DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
      Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 06/16/2022 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner. 
Response to Arguments
Applicant’s arguments, see Remarks, filed 08/30/2022, with respect to the rejection(s) of independent claims 1, 8 and 15 under 35 USC § 103 have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 7-12 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2016/0248746 A1 to James et al. (hereinafter “James”), and further in view of US-PGPUB No. 2019/0387011 A1 to Du et al. (hereinafter “Du”)
Regarding claim 1:
James discloses: 
A computer-implemented method for provisioning an Internet of Things (IoT) device (¶11: “… a computer-implemented method for establishing trust in a device when provisioning the device.”), the method comprising: 
receiving, at a device provisioning system (¶27: “… Internet of Things (IoT) system 100 …”), an event schema for the IoT device (¶12: “… determining distinguishing information associated with a first device in response to a first provisioning request …”), wherein the event schema includes one or more event types collected by the IoT device (¶125: “The distinguishing information may be any information that is consistent with distinguishing between the authorization templates 940 included in the authorization template database 930”); 
comparing (¶115: “The device profile query 920 performs matching operations …”) the one or more event types from the event schema with a plurality of combinations of one or more event types in a device type schema list (¶115: “… authorization template database 940.”) to identify a match between the one or more event types in the event schema from the IoT device and one of the plurality of combinations of one or more event types in the device type schema list (¶115: “The device profile query 920 performs matching operations between the distinguishing information and device profiles … included in the authorization template database 940. Each device profile is associated with one or more of the authorization templates 940. Each of the authorization templates 940 includes one or more authorizations that specify types of interactions that are permitted for the IoT devices 150 that match the corresponding device profile.”); 
provisioning the IoT device with validated credentials based on the assigned device type (¶123: “…  the authorization authority … receives an authorization credential request … for provisioning the authorization credentials … onto the IoT device …”, and  
¶47: “… the distinguishing information may be or a function of the IoT device … on the network … or a device type (e.g., controller) associated with the IoT device …”); and 
However, James does not explicitly disclose the following limitations taught by Du:
in response to identifying a match, assigning a device type to the IoT device (Du, ¶106: “The IoT device profiling engine 716 can detect whether an IoT device profile exists in the IoT device profiles datastore 708 for the IoT device …”) based on a correlation in the device type schema list for the device type and the matched combination of one or more event types (Du, ¶106: “… based on actual behavior derived from activity data structures in the IoT device activity instances datastore 704 and feature values determined by the IoT device personality definition engine 702”); 
Updating the device type schema list based on the received event schema for the iot device (Du, ¶102: “The IoT device personality definition engine 702 … defines a personality of an IoT device using activities associated with the IoT device from the IoT device activity instances datastore 704 and domain knowledge from the domain knowledge datastore 706 … facilitates profiling of an IoT device by creating, reading, updating, and/or deleting (CRUDing) IoT device profile data structures in the IoT device profiles datastore 708.”, see Fig. 7 for an IoT device profiling system). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of James to incorporate the functionality of the IoT device personality definition engine to define a personality of an IoT device using activities associated with the IoT device and be able to perform creating, reading, updating and/or deleting operations of the IoT device profile data structures in the IoT device profiles datastore, as disclosed by Du, such modification would allow the system to create and/or update IoT device profiles during IoT device controller failures, or when accidental loss of device profiles occurs.
Regarding claim 2:
The combination of James and Du disclose: 
The computer-implemented method of claim 1, wherein provisioning the IoT device comprises: 
sending the assigned device type to an IoT platform (James ¶110-111: “… the IoT device transmits an authorization credential request … to the authorization authority … The authorization credential request … includes identifying information for the IoT device …  and requests the authorization credential … for the IoT device … Upon receiving the authorization credential request … the authorization credential engine … verifies the identity of the IoT device … the authorization authority … may implement the device identification engine … to establish trust in the IoT device …”, and ¶114: “… the authorization credential engine … determines distinguishing information that is associated with the IoT device … the distinguishing information may be … a device type (e.g., controller).”); and
receiving, from the IoT platform, the validated credentials for the IoT device (James ¶121: “… the authorization authority … transmits the authorization credential … to the IoT device … for installation onto the IoT device … The IoT device … may install the authorization credential … the IoT device … may store the authorization credential …”).
Regarding claim 3:
The combination of James and Du disclose: 
The computer-implemented method of claim 1, wherein receiving the event schema comprises receiving the event schema together with a provisioning request and credentials hardcoded in the IoT device (James ¶80: “… the manufacturer of the IoT device … may provision the EPID private key … onto the IoT device … during the device manufacturing process.”,  
¶76: “… each of the EPID private keys … may be associated with a single EPID public key …”, and ¶125: “The authorization credential engine … identifies distinguishing information that is associated with the IoT device … The distinguishing information may be any information that is consistent with distinguishing between the authorization templates … the distinguishing information may be the Enhanced Privacy Identification (EPID) public key … “, and see also FIGURE 10).  
Regarding claim 4:
The combination of James and Du disclose:
The computer-implemented method of claim 1, wherein receiving the event schema for the IoT device comprises receiving the event schema from an IoT platform P201808100US01Page 26 of 32which forwarded the event schema from the IoT device to the device provisioning system (James p121: “… the authorization authority … transmits the authorization credential … to the IoT device … for installation onto the IoT device … the IoT device … may store the authorization credential … in the memory … and prevent any other IoT device … from reading the memory …”).  
