DETAILED ACTION
The following claims are pending in this office action: 1-6, 8-12, and 16-20
The following claims are amended: 1-4, 6, 8-9, 11, and 16-20
The following claims are new: -
The following claims are cancelled: 7, and 13-15
Claims 1-6, 8-12, and 16-20 are rejected. This rejection is FINAL.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Previous Interpretation and Rejections Withdrawn
The 35 U.S.C. § 112(f) interpretations are withdrawn based on the amendments.
The 35 U.S.C. § 112(b) rejections are withdrawn based on the amendments.
RESPONSE TO ARGUMENTS
Applicant’s arguments filed in the amendment filed 06/09/2022 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment. 
Applicant notes: Independent claims 1 and 9 are amended to include additional limitations including “a security analytics framework for a chip or particular integrated circuit (IC)”, “a risk predictor of the security analytics framework for the chip or particular IC”, “context information for a particular application of the chip or particular IC”, “a current security configuration of the security analytics framework for the chip or particular IC”, “wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC that a data scavenger of the security analytics framework captures”, “a particular security configuration for the security analytics framework for the chip or particular IC”, and “security analytics framework for the chip or particular IC, wherein the at least one component comprises the data scavenger, wherein the particular security configuration updates the first configuration to a second configuration of elements of interests of the plurality of elements of interest on the chip or particular IC that the data scavenger captures”. These and any other new limitations have been mapped to Garvey et al. (US Pub. 2020/0267057) in view of Salunke et al. (US Pub. 2019/0373007) and in view of Loubet Moundi (US Pub. 2017/0053140) below and rejected accordingly.  
Independent claim 9 is amended in a similar way to claim 1 and is mapped to Garvey et al. (US Pub. 2020/0267057) in view of Salunke et al. (US Pub. 2019/0373007) and in view of Loubet Moundi (US Pub. 2017/0053140) below and rejected accordingly.  
Dependent claims 1-6, 8, 10-12, and 16-20 depend on independent claims 1 and 9.  The amended elements in the claims have been mapped to Garvey et al. (US Pub. 2020/0267057) in view of Salunke et al. (US Pub. 2019/0373007) and in view of Loubet Moundi (US Pub. 2017/0053140) below and rejected accordingly.  below, and so any additional features to the dependent claims are rejected accordingly.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 9, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Garvey et al. (US Pub. 2020/0267057) (hereinafter “Garvey”) in view of Salunke et al. (US Pub. 2019/0373007) (hereinafter “Salunke”) and in view of Loubet Moundi (US Pub. 2017/0053140) (hereinafter “Loubet”)

