Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
This communication is in response to Application No. 17/208,889 filed on 22 March 2021. This application claims FOR priority to KR10-2020-0176184 filed on 16 December 2020.  	Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claim is directed towards “a computer-readable recording medium…” as recited in the claim. However, the specification did not define what type of medium is included in a computer readable medium. For instance, paragraph 0106 of Applicant’s specification states “any type of computer readable recording medium well known in the art.” According to MPEP 2111, examiner obliged to give the terms or phrases their broadest interpretation definition awarded by one of an ordinary skill in the art unless applicant has provided some indication of the definition of the claimed terms or phrases. Therefore, examiner interprets the computer readable recording medium including any type of medium which includes carrier medium such as signals. Signals are directed to a non-statutory subject matter.   	Thus, claim 20 is rejected under 35 U.S.C. 101 for directing to a non-statutory subject matter. The examiner further notes that the term computer readable storage media has been used by those of ordinary skill in the art to include signals.  Refer to U.S. Patent 6,286,104 (col. 3, lines 50-56 define storage medium is carrier wave signal) as an example. Applicant is advised to amend to “a non-transitory computer-readable recording medium” to overcome this rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 19 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 19 recites the limitation "the method of claim 18." Claim 18 is directed to an apparatus. Thus, there is insufficient antecedent basis for this limitation in the claim. For the purpose of this examination, Examiner interprets the claim to mean “the apparatus of claim 18.”

	Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 11, 12, 16-18, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US PGPUB 2021/0306354 A1 to Raghuramu et al.
Regarding Claim 1, Raghuramu discloses a method performed by a computing device for monitoring an abnormal behavior of a plurality of loT devices (FIG. 3 step 306, 0078, and 0083 provides for a network monitor device 280 for monitoring anomalies/abnormal behavior of IoT devices 234 and 236) comprising:  	determining abnormality of a behavior of each of the plurality of loT devices based on traffic data representing the behavior of each of the plurality of loT devices (0081, 0083, and 0092 provides for network monitor device 280 determining anomalies of behavior of IoT devices 234 and 236 based on network traffic, wherein the network traffic represents the behavior of the IoT devices 234 and 236); 	clustering the behavior of each of the plurality of loT devices based on the traffic data and a result of the determining the abnormality (0083 and 0094-0095 provides for clustering similar behavior of IoT devices based on network traffic pattern and determining anomalies); and  	generating data for representing a plurality of clusters formed as a result of the clustering (FIG. 4 and 0113-0114 provides for generating GUI 400 for representing a plurality of cluster 402-410 as a result of clustering based on similar behavior) such that a first cluster corresponding to a normal behavior cluster and a second cluster corresponding to an abnormal behavior cluster are displayed on different planes, the first cluster and the second cluster being divided based on the result of the determining the abnormality (Examiner interprets this to be an intended use limitation).
Regarding Claim 11, Raghuramu discloses the method of claim 1,  	wherein generating the data for representing the plurality of clusters comprises 	generating an individual indicator representing the behavior of the each of the plurality of loT devices included in a target cluster (FIG. 4 and 0113 provides for generating a color representing the behavior of each of the devices in each cluster).
Regarding Claim 12, Raghuramu discloses the method of claim 11,  	wherein generating the individual indicator comprises  	generating data for highlighting the individual indicator representing the behavior, the highlighting being based on a duration of the behavior (FIG. 4 and 0113 provides for generating a color representing the behavior of each of the devices in each cluster, wherein an anomalous cluster is highlighted red and the other clusters are colored blue).
Regarding Claim 16, Raghuramu discloses the method of claim 1 further comprises  	regenerating the data for representing the plurality of clusters at each predetermined time interval (FIG. 6, 0020, 0037, and 0057 provides for various time periods).
Regarding Claim 17, Raghuramu discloses the method of claim 16,  	wherein regenerating the data for representing the plurality of clusters comprises 	gradually representing a process of changing display data for the plurality of clusters (FIG. 6 and 0020, 0037, and 0057 provides for user-configurable time periods).
Regarding Claim 18, similar rejection where the method of claim 1 teaches the apparatus of claim 18.
