Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-2, 4-11, 13-20 are presented for examination.
Response to Arguments
Applicant's arguments with respect to the claims above, filed on 07/20/2022, have been considered but are moot in view of the new ground(s) of rejection. After further search and thorough examination of the present application, claims 1-2, 4-11 and 13-20 remain rejected.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 11 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claims 1, 11 and 20, the limitation “attributes of a device in a network that are asserted by the device” is vague and indefinite. The specification does not describe how the attributes are asserted. It describes what is indicative of declarative attributes of a device [0076], but the asserting of these attributes is not explained. In the absence of a definition, the limitation is being viewed broadly as “probes” (see paragraph [062]). Appropriate corrections are required.
Dependent claims are rejected as having the same deficiencies as the claims they depend from.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 4-11 and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sivanathan (28 Jan 2020, Pages 1-161) in view of Muppala (US Pat. 7554983).
Referring to claims 1 & 20, Sivanathan teaches a method (Fig. 4.1, Pg.87) comprising:
obtaining, by a device classification service, device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device (Fig. 3.1, Pg.52, Analyzer/Classifier Obtain telemetry data of IoT devices indicative of various attributes such as quantitative behavioral attributes, include MAC address of device and behavioral attributes, such as flow volume, duration, rate, sleep time, DNS);
labeling, by the device classification service, the device with a device type, based on the device telemetry data (Table, 3.2, Fig. 3.10, Pg. 74 shows label of the device along with type of device);
detecting, by the device classification service, device type spoofing exhibited by the device (Page 137, Spoofing type can be ARP Spoofing, TCP Syn Flooding, Ping of Death and see Pg. 22 for DNS spoofing) using a model that models a relationship between the declarative attributes and the behavioral attributes (Page. 82, inference models that use flow level attributes to distinguish IoT device and non-IoT devices, classify individual type of devices and identify their states, see Pg. 117, Pg.118, for extracting telemetry and attributes and see Pg. 103 selection algorithm called Correlation-based Feature Subset (CFS) [168] with best-first searching method. CFS is a filter that uses a correlation-based heuristic to find a subset of attributes with the highest merit, i.e., attributes highly-correlated with the class, yet uncorrelated with each other); and
initiating, by the device classification service and based on the device type spoofing, a mitigation action regarding the device (Pg. 148, entropy of packet is a mitigating action based).
Sivanathan teaches IoT behavioral monitoring via Network Traffic Analysis by classifying IoT devices and non-IoT devices but expressly lacks the declarative attributes of a device in a network that are asserted by the device during a network probe of the device. 
However, Muppala teaches network traffic classification corresponding to data flows traversing a network. Furthermore, Muppala teaches declarative attributes of a device in a network that are asserted by the device during a network probe of the device (Fig. 6A, 6B, 6C, are examples of declarative attributes being probed).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Sivanathan’s classifier that takes in flow level telemetry data from a network device and processes that data using inference engines (see Fig. 4.1, Page 87) to include a network traffic classification mechanism that probes hosts or devices as taught by Muppala in order to generate alerts based on attribute based policy direct monitoring of network events and processing network traffic in order to optimally detect anomalous behavior or malicious activity thereby mitigating the risk of potential malicious actions taking place.
Referring to claim 2, Sivanathan teaches the method as in claim 1, wherein the mitigation action comprises generating a firewall rule to block the device or sending an alert (Page. 117, Flow rule per device for network traffic telemetry could include firewall rule). 
Referring to claim 4, Sivanathan teaches the method as in claim 1, wherein labeling the device with a device type, based on the device telemetry data, comprises: using the declarative attributes of the device to assign a type label to the device (Pg. 41, 84, Classification and Anomaly detection – classify type of IoT devices).
Referring to claim 5, Sivanathan teaches the method as in claim 4, wherein detecting device type spoofing by the device further comprises: using the behavioral attributes of the device as input to a machine learning classifier, to predict a predicted type label assigned to the device; and comparing the predicted type label to the type label assigned to the device (Pg. 103, In decision tree-based machine learning, the Information Gain (IG) method is used to measure the weight of various attributes in accurate prediction).
Referring to claim 6, Sivanathan teaches the method as in claim 1, wherein the relationship between the declarative attributes and the behavioral attributes comprises a probability of the declarative attributes given the behavioral attributes (Pg. 89, 126, probability for training instance).
Referring to claim 7, Sivanathan teaches the method as in claim 1, wherein the model comprises a joint conditional likelihood function trained using a neural network (see Pg. 45, authors use neural network-based deep autoencoders to detect anomalies – also see Pg. 93, 114).
Referring to claim 8, Sivanathan teaches the method as in claim 1, wherein detecting device type spoofing by the device further comprises: applying clustering to the behavioral attributes of the device, to assign the device to one or more device clusters over time (Page 113, 114, Behavioral changes detection using clustering algorithm); and detecting when the device alternates between assigned device clusters (Page, 115, 119, clustering between assigned devices clusters – Fig. 5.1, Page 120).
Referring to claim 9, Sivanathan teaches the method as in claim 1, wherein the model comprises an autoencoder that takes the behavioral attributes as input and outputs declarative attributes (Page. 88, SDN simulator).
Referring to claim 10, Sivanathan teaches the method as in claim 9, further comprising: deploying an encoder of the autoencoder for execution by a networking element in the network (Page, 45, Auto encoder), wherein the networking element uses the encoder to generate a compressed representation of the behavioral attributes of the device for inclusion in the device telemetry data to be sent to the device classification service (Pg, 21, Compressed Video).
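The comparison recited in claims 5 and 8 above, as an added example that is not part of the Office action, the application, or either cited reference: a nearest-centroid classifier (an assumption standing in for the machine learning classifier and clustering that the claims leave unspecified) predicts a type label from behavioral attributes and compares it with the declared label. All feature values, device types and function names are constructed for illustration.

```python
import math

# Constructed training telemetry per device type (not from the cited thesis):
# (flow volume in KB per hour, mean flow duration in s, DNS queries per hour).
TRAINING = {
    "camera":     [(5200, 60, 4), (4800, 55, 6), (5100, 65, 5)],
    "smart_plug": [(12, 2, 1), (15, 3, 2), (10, 2, 1)],
    "printer":    [(300, 10, 12), (350, 12, 10), (280, 9, 14)],
}

def scale(vec):
    """Log-scale features so flow volume does not dominate the distance."""
    return tuple(math.log1p(v) for v in vec)

def fit_centroids(training):
    """Return one mean behavioral vector (in log space) per device type."""
    cents = {}
    for label, rows in training.items():
        scaled = [scale(r) for r in rows]
        cents[label] = tuple(sum(col) / len(col) for col in zip(*scaled))
    return cents

def predict_type(behavior, cents):
    """Predict the type label whose centroid is nearest to the behavior."""
    x = scale(behavior)
    return min(cents, key=lambda label: math.dist(x, cents[label]))

def is_type_spoofing(declared_type, behavior, cents):
    """Claim 5 style check: declared label vs. label predicted from behavior."""
    return predict_type(behavior, cents) != declared_type

def cluster_alternations(windows, cents):
    """Claim 8 style check: count changes of assigned cluster across windows."""
    labels = [predict_type(w, cents) for w in windows]
    return sum(1 for a, b in zip(labels, labels[1:]) if a != b)

CENTROIDS = fit_centroids(TRAINING)

if __name__ == "__main__":
    # Constructed device: answers a probe as a printer but streams like a camera.
    print(is_type_spoofing("printer", (4900, 58, 5), CENTROIDS))
    # Constructed device whose behavior flips between two clusters over time.
    print(cluster_alternations([(11, 2, 1), (5000, 60, 5), (13, 3, 1)], CENTROIDS))
```
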
Referring to claim 11, Sivanathan teaches apparatus (Fig. 3.1, Page, 52, actual page # 71, Classifier), comprising: one or more network interfaces (Pg. 53, interfaces); a processor coupled to the one or more network interfaces and configured to execute one or more processes; and a memory configured to store a process that is executable by the processor (Fig. 4.1, sdn controller has a processor), the process when executed configured to:
obtain device telemetry data indicative of declarative attributes of a device in a network and indicative of behavioral attributes of that device (Fig. 3.1, Pg.52, Analyzer/Classifier Obtain telemetry data of IoT devices indicative of various attributes such as quantitative behavioral attributes, include MAC address of device and behavioral attributes, such as flow volume, duration, rate, sleep time, DNS); 
label the device with a device type, based on the device telemetry data (Table, 3.2, Fig. 3.10, Pg. 74 shows label of the device along with type of device); 
detect device type spoofing (Page 137, Spoofing type can be ARP Spoofing, TCP Syn Flooding, Ping of Death and see Pg. 22 for DNS spoofing) exhibited by the device using a model that models a relationship between the declarative attributes and the behavioral attributes (Page. 82, inference models that use flow level attributes to distinguish IoT device and non-IoT devices, classify individual type of devices and identify their states, see Pg. 117, Pg.118, for extracting telemetry and attributes and see Pg. 103 selection algorithm called Correlation-based Feature Subset (CFS) [168] with best-first searching method. CFS is a filter that uses a correlation-based heuristic to find a subset of attributes with the highest merit, i.e., attributes highly-correlated with the class, yet uncorrelated with each other); and
initiate a mitigation action regarding the device, based on the device type spoofing (Pg. 148, entropy of packet is a mitigating action based)
Sivanathan teaches IoT behavioral monitoring via Network Traffic Analysis by classifying IoT devices and non-IoT devices but expressly lacks the declarative attributes of a device in a network that are asserted by the device during a network probe of the device. 
However, Muppala teaches network traffic classification corresponding to data flows traversing a network. Furthermore, Muppala teaches declarative attributes of a device in a network that are asserted by the device during a network probe of the device (Fig. 6A, 6B, 6C, are examples of declarative attributes being probed).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Sivanathan’s classifier that takes in flow level telemetry data from a network device and processes that data using inference engines (see Fig. 4.1, Page 87) to include a network traffic classification mechanism that probes hosts or devices as taught by Muppala in order to generate alerts based on attribute based policy direct monitoring of network events and processing network traffic in order to optimally detect anomalous behavior or malicious activity thereby mitigating the risk of potential malicious actions taking place.
Referring to claim 13, Sivanathan teaches the apparatus as in claim 11, wherein the apparatus labels the device with a device type, based on the device telemetry data, by: using the declarative attributes of the device to assign a type label to the device (Pg. 41, 84, Classification and Anomaly detection – classify type of IoT devices).
Referring to claim 14, Sivanathan teaches the apparatus as in claim 13, wherein the apparatus detects device type spoofing by the device further by: using the behavioral attributes of the device as input to a machine learning classifier, to predict a predicted type label assigned to the device; and comparing the predicted type label to the type label assigned to the device (Pg. 103, In decision tree-based machine learning, the Information Gain (IG) method is used to measure the weight of various attributes in accurate prediction).
Referring to claim 15, Sivanathan teaches the apparatus as in claim 11, wherein the relationship between the declarative attributes and the behavioral attributes comprises a probability of the declarative attributes given the behavioral attributes (Pg. 89, 126, probability for training instance).
Referring to claim 16, Sivanathan teaches the apparatus as in claim 11, wherein the model comprises a joint conditional likelihood function trained using a neural network (see Pg. 45, authors use neural network-based deep autoencoders to detect anomalies – also see Pg. 93, 114).
Referring to claim 17, Sivanathan teaches the apparatus as in claim 11, wherein the apparatus detects device type spoofing by the device further by: applying clustering to the behavioral attributes of the device, to assign the device to one or more device clusters over time (Page 113, 114, Behavioral changes detection using clustering algorithm); and detecting when the device alternates between assigned device clusters (Page, 115, 119, clustering between assigned devices clusters – Fig. 5.1, Page 120).
Referring to claim 18, Sivanathan teaches the apparatus as in claim 11, wherein the model comprises an autoencoder that takes the behavioral attributes as input and outputs declarative attributes (Page. 88, SDN simulator).
Referring to claim 19, Sivanathan teaches the apparatus as in claim 18, wherein the process when executed is further configured to: deploy an encoder of the autoencoder for execution by a networking element in the network, wherein the networking element uses the encoder to generate a compressed representation of the behavioral attributes of the device for inclusion in the device telemetry data to be sent to the apparatus (see Pg. 45, authors use neural network-based deep autoencoders to detect anomalies – also see Pg. 93, 114).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The examiner also requests, when responding to this office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application. Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections. See 37 CFR 1.111(c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFTAB N. KHAN whose telephone number is (571)270-5172.  The examiner can normally be reached on Monday-Friday 8AM-5PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFTAB N. KHAN/
Primary Examiner, Art Unit 2454