As per claim 1, Garvey teaches a method to provide moderation to a security analytics ([Garvey, para. 0074] “The anomaly detection process further includes selecting a set of one or more sample values … analyzed one by one and/or in sequences”: security analytics) framework ([para. 0044] “Fig. 1 illustrates example system 100 for automatically detecting, summarizing, and responding to anomalous time series signals”: a framework that includes the security analytics) for a chip or particular integrated circuit (IC), ([para. 0168] “the techniques described herein are implemented by… one or more application-specific integrated circuits”; [Fig. 1] as the system includes the target, the target is an integrated circuit) the method comprising: sending a first model ([para. 0067] “an anomaly detection system may train, define or otherwise include [send] a baseline model [first model] representing expected patterns of behavior”) to a risk predictor of the security analytics framework for the chip or particular IC, ([para. 0056] “anomaly detector 131 [risk predictor] may output a set of data that indicates which sample data points within a given time series are anomalous [predicting risk]… determined from [sending] a baseline model“) wherein the first model includes context information for a particular application of the chip or particular IC; ([para. 0071] “baseline models representing active sessions, I/O latency, average response time, and/or other metrics“ [context information for a particular application of the IC, the particular application being “different patterns of behavior [use]” of the CPU])
receiving operational data of the chip or particular IC; ([Garvey, para. 0071] “Agents 114a-j comprise hardware and/or software logic for capturing time series measurements [operational data] from a corresponding target … and sending these metrics to the data collector”; “an agent may include one or more hardware sensors, such as microelectromechanical (MEMs) accelerometers, thermometers, pressure sensors, heart rate monitors, etc., that capture time series measurements of a physical environment and/or resource” [operational data])
sending the second model to at least the risk predictor; ([Garvey, para. 0092] “the formula above [calculation of risk: see para. 0090 – “the summarization process includes identifying a set of anomalies” … “the summarization process further includes calculating the relative severity of the anomalies”] may be supplemented [sending]… different baseline models are used [second model]; [para. 0054] “functions described with respect to one component may instead be performed by another component” therefore, the anomaly detector/risk predictor performs the summarization process that receives the different models)
determining whether to make an adjustment to a current security configuration of the security analytics framework for the chip or particular IC ([Garvey, para. 0061] “response interface 134 may provide an interface though which a resource configuration [current security configuration] may be modified [determining whether to make an adjustment]”) based on at least the received operational data; ([para. 0061] “one or more responsive actions may be invoked… automatically based on the generated summaries” [a determination based on at least the received operation data – see para. 0078-79: a summary is generated from the scavenged time series data])
sending the particular security configuration to at least one component of the security analytics framework for the chip or particular IC, ([Garvey, para. 0061] “Response interface 134 may interact [sending] with other components of the system [to at least one component] … through which a resource may be … restarted [the particular security configuration]”) wherein the at least one component comprises the data scavenger, ([Fig. 1] the components of the security analytics framework includes Data Collector 120 [data scavenger]) and the plurality of items of interest on the chip or particular IC that a data scavenger of the security analytics framework captures.  ([para. 0051] “Data collector 120 includes logic for aggregating sample data captured by agents 114a-j into a set of one or more time series signals or data objects [a plurality of items of interest]”.  Changing a first configuration to a second configuration of elements of interest is taught by Loubet below)
Garvey does not clearly teach performing training on one or more stored models including the first model using the received operational data to generate at least a second model; wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC; determining a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC.
However, Salunke teaches performing training on one or more stored models including the first model using the received operational data to generate at least a second model.  ([Salunke, para. 0100] “Fig. 9 illustrates an example evolution [training] of a baseline model in accordance with one or more embodiments; [para. 0101] “a baseline model [second model] may be trained [generated] by fitting a non-seasonal model [first model] to the training dataset [received operational data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey with the teachings of Salunke to include performing training on one or more stored models including the first model using the received operational data to generate at least a second model.  One of ordinary skill in the art would have been motivated to make this modification because by updating baseline models over time, a baseline model may evolve and become more accurate over time.  (Salunke, para. 0040)
Garvey in view of Salunke does not clearly teach wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC; determining a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and sending the particular security configuration to at least one component of the security analytics framework for the chip or particular IC, wherein the at least one component comprises the data scavenger, wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC.
However, Loubet teaches wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest ([Loubet, para. 0036] “security configurations [first configuration] are chosen among the group [comprises one or more elements of interest] formed by clock frequency settings, clock configuration settings, side-channel protections, random process configurations [a plurality of elements of interest]”) on the chip or particular IC; ([para. 0008] “a dynamic change of security configurations [a current security configuration] in an integrated circuit product [particular IC]”)
determining a particular security configuration for the security analytics framework for the chip or particular IC ([Loubet, para. 0031-0032] “detecting a specific communication mode, selecting a specific security configuration [determining a particular security configuration] associated with a communication mode” [the limitation ‘analytics framework’ is broadly interpreted as a communication mode in light of the specification as a communication mode “can combine monitoring and intelligence to help defeat attackers seeking to extract information from a chip or system” – see para. 0021 of the specifications of the instant application]) based on at least the received operational data; and ([para. 0048] “during such executions, a specific event occurs [operational data]”.  [Para. 0049 and para. 0055] This specific event is used to increment a transaction counter which is used to change the security configuration)
wherein the particular security configuration updates the first configuration to a second configuration ([Loubet, para. 0054; para. 0070] “the method comprises a change [update] of security configuration”; “the step of TG triggering the change of security configuration… from CF0 [first configuration] to CFN+1 [second configuration]) of elements of interest of the plurality of elements of interest on the chip or particular IC. ([para. 0036] “security configurations [first configuration] are chosen among the group [comprises one or more elements of interest] formed by clock frequency settings, clock configuration settings, side-channel protections, random process configurations [a plurality of elements of interest]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey in view of Salunke with the teachings of Loubet to include wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC; determining a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC.  One of ordinary skill in the art would have been motivated to make this modification because such changes in the security configuration introduce a discontinuity and render non exploitive the curves/data obtained after this discontinuity.  (Loubet, para. 0011)

