Prosecution Insights
Last updated: April 19, 2026
Application No. 18/065,224

METHOD OF USING HARDWARE IDENTIFIERS TO DETECT IoT SECURITY INCIDENTS

Final Rejection §103
Filed: Dec 13, 2022
Examiner: WEBB, MARGARET G
Art Unit: 2641
Tech Center: 2600 — Communications
Assignee: Aeris Communications Inc.
OA Round: 2 (Final)
Grant Probability: 80% (Favorable)
OA Rounds: 3-4
To Grant: 2y 7m
With Interview: 88%

Examiner Intelligence

Grants 80% — above average
Career Allow Rate: 80% (402 granted / 503 resolved, +17.9% vs TC avg)
Interview Lift: +8.0% (moderate +8% lift; resolved cases with interview)
Typical timeline: 2y 7m Avg Prosecution, 46 currently pending
Career history: 549 Total Applications across all art units

Statute-Specific Performance

§101: 3.7% (-36.3% vs TC avg)
§103: 52.2% (+12.2% vs TC avg)
§102: 25.4% (-14.6% vs TC avg)
§112: 8.4% (-31.6% vs TC avg)
Based on career data from 503 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

The amendment filed 10/30/2025 has been fully considered and entered into record. Claims 1-21 remain pending in the application.

Response to Arguments

Applicant's arguments, see remarks filed 10/30/2025, regarding the rejection of the claims under 35 U.S.C. 112 have been fully considered, and the rejections are overcome in view of the amendments provided. Applicant’s arguments regarding the rejection of the claims under 35 U.S.C. 102 have been fully considered but are moot because they do not apply to the new combination of references being used in the current rejection.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over De Knijf et al (US 2018/0191746), in view of Yen et al (US 2019/0394692).

Regarding Claim 1, De Knijf teaches a computer implemented (Fig. 1) method for identifying and managing security incidents for IoT devices ([0035], FIG. 2 is a flow chart illustrating operations of a method 200 for detecting a malicious IoT device by determining IoT device behavior) operating on a cellular network ([0019], Local network 102 can be a wired network, a wireless network, or any combination thereof. Any of the wired or wireless networks may be a home network, local area network (LAN), metropolitan area network (MAN), wide area network (WAN), corporate intranet, or any combination thereof)), the method comprising: receiving device hardware identifier from a device operating on a cellular network ([0036], The method 200 can begin at block 202 by a data stream monitor 106 on local network 102 collecting network device statistics 108 from devices, including IoT devices. At block 204, the data stream monitor on local network 102 can transmit the network device statistics 108 to behavior analyzer 124); retrieving additional device information from the device information storage database ([0037], At block 206, behavior analyzer 124 receives the network device statistics 108 and can store the network device statistics 108 in central database 126. As noted above, the network device statistics 108 can be received from multiple local networks 102, [0038-0039], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups.
At block 210, a normal device behavior can be estimated for the identified groups and subgroups, [0041], At block 212, the normal device behavior is deployed back to the local network 102); and initiating an action for the one or more devices when the retrieved additional device information does not match expected additional device information ([0042], At block 214, data stream monitor 106 on local network 102 monitors the current behavior of IoT devices on the local network 102, [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior), wherein the expected additional device information is based on the received device hardware identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. [0039], In some aspects, statistical patterns are derived for the different groups and subgroups to determine normal device behavior for the groups and subgroups. The normal device behavior can include data that describes the usual behavior of devices that belong to that group. In particular, for every group the normal behavior can be estimated based upon the behavioral data for that group. 
That is, for every group, statistical patterns can be derived that use the different types of data available in central database 126. Such a pattern would capture (with statistical bounds) the normal behavior for the group, and the data element). De Knijf fails to teach the following, which in the same field of endeavor, Yen teaches in response to receiving the device hardware identifier, retrieving additional device information from the device information storage database using the received device hardware identifier ([0022], small cell may obtain data indicating an identity of the customer (e.g., IMSI) and device (e.g., IMEI) for use in querying a mobile carrier's home database to obtain additional information about the user of the UE or mobile device. It is understood that an IMSI refers to an indication of an identity of a user of a UE or an indication of an identity of a customer profile of the user of a UE. The customer information received from a mobile carrier's database may be compared with customer account information generated by the store front hosting the modified small cell). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate using a device identifier independent of the IMSI or user of the device to authenticate and obtain information about a connected UE, as taught in Yen, in the system of De Knijf, in order to provide services tailored to the specific device needs. 
Regarding Claim 2, De Knijf, modified by Yen, teaches the invention of claim 1, De Knijf further comprising: analyzing the received device hardware identifier for the device to determine a device information feature; and using the determined device information feature to retrieve additional device information from the device information storage database ([0037-0038], At block 206, behavior analyzer 124 receives the network device statistics 108 and can store the network device statistics 108 in central database 126. As noted above, the network device statistics 108 can be received from multiple local networks 102. At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group. In some aspects, data stream monitor 106 can calculate a score that reflects how likely it is that the current behavior of an IoT device is in accordance with the normal behavior of its particular group or subgroup. In particular aspects, this score can be calculated by using a statistical test of the current observed data and the statistical normal behavior patterns derived for the different groups or subgroups of the device).

