Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 have been canceled. Claims 21-40 have been newly added.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 10-14-2020 has been considered. Please see attached PTO-1449. 
Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 21-24, 26, 29-32 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Mircescu et al. (US Publication No. 2016/0173450) in view of Younger et al. (US Publication No. 2009/0019314).
	As per claim 21, Mircescu discloses a computer-implemented method comprising: sending, by an agent running in an Internet of Things (IoT) environment comprising a plurality of IoT devices, [device configuration information] and security data to a cloud security service providing IoT security threat protection (paragraph [0081], “agent 41…perform a security assessment of client system 12…and may send security assessment data to configuration server 52 or security server 50”, paragraph [0101], IoT device), wherein the [device configuration information] and security data relate to an IoT device of the plurality of IoT devices (paragraph [0101], protecting devices known as Internet of Things (IoT)); generating, [based on the device configuration information], a recommendation for improving the security posture of the IoT device (paragraph [0081], the server(s) forward a security indicator which includes, among others, an indicator of whether a particular software object is up to date, and an indicator of a strength of a password used to protect client system); generating, [based on the security data], a security alert indicating potential malicious activity in the IoT environment (paragraph [0094], [0104] “send an event notification [security alert] …informing the user…that a security event has occurred”); and causing display of a graphical user interface (GUI) including an indication of the recommendation [and the security alert] (paragraph [0081], the server(s) forward a security indicator to administration device for display to the user/administrator. Security indicators displayed to the user/administrator include, among the others, an indication of whether a particular software object executing on client system is up to date and an indicator of a strength of a password used to protect client system (it is noted that such indicators recommend, for example, whether the software needs to be updated or not)).
	Mircescu does not explicitly disclose sending device configuration information, relating to IoT device;	generating based on the device configuration information a recommendation. Further while Mircescu discloses generating and sending security alert, Mircescu does not explicitly disclose generating, based on the security data, a security alert; and displaying the security alert. 
	However, in an analogous art, Younger discloses sending device configuration information relating to network device  (paragraph [0050], [0051] and  [0054] the information collection module 409 of the network management tool 301 collecting  a wide  variety of information from network devices and sending to advisor module); generating based on the device configuration information a recommendation (paragraph [0051], in response to receiving information the advisor module provides a set of recommendation. Paragraph [0053]-[0054], the advisor module provide recommendation for upgrading the network device); generating, based on the security data, a security alert (page 6, Table 1, advisor module 403 indicates recommendation (alerts)  if determines no PC protection software present on devices); and displaying the security alert (figure 5, “network alerts: 8 alerts”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu with Younger. This would have been obvious because a person having ordinary skill in the art would have been motivated to monitor and analyze the configuration and usage of devices and then provide suggestions to improve the performance of the devices.
	As per claim 29, Mircescu discloses a computer-implemented method comprising: obtaining, by an Internet of Things (IoT) security service, device data related to an IoT device located in a computer network comprising a plurality of IoT devices (paragraph [0081], “agent 41…perform a security assessment of client system 12…and may send security assessment data to configuration server 52 or security server 50”, paragraph [0101], IoT devices); generating, based on the device data, at least one recommendation for improving the security posture of the IoT device (paragraph [0081], the server(s) forward a security indicator to administration device for display to the user/administrator. Security indicators displayed to the user/administrator include, among the others, an indication of whether a particular software object executing on client system is up to date and an indicator of a strength of a password used to protect client system (it is noted that such indicators recommend, for example, whether the software needs to be updated or not)) and generating at least one security alert indicating potential malicious activity (paragraph [0094], “send an event notification [security alert] …informing the user…that a security event has occurred”); and causing display of a graphical user interface (GUI) including an indication of the recommendation for improving the security posture of the IoT device (paragraph [0081], the server(s) forward a security indicator to administration device for display to the user/administrator).