As per claim 2, Garvey in view of Salunke and Loubet teaches claim 1.
Garvey also teaches wherein receiving the operational data of the chip or particular IC comprises: receiving the operational data from at least a data scavenger of the security analytics framework for the chip or particular IC system.  ([Garvey, para. 0051] “Data collector 120 [data scavenger] may …  provide [receiving ] the time series data [operational data] to anomaly management services [security analytics framework)

As per claim 3, Garvey in view of Salunke and Loubet teaches claim 1.  
Garvey also teaches wherein receiving the operational data of the chip or particular IC comprises: receiving the operational data from at least a data analyzer of the security analytics framework for the chip or particular IC.  ([Garvey, para. 0051] “correlation analytic 132 [data analyzer] identifies correlations between disparate time series based on overlapping anomaly time ranges”. [Para. 0054] The functions described with respect to one component [providing operational data] may instead be performed by another component)

As per claim 4, Garvey in view of Salunke and Loubet teaches claim 1.  
Garvey also teaches wherein receiving the operational data of the chip or particular IC comprises: receiving the operational data from at least the risk predicator.  ([Garvey, para. 0056] “anomaly detector 131 [risk predictor] may output a set of data that indicates which sample data points within a given time series are anomalous [predicting risk]; [Para. 0054] The functions described with respect to one component [providing operational data] may instead be performed by another component)

As per claim 5, Garvey in view of Salunke and Loubet teaches claim 4.  
Garvey also teaches wherein the operational data from the risk predictor comprises a numerical value that indicates a threat score.  ([Garvey, para. 0038] “summaries [operational data from the risk predictor] are assigned a score [numerical value] based on the relative severities of the anomalies being summarized…  lower-scored anomalies, which may include false positives, may be ignored or addressed in a manner that optimizes efficiency [indicates a threat score]”)

