DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35
U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form
the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1, 2, 4, 5, 8, 9, 10, 16, 19 and 20 are rejected under pre-AIA 35 U.S.C. 102(a)(1) as being unpatentable over US 20200076799 A1 (Lackey et al.) (hereinafter Lackey).
In re claims 1, 10 and 16, Lackey discloses a method ([0006], “a method for managing network communications is provided”) and a system (Fig. 3) comprising: monitoring network communication of a plurality of electronic devices (Fig. 2, [0032], “Network communication manager 218 manages the network communications to and from each respective network device connected to the local network using device access policies that correspond to each network device model type connected to the local network. In addition, network communication manager 218 monitors for aberrant network communication behavior within the local network based on historical network device model type communication behaviors”), wherein the plurality of electronic devices are communicatively coupled to a wireless network ([0033], “Local network 220 represents an identifier for the local network that data processing system 200 is connected to. Devices 222 represent identifiers for a plurality of network devices also connected to local network 220. Devices 222 may be any type of network device, such as, for example, IoT devices, smart devices, computers, data processing systems, storage devices, and the like. Devices 222 are capable of communicating with each other, as well as with devices external to local network 220”); extracting cross-layer features for each of the plurality of electronic devices using the network communication, wherein the cross-layer features are selected based on a downstream network operation ([0063], “Metrics that illustrative embodiments may combine to form a device fingerprint are, for example: 1) MAC address of a device, which illustrative embodiments may use to identify manufacturer and device type; 2) number and type of open ports on the device; 3) attempted network connections made by the device; 4) network protocols used by the device; 5) network connection speed of the device; 6) network traffic patterns of the device; and 7) hardware and software versions of the device”); storing the cross-layer features of each of the plurality of electronic devices in a device fingerprinting database ([0084], “Further, the data processing system collects network communication metrics corresponding to the network device based on the network communications to and from the network device (step 528). The data processing system records the network communication metrics in the global policy database as historical device network communication behavior for a model type corresponding to the network device (step 530)”. [0049], “Variations in network access attempts need to be interpreted and determined whether these variations in behavior represent network security threats or valid traffic. Illustrative embodiments utilize a set of one or more local network gatekeepers to collect network metrics and network access request data from network devices connected to the local network. Then, this set of network gatekeepers generate a unique device fingerprint for each network device on the local network based on the collected metrics. The set of network gatekeepers send the generated device fingerprints to a global policy database”); monitoring a network communication of an electronic device communicatively coupled to the wireless network ([0079], “The process begins when the data processing system receives an indication that a network device has been added to a local network connected to the data processing system (step 502). The network device may be, for example, network device 110 in FIG. 1 or smart refrigerator 406 in FIG. 4” (monitoring network communication of a newly added electronic device to the network)); extracting the cross-layer features from the network communication of the electronic device ([0080], “In response to receiving the indication that the network device been added to the local network at step 502, the data processing system detects metrics corresponding to the network device added to the local network (step 504). The metrics may include a network device identifier, such as an IP or MAC address, a network device model type, network device hardware and software versions, number and type of open ports on the device, attempted network connections made by the device, network protocols used by the device, network connection speed of the device, network traffic patterns of the device, and the like”); classifying the electronic device into a device category using the cross-layer features of the electronic device and the device fingerprinting database ([0006], “The data processing system generates a device fingerprint corresponding to the network device added to the local network based on the detected metrics”. [0035], “After generating the device fingerprints, network communication manager 218 sends the device fingerprints to a global policy database. Global policy database 228 represents an identifier for the global policy database that data processing system 200 is connected to”. [0082], “Afterward, the data processing system makes a determination as to whether a device fingerprint match was found in the global policy database between the device fingerprint corresponding to the network device and one of a plurality of device fingerprints stored in the global policy database (step 510). If the data processing system determines that a device fingerprint match was found in the global policy database between the device fingerprint corresponding to the network device and one of the plurality of device fingerprints stored in the global policy database, yes output of step 510, then the data processing system identifies a model type corresponding to the network device based on the match (step 512)” (classifies as a match with the database to retrieve the model type and apply the policy)); and performing the downstream network operation on the electronic device based on the device category ([0082], “Further, the data processing system retrieves a device access policy corresponding to the identified model type from the global policy database (step 514)” (downstream operation on the refrigerator). [0085], “The data processing system makes a determination as to whether aberrant network communication behavior is detected corresponding to the network device based on historical device network communication behavior for that model type (step 532)...If the data processing system determines that aberrant network communication behavior is detected corresponding to the network device, yes output of step 532, then the data processing system performs a set of mitigation action steps regarding the detected aberrant network communication behavior (step 534)...Furthermore, the data processing system sends the detected aberrant network communication behavior to the global policy database for analysis and modification of the applied device access policy based on the analysis (step 536)”).
