Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
	Claims 4-8 are pending. Claims 4 and 7 have been amended. 
Response to Amendments
	Applicant’s amendment filed on 05-16-2022 has been considered and entered.
Response to Arguments
	Applicant's amendments/arguments filed on 05-16-2022 have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	Claims 4-8 are rejected under 35 U.S.C. 103 as being unpatentable over Weingart et al. (US Patent No. 10,650,652) in view of Almurayh (US Patent No. 9,712,549), in view of Munro et al. (US Publication No. 2018/0020015), further in view of Back et al. (US Patent No. 10,432,658).
	As per claims 4 and 7, Weingart discloses an integrated security system for providing physical and electronic security for a facility based on profile anomalies, comprising: a wired or wireless network system (WWNS) (column 4, lines 58-59, wired or wireless network 106a, and column 22, lines 37-38, wired or wireless links 524, 526, 528, 532, 584 and 566); a physical security alarm system (PSAS) configured for collecting intrusion data from physical security sensors via a WWNS (column 4, lines 58-67, “control unit server 104a communicate over a short range wired or wireless connection over network 106a with connected devices such as … one or more sensors 114a to receive sensor data descriptive of events detected” and column 22, lines 42-47, “sensors 520 … may continuously transmit sensed values to the controller 512”); and a router configured for (i) connecting the WWNS to a remote network and (ii) providing the electronic security (column 17, lines 25-28 and 32-34, “network module 514 is a communication device configured to exchange communication over the network 505 … the network module 514 may transmit alarm data over a wireless data channel”).
	Weingart does not explicitly disclose a security sensor gateway (SSG) for performing real-time monitoring of the traffic traversing the WWNS and the intrusion data collected from the sensors;
wherein the SSG is configured to: (i) analyze the monitored traffic and collected intrusion data to develop a traffic pattern, the traffic pattern including egress/ingress activity and traffic volume; and (ii) create a security system baseline responsive to the traffic pattern; and detect, based on the traffic pattern a local activity of a specified device on the WWNS with a device connected to another network that is blacklisted by the integrated security system and remote from the WWNS.
	However, in an analogous art, Almurayh discloses a security sensor gateway (SSG) for performing real-time monitoring of the traffic traversing the WWNS and the intrusion data collected from the sensors (column 5, lines 32-42, “the detector module 202 continuously monitors the one or more sensors to detect a change in the status or the smart appliances … the processing circuitry of the detector module 202 is configured to detect instances of cyber-attack on the at least one smart appliance”); wherein the SSG is configured to: (i) analyze the monitored traffic and collected intrusion data to develop a traffic pattern and (ii) create a security system baseline responsive to the traffic pattern (column 5, line 57 to column 6, line 5, “[t]he normal or abnormal status of the at least one smart appliance 114 determined by the detector module is output to the learner module 204 and informer module 206 … [t]he learner module 204 employs machine learning technique … to determine patterns of use and patterns of status change of the at least one smart appliance 114 in the home … the learner module 204 determine a normal baseline status for the at least one smart appliance 114”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Weingart to include a security sensor gateway (SSG) for performing real-time monitoring of the traffic traversing the WWNS and the intrusion data collected from the sensors; wherein the SSG is configured to (i) analyze the monitored traffic and collected intrusion data to develop patterns and (ii) create security system baselines responsive to the patterns, as taught by Almurayh. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to detect anomalous events and cyber-attacks on the network.
	While Weingart in view of Almurayh discloses analyzing the monitored traffic and collected intrusion data to develop a traffic pattern, Weingart in view of Almurayh does not explicitly disclose the traffic pattern including egress/ingress activity and traffic volume. However, a traffic pattern including egress/ingress activity and traffic volume is old and well known in the art, as illustrated by Munro (paragraph [0037], “[f]or each network instance, incoming and outgoing traffic [egress/ingress activity] is collected … the network flows contain the following data: timestamp, session duration, protocol, source IP address, source port, destination IP address, destination port, number of bytes, number of packets [traffic volume]”; claim 1, “… collect instances of network data from the one or more network elements; … analyze the instances of network data and produce a historical behavioral pattern for each of the instances of network data … compare the current behavioral pattern to a corresponding historical behavioral pattern …”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Weingart and Almurayh with Munro. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of filtering incoming and outgoing traffic to detect anomalies and intrusion in the network.
	Weingart in view of Almurayh and Munro does not explicitly disclose, but in an analogous art, Back discloses, detect, based on the traffic pattern a local activity of a specified device on the WWNS with a device connected to another network that is blacklisted by the integrated security system and remote from the WWNS (figure 1 and column 21, lines 23-26, intercepting a communication from client device 110 to a malicious system 150, column 8, lines 1, blacklist, and lines 33-35). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Weingart, Almurayh and Munro, to include detecting, based on the traffic pattern a local activity of a specified device on the WWNS with a device connected to another network that is blacklisted by the integrated security system and remote from the WWNS, as taught by Back.
	This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of identifying malicious network traffic based on a list of known malicious sources.
	As per claims 5 and 8, Almurayh furthermore discloses the integrated security system of claim 4, wherein the SSG is further configured to (i) compare the real-time monitored traffic and the collected intrusion data with the security system baselines to produce a threat anomaly detection level (column 7, lines 62, “the detector module 202 may determine that the status of the smart appliance 114 is anomalous if the amount of deviation from the normal baselined status is greater than a predetermined threshold, such as a medium or high amount of deviation”) and (ii) trigger a security alert when the threat anomaly detection level exceeds a predetermined threshold (figure 3, column 8, lines 3-5, if it is determined that the status of the smart appliance 114 is anomalous, issuing an alert at step 308).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Weingart, Back, Munro and Almurayh, in order to detect anomalous events and cyber-attacks on the network.
	As per claim 6, Weingart furthermore discloses a remote monitoring station to respond to the triggered security alert (column 23, lines 25-27 and 39-41, “the central alarm station server 570 may be configured to monitor alerting events … the central station server 570 may route alerting data to the terminal 572 and 574 to enable an operator to process the alerting data”).
References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Tzadikario (US Publication No. 2006/0107321) discloses a computer-implemented method for mitigating attacks of malicious traffic in a computer network that includes receiving a set of attack sequences, including first traffic sequences suspected of containing the malicious traffic, analyzing the attack sequences so as to automatically extract a regular expression that matches at least a portion of the attack sequences in the set, and comparing second traffic sequences to the regular expression in order to identify the second traffic sequences that contain the malicious traffic.
	Eslambolchi et al. (US Publication No. 2016/0255104) discloses a system for identifying a network intrusion that includes four modules. The first module monitors network transmissions and creates a model of regular network activity. The second module receives the model of regular network activity and sets a threshold for irregular usage based on the model. The third module receives the threshold, compares a value of a candidate inter-nodal transmission of the network to the threshold, and identifies a potential intrusion when the value exceeds the threshold. The fourth module analyzes a transmission behavior of one or more nodes of the candidate inter-nodal transmission and identifies the network intrusion.

Conclusion

      	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437