Regarding Claim 20, similar rejection where the method of claim 1 teaches the computer-readable recording medium of claim 20.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 7, 8, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Raghuramu as applied to claims 1 and 18 above, and further in view of US PGPUB 2017/0310691 A1 to Vasseur et al 
Regarding Claim 2, Raghuramu discloses the method of claim 1. 	Raghuramu doesn’t explicitly disclose wherein the clustering comprises, generating a vector corresponding to the behavior of each of the plurality of loT devices based on the traffic data and the result of the determining the abnormality; reducing a dimension of the vector to a predetermined dimension; and clustering the behavior of each of the plurality of loT devices based on a dimension-reduced vector. 	Vasseur, in a similar field of endeavor, discloses generating a vector corresponding to the behavior of each of the plurality of loT devices based on the traffic data and the result of the determining the abnormality (0033 and 0074-0075 provides for generating a vector corresponding to the behavior of devices in an Internet of Things network based on traffic and anomaly detection); 	reducing a dimension of the vector to a predetermined dimension (0052 and 0105 provides for dimensionality reduction using PCA, or Principal Component Analysis); and  	clustering the behavior of each of the plurality of loT devices based on a dimension-reduced vector (0052 and 0105 provides for classifying the behavior into a sub-optimal number of classes, i.e. clustering the behavior, based on the reduced dimension of the considered spaces, i.e. a dimension-reduced vector, to reduce the number of behavioral edge patterns). 	One of ordinary skill in the art before the effectively filed date of the claimed invention would have recognized the ability to utilize the teachings of Vasseur for representing connections in a low dimensional space. The low dimensionality spaces of Vasseur, when implemented with the enhanced clustering analysis of the Raghuramu system, will allow one of ordinary skill in the art to perform dimensionality reduction, in order to define a normal region in a space with a high number of dimensions/features. Therefore, the examiner concludes it would have been obvious to one of ordinary skill in the art before the effective filing date of the application to utilize low dimensionality spaces of Vasseur with the enhanced clustering analysis of the Raghuramu system for the desirable purpose of differentiating between noise and relevant anomalies in a network.
Regarding Claim 3, the Raghuramu/Vasseur system discloses the method of claim 2 further comprises  	extracting, from the traffic data, an origination country of traffic (Vasseur, 0080 and 0084 provides for refining data based on country) or a destination county of the traffic. 	Same motivation as claim 2.
Regarding Claim 4, the Raghuramu/Vasseur system discloses the method of claim 2 further comprises  	extracting, from the traffic data, port information related to traffic, the port information including an originating port or a destination port (Raghuramu, 0021 provide for destination port and source port).
Regarding Claim 7, the Raghuramu/Vasseur system discloses the method of claim 2,  	wherein reducing the dimension of the vector to the predetermined dimension comprises reducing the dimension of the vector to two dimensions using PCA (Principal Components Analysis) (Vasseur, 0052 and 0105 provides for dimensionality reduction using PCA, or Principal Component Analysis). 	Same motivation as claim 2.
Regarding Claim 8, the Raghuramu/Vasseur system discloses the method of claim 2,  	wherein clustering the behavior of each of the plurality of loT devices based on the dimension-reduced vector comprises clustering the behavior of each of the plurality of loT devices using DBSCAN (Density-Based Spatial Clustering of Applications with Noise) (Vasseur, 0051-0052 provides for DBSCAN clustering algorithm). 	Same motivation as claim 2.
Regarding Claim 19, similar rejection where the method of claim 2 teaches the apparatus of claim 19.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over the Raghuramu/Vasseur system as applied to claim 4 above, and further in view of NPL Service Name and Transport Protocol Port Number Registry (hereafter IANA).
