DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/02/2025 has been entered.
Response to Arguments
Applicant’s arguments, see Remarks, filed 12/02/2025, with respect to the rejection(s) of independent claims 1 and 8-9 under 35 USC § 103 have been fully considered but are moot because of the new ground of rejection based on newly found prior art, Sun, US 11132447, and McLinden, US 10742674.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 and 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT No. 11132447 B1 to Sun et al. (hereinafter “Sun”), USPAT No. 10742674 B1 to McLinden et al. (hereinafter “McLinden”), and further in view of US-PGPUB No. 2014/0033310 A1 to Cheng.
Regarding claim 1:
Sun discloses:
(Currently Amended) A computer implemented security method for a set of internet-of-things (IoT) devices (col 3, lines 4-6: “method for determining and protecting against a security vulnerability of an IoT device;”, see Fig. 2), the set of IoT devices comprising network-connected sensors and network-connected actuators (col 1, lines 10-16: “smart home devices may control lighting, heating, ventilation, air conditioning (HVAC) systems, entertainment systems, appliances, etc. Each of these devices may be part of what is referred to as the Internet of Things, or a network of devices that contain electronics, software, sensors, actuators, …”), wherein a data repository (col 2, line 41: “a database”) stores data about the set of IoT devices (col 2, lines 37-41: “… labeling, by the security computing device, the second IoT device … storing, by the security computing device, the labeled data in a database.”), actions performable by each of the IoT devices (col 7, lines 18-21: “The IoT module 108 may communicate with a back end service (e.g, the server device 112) in order to determine what type of security action would be suit the security posture determined of the new IoT device.”) and one or more types of network attack to which at least a subset of the set of IoT devices are susceptible (col 2, lines 37-41: “… labeling, by the security computing device, the second IoT device with data related to the determined known security vulnerability; and storing, by the security computing device, the labeled data in a database.”), the method comprising:
defining, for each type of network attack of the one or more types of network attack (col 8, lines 24-30: “IoT module 108 may determine that the first and the second IoT devices are both subject to malware, ransomware, trojans, an outdated operating system, device hijacking, application level distributed denial of service (DDoS), permanent denial of service (PDoS), man-in-the-middle attacks, or a combination thereof.”), one or more responsive actions for the respective type of network attack, each responsive action identifying one or more performable actions for performance by one or more IoT devices of the set of IoT devices to mitigate an attack of the respective type (col 7, lines 22-28: “… the IoT module 108 may thus implement a security action such as sending a notification to the user or to the IoT device vendor to update the IoT device firmware, block network connectivity to the IoT device, send an alert to the user that a security issue is potentially or actually present. … the IoT module 108 may isolate a compromised IoT device.”);
detecting an IoT device of the set of IoT devices in a compromised state (col 7, lines 28-31: “… the IoT module 108 may isolate a compromised IoT device. … by analyzing the associated app, it may be determined that a new IoT device is vulnerable to code injection attacks.”), […]
However, Sun does not explicitly teach the following limitation taught by McLinden:
[…] the compromised state being determined based on a threshold number of occurrences of a particular type of attack perpetrated against the IoT device (McLinden, col 9, lines 29-39: “… the SAPSIN device may check whether the number of the configuration requests within the predetermined time satisfies the threshold defined in the security database. If the number does not satisfy the threshold, the SAPSIN device may determine the configuration request is malicious and deny the configuration request by dropping the request data packets as potentially infectious traffic. … the SAPSIN device may mark the previously configured device as potentially compromised and quarantine the potentially compromised device.”), the particular type of perpetrated attack being one of the one or more types of network attack (McLinden, col 5, lines 47-50: “The SAPSIN 108 may combine and analyze the metrics to provide security features such as distributed denial of service (DDoS) attack detection …”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Sun to incorporate the functionality of the SAPSIN device to check whether the number of configuration requests within a predetermined time satisfies a threshold defined in a security database, as disclosed by McLinden; such modification would enable the system to identify false positives and would also prevent attackers from maintaining long-term, persistent access.
The combination of Sun and McLinden does not explicitly disclose the following limitation taught by Cheng:
selecting at least one of the defined responsive actions for the perpetrated attack based on the type of the attack (Cheng, ¶43: “ARPPS 120 can also be configured to determine the appropriate type of passive protection based on the detected type of attack or unauthorized access and select the type appropriate type of passive protection or countermeasures from a passive protection database to execute and remediate against attacks.”); and
triggering the selected at least one defined responsive action to mitigate the perpetrated attack (Cheng, ¶72: “If Passive Protection is selected, the ARPPS 120 can be configured to execute one or more passive protection mechanisms and/or passive countermeasures ("Passive Protection" 412), such as for example, blocking or throttling one or more attacks and/or unauthorized access.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun and McLinden to incorporate the functionality of the method to determine the appropriate type of passive protection based on the detected type of attack, as disclosed by Cheng; such modification would allow for targeted and efficient security measures, leading to faster and more effective resolution of security incidents.
Regarding claim 7:
The combination of Sun, McLinden and Cheng discloses:
(Currently Amended) The method of claim 1, wherein the compromised state is detected based on network traffic communicated with the compromised IoT device (McLinden, col 10, lines 59-63: “… the attacker may try to establish remote sessions to IoT devices and infect the devices with malware. Such connections may rapidly request configuration of the IoT devices within a certain period. The SAPSIN may utilize such feature to detect the malicious configuration requests.”).
The same motivation which is applied to claim 1 with respect to McLinden applies to claim 7.
Regarding claim 8:
Sun discloses:
(Currently Amended) A computer system (see Fig. 3, Computer System 300) comprising:
a processor (see Fig. 3, Processors 302) and memory storing computer program code (col 9, lines 41-42: “… program instructions and/or process data stored in the memory 304”, see Fig. 3, Memory 304) for implementing a security method for a set of internet-of-things (IoT) devices (col 9, lines 48-50: “… the instructions may include the processor 302 performing one or more of the actions of the method 200 of FIG. 2.”), …
In addition to the above limitations, claim 8 recites substantially the same limitations as claim 1 in the form of a system implementing the corresponding functionality. Therefore, it is rejected by the same rationale.
Regarding claim 9:
Claim 9 recites substantially the same limitations as claim 1 in the form of a non-transitory computer-readable storage medium. Therefore, it is rejected by the same rationale.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, McLinden, Cheng, and further in view of US-PGPUB No. 2017/0177869 A1 to Langton et al. (hereinafter “Langton”).
Regarding claim 2:
The combination of Sun, McLinden and Cheng discloses the method of claim 1, but does not explicitly disclose the following limitation taught by Langton:
wherein multiple IoT devices are detected in a compromised state (Langton, ¶49: “… security device 220 determines whether a malicious file was executed on one or more client devices 210 of a set of client devices 210,”), the method further comprising:
prioritizing the multiple IoT devices in the compromised state based on the threshold number of occurrences for each IoT device (Langton, ¶49: “… security device 220 may prioritize the set of client devices 210 based on a confidence score for determining that client device 210 is infected, based on a quantity of fuzzy hash matches, based on a severity of the infection, … or the like.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun, McLinden and Cheng to incorporate the functionality of the security device to generate a prioritization for a set of client devices when determining whether any of the set of client devices are infected by a malicious file, as disclosed by Langton; such modification would enable the user to assess the risk posed by vulnerabilities based on factors like severity, exploitability, and asset criticality, and then focus on addressing the highest-risk issues first.
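The limitations mapped above for claim 1 (responsive actions defined per attack type, a compromised state determined from a threshold number of occurrences of one attack type, selection of a responsive action by attack type, and triggering it) and for claim 2 (prioritizing multiple compromised devices by their occurrence counts) describe one detection-and-response procedure. The following is an added illustration of that procedure written for this document; it is not code from the application, from Sun, McLinden, Cheng or Langton, or from any product. The attack types, responsive actions, device identifiers, threshold, time window and event log are all constructed sample values chosen for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample "data repository" entry: responsive actions defined per
# attack type. Each entry lists performable actions for the affected device.
RESPONSIVE_ACTIONS = {
    "ddos": ["rate_limit", "block_network_connectivity"],
    "code_injection": ["update_firmware", "isolate_device"],
    "mitm": ["rotate_credentials", "isolate_device"],
}

# Constructed detection parameters (assumptions for this illustration).
THRESHOLD = 3        # occurrences of one attack type that mark a device compromised
WINDOW_SECONDS = 60  # only occurrences inside this sliding window are counted


@dataclass(frozen=True)
class AttackEvent:
    ts: float          # seconds; constructed timestamps, not wall-clock time
    device_id: str
    attack_type: str


class IoTSecurityMonitor:
    """Threshold-based compromise detection with attack-type-specific response."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(list)   # device_id -> [AttackEvent, ...]
        self.triggered = []               # audit trail of (device_id, action)

    def record(self, event):
        self.events[event.device_id].append(event)

    def occurrences(self, device_id, now):
        """Count occurrences per attack type within the window ending at `now`."""
        counts = Counter()
        for ev in self.events.get(device_id, []):
            if 0 <= now - ev.ts <= self.window:
                counts[ev.attack_type] += 1
        return counts

    def compromised(self, device_id, now):
        """Return (attack_type, count) if a defined attack type reached the
        threshold, else None. Types without a defined response are ignored."""
        for attack_type, n in self.occurrences(device_id, now).most_common():
            if n >= self.threshold and attack_type in RESPONSIVE_ACTIONS:
                return attack_type, n
        return None

    def select_actions(self, attack_type):
        """Select the defined responsive actions for the perpetrated attack type."""
        return list(RESPONSIVE_ACTIONS[attack_type])

    def respond(self, device_id, now):
        """Detect, select and trigger; returns the actions triggered (maybe none)."""
        state = self.compromised(device_id, now)
        if state is None:
            return []
        actions = self.select_actions(state[0])
        self.triggered.extend((device_id, a) for a in actions)
        return actions

    def prioritize(self, now):
        """Rank compromised devices by occurrence count, highest first."""
        ranked = []
        for device_id in self.events:
            state = self.compromised(device_id, now)
            if state is not None:
                ranked.append((device_id, state[0], state[1]))
        ranked.sort(key=lambda r: r[2], reverse=True)
        return ranked


# Constructed event log. With now=100 and a 60 s window, events older than
# ts=40 fall outside the window; "port_scan" has no defined response.
SAMPLE_EVENTS = [
    AttackEvent(50, "thermostat-01", "ddos"),
    AttackEvent(55, "thermostat-01", "ddos"),
    AttackEvent(60, "thermostat-01", "ddos"),
    AttackEvent(65, "thermostat-01", "ddos"),
    AttackEvent(10, "camera-02", "code_injection"),   # outside the window
    AttackEvent(45, "camera-02", "code_injection"),
    AttackEvent(70, "camera-02", "code_injection"),
    AttackEvent(90, "camera-02", "code_injection"),
    AttackEvent(80, "lock-03", "mitm"),                # below threshold
    AttackEvent(85, "lock-03", "mitm"),
    AttackEvent(90, "lock-03", "port_scan"),           # undefined attack type
    AttackEvent(91, "lock-03", "port_scan"),
    AttackEvent(92, "lock-03", "port_scan"),
]


def build_monitor():
    monitor = IoTSecurityMonitor()
    for ev in SAMPLE_EVENTS:
        monitor.record(ev)
    return monitor


if __name__ == "__main__":
    m = build_monitor()
    for dev, atype, n in m.prioritize(now=100):
        print(dev, atype, n, "->", m.respond(dev, now=100))
```

Two design points are worth noting. Only attack types that have a defined responsive action can mark a device compromised, which mirrors the claim language that the perpetrated attack is "one of the one or more types of network attack"; the lock's repeated port scans are therefore counted but do not trigger a response under this model. The window bound is what keeps the threshold meaningful: the camera's earliest event is excluded, and it is still over threshold only because three later events fall inside the window.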
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, McLinden, Cheng, US-PGPUB No. 2019/0372834 A1 to Patil et al. (hereinafter “Patil”), and further in view of US-PGPUB No. 2017/0169640 A1 to Britt.
Regarding claim 3:
The combination of Sun, McLinden and Cheng discloses the method of claim 1, but does not explicitly disclose the following limitation taught by Patil:
wherein triggering the responsive actions includes communicating with the one or more IoT devices for the responsive actions to trigger the one or more performable actions identified by the responsive actions (Patil, ¶53: “… upon determining that an IoT device has been compromised by malicious software … one of the managing devices 214 may trigger an update of the IoT device … Corrective actions may include remotely changing behavior of the IoT device using triggering instructions to the IoT device directly …”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun, McLinden and Cheng to incorporate the functionality of the method to apply corrective actions that may include remotely changing the behavior of the IoT device using triggering instructions to the IoT device directly, as disclosed by Patil; such modification would offer the advantage of real-time optimization, improved efficiency, and enhanced decision-making by enabling immediate adjustments and automation based on current conditions.
The combination of Sun, McLinden, Cheng and Patil does not explicitly disclose the following limitation taught by Britt:
wherein the communicating is encrypted (Britt, ¶241: “… the communication channel between the IoT device 104 and IoT service 120 may be encrypted …”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun, McLinden, Cheng and Patil to incorporate the functionality of the method to encrypt the communication between an IoT device and an IoT service, as disclosed by Britt; such modification would enable the system to protect the transmission of IoT device identification data and commands.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, McLinden, Cheng, and further in view of US-PGPUB No. 2018/0293387 A1 to Bar-El et al. (hereinafter “Bar-El”).
Regarding claim 4:
The combination of Sun, McLinden and Cheng discloses the method of claim 1, but fails to explicitly disclose the following limitation taught by Bar-El:
wherein the data repository further includes the defined one or more responsive actions (Bar-El, ¶35: “a corrective actions database 128 able to store known corrective actions which may cure or mitigate some or all of the known threats and/or vulnerabilities;”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun, McLinden and Cheng to incorporate the functionality of the TM server implementing a corrective actions database to store information about known corrective actions, as disclosed by Bar-El; such modification would offer advantages like centralized management, enhanced security, easier analysis, and efficient troubleshooting, ultimately improving IoT system performance and security.
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, McLinden, Cheng, and further in view of US-PGPUB No. 2015/0188934 A1 to Vasseur et al. (hereinafter “Vasseur”).
Regarding claim 5:
The combination of Sun, McLinden and Cheng discloses the method of claim 1, but does not explicitly disclose the following limitation taught by Vasseur:
wherein selecting responsive actions includes identifying at least one IoT device within a predetermined proximity of the compromised IoT device (Vasseur, ¶94: “a management device may receive data indicating that one or more nodes in a computer network are under attack. … the management device may then determine that one or more intermediate nodes are in proximity to the one or more nodes under attack.”) and using the identified at least one IoT device to provide the mitigation of the perpetrated attack (Vasseur, ¶94: “The management device may then communicate an attack-mitigation packet to the one or more nodes under attack by using the one or more intermediate nodes to relay the attack-mitigation packet to the one or more nodes under attack, as shown in step 620.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun, McLinden and Cheng to incorporate the functionality of the method to receive data indicating that one or more nodes in a computer network are under attack, identify one or more intermediate nodes in proximity to the one or more nodes under attack, and communicate an attack-mitigation packet to the one or more nodes under attack by using the one or more intermediate nodes to relay the attack-mitigation packet to the one or more nodes under attack, as disclosed by Vasseur; such modification would provide the system with enhanced speed, reliability and security, and would enable the system to detect and respond to threats autonomously.
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Sun, McLinden, Cheng, and further in view of US-PGPUB No. 2021/0344690 A1 to Sharifi Mehr (hereinafter “Sharifi”).
Regarding claim 6:
The combination of Sun, McLinden and Cheng discloses the method of claim 1, but does not explicitly disclose the following limitation taught by Sharifi:
wherein the compromised state is detected based on data received from one or more sensors of the network-connected sensors (Sharifi, ¶32: “… obtains significance scores for different sources of interactions with the plurality of threat sensors. … can receive identifiers of known actors, such as … IoT devices … can correlate the malicious actors with the known actors to identify which known actors might be infected by malware, …”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Sun, McLinden and Cheng to incorporate the functionality of the method to receive identifiers of known actors from a plurality of threat sensors, as disclosed by Sharifi; such modification would enable the system to correlate malicious actors with known actors to identify which known actors might be infected by malware.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William R. Korzuch can be reached on (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MATTHIAS HABTEGEORGIS/Examiner, Art Unit 2491