Regarding Claim 3, De Knijf, modified by Yen, teaches the invention of claim 2, De Knijf further comprising wherein the device information feature include device type identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups).
Regarding Claim 4, De Knijf, modified by Yen, teaches the invention of claim 1, De Knijf further comprising wherein the additional device for the device comprises at least one of: device type, device manufacturer, device functionality, subscription identifier for that device, or a combination thereof ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, a functional group is a group that performs the same task. For example, one such group can be IP-cameras (of different vendors, with different operating systems). Another group can be media players such as smart speaker systems, smart televisions, and the like. A further group can be game consoles. Those of skill in the art will appreciate that many other groups can exist and such groups are within the scope of the inventive subject matter. A device can be a member of more than one group. For example, a Microsoft Xbox can both belong to the game consoles group as well as to the media player group. Furthermore, a group can have subgroups that can represent multiple granularity layers. For example, IP-cameras can be further divided into subgroups comprising outdoor cameras and indoor cameras. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. (considers device type, function, and manufacturer)). 
Regarding Claim 5, De Knijf, modified by Yen, teaches the invention of claim 1, De Knijf further comprising wherein the expected additional device information comprises an expected device type, the expected device type comprising at least one of: an IoT device, a tablet or a phone ([0036-0038], IoT devices and devices of any other kind on the network including media players, smart devices, gaming consoles, IP cameras, etc.).

Regarding Claim 6, De Knijf, modified by Yen, teaches the invention of claim 1, De Knijf further comprising wherein the initiating the action for the device comprises at least one of sending an alert to the user interface of the device or blocking the device from using the cellular network ([0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior).

Regarding Claim 7, De Knijf, modified by Yen, teaches the invention of claim 4, De Knijf further comprising grouping device with one or more additional devices into a device group based on one or more grouping parameters, the one or more grouping parameters comprising at least one of: device type, device manufacturer, device functionality, wherein the one or more grouping parameters are retrieved by using device type identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, a functional group is a group that performs the same task. For example, one such group can be IP-cameras (of different vendors, with different operating systems).
Another group can be media players such as smart speaker systems, smart televisions, and the like. A further group can be game consoles. Those of skill in the art will appreciate that many other groups can exist and such groups are within the scope of the inventive subject matter. A device can be a member of more than one group. For example, a Microsoft Xbox can both belong to the game consoles group as well as to the media player group. Furthermore, a group can have subgroups that can represent multiple granularity layers. For example, IP-cameras can be further divided into subgroups comprising outdoor cameras and indoor cameras. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. (considers device type, function, and manufacturer)); and identifying one or more compromised devices by using an anomaly detection algorithm to analyze network traffic for each device of the device group using network traffic pattern for that device group ([0042], At block 214, data stream monitor 106 on local network 102 monitors the current behavior of IoT devices on the local network 102, [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior).