Regarding Claim 5, the Raghuramu/Vasseur system discloses the method of claim 4. 	The Raghuramu/Vasseur system doesn’t explicitly disclose based on a type of the port being a well-known port type, designating a port number as the port information, and based on the type of the port being a registered port type or a dynamic port type, designating a predetermined character string as the port information. 	IANA, in a similar field of endeavor, discloses based on a type of a port being a well-known port type, designating a port number as port information (pg. 1, Reference, RFC 6335 provides for designating System Ports (0-1023) as a well-known port type, designating a port number as per its IANA assignment), and  	based on the type of the port being a registered port type or a dynamic port type, designating a predetermined character string as the port information (pg. 1, Reference, RFC 6335 provides for designating User Ports (1024-49151) as a registered port type or designating the Dynamic and/or Private Ports (49152-65535) as a dynamic port type, designating service identifiers as the port information). 	One of ordinary skill in the art before the effectively filed date of the claimed invention would have recognized the ability to utilize the teachings of IANA for designating assignments based on the International Assigned Numbers Authority. The port assignment of the IANA, when implemented with the enhanced clustering analysis of the Raghuramu/Vasseur system, will allow one of ordinary skill in the art to perform extract port information from devices in a cluster, in order to define the communications transmitted to/from the device. Therefore, the examiner concludes it would have been obvious to one of ordinary skill in the art before the effective filing date of the application to utilize the port assignment of the IANA with the enhanced clustering analysis of the Raghuramu/Vasseur system for the desirable purpose of organizing a network architecture to better identify anomalies.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over the Raghuramu/Vasseur system as applied to claim 4 above, and further in view of US PGPUB 2021/0203605 A1 to Shon et al.
Regarding Claim 6, the Raghuramu/Vasseur system discloses the method of claim 2. 	The Raghuramu/Vasseur system doesn’t explicitly disclose one-hot encoding an information of a protocol associated with the traffic data. 	Shon, in a similar field of endeavor, discloses one-hot encoding an information of a protocol associated with the traffic data (0036-0038 provides for one-hot encoding of categorical data, such as a protocol, and representing an item as true or false). 	One of ordinary skill in the art before the effectively filed date of the claimed invention would have recognized the ability to utilize the teachings of Shon for utilizing the one-hot encoding method. The one-hot encoding of the Shon system, when implemented with the enhanced clustering analysis of the Raghuramu/Vasseur system, will allow one of ordinary skill in the art to transform character or categorical data to a relevant binary vector, in order to eliminate the influence of computation bias. Therefore, the examiner concludes it would have been obvious to one of ordinary skill in the art before the effective filing date of the application to utilize the one-hot encoding of the Shon system with the enhanced clustering analysis of the Raghuramu/Vasseur system for the desirable purpose of reducing the amount of computation for a deep-learning model and therefore improving accuracy of the results of the deep-learning model.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over the Raghuramu/Vasseur system as applied to claim 2 above, and further in view of US PGPUB 2020/0112571 A1 to Koral et al.
Regarding Claim 9, the Raghuramu/Vasseur system discloses the method of claim 2,  	wherein determining the abnormality of the behavior of each of the plurality of loT devices based on the traffic data representing the behavior of each of the plurality of loT devices comprises  	generating a score representing the abnormality of the behavior of each of the plurality of loT devices (Raghuramu, 0012 and 0094 provides for generating risk scores based on behavior in network traffic patterns of IoT devices). 	The Raghuramu/Vasseur system doesn’t explicitly disclose wherein generating the data for representing the plurality of clusters comprises generating the data for displaying the dimension-reduced vector corresponding to the behavior of each of the plurality of loT devices and the score in a three-dimensional space. 	Koral, in a similar field of endeavor, discloses generating data for displaying a dimension-reduced vector corresponding to behavior of each of a plurality of loT devices and a score in a three-dimensional space (0029, 0052, 0082, and 0096 provides for representing anomalous network traffic data by applying PCA to reduce a vector corresponding to behavior of IoT devices and the distance/score is shown in a feature space of three dimensions). 	One of ordinary skill in the art before the effectively filed date of the claimed invention would have recognized the ability to utilize the teachings of Koral for utilizing a principal component analysis (PCA) to reduce a feature spaces of anomalies to three dimensions for visualization in a graph. The three dimensions graph of the Koral system, when implemented with the enhanced clustering analysis of the Raghuramu/Vasseur system, will allow one of ordinary skill in the art to transform the anomalies into three-dimensional visualization, in order to graph anomalous traffic in a network. Therefore, the examiner concludes it would have been obvious to one of ordinary skill in the art before the effective filing date of the application to utilize the three dimensions graph of the Koral system with the enhanced clustering analysis of the Raghuramu/Vasseur system for the desirable purpose of visually displaying the anomalous of a network.
