DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
This office action is in response to applicant’s amendment and RCE filed, 14 December 2022, of application filed, with the above serial number, on 03 June 2019 in which claims 1, 8, 15 have been amended. Claims 1-3, 8-10, 15-17 are pending in the application. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-3, 8-10, 15-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. The specification does not describe any ‘type of content’ and claims 1-3, 8-10, 15-17 recite the limitation "the type of content" in lines 11-12 of exemplary claim 1.  There is insufficient antecedent basis for this limitation in the claim.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-3, 8-10, 15-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bagasra (hereinafter “Bagasra”, 2017/0180380) in view of Dezent et al (hereinafter “Dezent”, 2018/0375887).
As per Claim 1, Bagasra discloses a system for securing an Internet of Things (IoT) device, comprising: 
a memory (at least paragraph 30-31, 45; IoT security engine network device installed in DNS server having memory); and 
a hardware processor that is coupled to the memory (at least paragraph 30-31, 45; IoT security engine network device installed in DNS server having processing unit) and that is configured to: 
receive a DNS request identifying a fully qualified domain name (FQDN) that originated from the IoT device, wherein the FQDN corresponds to a target domain (at least paragraph 37-38, 44, 77; IoT 105 sends a DNS query message 415, which includes a domain name, and which requests an IP address associated with the domain name. When DNS server 145 receives message 415, DNS server 145 retrieves the domain name from message 415 and, in one implementation, forwards the domain name to IoT security engine 150; If the DNS query domain name is identified as valid, then IoT security engine 150 may allow 630 network access to IoT device 105 by sending a network access message 635 that notifies IoT device 105 of its permission to access the network; If the DNS query domain name is not identified as a valid domain name, then IoT security engine 150 may deny 435 network access to IoT device 105 by sending a network denial message 435 that notifies IoT device 105 that its access to the network is denied and blocked); 
in response to receiving the DNS request
determine that a type of the IoT device is known and that a manufacturer of the IoT device is not known (at least paragraph 69-73, 77-78; IOT security engine identifies IoT device’s class and other information such as from an analysis of the IoT device 105's MAC address, OUI, IMEI, and/or other parameters, associated with the manufacturer and/or the owner, operator and/or administrator of the particular IoT device 105; IoT security engine 150 determines if a manufacturer domain(s) is identified in DB 130 (block 1340). If no manufacturer domain(s) is identified in DB 130 (NO—block 1340), then IoT security engine 150 crawls the web to identify a manufacturer domain(s) for the IoT device 105 (block 1350). If IoT security engine 150 does not identify an entry 1100 of DB 130 having a value in field 1110 that matches the identified OUI, then no manufacturer's domain (or a domain(s) associated with an owner, operator or administrator of the IoT device 105) will have been identified; eg. thermostat IoT with no manufacturer and/or manuf. domain being determined; Identification of the IoT device 105 that sent the DNS query may include retrieving the IoT device 105's MAC address, or MDN and/or IMEI from the new DNS query; Based on the identification of the IoT device 105, IoT security engine 150 determines if a device class of IoT device 105 is “non-computing.” (block 1410)); and
respond to the DNS request with instructions to allow the connection between the IoT device and the target domain when the target domain matches (at least paragraph 37-38, 44; If the DNS query domain name is identified as valid, then IoT security engine 150 may allow 630 network access to IoT device 105 by sending a network access message 635 that notifies IoT device 105 of its permission to access the network; If the DNS query domain name is not identified as a valid domain name, then IoT security engine 150 may deny 435 network access to IoT device 105 by sending a network denial message 435 that notifies IoT device 105 that its access to the network is denied and blocked).
Bagasra fails to explicitly disclose determine a common category of domains that have been connected to by other IoT devices of the type of the IoT device, wherein the common category describes the type of content available at domains of the common category, and such matches the common category. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Dezent. Dezent discloses, in an analogous art, an “Internet Protocol (IP) destination address abnormality detector 321 may operate (i) to determine that a particular IoT device belongs to a particular type of IoT devices, (ii) to determine that said particular type of IoT devices typically communicates only with a pre-defined set of particular IP destination addresses, (iii) to determine that said particular IoT device communicates with another IP destination address that is not in said pre-defined set of particular IP destination addresses” to block the IoT device from communicating with an address or domain that is not in the pre-defined set (at least paragraph 65-66, 32, 34, 36, 78). Dezent is teaching that IoT devices have very predictable usage patterns, with domains and IP addresses and traffic size in particular (par. 14). Dezent teaches traffic of a vending machine type IoT device is monitored, a data point of the vending machine domain is requested (ie. Best-Cola-Support.com ) and compared to the cluster of vending machine category domains that vending machines access on a regular basis. And while the examples in par. 34 are said to be, for example, for the vending machines, they may only communicate with Best-Cola-Support.com, further above in par. 34 Dezent outlines that the profile is updated for which domain(s) they access on a regular basis. Profiles that describe the type of content and include such domains are built and updated.
