Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
2.	This Office Action is issued in response to the Amendment filed on 07/26/2022.
Claims 1-15 are pending in this Office Action.
Claims 2 and 13 have been amended.

Response to Arguments
3.	Claim Objections: The previous claim objections have been withdrawn in response to claim amendments.
35 U.S.C. §103: Applicant’s arguments regarding 35 U.S.C. § 103 Claim Rejections have been fully considered but they are not persuasive.
a. Regarding Applicant’s arguments "wherein the security monitoring and control circuit comprises an analytics circuit configured to detect an anomaly following a compromisation of the device, and the security monitoring and control circuit is arranged to treat the REE as an untrusted component and in response to a detection of a compromisation of the REE or a component in the device that is accessible by the REE by the analytics circuit, the security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device,"  Applicant states: “In Xu it is the hub that identifies that the device has been compromised, and then the hub causes CIDER to reboot the device. Xu is directed to the concept of dominance where the hub can dominate the device no matter how compromised it is. So there is no analytic circuit on the device to detect a compromise of the system, but rather this is performed by the hub” and “The Examiner also cites Lietz as teaching the analytics circuit configured to detect an anomaly, but Xu teaches that the hub determines anomalies on the device and then uses its dominance to restore the device to normal operation. Hence, there is no reason to look to Lietz to insert a feature on the device that is already present in the hub. Hence, Xu fails to teach at least this feature of the claims.” (pages 6 and 7 of Applicant’s Remarks)
Examiner respectfully disagrees because Applicant is attacking the references individually.  One cannot show non-obviousness by attacking references individually where the rejections are based on a combination of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The claim limitations are obvious over the Xu and Lietz references; therefore, the combination of Xu and Lietz should be considered.  Referring to pages 3-4 of the Office Action dated 04/26/2022, i) Xu discloses that the CIDER circuit is implemented to help devices communicate with the hub and enable the hub to recover control of all managed devices even after a complete compromise.  With control recovered, the hub may subsequently issue firmware updates to patch the vulnerability or change the security setting that led to the exploit and evict the adversary from the device.  The previous Office Action states: “Xu discloses CIDERs are implemented in circuit boards, but Xu does not disclose the circuit comprises a security monitoring and control circuit with an analytics circuit configured to detect an anomaly.”  ii) Lietz discloses an asset with self-security monitoring and control and with analytics functions.  The asset is configured to self-monitor and self-repair (Lietz, Fig. 1 with associated text as cited in previous Office Action).
The combination of Xu’s teaching in i) and Lietz’s teaching in ii) would have an obvious and predictable result of the CIDER circuit with self-security monitoring and control and analytics functions configured to self-detect an anomaly and therefore, the limitations “wherein the security monitoring and control circuit comprises an analytics circuit configured to detect an anomaly following a compromisation of the device, and the security monitoring and control circuit is arranged to treat the REE as an untrusted component and in response to a detection of a compromisation of the REE or a component in the device that is accessible by the REE by the analytics circuit, the security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device,” would be obvious with the combination of Xu and Lietz’s teachings.
b.  Applicant states: “Claim 1 further recites "security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device." It is unclear from the portions of Xu cited in the office action how Xu teaches this feature of claim 1.”
Examiner’s response: Again, it is the combination of Xu and Lietz’s teachings that should be considered.  i) Xu discloses reestablishing communication between the device and the hub to mitigate the compromisation of the device (as cited in page 4, lines 9-10 of Office Action dated 04/26/2022:  Xu, page 4, Section A, Problem Statement, lines 1-8) “Our goal is to enable the hub to unconditionally recover control of all managed devices even after a complete compromise of the device firmware: a property commonly called availability.  With control recovered, the hub may subsequently issue firmware updates to patch the vulnerability or change the security settings that led to the exploit and evict the adversary from the device. It may further request evidence from the device that the updates have been applied correctly.”  Note: Page 3 of Office Action dated 04/26/2022 also indicates communication between CIDER and the hub tunnels through the REE. ii) Lietz teaches an asset with self-security monitoring and control and with analytics functions.  The asset is configured to self-monitor and self-repair as presented previously.  Hence, the combination of Xu and Lietz’s teachings renders obvious the limitation “security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device.”