Regarding Claim 8, De Knijf teaches a system (Fig. 1) for identifying and managing security incidents for IoT devices ([0035], FIG.
2 is a flow chart illustrating operations of a method 200 for detecting a malicious IoT device by determining IoT device behavior) operating on a cellular network ([0019], Local network 102 can be a wired network, a wireless network, or any combination thereof. Any of the wired or wireless networks may be a home network, local area network (LAN), metropolitan area network (MAN), wide area network (WAN), corporate intranet, or any combination thereof)) operating on a cellular network ([0019], Local network 102 can be a wired network, a wireless network, or any combination thereof. Any of the wired or wireless networks may be a home network, local area network (LAN), metropolitan area network (MAN), wide area network (WAN), corporate intranet, or any combination thereof)), the system including a processor and a storage database, wherein the system is configured to: Receive a device hardware identifier from a device operating on a cellular network ([0036], The method 200 can begin at block 202 by a data stream monitor 106 on local network 102 collecting network device statistics 108 from devices, including IoT devices. At block 204, the data stream monitor on local network 102 can transmit the network device statistics 108 to behavior analyzer 124); retrieve additional device information from the device information storage database ([0037], At block 206, behavior analyzer 124 receives the network device statistics 108 and can store the network device statistics 108 in central database 126. As noted above, the network device statistics 108 can be received from multiple local networks 102, [0038-0039], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. 
At block 210, a normal device behavior can be estimated for the identified groups and subgroups, [0041], At block 212, the normal device behavior is deployed back to the local network 102); and initiates an action for the device when the retrieved additional device information does not match expected additional device information ([0042], At block 214, data stream monitor 106 on local network 102 monitors the current behavior of IoT devices on the local network 102, [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior), wherein the expected additional device information is based on the received device hardware identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. [0039], In some aspects, statistical patterns are derived for the different groups and subgroups to determine normal device behavior for the groups and subgroups. The normal device behavior can include data that describes the usual behavior of devices that belong to that group. In particular, for every group the normal behavior can be estimated based upon the behavioral data for that group. 
That is, for every group, statistical patterns can be derived that use the different types of data available in central database 126. Such a pattern would capture (with statistical bounds) the normal behavior for the group, and the data element). De Knijf fails to teach the following, which in the same field of endeavor, Yen teaches in response to receiving the device hardware identifier, retrieving additional device information from the device information storage database using the received device hardware identifier ([0022], small cell may obtain data indicating an identity of the customer (e.g., IMSI) and device (e.g., IMEI) for use in querying a mobile carrier's home database to obtain additional information about the user of the UE or mobile device. It is understood that an IMSI refers to an indication of an identity of a user of a UE or an indication of an identity of a customer profile of the user of a UE. The customer information received from a mobile carrier's database may be compared with customer account information generated by the store front hosting the modified small cell). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate using a device identifier independent of the IMSI or user of the device to authenticate and obtain information about a connected UE, as taught in Yen, in the system of De Knijf, in order to provide services tailored to the specific device needs. 
Regarding Claim 9, De Knijf, as modified by Yen, teaches the invention of claim 8, De Knijf further comprising wherein the system further analyzes the received device hardware identifier for the device to determine a device information feature; and uses the determined device information feature to retrieve additional device information from the device information storage database ([0037-0038], At block 206, behavior analyzer 124 receives the network device statistics 108 and can store the network device statistics 108 in central database 126. As noted above, the network device statistics 108 can be received from multiple local networks 102. At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group. In some aspects, data stream monitor 106 can calculate a score that reflects how likely it is that the current behavior of an IoT device is in accordance with the normal behavior of its particular group or subgroup. In particular aspects, this score can be calculated by using a statistical test of the current observed data and the statistical normal behavior patterns derived for the different groups or subgroups of the device).

