Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	The instant office action is in response to communication filed on 08/02/2021.

3.	Claims 1-20 are pending of which claims 1, 11 and 20 are independent.

Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 09/29/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto. 

Internet Communications

5.	Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.
Double Patenting

6.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.  See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970);and, In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

7.	Claims 1-20 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-20 of U.S. Patent No 11,115,823 B1 (hereinafter refereed as ‘823 US Patent). Although the conflicting claims are not identical, they are not patentably distinct from each other.
The following is referring to the independent claim


[Symbol font/0xB7]  	As per independent claims 1, 11 and 20 
Independent claims 1,11 and 20 of the instant application and claims 1,9 and 17, of the ‘823 US Patent recite similar limitation. The above independent claims, namely claims 1, 11and 20 of the instant/present application would have been obvious over claims 1, 9 and 17 of the ‘823 US Patent because each and every element of the above independent claims 1 of the present application is anticipated by the corresponding independent claim 1 of the ‘823 US Patent.
The following is referring to the dependent claims

[Symbol font/0xB7]  	Referring to dependent claims 2-10 and 12-19,
Claims 2-10 and 12-19 of the instant application is also anticipated by claims 2-8,10-16 and 18-20 of the ‘823 US Patent since the corresponding claims further recite similar/same limitation of the same subject matter.
‘823 US Patent
Current application No. 17/391,134
1. A method for classifying a device on a network, the method comprising: receiving network activity data associated with a device on a network; extracting at least one feature from the network activity data associated with the device on the network; providing the at least one extracted feature as input to a classifier executing a machine learning model configured to classify the device as an internet-of-things (IoT) device or a non-IoT device based on the at least one extracted feature; receiving a label indicating that the device is an IoT device or a non-IoT device from the classifier executing the machine learning model; and executing at least one security measure upon receiving the label that the device is an IoT device, wherein the at least one security measure includes banning the IoT device from the network, isolating the IoT device, or setting a limit on data able to be sent from the IoT device.
8. The method of claim 1 further comprising updating the machine learning model with the received label.
1. A method comprising: performing, by one or more computing devices: receiving network activity data associated with a plurality of devices in a network, including a first device labeled as an Internet-of-Things (IoT) device and a second device labeled as a non-IoT device; extracting one or more features from the network activity data, wherein the one or more features are included in a training data set; providing the training data set including the one or more features as input to a machine learning model; training the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training, using the machine learning model to identify another device in the network as another IoT device; and in response to the identifying of the other IoT device, applying one or more security measures to the other IoT device including banning the other IoT device form the network, isolating the other IoT device, or limiting data sent by the other IoT device.  
4. The method of claim 3 further comprising performing at least one feature engineering technique to enhance the at least one extracted training feature prior to training the machine learning model.

2. The method of claim 1, further comprising the one or more computing devices performing a feature engineering technique to transform the one or more features prior to training the machine learning model.  
3. The method of claim 2 further comprising extracting at least one training feature from the network activity data associated with the at least one training device, wherein the machine learning model is trained based on the at least one extracted training feature.
4. The method of claim 3 further comprising performing at least one feature engineering technique to enhance the at least one extracted training feature prior to training the machine learning model.


3. The method of claim 2, wherein the feature engineering technique includes one or more of: calculating an average of an extracted feature, calculating a standard deviation of the extracted feature, filtering a portion of the network activity data, and combining the network activity data with historical data.   
5. The method of claim 1 wherein the at least one feature includes at least one of connection history of the device, duration of a device connection, ports used by the device, timestamps of connections made by the device, connection states of the device, number of packets communicated to or from the device, bytes transmitted to or from the device, source IP address of connection involving the device, destination IP address of a connection involving the device, and services utilized by the device.

4. The method of claim 1, wherein the one or more features includes at least one of: connection history of a device, duration of a device connection, ports used by the device, timestamps of connections made by the device, connection states of the device, number of packets communicated to or from the device, bytes transmitted to or from the device, source IP address of connection involving the device, destination IP address of a connection involving the device, and one or more services utilized by the device.   