As per claim 9, Garvey teaches a moderator system to moderate a security analytics ([Garvey, para. 0074] “The anomaly detection process further includes selecting a set of one or more sample values … analyzed one by one and/or in sequences”: security analytics) framework ([para. 0044] “Fig. 1 illustrates example system 100 for automatically detecting, summarizing, and responding to anomalous time series signals”: a framework that includes the security analytics) for a chip or particular integrated circuit (IC), ([para. 0168] “the techniques described herein are implemented by… one or more application-specific integrated circuits”; [Fig. 1] as the system includes the target, the target is an integrated circuit) the moderator system comprising: a moderator controller; ([para. 0168] “the techniques described herein are implemented by … device that incorporated hard-wired and/or program logic to implement the techniques” [a controller]; [para. 0144] system 100 takes “automatic actions … to correct performance degradation and mitigate [moderate] any damage that might be caused by the anomalous behavior”)
an interface for communicating with components of the security analytics framework, ([Garvey, para. 0169] “Computer system 1000 includes bus 1002 or other communication mechanism for communicating information”]) the components of the security analytics framework comprising a data scavenger, a data analyzer; and a risk predictor; and ([para.0044] “System 100 generally comprises data collector 120 [a data scavenger], anomaly management services 130…”; [para. 0054] “anomaly management services 130 may include correlation analytic 132 [data analyzer], anomaly detector 131 [risk predictor]”)
wherein the moderator controller comprises one or more processors and a local storage having instructions stored thereon that when executed direct the moderator system to: ([Garvey, para. 0173] “Computer system 1000 may implement the techniques described…processor 1004 executing one or more sequences of one or more instructions contained in main memory 1006…Execution of the sequences of instructions contained in main memory 1006 causes processor 1004 to perform the process steps described herein”])
send, via the interface, ([Garvey, para. 0169] “Computer system 1000 includes bus 1002 or other communication mechanism for communicating information”]) a first model to the risk predictor, ([para. 0067] “an anomaly detection system may train, define or otherwise include [send] a baseline model [first model] representing expected patterns of behavior”) wherein the first model includes context information for a particular application of the chip or particular IC; ([para. 0056] “anomaly detector 131 [risk predictor] may output a set of data that indicates which sample data points within a given time series are anomalous [predicting risk]… determined from [sending] a baseline model“)
receive, via the interface, ([Garvey, para. 0169] “Computer system 1000 includes bus 1002 or other communication mechanism for communicating information”]) operational data of the chip or particular IC; ([para. 0071] “Agents 114a-j comprise hardware and/or software logic for capturing time series measurements [operational data] from a corresponding target … and sending these metrics to the data collector”; “an agent may include one or more hardware sensors, such as microelectromechanical (MEMs) accelerometers, thermometers, pressure sensors, heart rate monitors, etc., that capture time series measurements of a physical environment and/or resource” [operational data])
send, via the interface, ([Garvey, para. 0169] “Computer system 1000 includes bus 1002 or other communication mechanism for communicating information”]) the second model to at least the risk predictor; ([para. 0092] “the formula above [calculation of risk: see para. 0090 – “the summarization process includes identifying a set of anomalies” … “the summarization process further includes calculating the relative severity of the anomalies”] may be supplemented [sending]… different baseline models are used [second model]; [para. 0054] “functions described with respect to one component may instead be performed by another component” therefore, the anomaly detector/risk predictor performs the summarization process that receives the different models)
determine, whether to make an adjustment to a current security configuration of the security analytics framework for the chip or particular IC ([Garvey, para. 0061] “response interface 134 may provide an interface though which a resource configuration [current security configuration] may be modified [determining whether to make an adjustment]”) based on at least the received operational data; ([para. 0061] “one or more responsive actions may be invoked… automatically based on the generated summaries” [a determination based on at least the received operation data – see para. 0078-79: a summary is generated from the scavenged time series data])
