HYBRID TECHNIQUES OF DYNAMIC DISCOVERY, THREAT DETECTION, ASSESSMENT, RESPONSE, AND MONITORING OF xIoT DEVICES ON A NETWORK

§102 §103

DETAILED ACTION Claims 11-21, 32-42, 47-50, and 55-58 are elected on 01/15/2026 for examination on merits. Claims 11 and 32 are independent base claims. Election/Restrictions Claims 1-10, 22-31, 43-46, and 51-54 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected Group I, there being no allowable generic or linking claim. Election was made without traverse in the reply filed on 01/15/2026. Applicant is advised to cancel the withdrawn claims to advance the prosecution. Applicant’s election without traverse of Group II (Claims 11-21, 32-42, 47-50, and 55-58) in the reply is acknowledged. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Examiner's Instructions for filing Response to this Office Action When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would appreciate Applicant if a clean copy of the claims is provided to facilitate the prosecution which otherwise requires extra time for editing the marked-up claims from OCR. Please submit two sets of claims: Set #1 as in a typical filing which includes indicators for the status of claim and all marked amendments to the claims; and Set #2 as an appendix to the Arguments/Remarks for a clean version of the claims which has all the markups removed for entry by the Examiner. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 11-20 and 32-41 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Trivellato (US 20200404502 A1; hereinafter “Trivel”). As per claim 11, Trivel teaches method of assessing a network, comprising: transmitting, by a site manager executing on a computer, a first probe over the network to a first network device (par. 0097: send requests of an active scan, receive active scan results or responses (e.g., responses to requests)); receiving, over the network, a first response to the first probe (par. 0097: receive active scan results or responses); determining active information about the first network device based on the first response (par. 0097-0100: determining device attributes; determine if a new entity has joined the network or an entity has rejoined the network and monitor traffic for analysis by passive scan component 508); and performing passive scanning on the network (par. 0107: perform a passive scan of communications associated with a device, where the passive scan comprises observing one or more communications of the device over a network), wherein the passive scanning is modified based on the active information (par. 0107-0108: perform a passive scan of communications associated with a device, which is based on one or more attributes associated with the device based on the active scan; see also the Abstract: The adaptive scanning may include performing a passive scan of communications associated with a device, where the passive scan comprises observing one or more communications of the device over a network, including attributes associated with the device … determined based on the active scan. Trivel discloses the results of active scanning can have a high impact and is costly, and therefore, performing adaptive active scans – or passive scanning being modified or customized based on attributes or the active information is necessary). As per claim 12, Trivel teaches the method of claim 11, wherein the active information comprises a configuration of the first network device (par. 0012: Active scanning can further be useful for scanning assets in order to: understand each entity's configuration; par. 0026 and 0089-0090: gather configuration information). As per claim 13, Trivel teaches the method of claim 11, wherein the active information comprises a type of the first network device (par. 0067 and 0089-0090: determine the device type of a device sending one or more requests and the device type of a device receiving or responding to the requests; the attribute includes: device type). As per claim 14, Trivel teaches the method of claim 11, wherein the active information comprises a firmware version of the first network device (par. 0092: firmware version). As per claim 15, Trivel teaches the method of claim 11, further comprising: determining, by transmitting the first probe on the network, a status of the first network device (par. 0067 and 0105: a status information; sending one or more requests for checking compliance status of the network device). As per claim 16, Trivel teaches the method of claim 11, further comprising: responding to, by transmitting a second probe on the network, a risk identified about the first network device based on the passive scanning (par. 0027-0032 and 0094: perform adaptive scanning including one or more passive scans; responding to security threats and reducing risk.). As per claim 17, Trivel teaches the method of claim 11, further comprising: responding to, by transmitting a second probe on the network, a risk identified about the first network device based on the active information (par. 0090-0094: The second active scan is customized based on the one or more attributes associated with the device based on the first active scan. In other words, the second active scan may be more customized, targeted, or narrow than the first active scan…and customized based on the one or more attributes associated with the device, which include a response to a risk, use for compliance, threat monitoring, security vulnerability monitoring, asset management, etc.). As per claim 18, Trivel teaches the method of claim 11, further comprising: monitoring, based on the passive scanning, a status of the first network device (par. 0019-0020: the monitoring of communications …may be based on passive scanning; perform passive monitoring of communications on a network to determine if a device is an IT device or OT device (e.g., based on a MAC address portion, for instance, an organizational unique identifier (OUI) or vendor), collectively a status of the network device). As per claim 19, Trivel teaches the method of claim 11, further comprising: obtaining passive information comprising a first network device characteristic of the first network device based on the passive scanning (par. 0032: determining one or more attributes based on the one or more passive scans; one or more attributes associated with the device include ports open, ports used, communication protocols used, which are mapped to a first network device characteristic of the first network device). As per claim 20, Trivel teaches the method of claim 19, further comprising: transmitting, over the network, a second probe configured based on the passive information (par. 0107: where the passive scan comprises observing one or more communications of the device over a network; sending one or more requests to the device is transmitting a probe). Regarding claims 32-41, they are similar to claims 11-20, respectively, in view of the inventive features recited; and thus, claims 32-41 are rejected for the same reasons discussed above. