DETAILED ACTION
1.	This action is responsive to the communications filed on 04/25/2022.
2.	Claims 1-20 are pending in this application.
3.	Claims 1, 8, 15, have been amended.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s argument with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection.
Although a new ground of rejection has been used to address limitations of claims 1, 8, 15, a response is considered necessary for several of applicant's arguments since reference Luo will continue to be used to meet several claimed limitations.
a.	In the rejection of independent claims 1, 8, and 15, the Office Action at page 4 relies on Luo at paragraphs [0152, 0153] for teaching "receiving..." and "activating..." as recited in a previous version of the claims. However, Applicant submits that the cited portions of Luo fail to teach or suggest "receiving, by the edge device and from the IoT device, an indication to activate the virtualized copy of the IoT device; activating, by the edge device and based on the indication, the virtualized copy of the IoT device," as recited in the amended claims, at least because the cited portions of Luo make no mention of activating the honeypot, much less based on an indication from the IoT device to do so, as claimed. 
The Office Action at page 4 asserts that Luo at paragraphs [0152, 0153] teaches the above claim limitations, stating (emphasis added) "Paragraph 152, a request is sent from an attacker to an IP address that is associated with a honeypot instance for IoT devices. Paragraph 153, determining a response to the request by actively probing (i.e., activating) physical IoT devices on the Internet." 
Here, Applicant notes that the described request in Luo is received from an attacker - not from the IoT device of which the honeypot is emulating. Furthermore, Applicant notes that the request received is not an indication from the IoT device to activate the honeypot, 9XRPS920190046-US-NPas claimed. The Office's citation of Luo's description of actively probing physical IoT devices on the Internet in order for the honeypot to learn how the IoT device responds so that the honeypot may better mimic the IoT device is a disclosure that fails to teach or suggest the claimed element of activating the virtualized copy of the IoT device. In fact, Applicant submits that Luo is completely silent as to activating the honeypot at all, much less based on an indication to do so received from the IoT device, as claimed (Applicant’s remarks, Pages 8-10).

In response: The examiner respectfully disagrees.
In Luo, the honeypot is an emulation of the IoT device. The honeypot is only activated after an ‘active probing’ session where the honeypot collects information for the IoT devices by sending out a request for response from the IoT device. When the responses come back from the IoT device, if one of the responses are deemed as a higher probability that is it is from an attacker (i.e., indication), the honeypot will then generate a response (i.e., honeypot is activated) for the IoT device based on learned knowledge.
Therefore, the rejection is respectfully maintained.

b.	The Cited References Do Not Teach Or Suggest Dependent Claims 2, 9, and 16 In the rejection of dependent claims 2, 9, and 16, the Office Action at page 6 relies on Luo at paragraphs [0022, 0152] for teaching or suggesting "wherein hosting, on the edge device, the virtualized copy of an IoT device includes hosting a copy of a software stack of the IoT device." Applicant disagrees, at least because the cited portions of Luo make no mention at all of the honeypot including a copy of a software stack of the IoT device, as claimed, and instead explicitly teaches against such elements. Specifically, Luo at XRPS920190046-US-NPleast at paragraphs [0037, 0048] describes the honeypot as not actually running the system / software of the IoT device and instead describes the honeypot as merely imitating the responses of the IoT device (Applicant’s remarks, Pages 11-12).