send, via the interface, ([Garvey, para. 0169] “Computer system 1000 includes bus 1002 or other communication mechanism for communicating information”]) the particular security configuration to at least one component of the components of the security analytics framework, ([para. 0061] “Response interface 134 may interact [sending] with other components of the system [to at least one component] … through which a resource may be … restarted [the particular security configuration]”) wherein the at least one component comprises the data scavenger, ([Fig. 1] the components of the security analytics framework includes Data Collector 120 [data scavenger]) and the plurality of elements of interest on the chip or particular IC that the data scavenger captures.  ([para. 0051] “Data collector 120 includes logic for aggregating sample data captured by agents 114a-j into a set of one or more time series signals or data objects [a plurality of items of interest]”.  Changing a first configuration to a second configuration of elements of interest is taught by Loubet below)
Garvey does not clearly teach a data resource storing one or more models of particular operation of the chip or particular IC; perform training on the one or more stored models including the first model using the received operational data to generate at least a second model; wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC; determine a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC.
However, Salunke teaches a data resource storing one or more models of particular operation of the chip or particular IC; ([Garvey, para. 0064] “data repository 140 includes volatile and/or non-volatile storage for storing data that is generated … by baselining and anomaly detection services 130”; [para. 0045] “Baselining and anomaly detection services 130 may comprise logic for generating baseline models”)
perform training on the one or more stored models including the first model using the received operational data to generate at least a second model; ([Salunke, para. 0100] “Fig. 9 illustrates an example evolution [training] of a baseline model in accordance with one or more embodiments; [para. 0101] “a baseline model [second model] may be trained [generated] by fitting a non-seasonal model [first model] to the training dataset [received operational data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey with the teachings of Salunke to include a data resource storing one or more models of particular operation of the chip or particular IC; perform training on the one or more stored models including the first model using the received operational data to generate at least a second model.  One of ordinary skill in the art would have been motivated to make this modification because by updating baseline models over time, a baseline model may evolve and become more accurate over time.  (Salunke, para. 0040)
	Garvey in view of Salunke does not clearly teach wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC; determine a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC.
	However, Loubet teaches wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest ([Loubet, para. 0036] “security configurations [first configuration] are chosen among the group [comprises one or more elements of interest] formed by clock frequency settings, clock configuration settings, side-channel protections, random process configurations [a plurality of elements of interest]”) on the chip or particular IC; ([para. 0008] “a dynamic change of security configurations [a current security configuration] in an integrated circuit product [particular IC]”)
determine a particular security configuration for the security analytics framework for the chip or particular IC ([Loubet, para. 0031-0032] “detecting a specific communication mode, selecting a specific security configuration [determining a particular security configuration] associated with a communication mode” [the limitation ‘analytics framework’ is broadly interpreted as a communication mode in light of the specification as a communication mode “can combine monitoring and intelligence to help defeat attackers seeking to extract information from a chip or system” – see para. 0021 of the specifications of the instant application]) based on at least the received operational data; and ([para. 0048] “during such executions, a specific event occurs [operational data]”.  [Para. 0049 and para. 0055] This specific event is used to increment a transaction counter which is used to change the security configuration)
wherein the particular security configuration updates the first configuration to a second configuration ([Loubet, para. 0054; para. 0070] “the method comprises a change [update] of security configuration”; “the step of TG triggering the change of security configuration… from CF0 [first configuration] to CFN+1 [second configuration]) of elements of interest of the plurality of elements of interest on the chip or particular IC. ([para. 0036] “security configurations [first configuration] are chosen among the group [comprises one or more elements of interest] formed by clock frequency settings, clock configuration settings, side-channel protections, random process configurations [a plurality of elements of interest]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey in view of Salunke with the teachings of Loubet to include wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC; determining a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC.  One of ordinary skill in the art would have been motivated to make this modification because such changes in the security configuration introduce a discontinuity and render non exploitive the curves/data obtained after this discontinuity.  (Loubet, para. 0011)