Therefore, Applicant’s arguments regarding claim 1 are not persuasive.  Applicant’s arguments regarding claims 2-15 are based on the arguments regarding claim 1 above; accordingly, they are not persuasive for at least the same reasons described above.
Since Applicant’s arguments are not persuasive, the previous 35 U.S.C. § 103 Claim Rejections have been maintained.

Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-5, and 7-15 are rejected under 35 U.S.C. 103 as being unpatentable over Xu et al. (Applicant’s provided Non Patent Literature “Dominance as a New Trusted Computing Primitive for the Internet of Things”), hereinafter “Xu” in view of Lietz et al. (US 2015/0381651), hereinafter “Lietz”.
Regarding claim 1, Xu discloses a device comprises: 
at least one host application; a rich execution environment; at least one interface operably coupled to the REE for communicating with a remote server (page 3, right column, line 44- page 3, left column, line 16: IoT devices connect over the internet to one or more back-end server/hubs;  High-end devices may feature multicore 64-bit CPUs running at GHz clock rates, several GBs of DRAM, external storage devices and a full operating system such as Linux -REE- allowing them to run multiple applications);
wherein the device is characterised in that:
a security sub-system comprises [a security monitoring and control] circuit coupled to the REE and connectable to the remote server via the REE and the at least one interface (page 1, Abstract, lines 27-30, page 2, right column, lines 24-30: when a device is compromised, CIDER-a security subsystem- could still communicate with the hub; page 7, lines 3-9 of Section IV-Implementation: CIDER is implemented on circuits)
wherein [the security monitoring and control circuit comprises an analytics circuit configured to detect an anomaly] following a compromisation of the device, and the [security monitoring and control] circuit is arranged to treat the REE as an untrusted component and in response to a detection of a compromisation of the REE or a component in the device that is accessible by the REE by the [analytics circuit], the [security monitoring and control circuit] is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device (page 1, right column, second paragraph: operating systems and applications on IoT devices are vulnerable.  Page 4, Section A. Problem Statement, lines 1-8; Section B. Security Primitives and Protocols).
Xu discloses CIDERs are implemented in circuit boards as presented above, but Xu does not explicitly disclose the circuit comprises a security monitoring and control circuit with an analytics circuit configured to detect an anomaly.   However, an asset with security monitoring and control and analytics functions configured to detect an anomaly is known in the art and Lietz’s teaching is an example (Fig. 1 with associated text: Virtual asset 121 with asset agent 123- security monitoring and control and self-monitoring module 124-analytics). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Xu’s teaching of keeping a secure connection with a remote server to recover a compromised device with Lietz’s teaching of an asset with security monitoring and control and analytics functions configured to detect an anomaly to have a security monitoring and control circuit with an analytics circuit configured to detect an anomaly. The motivation to do so would be for protecting and repairing an asset from damage by security threats as taught by Lietz (paragraphs [0004]-[0005]).
Regarding claim 2, Xu and Lietz disclose the device of Claim 1 wherein the analytics circuit is configured to monitor the device's activity and detects an anomaly following a compromisation of the device, by identifying a change in data or behavior of the device's activity (Lietz, paragraphs [0042]-[0047]: monitoring changing upon detecting malicious patterns or signatures).
Regarding claim 3, Xu and Lietz disclose the device of Claim 2 wherein the analytics circuit is configured to detect an anomaly following a compromisation of the device, by comparing the monitored data or behavior of the device's activity with a trained or pre-determined model of normal data (Lietz, paragraph [0046]: comparing monitored data with historic/expected data).
Regarding claim 4, Xu and Lietz disclose the device of Claim 1 wherein the security monitoring and control circuit is configured to employ the re-established secure connection to the remote server for deployment of at least one of: at least one update, or at least one execution of a remote command received from the remote server on the device (Xu, Abstract, lines 27-30: CIDER assists installing patched firmware on the devices; page 2, right column, lines 24-27 and page 4, left column, section A. Problem statement: remote administrator unconditionally recovers and configures a device for firmware update.  Lietz, paragraph [0051]: establishing secure communication channel to receive security updates/patches from external or third party).
