DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is responsive to communication filed on 12/16/2020.  Claims 1-21 are pending.  Claim 21 is new.  Claims 1, 3, 5, 6-11, 13-20 have been amended.  Entry of this amendment is accepted and made of record.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Skare US2011/0039237A1 (hereinafter Skare) in view of Long US 2016/0085986.
Regarding claim 1, Skare teaches a method for analyzing an abnormal event in an industrial automation and control system, IACS, (see abstract, para. 8, 15, 30-33) comprising the following steps: 
a) identifying the abnormal event (see para. 8, 15, 30-33, 34-36, 42, 48, 83-84); 
b) detecting a root cause of the abnormal event (para. 42, 83, wherein a key root cause events is determined); and 
(c) determining that the root cause is a user activity (see para. 8, 42, 51, 83-84, 87-88, wherein events are correlated to determine root cause events, and wherein SCADA system failures can be detected and alerts are triggered when system integrity is compromised);
(d) evaluating a possible impact on the IACS caused by the abnormal event, in response to determining that the root cause is the user activity (see para. 62, 83-88, wherein significant impacts on the health of the SCADA servers and networking devices are identified an alarmed by network manager); and 
(e) generating a notification in response to the evaluation of the possible impact not matching a predefined list of allowable behavior (para. 42, 47-48, 50, 53-55, 84-91, wherein correlations are made to determine whether the security inputs from user and authorized external contactors are detected, and security errors and logging failures are detected; wherein the events are matched; where the system detects remote users not allowed, where IP addresses not allowed, which poses a security risk, are designated black listed and an alarm will be produced and wherein an alarm is sent and wherein the breach by the intruder is identified and misconfigured bridge is identified and repaired setting the SCADA security level back to normal).
However, Skare do not expressly or explicitly teaches that the user is an authorized user. 
Long teaches a system and method for data analysis for monitoring activities associated with data and misuse of data, determine whether an event has occurred and a notification can be provided if the event has occurred (see abstract, para. 0002).  Long further teaches normalized event data and identifier to determine whether an attempt to access data is fraudulent or indicative of probable misuse based on at least a rule implemented where a normalized event data is correlated with other instances of normalized event data stored to determine a set of activities performed by the authorized user of the system associated with the protected data and determining whether the set of activities are performed by an authorized user of the system associated with the protected data deviates from an allowable set of activities (see Fig. 1A-B2-6; abstract; para. 2, 7, 9, 23-24, 26, 28, 31, 33-40, 63, 66, 69, 71-72, 75 claim 9). 
Therefore, given the teachings of Long of identifying abnormal events (deviation from allowable set of activities) performed by an authorized user of the system, as discussed above, it would have been obvious to one of ordinary skilled in the art at the time the invention was effectively filed to configure the system of Skare to determining that the root cause is an user activity by an authenticated user, evaluating a possible impact on the IACS caused by the abnormal event in response to determining that the root cause is the user activity by the authenticated user for the benefit of providing a reliable, secure and enhanced system that would allow for detection of misuse in a computer environment based on analyzing application layer data such as in log files including user identifiable data.
	Regarding claim 2, the combination of Skare and Long teaches all the materials as applied above. Skare further teaches wherein the abnormal event is identified using a predefined list of allowable event types and/or of abnormal event types (see para. 11, 15, 47-48, 50).
	Regarding claims 3 and 16, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches wherein evaluating the possible impact on the IACS is performed by evaluating at least one change in a configuration of the IACS related to the identified abnormal event (see para. 24, 32, 36, 42-44, 53-56, Fig. 2). 
Regarding claim 4, the combination of Skare and Long teaches all the materials as applied above. Skare further that evaluating the change in the configuration of the IACS caused by the abnormal event is performed by comparing a predefined configuration of the IACS with the at least one change in the configuration of the IACS caused by the abnormal event (see abstract, para. 12, 14, 24, 31-32, 35-36, 38, 40, 42-44, 53-57, 59, Fig. 2, wherein the system is monitoring for operational/configuration changes caused by abnormal event).