5. The method of claim 1, wherein the machine learning model includes one or more of: a logistic regression model, a Support Vector Machine (SVM) model, and a random forest model.  
8. The method of claim 1 further comprising updating the machine learning model with the received label.

6. The method of claim 1, further comprising the one or more computing devices performing: storing device data about the other IoT device in a database, wherein the device data indicates a classification of the other IoT device determined by the label.  
7. The method of claim 6 further comprising: detecting anomalous network activity associated with the IoT device; and issuing an alert using a user interface upon detecting the anomalous activity associated with the IoT device.
7. The method of claim 1, further comprising the one or more computing devices performing: generating additional labels for additional devices in the network based on additional network activity data of the additional devices; and retraining the machine learning model using the additional labels and additional network activity data.  

7. The method of claim 6 further comprising: detecting anomalous network activity associated with the IoT device; and issuing an alert using a user interface upon detecting the anomalous activity associated with the IoT device.
8. The method of claim 1, further comprising the one or more computing devices performing: generating additional labels for additional devices in the network based on additional network activity data of the additional devices; and retraining the machine learning model using the additional labels and additional network activity data.  
6. The method of claim 1 further comprising, upon receiving a label indicating that the device is an IoT device, elevating the IoT device to a watch list for further monitoring.

9. The method of claim 1, further comprising the one or more computing devices performing: in response to the identifying of the other IoT device, elevating the other IoT device to a watch list for further monitoring.  
7. The method of claim 6 further comprising: detecting anomalous network activity associated with the IoT device; and issuing an alert using a user interface upon detecting the anomalous activity associated with the IoT device.

10. The method of claim 6 further comprising the one or more computing devices performing: detecting anomalous network activity associated with the other IoT device; and issuing an alert using a user interface upon detecting the anomalous activity associated with the other IoT device.  
9. A system for classifying a device on a network, the system comprising: an interface for receiving network activity data associated with a device on a network; and a processor executing instructions stored on memory to provide: a feature extraction module configured to extract at least one feature related to the network activity data associated with the device on the network, and a classifier executing a machine learning model configured to: receive the at least one extracted feature as input, and provide a label indicating that the device is an internet-of-things (IoT) device or a non-IoT device, wherein the processor is further configured to execute at least one security measure upon receiving the label that the device is an IoT device, wherein the at least one security measure includes banning the IoT device from the network, isolating the IoT device, or setting a limit on data able to be sent from the IoT device.

11. A system comprising: one or more computing devices configured to: receive network activity data associated with a plurality of devices in a network, including a first device labeled as an Internet-of-Things (IoT) device and a second device labeled as a non-IoT device; extract one or more features from the network activity data, wherein the one or more features are included in a training data set; provide the training data set including the one or more features as input to a machine learning model; train the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training, use the machine learning model to identify another device in the network as another IoT device; and in response to the identifying of the other IoT device, apply one or more security measures to the other IoT device including banning the other IoT device form the network, isolating the other IoT device, or limiting data sent by the other IoT device.  
14. The system of claim 9 wherein the processor is further configured to, upon the classifier providing a label indicating that the device is an IoT device, elevate the IoT device to a watch list for further monitoring.

12. The system of claim 11, wherein the one or more computing devices are configured to: monitor the network over one or more wide area networks (WANs); and collect the network activity data from the network over the one or more WANs.  
12. The system of claim 11 wherein the classifier is further configured to perform at least one feature engineering technique to enhance the at least one extracted training feature prior to training the machine learning model.

13. The system of claim 11, wherein the one or more computing devices are configured to: perform a feature engineering technique to transform the one or more features prior to training the machine learning model.  
12. The system of claim 11 wherein the classifier is further configured to perform at least one feature engineering technique to enhance the at least one extracted training feature prior to training the machine learning model.