	Mircescu does not explicitly disclose the device data including data reflecting device configurations and reflecting operation of the IoT device; and generating based on the device data at least one security alert and causing display of an indication of the security alert. However, in an analogous art, Younger discloses the device data including data reflecting device configurations and reflecting operation of the IoT device (paragraph [0051], in response to receiving information the advisor module provides a set of recommendation. Paragraph [0054], the collection module determine existing software installed on network devices, inventory hardware devices, local disk , resource or file system information of the device); and generating based on the device data at least one security alert (page 6, Table 1, advisor module 403 indicates recommendation (alerts)  if determines no PC protection software present on devices) and causing display of an indication of the security alert(figure 5, “network alerts: 8 alerts”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu with Younger. This would have been obvious because a person having ordinary skill in the art would have been motivated to monitor and analyze the configuration and usage of devices and then provide suggestions to improve the performance of the devices.
	As per claim 22, Mircescu furthermore discloses the agent executes on the IoT device and logs, processes, and sends the device configuration and security data to the cloud security service ( figure 6, paragraph [0049] and [0081], “utility agent 41 configured to provide security services may perform a security assessment of client system 12 (e.g., a local malware scan) and may send security assessment data to configuration server 52 or security server 50”, paragraph [0083], agent logs (monitors and reports) usage of the system).
	As per claim 23, Mircescu furthermore discloses wherein the security data is collected by the cloud security service  (paragraph [0081], “security assessment data sent to configuration server 52 or security server 50”). Younger furthermore discloses the device configuration information is collected by the cloud security service (paragraph [0050], [0051] and  [0054]  a wide  variety of information sent to advisor module). The motivation is similar to the motivation provided in the independent claim 21.
	As per claims 24 and 32, Younger furthermore discloses wherein the data includes device profile data including at least one of: an indication of a device type, software running on the IoT device, software versions running on the IoT device, device network configurations, device encryption configurations (paragraph [0054], table 1, determine existing software inventory installed on network devices, corresponding to software running on the IoT device), wherein the data further includes device activity data including one or more of network traffic data, application data, file modification data, and device error activity (paragraph [0054], determine real time performance characteristics of the network, determine resource or file system information (application data)).
	The motivation is similar to the motivation provided in independent claim 22 and 29.
	As per claim 26 and 34, Mircescu furthermore discloses causing execution of an action to occur relative to the IoT device, the action including one or more of: rebooting the IoT device, sending a software update to the IoT device, modifying one or more network or system configurations associated with the IoT device, collecting additional data from the IoT device (paragraph [0081], “updating software…for respective client system”, corresponding to sending a software update ).
	As per claim 30, Mircescu furthermore discloses the device data is collected by an on-device agent running on the IoT device ( figure 6, paragraph [0049] and [0081], “utility agent 41 configured to provide security services may perform a security assessment of client system 12 (e.g., a local malware scan) and may send security assessment data to configuration server 52 or security server 50”).
	As per claim 31, Younger further discloses, wherein the device data is collected by the IoT security service (paragraph [0050], [0051] and  [0054]  a wide  variety of information sent to advisor module). The motivation is similar to the motivation provided in the independent claim 29.

	Claims 25 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Mircescu in view of Younger, further in view of Brady et al. (US Publication No. 2018/0247515).
	As per claims 25 and 33, Mircescu in view of Younger discloses all limitations of the claims as applied to claims 21 and 29 above. Mircescu in view of Younger does not explicitly disclose, but in an analogous art, Brady discloses, wherein the security alert is associated with a severity level (paragraph [0016], alert scoring scheme used to indicate the severity of an alert condition when it arises on a remote unattended IoT device).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu and Younger with Brady. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to indicate the severity of a breach of an alert limit.
	
	Claims 27 and 35 are rejected under 35 U.S.C. 103 as being unpatentable over Mircescu in view of Younger, in view of Chen (US Publication No. 2021/0112092), further in view of Israel et al. (US Publication No. 2018/0248893).
	As per claim 27 and 35, Mircescu in view of Younger discloses all limitations of claim as applied to claims 21 and 29 above. Mircescu in view of Younger does not explicitly disclose, but in an analogous art Chen discloses identifying, based on the security/device data and a defined IoT kill chain, a stage of the IoT kill chain  (paragraph [0042]-[0043], [0073], the APTDS maps each piece of the threat data to a corresponding APT attack phase, where the APT attack phase is defined based on kill chain model. The APT attack process divided into a plurality of detectable APT attack phases based on the kill chain model. For each piece of the threat data, APTDS map the piece of the threat data to the corresponding APT attack phase based on features of the threat data).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu and Younger with Chen. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to perform prevention for a network entity associated with a piece of threat data based on prevention strategies corresponding to a plurality of Advanced Persistent Threat  attack phases.