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 21 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over Trivel (which is applied to claim 11) in view of Simpson (US 20050128988 A1). As per claim 21, Trivel teaches the method of claim 11, but do not explicitly disclose a discovery agenda for configuring a site manager. This aspect of the claim is identified as a further difference. In a related art, Simpson teaches: wherein the site manager is configured by a discovery agenda (Simpson par. 0036-0039: [generating] an enhanced passive scan schedule of executing an enhanced passive scanning; Note that the passive scan schedule is a discovery agenda. The site timing table entries may be created, updated and removed based on the received beacon signals and GPRs. The STT and the site timing table entries may be created, updated and removed, for example, by a controller and a memory located within the mobile station. Using site timing table entry information in the STT, an enhanced passive scan schedule may be generated.). Trivel and Simpson are analogous art to the claimed invention in the same field of endeavor as the claimed invention for improving network scanning, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Trivel’s system with Simpson’s teachings of an enhanced passive scan schedule that configure a site timing table and managing the discovery agenda. For this combination, the motivation would have been to improve the level of security by minimizing the service interruption caused by network scanning. Regarding claim 42, the claim is similar to claim 21 and is therefore rejected using a similar rationale. Claims 47-49 and 55-57 are rejected under 35 U.S.C. 103 as being unpatentable over Trivel (which is applied to claim 11) in view of Caceres (US 20220014561 A1; hereinafter “Cacer”). As per claim 47, Trivel teaches the method of claim 11, but does not explicitly disclose scanning during at least one of a discovery stage and a monitoring stage. This aspect of the claim is identified as a further difference. In a related art, Cacer teaches: wherein the passive scanning is performed during at least one of a discovery stage and a monitoring stage (Cacer, par. 0074: modify scheduling configuration. A scan may also check for webpages and sub-domains, for example using nmap or other scanning tools to scan the domain and automatically add discovered sub-domains, pages, or other accessible resources to a database to expand the search corpus for future scans; Caser here discloses that scanning is performed during at least one of a discovery stage of sub-domains, pages, or other accessible resources, which are added to a monitoring stage automatically. See also par. 0080: A block scan - this type of scan is useful for a variety of service discovery and data collection tasks, as it allows a broad scan of many hosts). Trivel and Cacer are analogous art to the claimed invention in the same field of endeavor as the claimed invention for improving network scanning, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Trivel’s system with Cacer’s teachings of automatically scan the domain and automatically add discovered sub-domains, pages, or other accessible resources for monitoring. For this combination, the motivation would have been to improve the level of security with automatic network scanning on all discovered devices and resources. As per claim 48, the combination of Trivel and Cacer teaches the method of claim 47, wherein, during the discovery stage, the site manager discovers that the first network device is connected to the network, and Cacer also teaches: wherein, during the monitoring stage, the site manager monitors the first network device for a security threat (Cacer, par. 0101-0102: perform the configured scan operations during a discovery stage in which a similar set of domains are scanned in order to perform parallel testing. For example, multiple web crawlers may be used in parallel to perform load testing, or to utilize different testing configurations with each of a number of crawlers. Cacer continues to monitor potential angles of attack and then produce 805 security suggestions…by using a passive monitoring technique. See par. 0103: Passive monitoring 801 then continues, collecting information after new security solutions are implemented 806,). Cacer is herein combined with Trivel for same obviousness reasons as stated for claim 47. As per claim 49, Trivel teaches the method of claim 11, but do not explicitly disclose wherein the first probe is sent during at least one of an assessment stage, a remediation stage, a detection stage, and a response stage. This aspect of the claim is identified as a further difference. In a related art, Cacer teaches: wherein the first probe is sent during at least one of an assessment stage, a remediation stage, a detection stage, and a response stage (Note: optional limitations are recited herein) (Cacer, par. 0104: during assessment or analytical stage, nonhuman “bad actors” such as automated software bots mitigated. [These] automated software bots may probe for, and then exploit, existing vulnerabilities. Using automated behavioral learning in this manner provides a much more responsive solution than manual intervention, enabling rapid response to threats to mitigate any potential impact. See also FIG. 8, 804-806). Trivel and Cacer are analogous art to the claimed invention in the same field of endeavor as the claimed invention for improving network scanning, or reasonably pertinent to the problem faced by the inventor, which may be in a different field. Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Trivel’s system with Cacer’s teachings of automatically sending a probe or scan request during an assessment stage or a detection stage. For this combination, the motivation would have been to improve the level of security with automatic network scanning on all discovered devices and resources. Regarding claims 55-57, they are similar to claims 47-49 in view of the inventive features recited, respectively; and thus, claims 55-57 are rejected for the same reasons discussed above. Allowable Subject Matter Claims 50 and 58 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claims 50 and 58 each recite elements “wherein the assessment stage obtains additional information about the first network device based on a response to the first probe, wherein the remediation stage uses the first probe to modify an aspect of the first network device to reduce a vulnerability of the first network device, wherein the detection stage detects a security threat relating to the first network device at least partially based on a response to the first probe, and wherein the response stage uses the first probe to modify at least one of an aspect of the first network device and an aspect of the network to address the security threat” These elements and the features thereof in combination with the other limitations in the claims 11 and 19, 32 and 57, respectively, are not anticipated by, nor made obvious over the prior art of record. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”). Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953. The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862. The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000. /Don G Zhao/Primary Examiner, Art Unit 2493 02/19/2026