Regarding Claim 10, De Knijf, as modified by Yen, teaches the invention of claim 9, De Knijf further comprising wherein the device information feature comprises a device type identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups).
Regarding Claim 11, De Knijf, as modified by Yen, teaches the invention of claim 8, De Knijf further comprising wherein the additional device information from the device information storage database for the one or more devices operating on a cellular network comprises at least one of: device type, device manufacturer, device functionality, subscription identifier for that device, or a combination thereof ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, a functional group is a group that performs the same task. For example, one such group can be IP-cameras (of different vendors, with different operating systems). Another group can be media players such as smart speaker systems, smart televisions, and the like. A further group can be game consoles. Those of skill in the art will appreciate that many other groups can exist and such groups are within the scope of the inventive subject matter. A device can be a member of more than one group. For example, a Microsoft Xbox can both belong to the game consoles group as well as to the media player group. Furthermore, a group can have subgroups that can represent multiple granularity layers. For example, IP-cameras can be further divided into subgroups comprising outdoor cameras and indoor cameras. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. (considers device type, function, and manufacturer)).
Regarding Claim 12, De Knijf, as modified by Yen, teaches the invention of claim 8, De Knijf further comprising wherein the expected additional device information comprises an expected device type, the expected device type comprising at least one of: an IoT device, a tablet or a phone ([0036-0038], IoT devices and devices of any other kind on the network including media players, smart devices, gaming consoles, IP cameras, etc.).

Regarding Claim 13, De Knijf, as modified by Yen, teaches the invention of claim 8, De Knijf further comprising wherein the initiated action for the device comprises at least one of sending an alert to the user interface of an entity managing the device or blocking the device from using the cellular network ([0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior).