Regarding claim 5, Xu and Lietz disclose the device of Claim 4 wherein the security monitoring and control circuit, subsequent to detecting a compromisation, is configured to perform periodic checks for the at least one update to be applied to at least one component or circuit within the device, and obtain said at least one update from a monitoring and analytics service circuit within or coupled to the remote server (Lietz, paragraph [0066]: monitoring for security update).
Regarding claim 7, Xu and Lietz disclose the device of Claim 1 wherein, in response to a detection of a compromisation of the REE, the security monitoring and control circuit performs an action to place the device into a trusted operational state (Xu, page 5, Section C. A Simple Dominance Scheme, lines 33-34: booting a firmware image that is approved by the hub).
Regarding claim 8, Xu and Lietz disclose the device of Claim 7 wherein, the security monitoring and control circuit performs an action to place the device into a trusted operational state by performing one of the following: rebooting at least a part of the device; running a self-check routine of the device's circuits and components; limiting one or more capabilities of the device whilst maintaining some functionality; forcing the device to boot a trusted image that enables device maintenance (Xu, page 5, Section C. A Simple Dominance Scheme, lines 33-34: booting a firmware image that is approved by the hub); communicating with the remote server; and allowing the device to receive a secure update or command from the remote server (Xu, Abstract, lines 27-30: CIDER assists installing patched firmware on the devices; page 2, right column, lines 24-27 and page 4, left column, section A. Problem statement: remote administrator unconditionally recovers and configures a device for firmware update.  Lietz, paragraph [0051]: establishing secure communication channel to receive security updates/patches from external or third party).
Regarding claim 9, Xu and Lietz disclose the device of Claim 7 wherein, the security monitoring and control circuit performs an action to place the device into a trusted operational state based on at least one user-configurable attribute or user-configurable parameter in the security monitoring and control circuit (Xu, Abstract, lines 27-30: After the administrator has identified the compromise and produced an updated firmware image- user-configurable attribute-, CIDER assists administrator installing patched firmware on the devices; page 2, right column, lines 24-27 and page 4, left column, section A. Problem statement: remote administrator unconditionally recovers and configures a device for firmware update.)
Regarding claim 10, Xu and Lietz disclose the device of any preceding Claim 1 wherein the security monitoring and control circuit is implemented as one of the following: separate hardware or firmware part of the device, physically isolated from the REE (Xu, page 7, lines 3-9 of Section IV-Implementation: CIDER is implemented on separated circuits); configured to run as part of a hypervisor that runs on hardware coupled to the REE; configured to run in a trusted virtual machine on a hypervisor; configured to run in a secure system and isolated from the REE by an application.
Regarding claim 11, it claims similar subject matters to claim 1; therefore, claim 11 is rejected at least for the same reasons as claim 1.
Regarding claims 12-15, they claim similar subject matters to claims 1-4 respectively; therefore, claims 12-15 are rejected at least for the same reasons as claims 1-4 respectively.
6.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Xu et al. (Applicant’s provided Non Patent Literature “Dominance as a New Trusted Computing Primitive for the Internet of Things”), hereinafter “Xu” in view of Lietz et al. (US 2015/0381651), hereinafter “Lietz” in view of Ponsini (US 2020/0184089), hereinafter “Ponsini”.
Regarding claim 6, Xu and Lietz disclose the device of Claim 1.  Xu and Lietz do not explicitly disclose wherein the security monitoring and control circuit comprises at least one of: at least one timer comprising at least one timer threshold, at least one counter comprising at least one counter threshold, and detection of a compromisation of the REE is identified following a detection of anomalous behaviour of one or more untrusted component(s) of the device that exceeds the at least one timer threshold or the at least one counter threshold.  However, utilizing a timer with a threshold in determining compromise is known in the art and Ponsini’s teaching is an example (paragraph [0047]).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Xu and Lietz’s teachings of keeping a secure connection with a remote server to recover a compromised device and an asset with security monitoring and control and analytics functions configured to detect an anomaly with Ponsini’s teaching of utilizing a timer with a threshold in determining compromise.  The motivation to do so would be to establish and maintain a security policy for a device as taught by Ponsini (paragraph [0006]).
Conclusion

7.	THIS ACTION IS MADE FINAL.  
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T. LE whose telephone number is (571)270-0279.  The examiner can normally be reached on Monday-Thursday 8:00 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THANH T LE/           Examiner, Art Unit 2495