DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 6/09/2021, 11/18/2021, 1/20/2022, 3/01/2022, 4/14/2022, 5/17/2022, 7/11/2022, 7/31/2022, 8/03/2022, and 9/20/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Continuation
This application is a continuation application of US 16/538,787 (filed on Aug. 12, 2019 – now US Patent No. 11,087,005), which is a continuation application of US 15/357,989 (filed on Nov. 21, 2016 – now US Patent No. 10,380,348). The prosecution history and references cited in the above applications have been fully considered.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 11-20 of US Patent No. 10,380,348 and claims 1 and 10-18 of US Patent No. 11,087,005. Although the claims at issue are not identical, they are not patentably distinct from each other because claims of the conflicting patents contain every element of claims 1-19 of the instant application and thus anticipates the claims of the instant application. Therefore, claims 1-19 of the instant application are not patentably distinct from the earlier patent claims and is unpatentable over obvious-type double patenting. “A later patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001). 
	For example, see the following comparison table between several corresponding claims:
Instant application (17/342,950)
Conflicting patent (10,380,348)
1. A system, comprising: 
11. A system comprising: 
a processor configured to:…and a memory coupled to the processor and configured to provide the processor with instructions.
one or more hardware processors; and memory storing instructions that, when executed by the one or more hardware processors, cause the system to perform:
analyze data packets transmitted to and from the IoT device; determine a risk level of the IoT device based at least in part on the data packet analysis;
analyzing data packets transmitted to and from an IoT device in operation of the IoT device in accessing network services through a network;
determine an Internet of Things (IoT) device profile applicable to an IoT device;
profiling the IoT device into an IoT device profile based on analysis of the data packets transmitted to and from the IoT device in operation of the IoT device in accessing the network services;

extracting IoT device risk factors from the IoT device profile; selecting assessment weights specific to the IoT device risk factors and specific to the IoT device based on characteristics of the network to apply in assessing a risk level of the IoT device;

applying the assessment weights to the IoT device risk factors according to specificity of the assessment weights to the IoT device risk factors to generate a risk score for the IoT device;
determine that the risk level exceeds a threshold and take a remedial action in response;
assessing the risk level of the IoT device based on the risk score; preventing the IoT device from accessing the network services through the network based on the risk score.


Instant application (17/342,950)
Conflicting patent (10,380,348)
1. A system, comprising:
10. A system comprising:
a processor configured to:…and a memory coupled to the processor and configured to provide the processor with instructions.
one or more hardware processors; and memory storing instructions that, when executed by the one or more hardware processors, cause the system to perform:
determine an Internet of Things (IoT) device profile applicable to an IoT device;

analyze data packets transmitted to and from the IoT device; 
analyzing data packets transmitted to and from a plurality of Internet of Things (IoT) devices; and for a first IoT device included in the plurality of IoT devices: 

generating one or more of an event log, a system log, and an access log for the first IoT device based on the analysis of data packets transmitted to and from the first IoT device;

creating a historical record for the first IoT device using the one or more of the event log, the system log, and the access log;

clustering, by an IoT device clustering engine, the first IoT device into a set of IoT devices that all share at least a first common clustering factor related to at least one of (1) a characteristic of the IoT devices in the set or (2) a characteristic of operation of the IoT devices in the set, wherein the set of IoT devices includes at least a second IoT device that is different from the first IoT device;

profiling, by an IoT device profiling engine, the first IoT device into an IoT device profile based at least in part on the historical record of the first IoT device and a result of the IoT device clustering engine;

extracting IoT device risk factors from the IoT device profile; assigning assessment weights to the IoT device risk factors;