Regarding Claim 14, De Knijf, as modified by Yen, teaches the invention of claim 11, De Knijf further comprising grouping the device with one or more additional devices into a device group based on one or more grouping parameters, the one or more grouping parameters comprising at least one of: device type, device manufacturer, device functionality, wherein the one or more grouping parameters are retrieved by using device type identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, a functional group is a group that performs the same task.
For example, one such group can be IP-cameras (of different vendors, with different operating systems). Another group can be media players such as smart speaker systems, smart televisions, and the like. A further group can be game consoles. Those of skill in the art will appreciate that many other groups can exist and such groups are within the scope of the inventive subject matter. A device can be a member of more than one group. For example, a Microsoft Xbox can both belong to the game consoles group as well as to the media player group. Furthermore, a group can have subgroups that can represent multiple granularity layers. For example, IP-cameras can be further divided into subgroups comprising outdoor cameras and indoor cameras. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. (considers device type, function, and manufacturer)); and identifying one or more compromised devices by using anomaly detection algorithm to analyze network traffic for each device of the device group using network traffic pattern for that device group ([0042], At block 214, data stream monitor 106 on local network 102 monitors the current behavior of IoT devices on the local network 102, [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior). 
Regarding Claim 15, De Knijf teaches a non-transitory computer-readable medium ([0018-0022], Fig. 1) for identifying and managing security incidents for one or more IoT devices operating on a cellular network ([0035], FIG. 2 is a flow chart illustrating operations of a method 200 for detecting a malicious IoT device by determining IoT device behavior) operating on a cellular network ([0019], Local network 102 can be a wired network, a wireless network, or any combination thereof. Any of the wired or wireless networks may be a home network, local area network (LAN), metropolitan area network (MAN), wide area network (WAN), corporate intranet, or any combination thereof)) having executable instructions stored therein that, when executed, cause one or more processors corresponding to a system having a one or more devices operating on a cellular network ([0019], Local network 102 can be a wired network, a wireless network, or any combination thereof. Any of the wired or wireless networks may be a home network, local area network (LAN), metropolitan area network (MAN), wide area network (WAN), corporate intranet, or any combination thereof)), a processor, and a storage database ([0018], Fig. 1, behavior analyzer 124 in conjunction with central database 126) to perform operations comprising: receiving device hardware identifier from a device operating on a cellular network ([0036], The method 200 can begin at block 202 by a data stream monitor 106 on local network 102 collecting network device statistics 108 from devices, including IoT devices. At block 204, the data stream monitor on local network 102 can transmit the network device statistics 108 to behavior analyzer 124); retrieve additional device information from the device information storage database ([0037], At block 206, behavior analyzer 124 receives the network device statistics 108 and can store the network device statistics 108 in central database 126. 
As noted above, the network device statistics 108 can be received from multiple local networks 102, [0038-0039], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. At block 210, a normal device behavior can be estimated for the identified groups and subgroups, [0041], At block 212, the normal device behavior is deployed back to the local network 102); and initiating an action for the device when the retrieved additional device information does not match expected additional device information ([0042], At block 214, data stream monitor 106 on local network 102 monitors the current behavior of IoT devices on the local network 102, [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior), wherein the expected additional device information is based on the received device hardware identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. [0039], In some aspects, statistical patterns are derived for the different groups and subgroups to determine normal device behavior for the groups and subgroups. 
The normal device behavior can include data that describes the usual behavior of devices that belong to that group. In particular, for every group the normal behavior can be estimated based upon the behavioral data for that group. That is, for every group, statistical patterns can be derived that use the different types of data available in central database 126. Such a pattern would capture (with statistical bounds) the normal behavior for the group, and the data element). De Knijf fails to teach the following, which in the same field of endeavor, Yen teaches in response to receiving the device hardware identifier, retrieving additional device information from the device information storage database using the received device hardware identifier ([0022], small cell may obtain data indicating an identity of the customer (e.g., IMSI) and device (e.g., IMEI) for use in querying a mobile carrier's home database to obtain additional information about the user of the UE or mobile device. It is understood that an IMSI refers to an indication of an identity of a user of a UE or an indication of an identity of a customer profile of the user of a UE. The customer information received from a mobile carrier's database may be compared with customer account information generated by the store front hosting the modified small cell). It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to incorporate using a device identifier independent of the IMSI or user of the device to authenticate and obtain information about a connected UE, as taught in Yen, in the system of De Knijf, in order to provide services tailored to the specific device needs. 
Regarding Claim 16, De Knijf, as modified by Yen, teaches the invention of claim 15, De Knijf further comprising analyzing the received device hardware identifier for the device operating on a cellular network to determine device information feature; and using the determined device information feature to retrieve additional device information from the device information storage database ([0037-0038], At block 206, behavior analyzer 124 receives the network device statistics 108 and can store the network device statistics 108 in central database 126. As noted above, the network device statistics 108 can be received from multiple local networks 102. At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group. In some aspects, data stream monitor 106 can calculate a score that reflects how likely it is that the current behavior of an IoT device is in accordance with the normal behavior of its particular group or subgroup. In particular aspects, this score can be calculated by using a statistical test of the current observed data and the statistical normal behavior patterns derived for the different groups or subgroups of the device).

Regarding Claim 17, De Knijf, as modified by Yen, teaches the invention of claim 16, De Knijf further comprising wherein the device information feature comprises a device type identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups).

Regarding Claim 18, De Knijf, as modified by Yen, teaches the invention of claim 15, De Knijf further comprising wherein the additional device information for the device comprises at least one of: device type, device manufacturer, device functionality, subscription identifier for that device, or a combination thereof ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, a functional group is a group that performs the same task. For example, one such group can be IP-cameras (of different vendors, with different operating systems). Another group can be media players such as smart speaker systems, smart televisions, and the like. A further group can be game consoles. Those of skill in the art will appreciate that many other groups can exist and such groups are within the scope of the inventive subject matter. A device can be a member of more than one group. For example, a Microsoft Xbox can both belong to the game consoles group as well as to the media player group. Furthermore, a group can have subgroups that can represent multiple granularity layers. For example, IP-cameras can be further divided into subgroups comprising outdoor cameras and indoor cameras. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. (considers device type, function, and manufacturer)). 
Regarding Claim 19, De Knijf, as modified by Yen, teaches the invention of claim 15, De Knijf further comprising wherein the expected additional device information comprises an expected device type, the expected device type comprising at least one of: an IoT device, a tablet or a phone ([0036-0038], IoT devices and devices of any other kind on the network including media players, smart devices, gaming consoles, IP cameras, etc.).