14. The system of claim 13, wherein to perform the feature engineering technique, the one or more computing devise is configured to: calculate an average of an extracted feature, calculate a standard deviation of the extracted feature, filter a portion of the network activity data, or combine the network activity data with historical data.  
13. The system of claim 9 wherein the at least one feature includes at least one of connection history of the device, duration of a device connection, ports used by the device, timestamps of connections made by the device, connection states of the device, number of packets communicated to or from the device, bytes transmitted to or from the device, source IP address of connection involving the device, destination IP address of a connection involving the device, and services utilized by the device.


15. The system of claim 11, wherein the one or more features includes at least one of: connection history of a device, duration of a device connection, ports used by the device, timestamps of connections made by the device, connection states of the device, number of packets communicated to or from the device, bytes transmitted to or from the device, source IP address of connection involving the device, destination IP address of a connection involving the device, and one or more services utilized by the device.  

16. The system of claim 11, wherein the machine learning model includes one or more of: a logistic regression model, a Support Vector Machine (SVM) model, and a random forest model.  
14. The system of claim 9 wherein the processor is further configured to, upon the classifier providing a label indicating that the device is an IoT device, elevate the IoT device to a watch list for further monitoring.

17. The system of claim 1, wherein the one or more computing devices are configured to: store device data about the other IoT device in a database, wherein the device data indicates a classification of the other IoT device determined by the machine learning model.  
10. The system of claim 9 wherein the machine learning model is trained based on network activity data associated with at least one training device labeled as an IoT device or a non-IoT device.

20. The method of claim 19 further comprising retraining the machine learning model based on the classification of the unlabeled device as IoT device or a non-IoT device.

18. The system of claim 1, wherein the one or more computing devices are configured to: retrain the machine learning model using additional labels of devices in the network and additional network activity data received from the network.  
14. The system of claim 9 wherein the processor is further configured to, upon the classifier providing a label indicating that the device is an IoT device, elevate the IoT device to a watch list for further monitoring.
19. The method of claim 1, wherein the one or more computing devices are configured to: in response to the identifying of the other IoT device, elevate the other IoT device to a watch list for further monitoring.  
9. A system for classifying a device on a network, the system comprising: an interface for receiving network activity data associated with a device on a network; and a processor executing instructions stored on memory to provide: a feature extraction module configured to extract at least one feature related to the network activity data associated with the device on the network, and a classifier executing a machine learning model configured to: receive the at least one extracted feature as input, and provide a label indicating that the device is an internet-of-things (IoT) device or a non-IoT device, wherein the processor is further configured to execute at least one security measure upon receiving the label that the device is an IoT device, wherein the at least one security measure includes banning the IoT device from the network, isolating the IoT device, or setting a limit on data able to be sent from the IoT device.

20. One or more non-transitory computer-readable media storing program instructions that when executed on one or more processors cause the one or more processors to: receive network activity data associated with a plurality of devices in a network, including a first device labeled as an Internet-of-Things (IoT) device and a second device labeled as a non-IoT device; extract one or more features from the network activity data, wherein the one or more features are included in a training data set; provide the training data set including the one or more features as input to a machine learning model; train the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training, use the machine learning model to identify another device in the network as another IoT device; and in response to the identifying of the other IoT device, apply one or more security measures to the other IoT device including banning the other IoT device form the network, isolating the other IoT device, or limiting data sent by the other IoT device.  





Claim Rejections - 35 USC § 103

8.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
9.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
10.	A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

12.	Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ochoa et al. (Pub. No.: US 2020/0211721 A1, hereinafter refer as to Ochoa) in view of He et al. (Pub. No.: US 2019/0086988 A1, hereinafter refer as to He).

Ochoa provides method of determining identity of unknown internet-of-things (IoT) device in communication network. Ochoa further provide analyzing the device network behavior may include (i) analyzing the unlabeled feature vector of one of the communication sessions using the single session classifier of the selected machine learning based classifier to output the probability, (ii) comparing the probability with the classification threshold, and (iii) if the probability is higher than the classification threshold, (iv) classifying the communication session as being generated by a particular IoT device from the known IoT device list associated with the single session classifier, and (v) determining the identity of the unknown IoT device from the classification.

