 3, para. 2] “we determine, with the help of Nash Equilibrium (NE), the equilibrium state in which the IDS agent will activate its anomaly detection technique to train, classify and build a rule related to a new attack’s signature.”).
The same motivation to modify SOHAIL-PARK with SEDJELMACI as in the rejection of claim 4 applies.

Claims 6-8, 13, 14, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over SOHAIL-PARK in view of SIDDIQUI (US-10554507-B1), hereinafter SOHAIL-PARK-SIDDIQUI.
Regarding claims 6, 13, and 19, SOHAIL-PARK teach all limitations of claims 2, 10, and 16. SOHAIL teaches monitoring device performance and context parameters and the steady-state operations; ([SOHAIL, para. 0032] “monitoring system that is configured to collect and stream certain types of network-related information to the computing platform 140, wherein such network-related information is used in conjunction with the power consumption data to detect for anomalous behaviors and activities within the device network 110. For example, such network-related information includes, but is not limited to, monitored network activity in the device network 110, monitored communication patterns between different devices 120 in the device network 110, monitored behaviors of the devices 120 and other nodes in the device network 110, etc.”) and determining whether the monitored device performance and context parameters are indicative of a new network intrusion event. ([SOHAIL, para. 0051] “the anomaly detection engine 223 implements intrusion detection methods in which the reported power consumption/usage of IoT devices”) ([SOHAIL, para. 0060] “when a given sensor node is detected as exhibiting abnormal power consumption (affirmative determination in block 304), the alert and notification module 225 sends an alert to the management node 150 of the computing platform 140 and the given node is marked as “suspect” for a security analysis (block 308).”) ([SOHAIL, para. 0061] “A security analysis is then performed to confirm whether or not the marked sensor node is actually exhibiting abnormal behavior (block 310) …… if the results of the security analysis confirm that the given sensor node is actually exhibiting abnormal behavior (affirmative determination in block 312), the sensor node is prevented/blocked from passing data within the sensor network or storing data in the backend distributed data storage system 170 of the computing platform 140 (block 314).”).
However, SOHAIL-PARK does not teach “simulating a network attack …… and based on the simulating, determining …. indicative of a new network intrusion event.”
In analogous teaching, SIDDIQUI teaches “simulating a network attack …… and based on the simulating, determining …. indicative of a new network intrusion event.” ([SIDDIQUI, Col. 14 lines 24-35] “As shown in FIG. 1A, the analysis monitoring service 145 receives, in a periodic or aperiodic manner, the operational metadata 150 from the second subsystem 160 (e.g., cluster management system 190). As an example, the operational metadata 150 may be directed to the overall health of one or more clusters (e.g., the cluster 185 1); cluster queue size or queue length; cluster or compute node workload; cluster or compute node geographic location; traffic restrictions on a cluster or compute node basis according to a particular traffic type (e.g., governmental versus commercial traffic, email versus web traffic, or traffic from customers with or exceeding a prescribed subscription level)”) ([SIDDIQUI, Col. 26 lines 51-57] “A portion of the metadata 122 may be used by an analytic compute node to retrieve the suspicious object 120 associated with the metadata 122 for processing within a virtual machine, monitoring behaviors of the object (and virtual machine) during such processing, and determining whether the object may be malicious based on these monitored behaviors (blocks 540 and 545).”) ([SIDDIQUI, Col. 24 lines 23-41] “Upon receipt of the suspicious object 120, the object analysis system 340 1 conducts an in-depth malware analysis, namely any combination of attack-oriented behavior (dynamic) analysis or static analysis, in order to determine a probability of the suspicious object 120 being associated with malware. 
Such operations may involve execution of the suspicious object 120 within a virtual machine operating with the object analysis system 340 1, where the virtual machine is configured with one or more software profiles (e.g., one or more software components including operating system, application(s), and/or plug-in(s)) allowing the virtual machine to execute the suspicious object 120 and monitor attack-oriented behaviors of the virtual machine, including any of the software components. Thereafter, the object analysis system 340 1 performs a correlation operation on the monitored attack-oriented behaviors (e.g., analyzes the monitored behaviors against known malicious behaviors and behavioral patterns) to determine if the suspicious object 120 is associated with a cyber-attack.”)
Thus, given the teaching of SIDDIQUI, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of simulating network attacks as taught by SIDDIQUI with the teaching of a method to detect intrusion events by monitoring device performance and context as taught by SOHAIL-PARK. One of ordinary skill in the art would have been motivated to do so because SIDDIQUI recognizes the need to provide scalable and reliable malware detection. ([SIDDIQUI, Col. 1 lines 38-45] “malware detection appliance has a prescribed (and finite) amount of resources (for example, processing power) that, as resource capacity is exceeded, requires either the malware detection appliance to resort to more selective traffic inspection or additional malware detection appliances to be installed. The installation of additional malware detection appliances requires a large outlay of capital and network downtime”) ([SIDDIQUI, Col. 1 lines 50-52] “An improved approach that provides scalability, reliability, and efficient and efficacious malware detection at lower capital outlay is desirable.”)

Regarding claims 7, 14, and 20, SOHAIL-PARK-SIDDIQUI teaches all limitations of claims 6, 13, and 19. SOHAIL further teaches “further comprising instructing an intrusion detection system to disable the new network intrusion event.” ([SOHAIL, para. 0061] “On the other hand, if the results of the security analysis confirm that the given sensor node is actually exhibiting abnormal behavior (affirmative determination in block 312), the sensor node is prevented/blocked from passing data within the sensor network or storing data in the backend distributed data storage system 170 of the computing platform 140 (block 314). An additional security check or compliance check can then be performed to rectify the detected abnormal behavior of the sensor node (block 316).”) ([SOHAIL, para. 0066] “When a given sensor node is determined to be exhibiting anomalous behavior (affirmative determination in block 408), the given sensor node is blocked from passing data in the sensor network or storing data to the backend data storage system (block 410). On the other hand, if a given sensor node is not identified as exhibiting anomalous behavior (negative determination in block 408), the given sensor node is allowed to continue passing data in the sensor network and storing data to the backend data storage system (block 412).”)

Regarding claim 8, SOHAIL-PARK-SIDDIQUI teaches all limitations of claim 6. SOHAIL further teaches “further comprising: generating a new network intrusion signature based on the new network intrusion event; and storing the new network intrusion signature in a database of signatures for network intrusion events.” ([SOHAIL, para. 0053] “In typical IoT applications that implement a network of wireless sensor devices, for example, the wireless sensors are constrained in power, memory, and processing power. As such, various types of attacks such as outlined above can result in significant, abnormal power consumption of the wireless sensor devices. In this regard, the power consumption/usage behavior of one or more of the devices can be used to generate signatures or behavior patterns that are maintained in the learned behavioral patterns database 229.”).


The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
MCCALLAM (US-20040230834-A1) teaches a steady-state computer intrusion and misuse detection system. The system includes an agent manager that directs actions of software agents to collect computer performance parameters from the computer, and a data analyzer that summarizes the collected computer performance parameters and generates a user profile. The system further includes a comparator that compares the summarized computer performance data with the user profile and generates a prompt based on a set of criteria related to the computer performance data and the user profile.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434