Regarding claim 5, the combination of Skare and Long teaches all the materials as applied above. Skare further teaches the predefined configuration is at least one of the following: a commissioned configuration, a configuration previously running on the IACS, or a configuration currently running on the IACS (see abstract, para. 12, 14, 19, 24, 31-32, 35-36, 38, 40, 42-44, 53-57, 59, 85 Fig. 2, wherein the system is configured e.g. definition of criticality indices of the industrial control system).
Regarding claims 6 and 17, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches wherein evaluating the possible impact on the IACS is performed using information on at least one of the following: at least one electronic device that has been affected by the abnormal event, a functionality of the at least one electronic device, or and interconnection of the at least one electronic device with at least one other electronic device of the IACS (see para. 88, wherein impacts on the health of the SCADA servers and networking devices are identified and alarmed by the Network Manager/IHM and any events from servers firewalls, routers or network devices are correlated by the ECE and sent to the SSM).
	Regarding claim 7, the combination of Skare and Long teaches all the materials as applied above. Skare further teaches wherein evaluating the possible impact on the IACS is performed by analyzing a configuration file uploaded to at least one device of the IACS, and the configuration file contains information and/or instructions for the change in the configuration of the IACS (see para. 51, 60, 84, 85, 87, 91, wherein data changes are injected system and security events are identified and a proper way to respond to the event is determined).
	Regarding claim 8, the combination of Skare and Long teaches all the materials as applied above. Skare further teaches wherein evaluating the possible impact on the IACS is performed by analyzing whether the at least one electronic device is an instruction sender and/or receiver within the IACS and whether there is a change in a functionality of the sender and/or receiver (see para. 54, 56-57, 59, 62, 84, 88; wherein data from all monitored system components is being send at a Java application in order to evaluate the operation of the system).
Regarding claims 9 and 18, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches that information on a result of evaluating the possible impact on the IACS caused by the abnormal event and information on the abnormal event are linked, and the linked information is stored in a record (para. 14, 42, 47-48, 50, 53-55, 84-91, wherein correlations are made to determine whether the security inputs from user and authorized external contactors are detected, and security errors and logging failures are detected; wherein the events are matched; para. 69-70, 92, wherein the disturbances and groups of events are stored).
Regarding claims 10 and 19, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches that evaluating the possible impact on the IACS is performed by checking a record, the record comprising linked information on at least one previous result of evaluating a possible impact on the IACS caused by at least one previous abnormal event and information on the at least one previous abnormal event (para. 14-15, 31, 42, 47-48, 50, 53-55, 84-91, wherein trace-back of identified security event sources when a security event is identified and collecting of logs and traces for the security event, correlations are made to determine whether the security inputs from user and authorized external contactors are detected, and security errors and logging failures are detected, the events are matched and security logs involving the event is triggered for forensic review; para. 69-70, 92, wherein the disturbances and groups of events are stored).
Regarding claim 11, Skare teaches An industrial automation and control system, IACS, (see abstract, para. 8, 15, 30-33) comprising: 
an identification unit configured to identifying the abnormal event (see para. 8, 15, 30-33, 34-36, 42, 48, 83-84,88 e.g. Network Manager/IHM identifies impacts on the health of the SCADA servers and networking devices); 
a detection unit configured to detect a root cause of the abnormal event (para. 42, 83, wherein a key root cause events is determined by an Event correlator); and 
a generating and evaluating unit configured to generate a first notification if the root cause is not any user activity (see para. 8, 42-43, 51, 54, 59, 83-84, 87-88, wherein events are correlated to determine root cause events, and wherein SCADA system failures can be detected and alerts are triggered when system integrity is compromised, e.g. interfaces are used to send status and alarm data, Security Manager 20, collects security statuses and sets system security level, set changes in operational state and allows reactions to security state), and, if the root cause is a user activity, configured to evaluate a possible impact on the IACS caused by the abnormal event (see para. 62, 83-88, wherein significant impacts on the health of the SCADA servers and networking devices are identified an alarmed by network manager), and generating a second notification if the evaluation of the possible impact does not match a predefined list of allowable behavior (para. 42, 47-48, 50, 53-55, 84-91, wherein correlations are made to determine whether the security inputs from user and authorized external contactors are detected, and security errors and logging failures are detected; wherein the events are matched; where the system detects remote users not allowed, where IP addresses not allowed, which poses a security risk, are designated black listed and an alarm will be produced and wherein an alarm is sent and wherein the breach by the intruder is identified and misconfigured bridge is identified and repaired setting the SCADA security level back to normal).