Regarding claim 7:
The combination of James and Du disclose:
The computer-implemented method of claim 1, further comprising validating credentials of the IoT device at the device provisioning system (James ¶136: “… the provisioning service identifies an authentication item that is associated with the provisioning request … the provisioning service performs verification operations based on the authentication item. … if the authentication item is a digital signature that is signed using an EPID private key, then the provisioning service may validate the digital signature using a corresponding EPID public key.”). 
Regarding claim 9: 
The combination of James and Du disclose: 
The device provisioning system of claim 8, wherein the processor is configured to validate credentials of the IoT device (James ¶110: “…  the authorization credential engine … verifies the identity of the IoT device …”). 
Regarding claims 8 and 10-12:
Claims 8 and 10-12 substantially recite the same limitations as claims 1 and 2-4, respectively, in the form of a device implementing the corresponding method, therefore they are rejected under the same rationale. 
Regarding claims 15 and 17-18:
Claims 15 and 17-18 substantially recite the same limitations as claims 1 and 2-3, respectively, in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore they are rejected under the same rationale. 
Regarding claim 16:
Claim 16 substantially recites the same limitation as claim 9 in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore it is rejected under the same rationale.
Claims 5, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over James, Du and further in view of US-PGPUB No. 2021/0193334 A1 to Turrin et al. (hereinafter “Turrin”)
Regarding claim 5:
The combination of James and Du discloses the computer-implemented method of claim 1, but failed to explicitly disclose the following limitations taught by Turrin: 
 in response to not identifying a match, forwarding credentials received from the IoT device to a device manufacturer of the IoT device (Turrin ¶50: “If a model is not found, a lean device is created … and a model is requested … a request for a model is transmitted to the manufacturer of the IoT device.”); 
receiving a device type for the IoT device from the device manufacturer (Turrin ¶50: “… in response to the request, a manufacturer can provide a model for the IoT device …”); and 
updating the device type schema based on the event schema for the IoT device and the device type received from the device manufacturer (Turrin ¶51: “… the digital twin can be updated with data provided in the received IoT data.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of James and Du to incorporate the functionality of the process to transmit a request for a model to the manufacturer of the IoT device, as disclosed by Turrin, such modification would allow the system to provision the IoT device when a match is not found within the template database. 
Regarding claim 13:
Claim 13 substantially recites the same limitation as claim 5 in the form of a device implementing the corresponding method, therefore it is rejected under the same rationale. 
Regarding claim 19:
Claim 19 substantially recites the same limitation as claim 5 in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore it is rejected under the same rationale. 
Claims 6, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over James, Du and further in view of US-PGPUB No. 2018/0316511 A1 Meyer et al. (hereinafter “Meyer”)
Regarding claim 6:
The combination of James and Du discloses the computer-implemented method of claim 1, but failed to explicitly disclose the following limitations taught by Meyer: 
logging receipt of the event schema for the IoT device in a provisioning log (Meyer ¶102-103: “… the provisioning controller … may determine that the device … is authorized by verifying against previously stored information its database … then the provisioning controller … stores the installation status data with the log information associated with the device …”, and  
¶106: “… the provisioning controller … continues the audit trail or audit log for all of the system … activities associated with each particular device …”); 
logging a schema statement for the identified match in the provisioning log (Meyer ¶102-103: “… the provisioning controller … may determine that the device … is authorized by verifying against previously stored information its database … then the provisioning controller … stores the installation status data with the log information associated with the device …”, and  ¶106: “… the provisioning controller … continues the audit trail or audit log for all of the system … activities associated with each particular device …”); and 
logging provisioning of the IoT device without logging the validated credentials (Meyer ¶57: “… produce audit logs, records, reports, and the like, of the secure provisioning process, which may be used to analyze and resolve later-discovered problems.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of James and Du to incorporate the functionality of the provisioning controller to log all system activities associated with the onboarding process of an IoT device, as disclosed by Meyer, such modification would allow the system to store valuable log information for purposes of failure recovery, and mitigation of security issues, where the logs can be analyzed to resolve such discovered problems. 
Regarding claim 14:
Claim 14 substantially recites the same limitation as claim 6 in the form of a device implementing the corresponding method, therefore it is rejected under the same rationale. 
Regarding claim 20:
Claim 20 substantially recites the same limitation as claim 6 in the form of a computer readable storage medium to store instructions that are executed by the corresponding method, therefore it is rejected under the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Wood (US-PGPUB No. 2020/0162556-A1)- disclosed systems and methods that enhance the ability of IoT Application Platforms and IoT devices, while reducing the need for bandwidth and operation and management of point-to-point communications between each IoT Application Platform with each registered IoT device for providing a particular IoT service or informational update to that IoT device, addressing the IoT device operational data updates as required for the IoT device to perform the IoT services and operations. 
Swierk et al. (US-PGPUB No 2018/0234326-A1)- disclosed systems and methods described herein may augment or enhance the identity of a device by measuring various hardware and software-based interactions with it and tracking them over time to establish a pattern of device characteristics and behavior. Once the behavioral pattern is established, then deviations from that pattern may be detected and preventive and corrective actions taken to protect against malicious behavior.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/M.H./Examiner, Art Unit 2491           

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491