In re claim 2, Lackey discloses the method of claim 1, wherein the downstream network operation is one of media access control (MAC) address spoofing detection, device localization, quality of service (QoS) provisioning, access control, device authentication, device identification, and attack detection ([0059], “For example, such local smart devices may be compromised or corrupted and used to perform a DDoS attack on a device having an external network address”. [0062], “Because illustrative embodiments utilize available sources of information to produce a device fingerprint beyond a mere IP or MAC address, illustrative embodiments provide reliable device identification. This reliable device identification of illustrative embodiments makes device spoofing (i.e., masquerading as a different device) more difficult”).
In re claim 4, Lackey discloses the method of claim 3, wherein compiling the cross-layer features of each of the plurality of electronic devices into the device fingerprinting database includes: determining a plurality of MAC addresses for the plurality of electronic devices; determining one or more EVMs for each of the plurality of electronic devices; and storing the plurality of MAC addresses, and the one or more EVMs determined for each of the plurality of electronic devices, in the device fingerprinting database ([0060], “Furthermore, illustrative embodiments improve over existing network security systems by providing device fingerprinting. Traditional firewalls typically cannot depend on the identification information provided by devices sending traffic into a local network because this identification information, such as an IP address or MAC address, can be easily spoofed”. [0063], “Metrics that illustrative embodiments may combine to form a device fingerprint are, for example: 1) MAC address of a device, which illustrative embodiments may use to identify manufacturer and device type”).
In re claim 5, Lackey discloses the method of claim 4, wherein the cross-layer features of the electronic device comprise a first MAC address of the electronic device, and a first EVM of the electronic device, and wherein classifying the electronic device into the device category using the cross-layer features of the electronic device and the device fingerprinting database, comprises: determining if the first MAC address of the electronic device matches a second MAC address of the plurality of MAC addresses stored in the device fingerprinting database; and responding to the first MAC address matching the second MAC address by: accessing the one or more EVMs associated with the second MAC address; and determining the device category of the electronic device based on a comparison between the first EVM and the one or more EVMs associated with the second MAC address ([0063], “For example, a MAC address can specify a manufacturer, since the MAC address must be registered by the manufacturer, while the number of ports and connection speed of each port can be matched to a particular device type in that manufacturer's product catalog”. [0064], “If device metrics disagree with known device metrics (e.g., a MAC address registered to a particular manufacturer with a specified number of ports does not match any known product of that manufacturer), then illustrative embodiments flag that device as suspicious, send a security notification regarding that device, and apply a restrictive policy to that device (e.g., block all local network communication by that device)”).
In re claim 8, Lackey discloses the method of claim 1, wherein extracting the cross-layer features for each of the plurality of electronic devices using the network communication comprises: determining a plurality of cross-layer feature values for each of the plurality of electronic devices from distinct communications transmitted by each of the plurality of electronic devices; and determining one or more statistics based on the plurality of cross-layer feature values for each of the plurality of electronic devices ([0032], “Network communication manager 218 manages the network communications to and from each respective network device connected to the local network using device access policies that correspond to each network device model type connected to the local network. In addition, network communication manager 218 monitors for aberrant network communication behavior within the local network based on historical network device model type communication behaviors”. [0036], “Global policy database 228 includes machine learning component 230. Global policy database 228 utilizes machine learning component 230 to analyze the network device information received from the plurality of different network gatekeeper devices and identify device model types 232 of the network devices connected to each respective local network corresponding to each respective network gatekeeper device”. See further “In re claim 1”. All features are covered in claim 1).
In re claim 9, Lackey discloses the method of claim 8, wherein the one or more statistics include one or more of a mean, a standard deviation, a range, and a variance of the plurality of cross-layer feature values for each of the plurality of electronic devices ([0036], “Global policy database 228 includes machine learning component 230. Global policy database 228 utilizes machine learning component 230 to analyze the network device information received from the plurality of different network gatekeeper devices and identify device model types 232 of the network devices connected to each respective local network corresponding to each respective network gatekeeper device”. It is implicit that machine learning model utilize statistical tools for analysis).
In re claim 19, Lackey discloses the method of claim 16, further comprising: monitoring network communications of the electronic device over a period of time; extracting the cross-layer features from the network communications at multiple time instances during the period of time; and updating the device fingerprinting database with the extracted cross-layer features at the multiple time instances (implicitly covered as in machine learning model, data is continuously updated over period of time).