However, Skare do not expressly or explicitly teaches that the user is an authorized user. 
Long teaches a system and method for data analysis for monitoring activities associated with data and misuse of data, determine whether an event has occurred and a notification can be provided if the event has occurred (see abstract, para. 0002).  Long further teaches normalized event data and identifier to determine whether an attempt to access data is fraudulent or indicative of probable misuse based on at least a rule implemented where a normalized event data is correlated with other instances of normalized event data stored to determine a set of activities performed by the authorized user of the system associated with the protected data and determining whether the set of activities are performed by an authorized user of the system associated with the protected data deviates from an allowable set of activities and generate a notification or alert triggered by the activities (see Fig. 1A-B2-6; abstract; para. 2, 7, 9, 23-24, 26-28, 31, 33-40, 63, 66, 69, 71-72, 75 claim 9). 
Therefore, given the teachings of Long of identifying abnormal events (deviation from allowable set of activities) performed by an authorized user of the system, as discussed above, it would have been obvious to one of ordinary skilled in the art at the time the invention was effectively filed to configure the system of Skare to generate and evaluate a first notification if the root cause is not any user activity and if the root cause is a user activity by an authenticated user, evaluating a possible impact on the IACS caused by the abnormal event in response to determining that the root cause is the user activity by the authenticated user for the benefit of providing a reliable, secure and enhanced system that would allow for detection of misuse in a computer environment based on analyzing application layer data such as in log files including user identifiable data.
	Regarding claim 12, the combination of Skare and Long teaches all the materials as applied above. Skare further teaches wherein the identification unit is configured to identify the abnormal event by using a predefined list of allowable event types and/or of abnormal event types (see para. 11, 15, 47-48, 50).
	Regarding claim 13, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches that generating and evaluating unit is configured to evaluate the possible impact on the IACS by using information on at least one of the following: at least one electronic device that has been affected by the abnormal event, the functionality of the at least one electronic device, or an interconnection of the at least one electronic device with at least one other electronic device of the IACS (see para. 88, wherein impacts on the health of the SCADA servers and networking devices are identified and alarmed by the Network Manager/IHM and any events from servers firewalls, routers or network devices are correlated by the ECE and sent to the SSM)..
	Regarding claim 14, the combination of Skare and Long teaches all the materials as applied above. Skare further teaches that the generating and evaluation unit is configured to evaluate the possible impact on the IACS by analyzing whether at least one device is an instruction sender and/or receiver within the IACS and whether there is a change in a functionality of the sender and/or receiver (see para. 54, 56-57, 59, 62, 84, 88; wherein data from all monitored system components is being send at a Java application in order to evaluate the operation of the system).
Regarding claim 15, Skare teaches a computer program product for analyzing an abnormal event in an industrial automation and control system, IACS, (see abstract, para. 8, 15, 30-33) and comprising one or more non-transitory computer readable media having computer executable instructions (para. 9, 17) for performing the steps of : 
a) identifying the abnormal event (see para. 8, 15, 30-33, 34-36, 42, 48, 83-84); 
b) detecting a root cause of the abnormal event (para. 42, 83, wherein a key root cause events is determined); and 
c) generating a first notification if the root cause is not any user activity (see para. 8, 42, 51, 54, 59, 83-84, 87-88, wherein events are correlated to determine root cause events, and wherein SCADA system failures can be detected and alerts are triggered when system integrity is compromised), and, if the root cause is a user activity, evaluating a possible impact on the IACS caused by the abnormal event (see para. 62, 83-88, wherein significant impacts on the health of the SCADA servers and networking devices are identified an alarmed by network manager), and generating a second notification if the evaluation of the possible impact does not match a predefined list of allowable behavior (para. 42, 47-48, 50, 53-55, 84-91, wherein correlations are made to determine whether the security inputs from user and authorized external contactors are detected, and security errors and logging failures are detected; wherein the events are matched; where the system detects remote users not allowed, where IP addresses not allowed, which poses a security risk, are designated black listed and an alarm will be produced and wherein an alarm is sent and wherein the breach by the intruder is identified and misconfigured bridge is identified and repaired setting the SCADA security level back to normal).