applying the assessment weights to the IoT device risk factors to determine a risk score for the first IoT device, including by determining an operational performance deviation of the first IoT device based at least in part on a device profile of the second IoT device;
determine a risk level of the IoT device based at least in part on the data packet analysis; 
assessing a risk level of the first IoT device based on the risk score;
determine that the risk level exceeds a threshold and take a remedial action in response;
and presenting the risk level of the first IoT device as part of risk assessment data to a user associated with the first IoT device if the risk level is above a threshold.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
For step 1, a claim is determined whether it falls within one of the four statutory categories. Claims 1-18 are directed to a “system” comprising of a “processor” and “memory”, and claim 19 is directed to a “method”. Therefore, claims 1-19 fall within at least one of the statutory categories of invention and passes step 1.
For step 2A (Prong One), a claim is determined whether it recites an abstract idea, law of nature, or natural phenomenon. Independent claims 1 and 19 recite limitations for:
 “analyzing data packets…”;
“determine a risk level of the IoT device…”;
“determine that the risk level exceeds a threshold…”
However, the limitations fail to recite elements that would preclude them from being practically performed in the mind, or with pen/paper, under broadest reasonable interpretation. Limitation [A] is directed to “analyzing” data without any further context. The extent of how the data packets are analyzed is not clearly recited. The properties of data packets can be presented in various ways. For example, a human examining at a printout of what was included in a header of a data packet can be reasonably viewed as “analyzing data packets”. Limitations [B] and [C] also fail to recite further steps to what is included in the actual determination process. Like limitation [A], a human can mentally judge a “risk level” of an IoT device from supporting data. Limitation [C] is a simple comparison step that can be performed in the mind, e.g. comparing if a numerical value is larger or smaller than another numerical value. Thus, the independent claims present at least one limitation that falls within the “Mental Processes” and/or “Certain Method of Organizing Human Activities” grouping of abstract ideas. Accordingly, the independent claims recite an abstract idea. 
For step 2A (Prong Two), a claim is determined whether it recites additional elements that integrate the judicial exception into a practical application. In other words, step 2A (Prong Two) seeks to determine if the claim as a whole presents an inventive concept. See MPEP 2106.04(d).  The additional elements are:
“determine an Internet of Things (IoT) device profile…”;
“…take a remedial action in response”;
Various recitations of computer components performing the steps (e.g. a “processor” and “a memory”).
However, these elements fail to add something more meaningful to the judicial exception as generic computer components – e.g. a “processor” in claim 1 – are used to apply the exception. See MPEP 2106.05(f). For example, consider the arithmetic operation of “2 + 2”, which is an operation that can be performed mentally. Using a processor to perform the arithmetic operation does not make it more meaningful or an inventive concept. Furthermore, the additional elements amount to insignificant extra-solution activities, such as mere data gathering (e.g. limitation [D]) and performing post-solution activities (e.g. limitation [E]). See MPEP 2106.05(g). Thus, the independent claims fail to present enough elements to integrate the abstract idea into a practical application. Accordingly, the independent claims are directed to an abstract idea.
For step 2B, a claim is determined whether any elements, or combination of elements, are enough to ensure that the claims amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements to perform the steps amounts to no more than mere instructions to apply the exception using a generic computer component. Since these elements are recited at a high level of generality, such that they can be represented as ordinary computer systems. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Having a computer system with a processor to perform such elements does not instantly preclude it from mental activities if the act itself is presented in a generic/abstract manner – it would be mere instructions to apply an exception (see MPEP 2106.05(f)). Hence, the independent claims are not patent eligible.

Dependent Claims: The dependent claims fail to provide meaningful features to be more than the exception. For example, dependent claims 3 and 4 further define what is included in the device profile without further providing any additional context of its importance in the claimed process. Dependent claim 7 further recites a “determine” step that is mere data comparison. Dependent claim 13 further defines the risk level determination by “evaluating a set of risk factors”. Again, similar to limitations [B] and [C], there is a significant lack of context to how the evaluation is achieved to be considered meaningful and beyond mental activities. Thus, the dependent claims further to add more to the claimed invention and provide a clear inventive concept to the rest of the independent claims.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-11 and 17-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by 2017/0118240 to Devi Reddy et al. (hereinafter, “Devi” – cited in the IDS filed 11-18-2021),
As per claim 1: Devi discloses: A system, comprising (a security analytics system [Devi, ¶0026]): a processor configured to (the system is executed by a machine that includes memory and a processor [Devi, ¶¶0131-0136; Fig. 11]): determine an Internet of Things (IoT) device profile applicable to an IoT device (building machine-learned models of the behavior of entities, wherein the models are built from features of structured data collected and formatted from raw data of the entities [Devi, ¶0030]; entities include client devices 100, wherein client devices can be IoT appliances [Devi, ¶¶0027, 0132]); analyze data packets transmitted to and from the IoT device (collecting data of an entity, including network traffic [Devi, ¶0038]); determine a risk level of the IoT device based at least in part on the data packet analysis (using the machine-learned model to generate a threat score based on features of the collected data  [Devi, ¶¶0075, 0090-0092]); determine that the risk level exceeds a threshold and take a remedial action in response (determine if the threat score exceeds a threat score threshold and performing a course of action to take regarding the security threat [Devi, ¶0098]); and a memory coupled to the processor and configured to provide the processor with instructions (the system is executed by a machine that includes memory and a processor [Devi, ¶¶0131-0136; Fig. 11]).

As per claim 2: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein determining the IoT device profile includes analyzing one or more characteristics of how the IoT device functions in accessing a network service (the collected raw data includes a user access control log [Devi, ¶0062]).

As per claim 3: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein the IoT device profile includes one or more characteristics of the IoT device (the machine-learned model describes a type of entity [Devi, ¶0090]).

As per claim 4: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein the IoT device profile includes one or more characteristics of how the IoT device functions in operation (machine-learned models are used to determine behavior of entities [Devi, ¶0091]).