In response: The examiner respectfully disagrees. 
In paragraph 37 of Luo, Luo discloses an issue with high interaction honeypots where they may be abused by an attacker. In paragraph 48, Luo discloses simulating the behavior of IoT devices but does not say that the simulating does not include running the system or software. Luo does disclose that the honeypot instance for IoT devices sends a response to the attacker, where the attacker is unable to detect that the response is associated with an emulated IoT device (Paragraph 22). The intelligent honeypot of Luo is a form of a high interaction honeypot, which includes full-fledged operating systems and use real systems for the attacker to interact with (Paragraph 31). As the high interaction honeypot is an emulation of the IoT device, this full fledged operating system and real system of the honeypot would be of the IoT device in order to make the attacker think it is coming legitimately from the IoT device and not the high interaction honeypot. 
Therefore, the rejection is respectfully maintained. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Luo et al. (US 2019/0081980) in view of Maresca (US 2017/0195345) and White et al. (US 2021/0051177).
Regarding claim 1, Luo disclosed:
A method of edge device assisted mitigation of attacks, the method comprising (Paragraph 29, using an intelligent interaction honeypot for IoT devices that processes requests and code sent from the attackers (i.e., mitigates). Paragraph 152, honeypot instance for IoT devices is executed on a server (i.e., edge device)): 
hosting, on an edge device, a virtualized copy of an Internet-of-Things (IoT) device (Paragraph 22, an attacker being unable to detect that the response is associated with an emulated (i.e., virtualized copy) IoT device. Paragraph 44, Figure 1, showing all components of the intelligent honeypot, which together share data through a learning process. Paragraph 152, the honeypot instance for IoT devices is implemented using a virtual machine instance executed on a server that emulates of the IoT device); 
receiving, by the edge device and from the IoT device, an indication to activate the virtualized copy of the IoT device (Paragraph 23, the honeypot for IoT devices collects information for the physical IoT devices by performing active probing which includes sending a request to receive a plurality of responses (i.e., indication) from each of the IoT devices. One of the responses is selected based on automated machine learning of the active probing of the IoT devices. Paragraph 28, determining which response to select based on learning which responses result in a higher probability that it is from an attacker. Paragraph 48, the honeypot generates a response (i.e., activate) to the attacker based on learned knowledge); 
activating, by the edge device and based on the indication, the virtualized copy of the IoT device (Paragraph 153, the honeypot instance for IoT devices is then automatically generated (i.e., activating) by using the active probing of physical IoT devices and using machine learning); 
applying, by the virtualized copy of the IoT device, security policies to incoming traffic (Paragraph 65, when the traffic is captured, filtering out requests containing exploit code (i.e., security policy)); and 
While Luo disclosed mitigating attacks (see above), Luo did not explicitly disclose publish-subscribe denial of service (DOS) attacks and applying security policies to incoming traffic received from one or more subscription topics.
However, in an analogous art, Maresca disclosed publish-subscribe denial of service attacks (Paragraph 5, in publish/subscribe systems, a DoS attack is used by an attacker to attempt to overwhelm the infrastructure by sending a large number of malicious requests);
applying security policies to incoming traffic received from one or more subscription topics (Paragraph 5, a large number of malicious requests targeting topics with large fan out at subscription time. Paragraphs 32-33, Figure 2, system for detecting, preventing, and mitigating a DoS attack. Implementing a defense pipeline that includes two main stages, detection and mitigation. The mitigation state deals with the attacks and applies a set of specified reaction policies (i.e., security policies). Paragraph 64, the detector has the ability to decide whether to block and completely filter out certain incoming events, in case it recognizes incessant attempts).
	One of ordinary skill in the art would have been motivated to combine the teachings of Luo with Maresca because the references involve mitigation of attacks, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the applying security policies of Maresca with the teachings of Luo in order to continuously detect and manage DoS attacks in order to reduce the efficacy of malicious attacks (Maresca, Paragraph 63).
	While Luo and Maresca disclose blocking and filtering malicious events (see above), Luo and Maresca did not explicitly disclose transmitting, by the virtualized copy of the IoT device to the IoT device, sanitized traffic obtained from the received incoming traffic.
	However, in an analogous art, White disclosed transmitting, by the virtualized copy of the IoT device to the IoT device, sanitized traffic obtained from the received incoming traffic (Figure 5, showing multi-access server 502 (i.e., virtualized copy of IoT device) including a virtualized device management client 504 and the IoT device 204 including a localized device management client 506. Paragraph 62, localized device management client 506 contacting virtualized device management client 504 via communication link 508. Figure 12, Paragraphs 101-102, showing the multi-access server 502 including a security virtualization system 1000. The security virtualization system intercepts data that is transmitted to the IoT device from an application server to apply one or more security services in accordance with a policy for the IoT device. For example, scanning the intercepted data for malicious data or detecting whether the intercepted data may be part of an attempt to overwhelm, compromise, or intrude upon the IoT device. The security virtualization system delivers sanitized data to the IoT device. The sanitized data is a version of the intercepted data where malicious data has been removed if such was detected). 