	Mircescu in view of Younger and Chen does not explicitly disclose, but in an analogous art, Israel discloses a stage of IoT kill chain associated with the security alert (paragraph [0053],“mapping each alert to a stage in the kill chain”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu, Younger and Chen with Israel. This would have been obvious because one of ordinary skill in the art would have been motivated to detect cyber attacks by correlating different groups of alerts that correspond to a valid cyber-kill chain into clusters of groups of alerts.

	Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Mircescu in view of Younger, further in view of Gong et al. (US Publication No. 2016/0065601).
	As per claim 28, Mircescu in view of Younger discloses all limitations of the claim as applied to claim 21 above. Mircescu in view of Younger does not explicitly disclose, but in an analogous art, Gong discloses calculating, based on one or more identified security threat facilitators and one or more security threat indicators, a breach likelihood score indicating a likelihood that the IoT device has been compromised (paragraph [0030], “a data collector is configured to correlate one or more first order indicators of compromise with the one or more second order indicators of compromise based on network patterns/data received from one or more data collectors …. Further, the data collector is configured to generate a risk score based on the correlation result”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu and Younger with Gong. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of detecting threat activity on a network.

	Claims 36-39 are rejected under 35 U.S.C. 103 as being unpatentable over Mircescu in view of Younger, further in view of Weingarten et al. (US Publication No. 2019/0052659).
	As per claim 36, Mircescu discloses a system comprising: a first one or more electronic devices to implement a cloud security service providing Internet of Things (IoT) security threat protection (paragraph [0101], protecting devices known as Internet of Things (IoT)), the cloud security service including instructions that upon execution cause the cloud security service to: obtain [device configuration] information related to an IoT device located in a computer network comprising a plurality of IoT devices and security data reflecting operation of the IoT device IoT security threat protection (paragraph [0081], “agent 41…perform a security assessment of client system 12…and may send security assessment data to configuration server 52 or security server 50”, paragraph [0101], IoT devices); generate, [based on the device configuration information], a recommendation for improving the security posture of the IoT device (paragraph [0081], the server(s) forward a security indicator to administration device. Security indicators include, among the others, an indication (recommendation) of whether a particular software object executing on client system is up to date and an indicator of a strength of a password used to protect client system (it is noted that such indicators recommend, for example, whether the software needs to be updated or not)); generate, [based on the security data], a security alert indicating potential malicious activity in the computer network (paragraph [0094], [0104] “send an event notification [security alert] …informing the user…that a security event has occurred”), and cause display of a graphical user interface (GUI) including an indication of the recommendation (paragraph [0081], the server(s) forward a security indicator to administration device for display to the user/administrator. Security indicators displayed to the user/administrator include, among the others, an indication of whether a particular software object executing on client system is up to date and an indicator of a strength of a password used to protect client system (it is noted that such indicators recommend, for example, whether the software needs to be updated or not)).
	Mircescu does not explicitly disclose obtain device configuration information; generate, based on the device configuration information, a recommendation; generate, based on the security data, a security alert; cause display of a graphical user interface (GUI) including the security alert; a second one or more electronic devices to implement an IoT agent, the IoT agent including instructions that upon execution cause the IoT agent to: collect the device configuration information and the security data from the IoT device; and send the configuration information and the security data to the cloud security service.
	However, in an analogous art, Younger discloses, obtain device configuration information (paragraph [0050], [0051] and [0054] the information collection module 409 of the network management tool 301 collect a wide variety of information and sent to advisor module); generate, based on the device configuration information, a recommendation (paragraph [0051], in response to receiving information the advisor module provides a set of recommendation. Paragraph [0053]-[0054], the advisor module provide recommendation for upgrading the network device); generate, based on the security data, a security alert (page 6, Table 1, advisor module 403 indicates recommendation (alerts) if determines no PC protection software present on devices); and cause display of a graphical user interface (GUI) including the security alert (figure 5, “network alerts: 8 alerts”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu with Younger. This would have been obvious because a person having ordinary skill in the art would have been motivated to monitor and analyze the configuration and usage of devices and then provide suggestions to improve the performance of the devices.