As per claim 5: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein the processor is further configured to cluster a plurality of IoT devices together (identifying relationships and/or memberships, such as a server being a member of a cluster with other servers [Devi, ¶0069]).

As per claim 6: Devi discloses all limitations of claim 5. Furthermore, Devi discloses: wherein the processor is further configured to associate a plurality of IoT device profiles together based at least in part on the cluster (an entity can refer to a group of devices [Devi, ¶0027]; a machine-learned model is generated for each entity [Devi, ¶0090]).

As per claim 7: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein the processor is further configured to determine an operational performance deviation of a particular instance of the IoT device at least in part by using a plurality of other instances of the IoT device (using timestamps or timeframes associated with entities as part of the collected data when formatting the data for analysis [Devi, ¶¶0065-0066; 0071-0072]).

As per claim 8: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein determining the IoT device profile includes matching the IoT device to an existing device profile (applying machine-learned model, wherein the models were previously generated for each entity using historical data [Devi, ¶¶0090]).

As per claim 9: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein determining the IoT device profile includes generating a new IoT device profile (models are updated on a regular basis [Devi, ¶0117]).

As per claim 10: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein determining the IoT device profile includes passively observing the IoT device (collecting raw data about the entities by intercepting network communications [Devi, ¶0056], wherein the raw data is formatted into structured data to generate features for building the machine-learned models [Devi, ¶¶0061, 0090]).

As per claim 11: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein determining the IoT device profile includes actively probing the IoT device (collecting forwarded raw network traffic [Devi, ¶0038]; various raw data of the entity that are collected include hardware events, system state information, file system information, operating system event logs – all system events of the entity itself [Devi, ¶0039-0043]).

As per claim 17: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein taking the remedial action includes generating an alert that a single IoT device has the risk level that exceeds the threshold (alerting a network administrator to the security threat [Devi, ¶0098]).

As per claim 18: Devi discloses all limitations of claim 1. Furthermore, Devi discloses: wherein determining that the risk level exceeds the threshold includes determining that a plurality of IoT devices have respective risk levels above respective thresholds (using threat scores from other machine-learned models to generate a threat score for a current entity [Devi, ¶0092]; using threat score threshold to determine if a security threat is present [Devi, ¶0097]).

As per claim 19: Claim 19 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 19. Claim 19 is directed to a method corresponding to the function of the system of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 19.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Devi in view of US 2017/0230402 to Greenspan et al. (hereinafter, “Greenspan”)
As per claim 12: Devi discloses all limitations of claim 1. Devi does not disclose the features of claim 12. However, Greenspan discloses: wherein at determining the risk level includes evaluating a set of risk factors (an automated method for risk assessment of IoT devices [Greenspan, ¶0036]; risk assessment is performed on the source or any context of the source, such as factors related to the sensitivity of the data type [Greenspan, ¶0041]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was first effectively filed to incorporate risk assessment in part of the security assessment of entities in Devi. Greenspan would have provided a method to score and manage risk associated with IoT devices. In addition, with the need in the marketplace for data risk assessment in an IoT environment [Greenspan, ¶0005], such methods in Greenspan would have complemented protecting IoT devices similarly discussed in Devi.

As per claim 13: Devi in view of Greenspan disclose all limitations of claim 12. The same reasons for incorporating Greenspan with Devi in claim 12 is also applicable for claim 13. Therefore, Devi in view of Greenspan disclose: wherein the risk factors have one or more associated assessment weights (risk assessment may weight a number of contextual elements [Greenspan, ¶0041]).

As per claim 14: Devi in view of Greenspan disclose all limitations of claim 12. The same reasons for incorporating Greenspan with Devi in claim 12 is also applicable for claim 14. Therefore, Devi in view of Greenspan disclose: wherein at least one risk factor comprises a risk posed by the IoT device using an application in accessing a network service (providing API transaction risk assessment from an application [Greenspan, ¶0022]).

As per claim 15: Devi in view of Greenspan disclose all limitations of claim 13. The same reasons for incorporating Greenspan with Devi in claim 12 is also applicable for claim 15. Therefore, Devi in view of Greenspan disclose: wherein at least one assessment weight is based at least in part on a network characteristic (risk assessment my weight a number of contextual elements or data to return a risk score, wherein contextual elements include source information, device location, device ID, etc. [Greenspan, ¶¶0040-0041]).

As per claim 16: Devi in view of Greenspan disclose all limitations of claim 13. The same reasons for incorporating Greenspan with Devi in claim 12 is also applicable for claim 16. Therefore, Devi in view of Greenspan disclose: wherein at least one assessment weight is based at least in part on an operational performance deviation of the IoT device (deviations from normal operations can affect risk score assessment [Greenspan, ¶0088]; as disclosed in [Greenspan, ¶0040], data is weighted for analysis in the risk assessment).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        11-16-2022