In re claim 20, Lackey discloses the method of claim 16, wherein the device fingerprinting database is compiled by: monitoring network communications of the plurality of electronic devices; extracting the cross-layer features for each of the plurality of electronic devices from the network communications; and storing the extracted cross-layer features for each of the plurality of electronic devices in the device fingerprinting database (See “In re claim 1”. All features are covered in claim 1).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200076799 A1 (Lackey et al.) (hereinafter Lackey) in view of CN 111917715 A (MIAO et al.) (hereinafter MIAO).
In re claim 3, Lackey discloses the method of claim 1, but does not explicitly disclose wherein the downstream network operation is MAC address spoofing detection, wherein the cross-layer features include a MAC address and an error vector magnitude (EVM), and wherein the EVM is correlated to one or more of a phase noise, an I/Q imbalance, nonlinearities in a power amplifier, and quantization noise in an analog-to-digital converter, of the electronic device.
MIAO discloses wherein the downstream network operation is MAC address spoofing detection, wherein the cross-layer features include a MAC address and an error vector magnitude (EVM), and wherein the EVM is correlated to one or more of a phase noise, an I/Q imbalance, nonlinearities in a power amplifier, and quantization noise in an analog-to-digital converter, of the electronic device (Page 5, lines 4-5, “forming the characteristic vector of 400 dimension wherein n is the effective number of the original fingerprint characteristic vector”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lackey with MIAO to provide an efficient method for device fingerprinting (FP) to enhance wireless network security. The advantage of doing so is to address the computational complexity with the growing network of low-end edge devices.
In re claim 11, Lackey discloses the system of claim 10, but does not explicitly disclose wherein the feature extraction module is configured to extract a plurality of error vector magnitude (EVM) values from communications transmitted by the edge device, and wherein the device fingerprinting database comprises, for each of the plurality of edge devices, an estimated probability distribution of a plurality of EVM values extracted from communications transmitted by the respective edge device.
MIAO discloses wherein the feature extraction module is configured to extract a plurality of error vector magnitude (EVM) values from communications transmitted by the edge device, and wherein the device fingerprinting database comprises, for each of the plurality of edge devices, an estimated probability distribution of a plurality of EVM values extracted from communications transmitted by the respective edge device (Page 10, lines 10-14, “Finally, a 400-dimensional feature vector is formed, where n is the effective number of original fingerprint feature vectors. The neural network uses a lightweight multilayer perceptron as a multi-classification model to achieve a balance between classification performance and computational cost. The multi-layer perceptron including input and output layers is set to 5, the number of neurons in each layer is 128, and the dropout parameter is set to 0.3”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lackey with MIAO to provide an efficient method for device fingerprinting (FP) to enhance wireless network security. The advantage of doing so is to address the computational complexity with the growing network of low-end edge devices.
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over US 20200076799 A1 (Lackey et al.) (hereinafter Lackey) in view of US 20210058394 A1 (Zhang et al.) (hereinafter Zhang).
In re claim 17, Lackey discloses the method of claim 16, but does not explicitly disclose wherein classifying the electronic device into the device category using the cross-layer features of the electronic device and the device fingerprinting database comprises: determining a similarity score between the cross-layer features of the electronic device and the cross-layer features of each of the plurality of electronic devices stored in the device fingerprinting database; and assigning the electronic device to the device category associated with the electronic device from the plurality of electronic devices having a highest similarity score.
Zhang discloses wherein classifying the electronic device into the device category using the cross-layer features of the electronic device and the device fingerprinting database comprises: determining a similarity score between the cross-layer features of the electronic device and the cross-layer features of each of the plurality of electronic devices stored in the device fingerprinting database; and assigning the electronic device to the device category associated with the electronic device from the plurality of electronic devices having a highest similarity score ([0019], “Embodiments may perform device identification based on network traffic analysis. Multiple identification solutions are integrated, optimized, and combined with advanced detection heuristics and algorithms which can provide reliable device identification and fine-grained device identification. The logic of one or more identification engines can be combined with signatures, in addition to the confidence score algorithm which can be used separately as a software package without affecting the existing software architecture thereby providing flexibility and extensibility”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lackey with Zhang to provide an efficient method for device fingerprinting (FP) to enhance wireless network security. The advantage of doing so is to address the computational complexity with the growing network of low-end edge devices.
Allowable Subject Matter
Claims 6, 7, 12-15 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SWATI JAIN whose telephone number is (571)270-0699. The examiner can normally be reached Mon - Fri (830 am - 530 pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pan Yuwen can be reached on 5712727855. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SWATI JAIN/Examiner, Art Unit 2649 /YUWEN PAN/Supervisory Patent Examiner, Art Unit 2649