	Mircescu in view of Younger does not explicitly disclose, a second one or more electronic devices to implement an IoT agent, the IoT agent including instructions that upon execution cause the IoT agent to: collect the device configuration information and the security data from the IoT device; and send the configuration information and the security data to the cloud security service. However, in an analogous art, Weingarten discloses a second one or more electronic devices to implement an IoT agent (paragraph [0005], “a plurality of agents, wherein each of the plurality of agents is installed on a target endpoint device, the target endpoint device being one of a plurality of endpoint devices forming an elastic computer network”), the IoT agent including instructions that upon execution cause the IoT agent to: collect the device configuration information and the security data from the IoT device; and send the configuration information and the security data to the cloud security service (paragraph [0005], each agent monitors the operating system process and network communications of target endpoint to obtain a target endpoint data, and transmit the target endpoint data to a central server, the target endpoint data comprising information regarding at least one of the system processes or network processes to the target endpoint device, paragraph [0159], the endpoint data collected and transmitted includes, for example, internal activities of the endpoints, encrypted and non-encrypted data, inbound/outbound network traffic data, network usage, application usage, processor usage, time period usage, geographic location of the endpoints, corporate department, and/or the like).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu and Younger with Weingarten. This would have been obvious because a person having ordinary skill in the art would have been motivated to verify activities and network communications of multiple target devices in order to provide security for a network of target devices.
	As per claim 37, Mircescu furthermore discloses the security data is collected by an on-device agent (paragraph [0081], “agent 41…perform a security assessment of client system 12…and may send security assessment data to configuration server 52 or security server 50”), and Younger furthermore discloses  wherein the device configuration information and the security data is collected by an on-device agent (paragraph [0050], [0051] and  [0054]  a wide  variety of information sent to advisor module).
	The motivation is similar to the motivation provided in independent claim 36.
	As per claim 38, Mircescu furthermore discloses wherein the security data is collected by the cloud security service  (paragraph [0081], “security assessment data sent to configuration server 52 or security server 50”). Younger furthermore discloses the device configuration information is collected by the cloud security service (paragraph [0050], [0051] and  [0054]  a wide  variety of information sent to advisor module). The motivation is similar to the motivation provided in the independent claim 36.
	As per claim 39, Mircescu furthermore discloses wherein the data includes device profile data including at least one of. an indication of a device type, software running on the computing device, software versions running on the computing device, device network configurations, device encryption configurations, and wherein the data further includes device activity data including one or more of network traffic data, application data, file modification data, and device error activity (paragraph [0081], “updating software…for respective client system”, corresponding to sending a software update ).

	Claim 40 is rejected under 35 U.S.C. 103 as being unpatentable over Mircescu in view of Younger, in view of Weingarten, further in view of Brady et al. (US Publication No. 2018/0247515).
	As per claim 40, Mircescu in view of Younger and Weingarten discloses all limitations of claim as applied to claim 36 above. Mircescu in view of Younger and Weingarten does not explicitly disclose, but in an analogous art, Brady discloses, wherein the security alert is associated with a severity level (paragraph [0016], alert scoring scheme used to indicate the severity of an alert condition when it arises on a remote unattended IoT device).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mircescu, Younger and Weingarten with Brady. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to indicate the severity of a breach of an alert limit.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Zhang et al. (US Publication No. 2018/0270229) discloses systems and methods for identification. In certain aspects, packet data associated with a device can be analyzed and a score determined. The score and the threshold can be compared to determine a device identification for the device.
	Jain (US Publication  No. 2017/0099176), discloses a containerized architecture to secure and manage devices, such as "Internet of Things" devices. In various embodiments, one or more containerized applications are run, e.g., on an Internet of Things gateway. At least one of the containerized applications is a management agent configured to participate, in management of one or more other of said containerized applications.

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437