Regarding Claim 10, the Raghuramu/Vasseur/Koral system discloses the method of claim 9,  	wherein generating the data for representing the plurality of clusters comprises 	generating the data such that the first cluster is displayed in a space where a z- axis value is positive in the three-dimensional space, and the second cluster is displayed in the space where the z-axis value is negative in the three-dimensional space (Koral, 0096 provides for the processing system may apply a principal component analysis (PCA) to reduce to two or three dimensions for visualization in the graph). 	Same motivation as claim 9.

Claims 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over the Raghuramu system as applied to claims 1 and 11 above, and further in view of US PGPUB 2020/0396147 A1 to Han et al.
Regarding Claim 13, Raghuramu discloses the method of claim 11. 	Raghuramu doesn’t explicitly disclose wherein generating the individual indicator comprises generating display data for highlighting the individual indicator representing a behavior of an loT device that has been newly identified as falling into the target cluster. 	Han, in a similar field of endeavor, discloses generating display data for highlighting an individual indicator representing a behavior of an loT device that has been newly identified as falling into a target cluster (0115 provides for generating perspectives for highlighting anomaly events representing basic events with correlating insights, i.e. a behavior of a device that has been newly identified as falling into a target cluster). 	One of ordinary skill in the art before the effectively filed date of the claimed invention would have recognized the ability to utilize the teachings of Han for sampling target metrics in temporal perspectives. The temporal-based detection technique of the Han system, when implemented with the enhanced clustering analysis of the Raghuramu system, will allow one of ordinary skill in the art to review the anomalies based on time, in order to identify correlations behind basic events and identify devices failing into clusters. Therefore, the examiner concludes it would have been obvious to one of ordinary skill in the art before the effective filing date of the application to utilize the temporal-based detection technique of the Han system with the enhanced clustering analysis of the Raghuramu system for the desirable purpose of visually displaying the anomalous behavior of a network.
Regarding Claim 14, Raghuramu discloses the method of claim 1. 	Raghuramu doesn’t explicitly disclose wherein generating the data for representing the plurality of clusters comprises generating the data for highlighting a target cluster based on the number of behaviors of loT devices that have been newly identified as falling into the target cluster per unit time. 	Han, in a similar field of endeavor, discloses generating data for highlighting a target cluster based on a number of behaviors of loT devices that have been newly identified as falling into the target cluster per unit time (0115 provides for generating perspectives for highlighting anomaly events representing basic events with correlating insights, i.e. a number of behaviors of loT devices that have been newly identified as falling into the target cluster per unit time). 	Same motivation as claim 13.
Regarding Claim 15, Raghuramu discloses the method of claim 1. 	Raghuramu doesn’t explicitly disclose wherein generating the data for representing the plurality of clusters comprises in response to recognizing a behavior of a loT device that has been newly identified as falling into the second cluster, generating the data for highlighting the second cluster. 	Han, in a similar field of endeavor, discloses in response to recognizing a behavior of a loT device that has been newly identified as falling into the second cluster, generating the data for highlighting the second cluster (0115 provides for generating perspectives for highlighting anomaly events representing basic events with correlating insights, i.e. a number of behaviors of loT devices that have been newly identified as falling into the target cluster per unit time). 	Same motivation as claim 13.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US PGPUB 2021/0344695 A1 to Palani et al discloses an anomaly detection utilizing supervised algorithms.
US PGPUB 2018/0191758 A1 to Abbaszadeh et al discloses measuring data in a low dimensional vector space.
US PGPUB 2021/0144167 A1 to Glukhov et al discloses anomaly detection algorithms.
US PGPUB 2018/0212989 A1 to Mavani discloses port reservations via the Internet Assigned Numbers Authority (IANA).
US Patent 11,108,621 B1 to Shirvani et al discloses a new motif is expected fall in the abnormal cluster when an anomaly is detected.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCHQUITA GOODWIN whose telephone number is (571)272-5477. The examiner can normally be reached M-F 9am - 5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tonia Dollinger can be reached on (571) 272-4170. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SCHQUITA D GOODWIN/Examiner, Art Unit 2459