	One of ordinary skill in the art would have been motivated to combine the teachings of Luo and Maresca with White because the references involve mitigation of attacks, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the transmitting of White with the teachings of Luo and Maresca in order to more efficiently communicate with IoT devices (White, Paragraph 29).
	Regarding claims 8, 15, the claims are substantially similar to claim 1 and are therefore rejected under the same rationale. 
	Regarding claims 2, 9, 16, the limitations of claims 1, 8, 15, have been addressed. Luo, Maresca, and White disclosed:
	wherein hosting, on the edge device, the virtualized copy of an IoT device includes hosting a copy of a software stack of the IoT device (Luo, Paragraph 22, the attacker is unable to detect that the response is associated with an emulated (i.e., virtualized copy) IoT device. Paragraph 152, honeypot instances emulating various IoT devices. As the IoT devices are emulated, a copy of the software stack is included).
	Regarding claims 3, 10, 17, the limitations of claims 1, 8, 15, have been addressed. Luo, Maresca, and White disclosed:
	wherein receiving, from the IoT device, the indication to activate the virtualized copy of the loT device includes receiving a report of a DoS attack on the IoT device (Maresca, Paragraph 22, automatically spot patterns, alert, log, and react or even proactively act to prevent DoS attacks).
	For motivation, please refer to claim 1.
	Regarding claims 4, 11, 18, the limitations of claims 1, 8, 15, have been addressed. Luo, Maresca, and White disclosed:
	wherein activating, by the edge device, the virtualized copy of the IoT device includes subscribing, by the virtualized copy of the IoT device, to one or more topics subscribed to by the IoT device (Luo, Paragraph 29, using an intelligent interaction honeypot for IoT devices that processes requests and code sent from the attackers. Paragraph 152, the honeypot instance for IoT devices is implemented using a virtual machine instance executed on a server (i.e., edge device) that emulates (i.e., is a copy) of the IoT device. Maresca, Paragraph 94, the mitigator is activated based on the detection algorithm. Paragraph 95, the mitigator’s responsibilities include subscription and publication requests).
	For motivation, please refer to claim 1.
	Regarding claims 5, 12, 19, the limitations of claims 1, 8, 15, have been addressed. Luo, Maresca, and White disclosed:
	wherein applying, by the virtualized copy of the IoT device, security policies to incoming traffic received from the one or more subscription topics includes: identifying an application-specific threat in the incoming traffic (Luo, Paragraph 65, when the traffic is captured, filtering out requests containing exploit code (i.e., application-specific threat. Maresca, Paragraph 5, a large number of malicious requests targeting topics with large fan out at subscription time. Paragraphs 32-33, Figure 2, system for detecting, preventing, and mitigating a DoS attack); and 
implementing an application-specific security policy that mitigates the identified threat (Maresca, Paragraphs 32-33, Figure 2, system for detecting, preventing, and mitigating a DoS attack. Implementing a defense pipeline that includes two main stages, detection and mitigation. The mitigation state deals with the attacks and applies a set of specified reaction policies (i.e., application-specific security policy)).
For motivation, please refer to claim 1.
Regarding claims 6, 13, 20, the limitations of claims 1, 8, 15, have been addressed. Luo, Maresca, and White disclosed:
further comprising: providing a discoverable service for application-specific traffic filtering to the IoT device (Luo, Paragraph 152, a request is sent from an attacker to an IP address that is associated with a honeypot instance for IoT devices (i.e., discoverable); 
authenticating the edge device to the IoT device (Luo, Paragraph 138, authentication returned from the web server to the IoT device); 
installing the virtualized copy of the IoT device (Luo, Paragraph 152, executing the honeypot instance on the server);
establishing a cryptographic communication channel with the IoT device (White, Paragraph 113, subsequent to the applying of the security service, sanitized data is delivered to the IoT device by way of a secure connection between the security virtualization system and the IoT device. Paragraph 139, security service 1306 (which is part of security virtualization system) is applied to the intercepted data by decrypting incoming messages and encrypting outgoing messages. Securing the data using an encryption scheme…before being passed along to an IoT device).
For motivation, please refer to claim 1.
Regarding claims 7, 14, the limitations of claims 1, 8, have been addressed. Luo, Maresca, and White disclosed:
wherein the edge device is at least one of an edge server, a router, and a routing switch, and wherein the IoT device is an end-point device (Luo, Paragraph 2, IoT device is a network embedded device (i.e., end-point device). Paragraph 152, the honeypot instance for IoT devices is implemented using a virtual machine instance executed on a server (i.e., edge server) that emulates of the IoT device).




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Steven C Nguyen whose telephone number is (571)270-5663. The examiner can normally be reached M-F 7AM - 3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/S.C.N/Examiner, Art Unit 2451 


/Chris Parry/Supervisory Patent Examiner, Art Unit 2451