



                                 P.O. Box 1450, Alexandria, Virginia 22313-1450 – WWW.USPTO.GOV
                           


                             

				
  		        REASONS FOR ALLOWANCE

1.	The following is an Examiner’s statement of reasons for allowance:

2.	Claims 1-39 are considered allowable since, when reading the claims in light of the specification, as per MPEP §2111.01 or Toro Co. v. White Consolidated Industries Inc., 199 F.3d 1295, 1301, 53 USPQ2d 1065, 1069 (Fed. Cir. 1999), none of the references of record alone or in combination disclose or suggest the combination of limitations specified in the independent claims.

3.	The limitations recited in independent claim 1 “A method of monitoring data traffic on a data communication network, the method comprising: parsing the data traffic to extract at least one protocol field of a protocol message of the data traffic; associating the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models, the set of models comprising different models for different protocol fields; assessing if a contents of the extracted protocol field is in a safe region as defined by the model; and generating an intrusion detection signal in case it is established that the contents of the extracted protocol field is outside the safe region, wherein in a learning phase a model is built for the extracted protocol field, the learning phase comprising: providing a plurality of model types, determining a data type of the extracted protocol field, selecting a model type for the extracted protocol field from the plurality of model types on the basis of a characteris-

building the model for the extracted protocol field on the basis of the selected model type.”

73 SAS 100016US Attorney Docket No.: 094926-1044641

4.	The limitations recited in independent claim 19 “A data communication network comprising: an intrusion detection system for detecting an intrusion in data traffic on the data communication network, the intrusion detection system comprising: a parser for parsing the data traffic to extract at least one protocol field of a protocol message of the data traffic; an engine for associating the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models, the set of models comprising different models for different protocol fields; a model handler for assessing if a contents of the extracted protocol field is in a safe region as defined by the model; and an actuator for generating an intrusion detection signal in case it is established that the contents of the extracted protocol field is outside the safe region, wherein the system is arranged for, in a learning phase, build a model for the extracted protocol field, the learning phase comprising: providing a plurality of model types, determining a data type of the extracted protocol field, selecting a model type for the extracted protocol field from the plurality of model types on the basis of a characteristic of the extracted protocol field, the characteristic comprising the determined data type, and building the model for the extracted protocol field on the basis of the selected model type.”

5.	The limitations recited in independent claim 37 “A data center comprising an intrusion detection system for detecting an intrusion in data traffic on a data communication network of the data center, the intrusion detection system comprising: a parser for parsing the data traffic to extract at least one protocol field of a protocol message of the data traffic; an engine for associating the extracted protocol field with a respective model for that protocol field, the model

protocol fields; a model handler for assessing if a contents of the extracted protocol field is in a safe region as defined by the model; and an actuator for generating an intrusion detection signal in case it is established that the contents of the extracted protocol field is outside the safe region, wherein the system is arranged for, in a learning phase, build a model for the extracted protocol field, the learning phase comprising: providing a plurality of model types, determining a data type of the extracted protocol field, selecting a model type for the extracted protocol field from the plurality of model types on the basis of a characteristic of the extracted protocol field, the characteristic comprising the determined data type, and building the model for the extracted protocol field on the basis of the selected model type.”

Ser. No. 15/461,816 Page 8 of 11 Dkt. No. 102152 1290USC1 P30657US2

6.	The limitations recited in independent claim 38 “An industrial plant comprising an intrusion detection system for detecting an intrusion in data traffic on a data communication network of the industrial plant, the intrusion detection system comprising: a parser for parsing the data traffic to extract at least one protocol field of a protocol message of the data traffic; an engine for associating the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models, the set of models comprising different models for different protocol fields; a model handler for assessing if a contents of the extracted protocol field is in a safe region as defined by the model; and an actuator for generating an intrusion detection signal in case it is established that the contents of the extracted protocol field is outside the safe region, wherein the system is arranged for, in a learning phase, build a model for the extracted protocol field, the learning phase comprising: providing a plurality of model types, determining a data type of the extracted protocol field, selecting a model type for the extracted proto-

col field, the characteristic comprising the determined data type, and building the model for the extracted protocol field on the basis of the selected model type.”

7.	The limitations recited in independent claim 39 “An office data network comprising an intrusion detection system for detecting an intrusion in data traffic on the office data network, the intrusion detection system comprising: a parser for parsing the data traffic to extract at least one protocol field of a protocol message of the data traffic; an engine for associating the extracted protocol field with a respective model for that protocol field, the model being selected from a set of models, the set of models comprising different models for different protocol fields; a model handler for assessing if a contents of the extracted protocol field is in a safe region as defined by the model; and an actuator for generating an intrusion detection signal in case it is established that the contents of the extracted protocol field is outside the safe region, wherein the system is arranged for, in a learning phase, build a model for the extracted protocol field the learning phase comprising: providing a plurality of model types, determining a data type of the extracted protocol field, selecting a model type for the extracted protocol field from the plurality of model types on the basis of a characteristic of the extracted protocol field, the characteristic comprising the determined data type, and building the model for the extracted protocol field on the basis of the selected model type.”

8.	When taken in context the claims as a whole was/were not uncovered in the prior art i.e., the dependent claims are allowed as they depend upon an allowable independent claim.

9.	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submission



                                  Correspondence Information

10.	Any inquiries concerning this communication or earlier communications from the examiner should be directed to Michael B. Holmes, who may be reached Monday through Friday, between 5:00 a.m. and 6:00 p.m. EST. or via telephone at (571) 272-3686 or facsimile transmission (571) 273-3686 or email michael.holmesb@uspto.gov. If you need to send an Official facsimile transmission, please send it to (571) 273-8300. If attempts to reach the examiner are unsuccessful the Examiner’s Supervisor (SPE), Lo Ann J., may be reached at (571) 272-9767. Hand-delivered responses should be delivered to the Receptionist @ (Customer Service Window Randolph Building 401 Dulany Street, Alexandria, VA 22313), located on the first floor of the south side of the Randolph Building. Finally, information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Moreover, status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have any questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) toll-free @ 1-866-217-9197.
                                                  Michael B. Holmes
                                                                                  Primary Examiner
                                                                                Artificial Intelligence
                                                                                     Art Unit 2126
                                                          United States Department of Commerce
                                                                        Patent & Trademark Office

Thursday, January 14, 2021
                MBH
                                                                                        /MICHAEL B HOLMES/
                                                                                        Primary Examiner, Art Unit 2126