Regarding Claim 20, De Knijf, as modified by Yen, teaches the invention of claim 15, De Knijf further comprising wherein the initiating the action for the device comprises at least one of sending an alert to the user interface of an entity managing the device or blocking the device from using the cellular network ([0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior).

Regarding Claim 21, De Knijf, as modified by Yen, teaches the invention of claim 18, De Knijf further comprising instructions for: grouping the device with one or more additional devices into a device group based on one or more grouping parameters, the one or more grouping parameters comprising at least one of: device type, device manufacturer, or device functionality, wherein the one or more grouping parameters are retrieved by using device type identifier ([0038], At block 208, the IoT devices can be grouped by device type, and can also be grouped into functional groups. In some aspects, a functional group is a group that performs the same task. 
For example, one such group can be IP-cameras (of different vendors, with different operating systems). Another group can be media players such as smart speaker systems, smart televisions, and the like. A further group can be game consoles. Those of skill in the art will appreciate that many other groups can exist and such groups are within the scope of the inventive subject matter. A device can be a member of more than one group. For example, a Microsoft Xbox can both belong to the game consoles group as well as to the media player group. Furthermore, a group can have subgroups that can represent multiple granularity layers. For example, IP-cameras can be further divided into subgroups comprising outdoor cameras and indoor cameras. In some aspects, grouping can be further refined by various other additional information. For example, the grouping can be refined base on time zone, country of residence, seasonal influences, time of day, day of week, month, and external events such as sporting events, political events etc. (considers device type, function, and manufacturer)); and identifying one or more compromised devices by using anomaly detection algorithm to analyze network traffic for each device of the device group using network traffic pattern for that device group ([0042], At block 214, data stream monitor 106 on local network 102 monitors the current behavior of IoT devices on the local network 102, [0043], At block 216, data stream monitor 106 determines if the current IoT device behavior is within a threshold for normal device behavior for its device type or group, [0044], If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device. In alternative aspects, the malicious IoT device can be automatically shut down or quarantined to minimize the impact of the malicious behavior). 
Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARGARET G WEBB whose telephone number is (571)270-7803. The examiner can normally be reached M-F 9:00-6:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Charles Appiah can be reached at (571) 272-7904. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MARGARET G WEBB/
Primary Examiner, Art Unit 2641

Prosecution Timeline

Dec 13, 2022: Application Filed
Jul 26, 2025: Non-Final Rejection — §103
Oct 30, 2025: Response Filed
Feb 07, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12604131
WIRELESS HEADSET WITH REMOTE PARENTAL CONTROLS
2y 5m to grant Granted Apr 14, 2026
Patent 12581446
REGISTRATION METHODS USING ONE-TIME IDENTIFIERS FOR USER EQUIPMENTS AND NODES IMPLEMENTING THE REGISTRATION METHODS
2y 5m to grant Granted Mar 17, 2026
Patent 12567170
PRODUCING A DEPTH MAP FROM TWO-DIMENSIONAL IMAGES
2y 5m to grant Granted Mar 03, 2026
Patent 12563495
SYSTEMS AND METHODS FOR BROADCASTING A WAKE-UP SIGNAL TO USER EQUIPMENT
2y 5m to grant Granted Feb 24, 2026
Patent 12563458
BEAM HANDOVER FOR NETWORK ENERGY SAVING
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 80%
With Interview (+8.0%): 88%
Median Time to Grant: 2y 7m
PTA Risk: Moderate
Based on 503 resolved cases by this examiner. Grant probability derived from career allow rate.