He provides method for managing machine learning using mobile devices such as mobile phone, smart phone and tablet device. Machine learning module use a particular machine model/classifier/algorithm, such as a K-nearest neighbor classifier, a naive Bayesian classifier, a logical regression classifier, a neural network classifier, a support vector machine (SVM) classifier, a decision tree classifier, a maximum entropy classifier, a kernel density estimation classifier, and/or another type of classifier

As per claim 1, a method comprising: performing, by one or more computing devices: receiving network activity data associated with a plurality of devices in a network (para. 0001 discloses identifying devices connected in a network, and more particularly, to methods for determining an identity of an unknown Internet-of-Things (IoT) device in a communication network, for example), including a first device labeled as an Internet-of-Things (IoT) device and a second device labeled as a non-IoT device (fig. 7 is a flow diagram showing an exemplary method of determining the identity of an unknown IoT device after the non-IoT devices have been identified according to the alternative device identification process of fig. 6, for example); extracting one or more features from the network activity data (para. 0008 discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example), wherein the one or more features are included in a training data set; providing the training data set including the one or more features as input to a machine learning model (para. 0016 discloses network behavior of each one of the plurality of IoT devices, associating the extracted plurality of features with the corresponding identity of each one of the plurality of IoT devices, for example); (para. 0095 discloses device identification process 600 for classifying whether a device is IoT or non-IoT); and in response to the identifying of the other IoT device, applying one or more security measures to the other IoT device including banning the other IoT device form the network, isolating the other IoT device, or limiting data sent by the other IoT device (para. 0019 discloses a processor arranged to determine the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior. Each machine learning based classifier of the set is trained by a dataset including a plurality of features representing network behavior of a respective known IoT device from the list and the known IoT device's identity, for example).  

Ochoa fails to explicitly disclose training the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training, using the machine learning model to identify another device in the network as another IoT device.
He discloses training the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training, using the machine learning model to identify another device in the network as another IoT device para. 0098 Model type field 686 may identify a particular model, classifier, and/or algorithm associated with the particular machine learning module 470 or 570. For example, model type field 686 may identify the particular model, classifier, and/or algorithm as a K-nearest neighbor classifier, a naive Bayesian classifier, a logical regression classifier, a neural network classifier, an SVM classifier, a decision tree classifier, a maximum entropy classifier, a kernel density estimation classifier, and/or another type of classifier. Furthermore, model type field 686 may identify whether the particular model, classifier, and/or algorithm is trained using supervised learning (e.g., a labeled training set) or unsupervised learning (e.g., an unlabeled training set).
Ochoa and He are analogous art because they both are directed to a machine learning process is performed (880) using the selected machine learning model and data inputs by the wireless communication device and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of Ochoa with the specified features of He because they are from the same field of endeavor.
In view of the above, having the method of Ochoa and then given the well- established teaching of He, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of He with the teachings of Ochoa in order for managing machine learning using mobile devices such as mobile phone, smart phone and tablet device (HE: para. 0020). 

Regarding claim 2, the combination of Ochoa as modified by He discloses comprising the one or more computing devices performing a feature engineering technique to transform the one or more features prior to training the machine learning model (para. 0008 of Ochoa discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example). 

Regarding claim 3, the combination of Ochoa as modified by He discloses wherein the feature engineering technique includes one or more of: calculating an average of an extracted feature, calculating a standard deviation of the extracted feature, filtering a portion of the network activity data, and combining the network activity data with historical data (fig. 2 of He show Communication interface 260 may include a logical component that includes input and/or output ports, input and/or output systems, and/or other input and output components that facilitate the transmission of data to other devices. For example, communication interface 260 may include a network interface card (e.g., Ethernet card) for wired communications and/or a wireless network interface (e.g., a WiFi) card for wireless communications, for example).
 	Examiner applied the same motivational statement as set forth above in claim 1.

