Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
The instant application having Application No. 16/924,508 is presented for examination by the examiner.  Claims 1-20 are pending. Claims 1, 3, 4, 10, 12, 18, and 20 are amended.

Response to Amendment

Claim Rejections - 35 USC § 112
Claim amendments overcome the rejection under this statute.


Response to Arguments
Applicant's arguments filed 8/1/22 have been fully considered but they are not persuasive. Applicant alleges Sivanathan does not configure port forwarding policy based on network session information associated with the first device. The first device was mapped to the home gateway in the prior art. The broad term network session information can include destination IP addresses pertaining to a traffic flow that is of interest. Sivanathan specifically teaches a port forwarding request consists of data exchanges characterized by a network rule that matches the destination IP address of the home gateway and its MAC address (§ III, C). This request is sent to the home gateway. Thus, the port forwarding policy on the gateway is based on network session information (IP/MAC address of the gateway) associated with the first device. The prior art uses the network session information to detect traffic flows to/from the Internet. Sivanathan uses the IP address and MAC address of a specific IoT device (second device) as rules to monitor specific communications to a particular IoT device inside the network. The second device is identified by its IP address and MAC address (rule that matches the IP/MAC address of the device; § III, C). Based on matching this policy the analysis engine (claimed processing device) receives mirrored copies of the traffic flow to be inspected, i.e. scanned. This teaching anticipates the claimed “a scan of the second device based on the port forwarding policy,” and therefore the allegation that Sivanathan fails to disclose is unpersuasive. Respectfully, the rejection must be maintained.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1-3, 5, 6, 8-14, 16-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by NPL entitled “Low-cost flow-based security solutions for smart-home IoT devices” authored by Sivanathan et al., hereinafter Sivanathan.
As per claims 1, 10 and 18, Sivanathan teaches configuring a port forwarding policy on a first device [home gateway/router] based on network session information associated with the first device (IP/MAC address of home gateway) (§ III A & C);
identifying a second device [IoT] based on the network session information [IP/MAC address of a specific IoT device; § III, C];
performing, by a processing device, a scan of the second device [monitor Internet traffic flows to/from specific device; § III, C] based on the port forwarding policy [the policy matches, from traffic flows, rules for the IoT device which leads to decision to mirror the traffic to the analysis engine for scanning; § III, B & C]; and
storing the results of the scan [records § III B].
As per claims 2, 11, and 19, Sivanathan teaches performing an action based on the scan [installs rules, § III B].
As per claims 3, 12, and 20 Sivanathan teaches selecting the first device based on the first device performing network address translation (NAT) (§ III C), wherein the first device is communicatively coupled to the second device, and wherein the second device is configured to communicate through the first device (Fig. 2); 
accessing network session information associated with the first device, wherein the network session information comprises an address [IP address] associated with the second device (§ III C last ¶); and 
determining an identifier [MAC] associated with the second device based on the network session information (§ III C last ¶).
As per claims 5 and 13, Sivanathan teaches the first device is at least one of a router, a firewall, a switch, or a carrier grade (CG) NAT device (§ III C).
As per claims 6 and 14, Sivanathan teaches the port forwarding policy of the first device is configured using at least one of an application programming interface (API), command line interface (CLI), or a simple network management protocol (SNMP) interface (Fig. 3 and § III A).
As per claims 8 and 16, Sivanathan teaches the identifier of the second device comprises a unique identifier [private IP address of the IoT] comprising an IP address associated with the second device and an IP address associated with the first device [WAN address of the router] (Fig. 2 and SSDP scan). 
As per claims 9 and 17, Sivanathan teaches the unique identifier of the second device further comprises a media access control (MAC) address associated with the first device (§ III C and mac-gw known parameter § V – Remote access rules).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Sivanathan in view of CN 102984289 B to White et al., hereinafter White.

As per claim 4, Sivanathan teaches accessing the network session information associated with the first device (IP/MAC address of home gateway) (§ III A & C), wherein the network session information comprises an address associated with a third device [IP/MAC address of another IoT]; 
determining, with the processing device, an identifier associated with the third device based on the network session information [actual IP/MAC address of a specific IoT device; § III , C]; 
configuring an additional port forwarding policy on the first device based on the network session information associated with the first device [from traffic flows for the IoT device, the decision to mirror the traffic to the analysis engine for scanning; thus a port forwarding rule is added for this device to forward traffic;  § III, B & C]; 
performing an additional scan of the third device based on the additional port forwarding policy [monitor Internet traffic flows to/from specific device; § III, A, C]; and 
storing the results of the additional scan [records § III B]. For purposes of dependent claim 4, the steps are simply repeating the same process of claim 1 for a different IoT device on the network. Its IP/MAC address residing traffic flows to/from remote host merit further analysis.
Sivanathan is silent in explicitly teaching the second device is a NAT device. Notably, the second device’s relation to the third device is not present in the claim. It is not stated whether or not the second device is between the first device and the third. White teaches discovering mobile network devices behind multiple NATs (see abstract). The router which has a NAT inside can still obtain information about devices behind other NATs on the network (see Fig. 4 and accompanying disclosure). This shows that the gateway router of Sivanathan could have monitored IoT devices behind NATs and still provided the protection and analysis for traffic flows to them. The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Sivanathan in view of USP Application Publication 2018/0234266 to Rudolph et al., hereinafter Rudolph.
As per claims 7 and 15, Sivanathan does not explicitly teach determining an operating system (OS) of the second device based on the network session information.  Sivanathan already teaches that the IoT devices send an XML file describing their functionalities (under SSDP scan section).  Rudolph teaches including the OS of the IoT device in the metadata (0134).  Including the OS in the XML is obvious and does not produce any unpredictable results.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  




Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431