DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Reopening of Prosecution After Appeal Brief
In view of the appeal brief filed on 4/25/2019, PROSECUTION IS HEREBY REOPENED.  New grounds of rejection are set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:

Response to Arguments 
Applicant’s arguments, see Applicant’s response, filed 08/16/2022, with respect to the rejection(s) of claim(s) 1-20 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made using Savalle (US 20200136937 A1) in view of Vasters (US 20180241781 A1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Savalle (US 20200136937 A1) in view of Vasters (US 20180241781 A1).

Regarding Claim 1

Savalle teaches:

A computing apparatus, comprising: a hardware platform comprising a processor and a memory; 

a network interface to communicatively couple to a network (¶51 FIG. 4 is a device classification service 408 that may be hosted on one or more of networking devices 406 (networking interface coupled to the network); and 

a network gateway engine to identify devices on the network (¶51 identify the device type 412 of endpoint device 402), the network gateway engine comprising instructions encoded within the memory to instruct the processor to provide two-phase identification for a device (¶64 dynamic device profiling (phase two identification), ¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase) which is the first of the two phase identification), report telemetry data for that device for a fixed duration of time (dynamic identification phase) which is the second of the two phase identification), comprising: a static identification phase comprising sending a discovery probe to the device ( ¶54 ¶66 ¶63 service may even trigger active scanning of the network and SNMP scanning (static identification phase), to retrieve the MAC address of the device or other types of information.  probes allows for the gathering of a rich set of information that can be used for device profiling (probing for information after the scanning) A degree of confidence can also be assigned to any such device type classifications, ¶64 dynamic device profiling (phase two identification), ¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase).; and 

a dynamic identification phase comprising collecting network telemetry for the device over time (¶65-66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase) and

Savalle does not teach:

and receiving from the device self-reported identifying data in response to the discovery probe;

analyzing the collected network telemetry to determine if the network telemetry is consistent with an expected network usage for the device; 

the instructions further to, based at least in part on determining that the network telemetry is inconsistent with the expected network usage for the device, determine that the self-reported identifying data are false, and take a security action against the device.


Vasters teaches:

and receiving from the device self-reported identifying data in response to the discovery probe (¶17 multiple agents (discovery probe) on various IoT devices can be used to collect various types of data (self reported) which can then be used conjunctively to form a more holistic model of device operation, and intrusion, ¶55 all of the IoT devices have a software data collection agent deployed on the IoT device to collect environmental and/or internal state data from the IoT devices.);

analyzing the collected network telemetry to determine if the network telemetry is consistent with an expected network usage for the device (¶66 the determination at step 427 includes behavioral pattern matching between the received environmental/telemetry data received over time and at least one reference signal in the set of reference signals in the security rules (expected network usage of device), ¶57 once any of these attacks occur, a violation of the set of rules should occur in one example since the data collected from the devices will then be contrary to the model. The model may include one or more patterns for the telemetry data,

¶58 the set of security rules may be violated if one or more of the data elements is outside of an expected range (expected network usage)

¶59  golden image may reflect normal behavior of the IoT devices in normal operating conditions absent any intrusion or security threat, If, based on the received IoT data, some aspects differ from the golden image, the set of rules might be considered to be violated depending on other data); 

the instructions further to, based at least in part on determining that the network telemetry is inconsistent with the expected network usage for the device, determine that the self-reported identifying data are false, and take a security action against the device (¶68 if a match is placed directly under a temperature sensor, the resulting rise in temperature can be determined as implausible at step 427, so that there is no false detection of a fire. Similarly, if the temperature is detected to be exactly 80.0 degrees over a long period of time, with no variation at all, this may be detected as implausible (the self-reported identifying data are false) because temperature would normally vary by slight amounts over time, such as being 80.0 degrees at one moment and 80.1 degrees at another, 

¶18 the resulting model is used to detect security threats such as intrusions, invalid data, and/or tampering

¶87 defective devices may be blacklisted so that data from defective devices are not used in the future (take a security action against the device)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Savalle in light of Vasters in order to provide a system to monitor, detect and mitigate security threats to IoT devices, including security threats caused by invalid data, using telemetry data (Vasters ¶4).

Regarding Claim 2

Savalle-Vasters teaches:

 The computing apparatus of claim 1.

Savalle teaches:

The computing apparatus of claim 1, wherein the network gateway engine is a home gateway engine, and wherein the network is a home network (¶15 local area networks (LANs), ¶51 FIG. 4 is a device classification service 408 (gateway engine) that may be hosted on one or more of networking devices 406 to identify the device type 412 of endpoint device 402).


Regarding Claim 3

Savalle-Vasters teaches:

 The computing apparatus of claim 1.

Savalle teaches:

The computing apparatus of claim 1, wherein the instructions are further to determine that the device has provided a certified identification, and to forego the two-phase identification (¶52 classification of endpoint device 402 by service 408 can also, in some embodiments, be of varying specificity, depending on the telemetry data 410 available to service 408 and/or its degree of confidence in a particular classification, device classification service 408 may determine, with a high degree of confidence, that endpoint device 402 is an Apple iPhone, ¶86 telemetry data collection which can be governed by various factors such as a confidence measurement for the device type classifier of device classification service 408).

Regarding Claim 4

Savalle-Vasters teaches:

 The computing apparatus of claim 1.

Savalle teaches:

The computing apparatus of claim 1, wherein the instructions are further to reconcile results from the static identification phase and the dynamic identification phase (¶52 device classification service 408 may determine, with a high degree of confidence, that endpoint device 402 is an Apple iPhone, but may or may not be able to determine whether device 402 is an iPhone 5s or an iPhone 6, ¶63 service may even trigger active scanning of the network and SNMP scanning (static identification phase), to retrieve the MAC address of the device or other types of information. probes allows for the gathering of a rich set of information that can be used for device profiling, A degree of confidence can also be assigned to any such device type classifications, ¶64 dynamic device profiling (phase two identification), ¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase)).

Regarding Claim 5

Savalle-Vasters teaches:

 The computing apparatus of claim 4.

Savalle teaches:

The computing apparatus of claim 4, wherein reconciling comprises determining that the static identification phase yielded no result or a low-confidence result, and applying results from the dynamic identification phase (¶52 classification of endpoint device 402 by service 408 can also, in some embodiments, be of varying specificity, depending on the telemetry data 410 available to service 408 and/or its degree of confidence in a particular classification, device classification service 408 may determine, with a high degree of confidence, that endpoint device 402 is an Apple iPhone, ¶63 degree of confidence can also be assigned to any such device type classifications, ¶46 the telemetry reporting mechanism may further control the reporting, based on the nature of telemetry, volume of data, duration of data collection according to the confidence of classification).

Regarding Claim 6

Savalle-Vasters teaches:

 The computing apparatus of claim 4.

Vasters teaches:

The computing apparatus of claim 4, wherein reconciling comprises determining that the static identification phase yielded inconsistent results, determining that at least one result from the dynamic identification phase matches at least one of the inconsistent results, and selecting the at least one matching result (¶79 The behavior matching may be used to detect implausibility both for the purpose of detecting intentional spoofs and other similar attacks, as well as detecting defective devices that are giving false readings. In some examples, a plausibility score may be generated based on comparing the received telemetry with the reference model, and the determination at step 427 is positive if the plausibility score exceeds a particular threshold).

Regarding Claim 7

Savalle-Vasters teaches:

 The computing apparatus of claim 4.

Vasters teaches:

The computing apparatus of claim 4, wherein reconciling comprises determining that the static identification phase yielded inconsistent results, determining that no results from the dynamic identification phase match any of the inconsistent results, and marking the device as suspicious (¶79 The behavior matching may be used to detect implausibility both for the purpose of detecting intentional spoofs and other similar attacks, as well as detecting defective devices that are giving false readings. In some examples, a plausibility score may be generated based on comparing the received telemetry with the reference model, and the determination at step 427 is positive if the plausibility score exceeds a particular threshold (if below threshold, device is not trusted))

Regarding Claim 8

Savalle-Vasters teaches:

 The computing apparatus of claim 4.

Vasters teaches:

The computing apparatus of claim 4, wherein reconciling comprises determining that the static identification phase yielded consistent and high-confidence results, determining that the dynamic identification phase yielded high-confidence results that substantially match the consistent and high-confidence results of the static identification phase, and marking the device as trusted suspicious (¶80 the more trust can be established on the behavioral observation ¶79 The behavior matching may be used to detect implausibility both for the purpose of detecting intentional spoofs and other similar attacks, as well as detecting defective devices that are giving false readings. In some examples, a plausibility score may be generated based on comparing the received telemetry with the reference model, and the determination at step 427 is positive if the plausibility score exceeds a particular threshold (marking the device as trusted suspicious)).


Regarding Claim 9

Savalle-Vasters teaches:

 The computing apparatus of claim 4.

Vasters teaches:

The computing apparatus of claim 4, wherein reconciling comprises determining that the static identification phase yielded consistent and high-confidence results, determining that the dynamic identification phase yielded high-confidence results that do not match the consistent and high-confidence results of the static identification phase, and marking the device as suspicious (¶79 The behavior matching may be used to detect implausibility both for the purpose of detecting intentional spoofs and other similar attacks, as well as detecting defective devices that are giving false readings. In some examples, a plausibility score may be generated based on comparing the received telemetry with the reference model, and the determination at step 427 is positive if the plausibility score exceeds a particular threshold (high-confidence results)).
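The reconciliation cases recited in claims 5 through 9 read together as one decision procedure; the Python below is an added illustration of that procedure and is not code from the application, from Savalle or from Vasters. Its names, the 0.8 confidence threshold, the reading of "substantially match" as same type and manufacturer, and the "trusted" outcome used for the claim 8 case are assumptions, as are the two branches the claims do not recite.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

HIGH_CONFIDENCE = 0.8  # assumed threshold; the Office action gives no number


@dataclass(frozen=True)
class Identity:
    """The {type, manufacturer, model} tuple recited in claim 15."""
    type: str
    manufacturer: str
    model: str


@dataclass(frozen=True)
class Result:
    source: str        # e.g. "mdns", "upnp", "http_ua", "dhcp_opt55", "telemetry"
    identity: Identity
    confidence: float  # 0.0 .. 1.0


class Verdict(NamedTuple):
    identity: Optional[Identity]
    status: str        # trusted | identified | provisional | suspicious | unknown
    rule: str          # which claim (or assumed branch) produced the verdict


def family(identity):
    # Assumed meaning of "substantially match": type and manufacturer agree,
    # the model may differ (compare the iPhone 5s / iPhone 6 remark in ¶52).
    return (identity.type.lower(), identity.manufacturer.lower())


def best(results):
    return max(results, key=lambda r: r.confidence)


def reconcile(static, dynamic):
    """Reconcile static (probe) results with dynamic (telemetry) results."""
    strong_static = [r for r in static if r.confidence >= HIGH_CONFIDENCE]
    strong_dynamic = [r for r in dynamic if r.confidence >= HIGH_CONFIDENCE]

    # Claim 5: static phase gave nothing, or only low-confidence results.
    if not strong_static:
        if not dynamic:
            return Verdict(None, "unknown", "assumed: no result in either phase")
        return Verdict(best(dynamic).identity, "provisional", "claim 5")

    families = {family(r.identity) for r in strong_static}
    if len(families) > 1:
        # Static phase is inconsistent: the probes disagree with each other.
        seen = {family(r.identity) for r in dynamic} & families
        if seen:
            # Claim 6: keep the self-reported result that telemetry corroborates.
            backed = [r for r in strong_static if family(r.identity) in seen]
            return Verdict(best(backed).identity, "identified", "claim 6")
        # Claim 7: nothing observed on the wire supports any self-report.
        return Verdict(None, "suspicious", "claim 7")

    claimed = best(strong_static).identity
    if not strong_dynamic:
        # Not recited in claims 5-9; assumed: keep the provisional identity.
        return Verdict(claimed, "provisional", "assumed: awaiting telemetry")
    if family(best(strong_dynamic).identity) == family(claimed):
        return Verdict(claimed, "trusted", "claim 8")
    # Claim 9: confident self-report contradicted by confident telemetry.
    return Verdict(claimed, "suspicious", "claim 9")


# Constructed sample data (hypothetical vendors and models).
CAM = Identity("camera", "ExampleCam", "C1")
CAM_OTHER_MODEL = Identity("camera", "ExampleCam", "C2")
PRINTER = Identity("printer", "ExamplePrint", "P1")
LAPTOP = Identity("laptop", "ExamplePC", "L9")


def run_samples():
    agree = [Result("mdns", CAM, 0.9), Result("upnp", CAM, 0.85)]
    disagree = [Result("mdns", CAM, 0.9), Result("http_ua", PRINTER, 0.85)]
    return {
        "claim 5": reconcile([], [Result("telemetry", LAPTOP, 0.7)]),
        "claim 6": reconcile(disagree, [Result("telemetry", PRINTER, 0.6)]),
        "claim 7": reconcile(disagree, [Result("telemetry", LAPTOP, 0.9)]),
        "claim 8": reconcile(agree, [Result("telemetry", CAM_OTHER_MODEL, 0.85)]),
        "claim 9": reconcile(agree, [Result("telemetry", LAPTOP, 0.9)]),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict.status, verdict.identity)
```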

Regarding Claim 10

Savalle-Vasters teaches:

 The computing apparatus of claim 1.

Savalle teaches:

 The computing apparatus of claim 1, wherein the instructions are further to periodically renew the dynamic identification phase (¶65 Once the initial observation period has elapsed, telemetry data for that device can be dropped for a much longer duration (e.g., 6 hours, one or more days, etc.), ¶46 the telemetry reporting mechanism may further control the reporting, based on the nature of telemetry, volume of data, duration of data collection according to the confidence of classification).

Regarding Claim 11

Savalle-Vasters teaches:

 The computing apparatus of claim 1.

Savalle teaches:

 The computing apparatus of claim 1, wherein the static identification phase comprises a probe selected from the group consisting of multicast domain name server (mDNS), universal plug and play (UPnP), hypertext transfer protocol (HTTP) user agent, and dynamic host configuration protocol (DHCP) parameter request list option 55 (¶54 device type classification can be achieved by using active and/or passive probing of devices, to assign a device type and corresponding host profile to a device ¶55 DHCP probes).

Regarding Claim 12

Savalle-Vasters teaches:

 The computing apparatus of claim 1.

Savalle teaches:

The computing apparatus of claim 1, wherein the dynamic identification phase comprises monitoring domains visited or traffic patterns (¶65 telemetry data 410 to device classification service 408 for ingestion: [0066] Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP), report telemetry data for that device for a fixed duration of time (e.g., one hour, etc.).  This includes all traffic, flows, or packet data).







Regarding Claim 13
Savalle teaches:

 One or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions to: connect to a home network (¶51 FIG. 4 is a device classification service 408 that may be hosted on one or more of networking devices 406 (networking interface coupled to the network); 

perform a first-stage identification of a device, the first-stage identification comprising, upon newly identifying the device (¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase)); perform a second-stage identification of the device, the second-stage identification comprising passive monitoring of the device's network traffic (¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase));

Savalle does not teach:

sending a discovery probe to the device, and receiving from the device self-reported identifying data in response to the discovery probe;

reconciling the first-stage identification with the second-stage identification; and assigning a device identification to the device according to the reconciling;

the instructions further to, based at least in part on determining that the device's network traffic is inconsistent with an expected network usage for the device, determine that the self-reported identifying data are false, and take a security action against the device 

Vasters teaches:

sending a discovery probe to the device, and receiving from the device self-reported identifying data in response to the discovery probe (¶17 multiple agents (discovery probe) on various IoT devices can be used to collect various types of data (self reported) which can then be used conjunctively to form a more holistic model of device operation, and intrusion, ¶55 all of the IoT devices have a software data collection agent deployed on the IoT device to collect environmental and/or internal state data from the IoT devices.);


reconciling the first-stage identification with the second-stage identification (¶66 the received environmental data (second stage identification) is compared with the reference model (first stage identification) using behavioral pattern matching); and

assigning a device identification to the device according to the reconciling (¶82 a device lacking the expected identity is generally a strong indicator for likely untrustworthy information in such a setting);

the instructions further to, based at least in part on determining that the device's network traffic is inconsistent with an expected network usage for the device, determine that the self-reported identifying data are false, and take a security action against the device (¶68 if a match is placed directly under a temperature sensor, the resulting rise in temperature can be determined as implausible at step 427, so that there is no false detection of a fire. Similarly, if the temperature is detected to be exactly 80.0 degrees over a long period of time, with no variation at all, this may be detected as implausible (the self-reported identifying data are false) because temperature would normally vary by slight amounts over time, such as being 80.0 degrees at one moment and 80.1 degrees at another, 

¶18 the resulting model is used to detect security threats such as intrusions, invalid data, and/or tampering

¶87 defective devices may be blacklisted so that data from defective devices are not used in the future (take a security action against the device)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Savalle in light of Vasters in order to provide a system to monitor, detect and mitigate security threats to IoT devices, including security threats caused by invalid data, using telemetry data (Vasters ¶4).



Regarding Claim 14

Savalle-Vasters teaches:

 The computing apparatus of claim 13.

Savalle teaches:
The one or more tangible, non-transitory computer-readable media of claim 13, wherein the instructions are further to assign a confidence score to the device identification (¶46 the telemetry reporting mechanism may further control the reporting, based on the nature of telemetry, volume of data, duration of data collection according to the confidence of classification ¶52 degree of confidence in a particular classification).

Regarding Claim 15

Savalle-Vasters teaches:

 The one or more tangible, non-transitory computer-readable media of claim 13.

Savalle teaches:
The one or more tangible, non-transitory computer-readable media of claim 13, wherein the device identification comprises a {type, manufacturer, model} tuple (¶34 device classification process 248 may assess captured telemetry data regarding one or more traffic flows involving the device, to determine the device type associated with the device).

Regarding Claim 16

Savalle-Vasters teaches:

 The one or more tangible, non-transitory computer-readable media of claim 13.

Savalle teaches:

The one or more tangible, non-transitory computer-readable media of claim 13, wherein the first-stage identification comprises pattern matching (¶35 Device classification process 248 may employ any number of machine learning techniques, to classify the gathered telemetry data and apply a device type label to a device associated with the traffic. In general, machine learning is concerned with the design and the development of techniques that receive empirical data as input (e.g., telemetry data regarding traffic in the network) and recognize complex patterns in the input data (pattern matching)).

Regarding Claim 17

Savalle-Vasters teaches:

 The one or more tangible, non-transitory computer-readable media of claim 13.

Savalle teaches:
The one or more tangible, non-transitory computer-readable media of claim 13, wherein the first-stage identification comprises machine learning (¶35 Device classification process 248 may employ any number of machine learning techniques, to classify the gathered telemetry data and apply a device type label to a device associated with the traffic ¶64 device classification service 408 may use machine learning to train and update a machine learning-based classifier able to learn and classify new devices types that a network may encounter).

Regarding Claim 18
Savalle teaches:

A computer-implemented method, comprising: detecting a device on a home network (¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase); 

deriving a static identification for the device, comprising, upon newly identifying the device, sending a discovery probe to the device, and receiving from the device self-reported identifying data in response to the discovery probe (¶66 ¶63 service may even trigger active scanning of the network and SNMP scanning (static identification phase), to retrieve the MAC address of the device or other types of information.  probes allows for the gathering of a rich set of information that can be used for device profiling, A degree of confidence can also be assigned to any such device type classifications); 


assigning the device a provisional identity based on the static identification (¶52 degree of confidence in a particular classification, device classification service 408 may determine, with a high degree of confidence, that endpoint device 402 is an Apple iPhone (provisional identity));

deriving a dynamic identification for the device, comprising passive longer-term monitoring of network traffic patterns for the device (¶64 dynamic device profiling (phase two identification), ¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase); reconciling the provisional identity with the dynamic identification (¶64 dynamic device profiling (phase two identification), ¶66 Whenever a device is seen for the first time (e.g., as identified by a primary key such as a MAC or IP (using the static identification phase)), report telemetry data for that device for a fixed duration of time (dynamic identification phase); 

Savalle does not teach:

sending a discovery probe to the device, and receiving from the device self-reported identifying data in response to the discovery probe;

assigning the device a reconciled identity; and 

assigning the device a security status based on the reconciled identity; 
further comprising, based at least in part on determining that the device's network traffic is inconsistent with an expected network usage for the device, determine that the self-reported identifying data are false, and take a security action against the device.

Vasters teaches:

sending a discovery probe to the device, and receiving from the device self-reported identifying data in response to the discovery probe (¶17 multiple agents (discovery probe) on various IoT devices can be used to collect various types of data (self reported) which can then be used conjunctively to form a more holistic model of device operation, and intrusion, ¶55 all of the IoT devices have a software data collection agent deployed on the IoT device to collect environmental and/or internal state data from the IoT devices);

assigning the device a reconciled identity (¶82 the identity of the device should be verified in order for the data provided to be trusted, since a device lacking the expected identity is generally a strong indicator for likely untrustworthy information in such a setting); and

assigning the device a security status based on the reconciled identity (¶82 a device lacking the expected identity is generally a strong indicator for likely untrustworthy information in such a setting); 

further comprising, based at least in part on determining that the device's network traffic is inconsistent with an expected network usage for the device, determine that the self-reported identifying data are false, and take a security action against the device (¶68 if a match is placed directly under a temperature sensor, the resulting rise in temperature can be determined as implausible at step 427, so that there is no false detection of a fire. Similarly, if the temperature is detected to be exactly 80.0 degrees over a long period of time, with no variation at all, this may be detected as implausible (the self-reported identifying data are false) because temperature would normally vary by slight amounts over time, such as being 80.0 degrees at one moment and 80.1 degrees at another, 

¶18 the resulting model is used to detect security threats such as intrusions, invalid data, and/or tampering

¶87 defective devices may be blacklisted so that data from defective devices are not used in the future (take a security action against the device)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Savalle in light of Vasters in order to provide a system to monitor, detect and mitigate security threats to IoT devices, including security threats caused by invalid data, using telemetry data (Vasters ¶4).






Regarding Claim 19

Savalle-Vasters teaches:

 The method of claim 18.

Savalle teaches:
The method of claim 18, further comprising assigning a confidence score to the reconciled identity (¶52 degree of confidence in a particular classification, device classification service 408 may determine, with a high degree of confidence, that endpoint device 402 is an Apple iPhone).

Regarding Claim 20

Savalle-Vasters teaches:

 The method of claim 18.

Savalle teaches:
 The method of claim 18, further comprising periodically renewing the dynamic identification (¶65 Once the initial observation period has elapsed, telemetry data for that device can be dropped for a much longer duration (e.g., 6 hours, one or more days, etc.), ¶46 the telemetry reporting mechanism may further control the reporting, based on the nature of telemetry, volume of data, duration of data collection according to the confidence of classification).



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUWATOSIN M GIDADO whose telephone number is (571)272-4227. The examiner can normally be reached on Monday-Friday 8:00 - 4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached on (571) 270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLUWATOSIN M GIDADO/Examiner, Art Unit 2445
/OSCAR A LOUIE/Supervisory Patent Examiner, Art Unit 2445