As per claim 17, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey also teaches wherein the chip or particular IC is in a network component ([Garvey, para. 0045] “Components of system 100 may be implemented on one or more digital devices…. Examples of digital devices include … a route, a switch”)

As per claim 20, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey also teaches wherein the chip or particular IC is in a set top box.  ([Garvey, para. 0045] “Components of system 100 may be implemented on one or more digital devices…. Examples of digital devices include … a set-top box”)

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Garvey in view of Salunke and Loubet as applied to claims 1 and 9 above, and further in view of Matrosov et al. (US Pub. 2019/0370473) (hereinafter “Matrosov”).  

As per claim 8, Garvey in view of Salunke and Loubet teaches claim 1.  
Garvey in view of Salunke and Loubet does not clearly teach sending an updated model to a data analyzer ([Matrosov, Fig. 2; para. 0044; para. 0046] the machine learning engine is updated based on training vectors and sent to the vulnerability engine [a data analyzer] which analyzes the topology by a ML model to identify vulnerable portions of code) of the security analytics framework for the chip or particular IC, ([para. 0012] “computer systems include one or more processors” [a chip or particular IC]; [para. 0016] a code analyzer [analytics framework] that implements machine learning to detect vulnerabilities [security] in computer code) wherein the updated model comprises a predefined metric that the data analyzer uses to identify patterns. ([para. 0025; para. 0044] the vulnerability engine, using the model identifies, based on a pattern analysis [identify patterns], portions of topology where security procedures may be bypassed; [para. 0028; Fig. 4; para. 0034] the model is based on [comprised of] feature vectors of topology for different contexts that may cause vulnerabilities to an attack [a predefined security metric] which the vulnerability engine may compare its feature vectors for a topology against to find vulnerable patterns)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey in view of Salunke and Loubet with the teachings of Matrosov to include sending an updated model to a data analyzer of the security analytics framework for the chip or particular IC, wherein the updated model comprises a predefined metric that the data analyzer uses to identify patterns.  One of ordinary skill in the art would have been motivated to make this modification because “One advantage of analyzing code 144 based on topology 212 is that … training ML modeling 202 based on training vectors 232 derived from topology 212 produces an ML model 202 that is generally applicable to many different types code”, for example, different operations performed by the chip or particular IC. (Matrosov, para. 0034)

As per claim 16, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

Claims 6 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Garvey in view of Salunke and Loubet as applied to claims 1 and 9 above, and further in view of Wang et al. (US Pub. 2015/0373043) disclosed in the IDS dated 10/25/2021 (hereinafter “Wang”).  

As per claim 6, Garvey in view of Salunke and Loubet teaches claim 1.  
Garvey in view of Salunke and Loubet does not clearly teach receiving, by an application programming interface, data from a third party indicating a global model; and sending the global model to at least the risk predictor.  
However, Wang teaches receiving, by an application programming interface, ([Wang, para. 0024] “modules [for example, the global threat intelligence module]… may be… an application programming interface”) data from a third party ([para. 0035] “log information [information] from different network devices {e.g. third-party log sources}”) indicating a global model; and ([para. 0075] “…. global model(s) received from the global threat intelligence module…”)
 sending the global model to at least the risk predictor.  ([Wang, para. 0075] “The local threat intelligence module 345 may adapt the result of the global model(s) received from the global threat intelligence module 330 using data local to the data analysis engine 220” [refined local threat intelligence includes the global model].  [Para. 0058] “each data analysis engine 220 includes an entity risk modeling”.  [Para. 0061] “risk modeling engine 340 [risk predictor] may take as inputs refined local threat intelligence {e.g., received from the local threat intelligence module 345}” [sending the global model to the risk predictor as the refined local threat intelligence includes the global model])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey in view of Salunke and Loubet with the teachings of Wang to receiving, by an application programming interface, data from a third party indicating a global model; and sending the global model to at least the risk predictor.  One of ordinary skill in the art would have been motivated to make this modification because by including the API, a centralized controller allows customers to share and leverage security intelligence amongst each other and improve customer knowledge in incident response.  ([Wang, para. 0046])

As per claim 11, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey in view of Salunke and Loubet not teach an update model application programming interface (API), wherein the update model API receives a model from a third party to update a particular component of the security analytics framework for the chip or particular IC.
However, Wang teaches an update model application programming interface (API), ([Wang, para. 0024] the data analysis engine is software in the form of an API) wherein the update model API receives a model from a third party ([Wang, para. 0060] data is received from the centralized controller by the data analysis engine, a global model [from a third party] and information of the modeling to adapt the local model) to update a particular component of the security analytics framework for the chip or particular IC.  ([para. 0046] local modeling of the data analysis engine [a particular component] may be refined [updated] based on information received from the centralized controller. [Para. 0046-0047] “the data analysis engine is adapted to … conduct analytics [analytics framework] … malicious activity [security] of the endpoint devices [for the chip or particular IC – see para 0023: an ASIC is a sensor; Fig. 2A endpoint devices include sensors])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Garvey in view of Salunke and Loubet and Wang for the same reasons as disclosed above.  