However, Skare do not expressly or explicitly teaches that the user is an authorized user. 
Long teaches a system and method for data analysis for monitoring activities associated with data and misuse of data, determine whether an event has occurred and a notification can be provided if the event has occurred (see abstract, para. 0002).  Long further teaches normalized event data and identifier to determine whether an attempt to access data is fraudulent or indicative of probable misuse based on at least a rule implemented where a normalized event data is correlated with other instances of normalized event data stored to determine a set of activities performed by the authorized user of the system associated with the protected data and determining whether the set of activities are performed by an authorized user of the system associated with the protected data deviates from an allowable set of activities and generate a notification or alert triggered by the activities (see Fig. 1A-B2-6; abstract; para. 2, 7, 9, 23-24, 26-28, 31, 33-40, 63, 66, 69, 71-72, 75 claim 9). 
Therefore, given the teachings of Long of identifying abnormal events (deviation from allowable set of activities) performed by an authorized user of the system, as discussed above, it would have been obvious to one of ordinary skilled in the art at the time the invention was effectively filed to configure the system of Skare to generate a first notification if the root cause is not any user activity and if the root cause is a user activity by an authenticated user, evaluating a possible impact on the IACS caused by the abnormal event in response to determining that the root cause is the user activity by the authenticated user for the benefit of providing a reliable, secure and enhanced system that would allow for detection of misuse in a computer environment based on analyzing application layer data such as in log files including user identifiable data.
	Regarding claim 20, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches that evaluating the change in the configuration of the IACS caused by the abnormal event is performed by comparing a predefined configuration of the IACS with the at least one change in the configuration of the IACS caused by the abnormal event (see abstract, para. 12, 14, 24, 31-32, 35-36, 38, 40, 42-44, 53-57, 59, Fig. 2, wherein the system is monitoring for operational/configuration changes caused by abnormal event), 
the predefined configuration is at least one of the following: a commissioned configuration, a configuration previously running on the IACS, or a configuration currently running on the IACS (see abstract, para. 12, 14, 19, 24, 31-32, 35-36, 38, 40, 42-44, 53-57, 59, 85 Fig. 2, wherein the system is configured e.g. definition of criticality indices of the industrial control system), 
evaluating the possible impact on the IACS is performed by analyzing a configuration file uploaded to at least one device of the IACS, the configuration file contains information and/or instructions for the change in the configuration of the IACS (see para. 51, 60, 84, 85, 87, 91, wherein data changes are injected system and security events are identified and a proper way to respond to the event is determined), and evaluating the possible impact on the IACS is performed by analyzing whether the at least one electronic device is an instruction sender and/or receiver within the IACS and preferably whether there is a change in the functionality of the sender and/or receiver (see para. 54, 56-57, 59, 62, 84, 88; wherein data from all monitored system components is being send at a Java application in order to evaluate the operation of the system).
Regarding claim 21, the combination of Skare and Long teaches all the materials as applied above.  Skare further teaches 
a) identifying a second abnormal event (see para. 8, 15, 30-33, 34-36, 42, 48, 83-84, a variety of events are identified);
b) detecting a second root cause of the second abnormal event (para. 42, 83, wherein a key root cause events is determined); and 
c) generating a second notification in response to the second root cause not being any user activity (see para. 8, 42, 51, 83-84, 87-88, wherein events are correlated to determine root cause events, and wherein SCADA system failures can be detected and alerts are triggered when system integrity is compromised). 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-21 have been fully considered but are moot because in view of the new ground of rejection necessitated by the amendments now being treated on the merits. 

Conclusion
The prior art made of record cited in form PTOL-892 and not relied upon is considered pertinent to applicant's disclosure. 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


                                                                                                                                                                                           
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YARITZA H PEREZ BERMUDEZ whose telephone number is (571)270-1520.  The examiner can normally be reached on Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/YARITZA H. PEREZ BERMUDEZ/
Examiner
Art Unit 2864



/MANUEL A RIVERA VARGAS/Primary Examiner, Art Unit 2864