Regarding claim 4, the combination of Ochoa as modified by He discloses wherein the one or more features includes at least one of: connection history of a device (fig. 2 of He show Communication interface 260 may include a logical component that includes input and/or output ports, input and/or output systems, and/or other input and output components that facilitate the transmission of data to other devices. For example, communication interface 260 may include a network interface card (e.g., Ethernet card) for wired communications and/or a wireless network interface (e.g., a WiFi) card for wireless communications, for example), duration of a device connection, ports used by the device, timestamps of connections made by the device (para. 0093 of He disclose masked values, along with timestamps indicating a time when the original parameter values were obtained, may be used to perform machine learning processes. For example, the masked data values may be sent to machine learning system 140, for example), connection states of the device, number of packets communicated to or from the device, bytes transmitted to or from the device, source IP address of connection involving the device, destination IP address of a connection involving the device, and one or more services utilized by the device (fig. 1 of He show network 130 may include an Internet Protocol Multimedia Sub-system (IMS) network. An IMS network may include a network for delivering IP multimedia services as specified by 3GPP and may provide media flows between UE device 110 and external IP networks or external circuit-switched networks, for example and fig. 2 show interface 260 may include an antenna assembly that includes one or more antennas to transmit and/or receive RF signals, for example).
Examiner applied the same motivational statement as set forth above in claim 1.

Regarding claim 5, the combination of Ochoa as modified by He discloses wherein the machine learning model includes one or more of: a logistic regression model, a Support Vector Machine (SVM) model, and a random forest model (para. 0071 of He discloses each machine learning module 470 may use a particular machine model/classifier/algorithm, such as a K-nearest neighbor classifier, a naive Bayesian classifier, a logical regression classifier, a neural network classifier, a support vector machine (SVM) classifier, a decision tree classifier, a maximum entropy classifier, a kernel density estimation classifier, and/or another type of classifier, for example). 
Regarding claim 6, the combination of Ochoa as modified by He discloses the one or more computing devices performing: storing device data about the other IoT device in a database, wherein the device data indicates a classification of the other IoT device determined by the machine learning model (para. 0008 of Ochoa discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example).

Regarding claim 7, the combination of Ochoa as modified by He discloses the one or more computing devices performing: generating additional labels for additional devices in the network based on additional network activity data of the additional devices; and retraining the machine learning model using the additional labels and additional network activity data (fig. 6E of He and furthermore para. 0098 of He discloses model type field 686 may identify whether the particular model, classifier, and/or algorithm is trained using supervised learning (e.g., a labeled training set) or unsupervised learning (e.g., an unlabeled training set)).  
Examiner applied the same motivational statement as set forth above in claim 1.

Regarding claim 8, the combination of Ochoa as modified by He discloses the one or more computing devices performing: generating additional labels for additional devices in the network based on additional network activity data of the additional devices (para. 0001 of Ochoa discloses identifying devices connected in a network, and more particularly, to methods for determining an identity of an unknown Internet-of-Things (IoT) device in a communication network, for example); and retraining the machine learning model using the additional labels and additional network activity data (para. 0008 of Ochoa discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example); 

Regarding claim 9, the combination of Ochoa as modified by He discloses the one or more computing devices performing: in response to the identifying of the other IoT device, elevating the other IoT device to a watch list for further monitoring (para. 0008 of Ochoa discloses machine learning based classifier of the set is trained by a dataset including a plurality of features representing network behavior of a respective known IoT device from the list and the known IoT device's identity. The plurality of features is associated with the corresponding device network behavior of the generated network traffic, for example).

Regarding claim 10, the combination of Ochoa as modified by He discloses the one or more computing devices performing: detecting anomalous network activity associated with the other IoT device; and issuing an alert using a user interface upon detecting the anomalous activity associated with the other IoT device (para. 0008 of Ochoa discloses the plurality of features is associated with the corresponding device network behavior of the generated network traffic, for example).   