As per claim 12, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey in view of Salunke and Loubet does not teach a data API, wherein the data API provides the received operational data to a third party.
However, Wang teaches a data API, wherein the data API provides the received operational data to a third party. ([Wang, para. 0046]  the data analysis engine API [data API] transmits at least a portion of information it has generated [operational data] to the centralized controller [a third party])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Garvey in view of Salunke and Loubet and Wang for the same reasons as disclosed above.  

Claims 10, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Garvey in view of Salunke and Loubet as applied to claim 9 above, and further in view of Sharp et al. (US Pub. 2014/0143826) (hereinafter “Sharp”).  

As per claim 10, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey in view of Salunke and Loubet not teach an encoder and decoder for encoding and decoding sensitive data transmitted and received via the interface.
However, Sharp teaches an encoder and decoder for encoding and decoding sensitive data transmitted and received via the interface. ([Sharp, para. 0085; para. 0137] a secure element is disclosed for initiating an eSIM [sensitive data – see para. 0046] transfer that decrypts and re-encrypts [an encoder and decoder for encoding and decoding] an eSIM received from the interface)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey in view of Salunke and Loubet with the teachings of Sharp to include an encoder and decoder for encoding and decoding sensitive data transmitted and received via the interface.  One of ordinary skill in the art would have been motivated to make this modification because access-control data security may ensure that data and/or software associated with an access-control element [sensitive information] is protected from theft, misuse, corruption, publication and tampering by unauthorized activities and third parties.   (Sharp, para. 0044)

As per claim 18, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey in view of Salunke and Loubet not teach wherein the chip or particular IC is a system on a chip with at least one secure domain for sensitive information or cryptographic functions.
However, Sharp teaches wherein the chip or particular IC ([Sharp, para. 0160] the secure element is a eUICC [integrated circuit card – see para. 0025]) is a system on a chip ([para. 0137] the secure element [system] is an embedded element on a circuit board in an electronic device) with at least one secure domain for sensitive information or cryptographic functions. ([Para. 0137] the secure element comprises a secure processor executing software stored in a secure media inaccessible to all other components [a secure domain] that employs encryption [cryptographic functions] for the protection of its contents)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Garvey in view of Salunke and Loubet and Sharp for the same reasons as disclosed above.  

As per claim 19, Garvey in view of Salunke and Loubet teaches claim 9.  
Garvey in view of Salunke and Loubet not teach wherein the chip or particular IC comprises an integrated Services Identity Module (iSIM).
However, Sharp teaches wherein the wherein the chip or particular IC ([Sharp, para. 0160] the secure element is a eUICC [integrated circuit card – see para. 0025]) comprises an integrated Services Identity Module (iSIM).  ([Sharp, para. 0012] the secure element includes an access control element.  [Para. 0005] the access control element is an iSIM)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Garvey in view of Salunke and Loubet with the teachings of Sharp to include wherein the wherein the chip or particular IC comprises an integrated Services Identity Module (iSIM).  One of ordinary skill in the art would have been motivated to make this modification because access control elements such as an iSIM ensure secure communications by allowing a subscriber to authenticate to a cellular network and be allowed access to the cellular network.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Iyer et al. (US Pub. 2018/0316711) discloses a system for changing configuration settings for an application for the client based on a plurality of security threats that includes analyzing usage patterns of an application.  
Jun et al. (US Pub. 2017/0249099) discloses a method that adjusts configurations/modes of the security manager of an integrated circuit/chip packaged based on information accessible by the security manager.
Facon et al. "Hardware-enabled AI for embedded security: A new paradigm”; IEEE 2019 3rd International Conference on Recent Advances in Signal Processing, Telecommunications & Computing; March, 2019; pg. 80-84 discloses a smart monitor that is a device that acts as a security analytics framework for a chip/IC that predicts risk based on a configuration of different factors (i.e. voltage and temperature).  
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/Z.L./Examiner, Art Unit 2493           

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493