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Dezent’s IoT device type access network protection with Bagasra as Dezent teaches that a type and profile of an IoT device, such as soda vending machine, may try to access a domain name or IP address such as best-cola-support.com, the vending machine is compared to other vending machines to determine if best-cola-support.com is within domains that vending machines typically access, and quarantining, blocking, or in this case, allowing access if vending machines typically access vending machine category domains such as best-cola-support.com. This allows types of IoT devices to connect to categories of allowable domains regardless of manufacturer as a vending machine connecting to another vendor’s domain rather than it’s own manufacturer’s domain would not typically be a security concern of getting malware from the other vendor’s domain, thus resulting in less data being needed in the DNS request and to be stored and analyzed thereby having faster DNS responses without crawling the web.
As per Claim 2. The system of claim 1, wherein the hardware processor is further configured to add a category of the target domain to a white list (at least paragraph 51, 56-58; valid lists and blacklists of valid domain names for IoT devices to send DNS requests to “Valid domain(s) field 815 stores one or more domain names that have been, using the exemplary processes described below, associated with a particular IoT device 105 identified in field 805 of an entry 800, where those associated domain names have been identified as being legitimate and valid domain names with which the particular IoT device 105 may communicate (e.g., a list of domains that the IoT device 105 may “visit”); at least Dezent par. 74, 76 “put “Smoke-Detectors-Company.com” and/or its corresponding IP address(es) into a whitelist of destinations”).
As per Claim 3. The system of claim 1, wherein the white list is a white list of categories of domains for the type of the IoT device (at least paragraph 51, 56-58; valid lists and blacklists of valid domain names for IoT devices to send DNS requests to “Valid domain(s) field 815 stores one or more domain names that have been, using the exemplary processes described below, associated with a particular IoT device 105 identified in field 805 of an entry 800, where those associated domain names have been identified as being legitimate and valid domain names with which the particular IoT device 105 may communicate (e.g., a list of domains that the IoT device 105 may “visit”); at least Dezent par. 74, 76 “put “Smoke-Detectors-Company.com” and/or its corresponding IP address(es) into a whitelist of destinations”).
As per Claims 8-10, 15-17. The limitations therein have substantially the same scope as claims 1-3 because claims 1-3 are a system for implementing those methods of claims 8-10 and non-transitory computer-readable medium of claims 15-17. Therefore claims 8-10 and 15-17 are rejected for at least the same reasons as claims 1-3.

Response to Arguments
Applicant's arguments filed 14 December 2022 have been fully considered but they are not persuasive.
Applicant argues that Dezent does not disclose the amended limitations of claim 1, including ‘a common category of domains’ and the common category describes the type of content available at domains of the common category.
However, see the above 112 Rejection. There is a lack of antecedent basis for ‘the type of content available’ and it is not clear in the specification any ‘type of content’ is described. Support is offered in original par. 21 of the specification, however that paragraph describes “an IoT device has a known type, manufacturer, and model” which as Applicant points out on p. 7 of the remarks, the claim specifically recited that the manufacturer is not known. It is not clear what a common category would be for a white-listed target domain, for example. Is the type of the IoT device different from the type of content available? It is not clear as only blacklisted categories are given as examples, such as alcohol. For example, if the requested domain is alcohol categorized from a refrigerator-type IoT device, and alcohol domains are black-listed the connection is not allowed. But if the requested domain is refrigerator categorized from the refrigerator-type IoT device, and refrigerator domains are white-listed the connection is allowed. Further, is there a single category for white-listed domains such as “IoT type of content”?
  Par. 63 describes: “process 300 can determine whether a category associated with the target domain is the same as a category associated with a domain frequently connected to by IoT devices of the known type. This determination can be made in any suitable manner. For example, a database showing categories of domains accessed by IoT devices of different types can be accessed to determine what categories of domains are accessed by IoT devices matching the known type.” Thus the ‘category’ appears to be based on type alone, ie. refrigerator type domains for refrigerator type IoT devices as exemplified above. It is not described what, if any, the type of content available would differ from the type of IoT device.