As per claim 11, Ochoa discloses a one or more computing devices configured to: receive network activity data associated with a plurality of devices in a network (para. 0001 discloses identifying devices connected in a network, and more particularly, to methods for determining an identity of an unknown Internet-of-Things (IoT) device in a communication network, for example), including a first device labeled as an Internet-of-Things (IoT) device and a second device labeled as a non-IoT device (para. 0095 discloses device identification process 600 for classifying whether a device is IoT or non-IoT); extract one or more features from the network activity data, wherein the one or more features are included in a training data set (para. 0008 discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example); after the training, use the machine learning model to identify another device in the network as another IoT device; and in response to the identifying of the other IoT device (para. 0016 discloses network behavior of each one of the plurality of IoT devices, associating the extracted plurality of features with the corresponding identity of each one of the plurality of IoT devices, for example), apply one or more security measures to the other IoT device including banning the other IoT device form the network, isolating the other IoT device, or limiting data sent by the other IoT device (para. 0095 discloses device identification process 600 for classifying whether a device is IoT or non-IoT) 

Ochoa fails to explicitly disclose provide the training data set including the one or more features as input to a machine learning model; train the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices.

He discloses provide the training data set including the one or more features as input to a machine learning model; train the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices (para. 0032 discloses a machine learning process may refer to a process of training the classifier using supervised (e.g., a labeled data set) or unsupervised learning (e.g., an unlabeled data set), using a trained classifier to arrive at a decision, prediction, and/or inference using a particular data set, and/or updating or refining a trained classifier using a particular data set, for example).

Ochoa and He are analogous art because they both are directed to a machine learning process is performed (880) using the selected machine learning model and data inputs by the wireless communication device and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of Ochoa with the specified features of He because they are from the same field of endeavor.

In view of the above, having the method of Ochoa and then given the well- established teaching of He, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of He with the teachings of Ochoa in order for managing machine learning using mobile devices such as mobile phone, smart phone and tablet device (HE: para. 0020). 

Regarding claim 12, the combination of Ochoa as modified by He discloses wherein the one or more computing devices are configured to: monitor the network over one or more wide area networks (WANs); and collect the network activity data from the network over the one or more WANs (para. 0008 of Ochoa discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example). 

Regarding claim 13, the combination of Ochoa as modified by He discloses wherein the one or more computing devices are configured to: perform a feature engineering technique to transform the one or more features prior to training the machine learning model (fig. 6E of He and furthermore para. 0098 of He discloses model type field 686 may identify whether the particular model, classifier, and/or algorithm is trained using supervised learning (e.g., a labeled training set) or unsupervised learning (e.g., an unlabeled training set)). 
Examiner applied the same motivational statement as set forth above in claim 11.
 
 Regarding claim 14, the combination of Ochoa as modified by He discloses wherein to perform the feature engineering technique, the one or more computing devise is configured to: calculate an average of an extracted feature, calculate a standard deviation of the extracted feature, filter a portion of the network activity data, or combine the network activity data with historical data (fig. 2 of He show Communication interface 260 may include a logical component that includes input and/or output ports, input and/or output systems, and/or other input and output components that facilitate the transmission of data to other devices. For example, communication interface 260 may include a network interface card (e.g., Ethernet card) for wired communications and/or a wireless network interface (e.g., a WiFi) card for wireless communications, for example).
   