Applicant argues the cited portions of Dezent merely show single or set of particular IP addresses, neither suggests a common category of domains. However, Dezent discloses more breadth as Dezent is monitoring traffic from IoT devices, determining the type of IoT device, building or accessing a profile of device behavior,. See [0034]: 
“such as which domain(s) it accesses on a regular basis, and then creating and updating a behavior profile database of various devices, which then enables to match a device to an existing device-profile; as a demonstrative example, a Tesla connected car may typically communicate with the domain “Tesla-Telemetry-Service.com”, whereas a certain model of soda vending machines may communicate only with the domain “Best-Cola-Support.com”, whereas the measuring units of an electricity company may communicate only with the domain “Local-Power-And-Light.com”, and so forth; and accordingly, based on aggregation of data from multiple devices that access the same domain, a classification of IoT devices may be created with an accompanying profile, and detection of communication behavior that matches such profile may be used to identify the type of an IoT device”

and
[0036]:
“An Analyzer unit 212 performs analysis of the collected data: (a) Network activity profiling, performed periodically (e.g., at pre-defined time intervals), by clustering the collected data (e.g., via Cd interface) using a pre-defined clustering mechanism or clustering algorithm (e.g., by utilizing K-Means, or other suitable clustering method); and performing extraction of features from the data-set, per class of IoT devices, wherein a class pertains to a set of IoT devices that belongs to the same IoT service or type (e.g., type of “vending machine”, or type of “smoke detector”). (b) Each new data point for a particular IoT device is compared to the cluster(s) of the class for that device; or, the features or characteristics of traffic pertaining to a particular IoT device, is compared to the features or characteristics that characterize the cluster of IoT devices of that type. (c) Outliers are detected and flagged as suspicious, for example, based on distance greater than a pre-defined threshold value, or based on other indicators for irregularity of values or ranges-of-values; and a notification is generated with regard to such flagged IoT device, e.g., for further manual and/or automatic handling, for initiating attack mitigation operations, for remote de-activation or remote pausing of the IoT device, or the like.”

Dezent is teaching that IoT devices have very predictable usage patterns, with domains and IP addresses and traffic size in particular (par. 14). Dezent teaches traffic of a vending machine type IoT device is monitored, a data point of the vending machine domain is requested (ie. Best-Cola-Support.com ) and compared to the cluster of vending machine category domains that vending machines access on a regular basis. And while the examples in par. 34 are said to be, for example, for the vending machines, they may only communicate with Best-Cola-Support.com, above that Dezent outlines that the profile is updated for which domain(s) they access on a regular basis. Thus, here Dezent is teaching Best-Cola-Support.com as well as other soda domains would be in a common category profile of soda vending machine type domains with soda vending machine type of content. Compared to Tesla-Telemetry-Service.com and other electric vehicle domains that would have would be in a common category profile of electric vehicle type domains with electric vehicle type of content.
Regarding paragraphs 64 and 66 argued by Applicant for the IP addresses not showing common category of domains. The IP addresses correspond to the domains and are synonymous. When the IoT device first communicates with the domain being requested, if the domain is allowed an IP address is returned that the IoT device then uses when communicating rather than resolving a domain name request each time, as is well known in the art. See par. 74 of Dezent: 
“destination IP address that corresponds to “Smoke-Detectors-Company.com”, exhibits abnormal behavior, such as, it sends every four hours a varying-size message of between 47 kilobytes to 58 kilobytes to a destination IP address that corresponds to “Hackerz-Unite-Server.com”. Accordingly, the enforcement and quarantine unit 330 may put “Smoke-Detectors-Company.com” and/or its corresponding IP address(es) into a whitelist of destinations and senders that the smoke detector is authorized to communicate with. Similarly, the enforcement and quarantine unit 330 may put “Hackerz-Unite-Server.com” and/or its corresponding IP address(es) into a blacklist of destinations and senders that the smoke detector is unauthorized to communicate with. Then, full blocking, or partial blocking or selective blocking, of traffic to or from the compromised or malfunctioning IoT device, is applied based on such whitelist and/or blacklist; such as, by discarding or blocking or dropping or non-delivering or stopping (or erasing in transit) packets or messages or signals that are directed from the IoT device to a destination on the blacklist, or that are directed from a sender on the blacklist towards the IoT device; and/or by allowing passage and/or relaying and/or forwarding and/or delivering packets or messages or signals that are directed from the IoT device to a destination on the whitelist, or that are directed from a sender on the whitelist towards the IoT device.”


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763.  The examiner can normally be reached on 8:30-5 MST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3889.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GREGORY TODD/Primary Examiner, Art Unit 2443