 Regarding claim 15, the combination of Ochoa as modified by He discloses wherein the one or more features includes at least one of: connection history of a device, duration of a device connection, ports used by the device, timestamps of connections made by the device, connection states of the device, number of packets communicated to or from the device, bytes transmitted to or from the device, source IP address of connection involving the device, destination IP address of a connection involving the device, and one or more services utilized by the device (fig. 1 of He show network 130 may include an Internet Protocol Multimedia Sub-system (IMS) network. An IMS network may include a network for delivering IP multimedia services as specified by 3GPP and may provide media flows between UE device 110 and external IP networks or external circuit-switched networks, for example and fig. 2 show interface 260 may include an antenna assembly that includes one or more antennas to transmit and/or receive RF signals, for example). 
Examiner applied the same motivational statement as set forth above in claim 11.
  	Regarding claim 16, the combination of Ochoa as modified by He discloses wherein the machine learning model includes one or more of: a logistic regression model, a Support Vector Machine (SVM) model, and a random forest model (para. 0071 of He discloses each machine learning module 470 may use a particular machine model/classifier/algorithm, such as a K-nearest neighbor classifier, a naive Bayesian classifier, a logical regression classifier, a neural network classifier, a support vector machine (SVM) classifier, a decision tree classifier, a maximum entropy classifier, a kernel density estimation classifier, and/or another type of classifier, for example). 
Examiner applied the same motivational statement as set forth above in claim 11.
Regarding claim 17, the combination of Ochoa as modified by He discloses wherein the one or more computing devices are configured to: store device data about the other IoT device in a database, wherein the device data indicates a classification of the other IoT device determined by the machine learning model (para. 0032 of He discloses a machine learning process may refer to a process of training the classifier using supervised (e.g., a labeled data set) or unsupervised learning (e.g., an unlabeled data set), using a trained classifier to arrive at a decision, prediction, and/or inference using a particular data set, and/or updating or refining a trained classifier using a particular data set, for example).
Examiner applied the same motivational statement as set forth above in claim 11. 

Regarding claim 18, the combination of Ochoa as modified by He discloses wherein the one or more computing devices are configured to: retrain the machine learning model using additional labels of devices in the network and additional network activity data received from the network (para. 0032 of HE discloses a machine learning process may refer to a process of training the classifier using supervised (e.g., a labeled data set) or unsupervised learning (e.g., an unlabeled data set), using a trained classifier to arrive at a decision, prediction, and/or inference using a particular data set, and/or updating or refining a trained classifier using a particular data set, for example and furthermore para. 0098 Model type field 686 may identify a particular model, classifier, and/or algorithm associated with the particular machine learning module 470 or 570. For example, model type field 686 may identify the particular model, classifier, and/or algorithm as a K-nearest neighbor classifier, a naive Bayesian classifier, a logical regression classifier, a neural network classifier, an SVM classifier, a decision tree classifier, a maximum entropy classifier, a kernel density estimation classifier, and/or another type of classifier. Furthermore, model type field 686 may identify whether the particular model, classifier, and/or algorithm is trained using supervised learning (e.g., a labeled training set) or unsupervised learning (e.g., an unlabeled training set). 

Regarding claim 19, the combination of Ochoa as modified by He discloses wherein the one or more computing devices are configured to: in response to the identifying of the other IoT device, elevate the other IoT device to a watch list for further monitoring  (fig. 7 of He show if approval to send data to the server was not received (block 720--NO), a determination may be made as to whether the user has selected to give approval to consult or communicate with the server, use the server, or perform machine learning or verify machine learning predictions/recommendations (block 770), for example). 
Examiner applied the same motivational statement as set forth above in claim 11.
  
As per claim 20, Ochoa discloses a One or more non-transitory computer-readable media storing program instructions that when executed on one or more processors cause the one or more processors to: receive network activity data associated with a plurality of devices in a network (para. 0019 discloses the apparatus also includes a processor arranged to determine the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example), including a first device labeled as an Internet-of-Things (IoT) device and a second device labeled as a non-IoT device (fig. 7 depicted IoT device after the non-IoT, for example); extract one or more features from the network activity data, wherein the one or more features are included in a training data set (para. 0008 discloses extracting device network behavior from the generated network traffic, and determining the identity of the unknown IoT device from a list of known IoT devices by applying a selected machine learning based classifier from a set of machine learning based classifiers to analyze the device network behavior, for example); provide the training data set including the one or more features as input to a machine learning model (para. 0016 discloses network behavior of each one of the plurality of IoT devices, associating the extracted plurality of features with the corresponding identity of each one of the plurality of IoT devices, for example); and in response to the identifying of the other IoT device, apply one or more security measures to the other IoT device including banning the other IoT device form the network, isolating the other IoT device, or limiting data sent by the other IoT device (para. 0004, 0069, for example).   

Ochoa fails to explicitly disclose train the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training, use the machine learning model to identify another device in the network as another IoT device.

He discloses provide train the machine learning model using the training data set to classify unlabeled devices as IoT or non-IoT devices; after the training (para. 0012 discloses analyzing unlabeled feature vectors of consecutive communication sessions using the single session classifier of the selected machine learning based classifier to output corresponding probabilities, for example) use the machine learning model to identify another device in the network as another IoT device (para. 0030 discloses Training of a machine learning model may be performed on the wireless communication device or on another device, for example). 
Ochoa and He are analogous art because they both are directed to a machine learning process is performed using the selected machine learning model and data inputs by the wireless communication device and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of Ochoa with the specified features of He because they are from the same field of endeavor.

In view of the above, having the method of Ochoa and then given the well- established teaching of He, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention was made to modify the teachings of He with the teachings of Ochoa in order for managing machine learning using mobile devices such as mobile phone, smart phone and tablet device (HE: para. 0020). 

Pertinent Art
13.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

 Sivaraman et al. (WO 2020/118376 A1) provides communication network to generate device behavior data representing network traffic behaviours of the networked devices at different time granularities. The device behavior data is processed to classify the networked devices as IoT devices (110) and others of the networked devices as non-IoT devices (112). An IoT device type data that represent the predetermined network traffic characteristics of respective known IoT device types is accessed. The device behavior data of the IoT devices and the IoT device type data are processed to classify each of the IoT devices as a corresponding known IoT device types. The IoT device is classified as being in a corresponding operating state based on network traffic behaviours of the IoT device at different time granularities for each of the IoT devices classified as a corresponding known IoT device type.

Guedalia et al. (US 2014/0244834 A1) provide the non-IoT devices detected and registered into the IoT network at block may include barcoded devices, Bluetooth devices, RF devices, RFID tagged devices, IR devices, or any other suitable device that can communicate over a short range interface (e.g., an air interface) and that the supervisor device can observe, monitor, control, or otherwise manage. Additionally, the other physical objects that may be detected and registered into the IoT network may include non-IoT devices that do not have communication capabilities. For example, the supervisor device or other IoT devices may have appropriate scanner or reader mechanisms that can detect shapes, sizes, colors, or other observable features associated with the non-communicating physical objects to the non-communicating physical objects, which may then be registered into the IoT network. Moreover, certain IoT devices, communicating non-IoT devices, and/or non-communicating physical objects may be explicitly registered into the IoT network at block in response to a user providing a command that adds the device and/or objects to the IoT network to the supervisor device or based on other automatic detection capabilities (e.g., in response to a user placing an online order to purchase a particular object and subsequently determining that the object has been delivered to the home).

Duerk (US Patent 10,091,100 B1) provides the apparatus has a processing platform (106) which includes a virtual switch (112) which separates traffic received from endpoint devices over first network into first and second portions. The first portion of received traffic comprising internet of things (IoT) data traffic from first subset of endpoint devices identified as respective IoT endpoint devices. The second portion of received traffic comprising non-IoT data traffic from second subset of endpoint devices are not identified as respective IoT endpoint devices. The first portion of traffic is subject to one or more additional processing operations in message buffer and given additional processing operations comprises a local triggering operation. The particular message of first portion identified by local triggering operation as requiring automated local response is returned to virtual switch for delivery to local endpoint device.

Conclusion
14.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932. The examiner can normally be reached Mon.-Fri. 9:00 AM - 5:30 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





A.G.
October 20, 2022
/ABIY GETACHEW/         Primary Examiner, Art Unit 2434