Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The instant application having Application No. 16/166,417 filed on 10/28/2018 is presented for examination.

Examiner Notes
Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Drawings
The applicant’s drawings submitted are acceptable for examination purposes.

Authorization for Internet Communications
The examiner encourages Applicant to submit an authorization to communicate with the examiner via the Internet by making the following statement (from MPEP 502.03):
“Recognizing that Internet communications are not secure, I hereby authorize the USPTO to communicate with the undersigned and practitioners in accordance with 37 CFR 1.33 and 37 CFR 1.34 concerning any subject matter of this application by video conferencing, instant messaging, or electronic mail. I understand that a copy of these communications will be made of record in the application file.”

Please note that the above statement can only be submitted via Central Fax, Regular postal mail, or EFS Web.

Information Disclosure Statement
As required by M.P.E.P. 609, the applicant’s submissions of the Information Disclosure Statement dated 10/22/2018 and 10/24/2018 are acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11 and 13-21 are rejected under 35 U.S.C. 103 as being unpatentable over Arov (US 2018/0276375) in view of Bauer (US 2016/0328654).

As per claim 1, Arov discloses a system to protect a cyber-physical system having a plurality of monitoring nodes each generating a series of current monitoring node values over time that represent current operation of the cyber-physical system (Abstract), comprising:
a features extraction computer platform having a memory and a computer processor adapted to:
receive the series of current monitoring node values over time (Paragraph 68), and
generate current feature vectors based on the series of current monitoring mode values (Paragraph 79); and
a system mode estimation computer platform having a memory and a computer processor adapted to:
generate a system mode status indication based on a result of said comparison (Paragraph 13 “activating said alert issuing mechanism to issue a security alert upon detecting that the monitored output data is linked to one of said defined attack vectors and is indicative of a cyber-attack perpetrated with respect to said controller.”).

Arov does not expressly disclose but Bauer discloses provide the current feature vectors to a probabilistic graphical model to generate an estimated system mode (Fig. 3, step 300, 330, and 340), and compare the estimated system mode with a currently reported system mode output by the cyber-physical system (Fig. 3, step 370).
Therefore it would have been obvious to one of ordinary skill in the art at the time of filing to modify the method of Arov to include the teachings of Bauer because it detects industrial cyber-attacks by enhancing the method of Arov in order to remove noise from signals detected. In this way, the combination benefits because the decision making process is more reliable. 

As per claim 2, Arov does not expressly disclose but Bauer discloses wherein the probabilistic graphical model is associated with at least one of: (i) a hidden Markov model, (ii) a hidden semi-Markov model, (iii) a conditional random fields model, and (iv) a Bayesian network (Paragraph 162).

As per claim 3, Arov further discloses wherein the system mode status indication is used to override the currently reported system mode of the cyber-physical system (Paragraph 13 “activating said alert issuing mechanism to issue a security alert upon detecting that the monitored output data is linked to one of said defined attack vectors and is indicative of a cyber-attack perpetrated with respect to said controller.”).

As per claim 4, Arov does not expressly disclose but Bauer discloses wherein the override is only performed if a confidence level associated with the estimated system mode is above a pre-determined threshold value (Paragraph 34).

As per claim 5, Arov further discloses wherein the override is only performed when permitted by system specification requirements (Paragraph 21).

As per claim 6, Arov further discloses wherein an abnormality detection and localization process determines that a subset of the monitoring nodes are currently experiencing a cyber-attack or fault and data associated with the subset is not provided to the probabilistic graphical model (Paragraphs 14-15 “an alert issuing mechanism that is activated following detection that the outputted data flow is indicative of a cyber-attack perpetrated with respect to the controller; [0015] b) generating an operational model for a given one of said controlled subsystems that defines a relation between physical parameters of said given subsystem and that defines a combination of those data inputs which cannot coexist for use in a command of an actuated operation of each electromechanical component of said given subsystem,”).

As per claim 7, Arov further discloses wherein monitoring node values from at least one node in the subset are replaced with virtual estimated values (Paragraph 77).

As per claim 8, Arov further discloses wherein at least one of the current feature vectors is associated with at least one of: (i) a rate of change of time-domain signals, and (ii) a rate of change of a feature (Paragraphs 76-78).

As per claim 9, Arov further discloses wherein the features extraction computer platform is further adapted to:
compare the current feature vectors with a data-driven feature decision boundary, and
generate an abnormal alert signal (Paragraph 13 “activating said alert issuing mechanism to issue a security alert upon detecting that the monitored output data is linked to one of said defined attack vectors and is indicative of a cyber-attack perpetrated with respect to said controller.”).

As per claim 10, Arov further discloses wherein at least one decision boundary and abnormal alert signal are associated with a global feature vector (Paragraph 76).

As per claim 11, Arov further discloses wherein at least one decision boundary and abnormal alert signal are associated with a local feature vector (Paragraph 76).

As per claim 13, Arov discloses a method to protect a cyber-physical system having a plurality of monitoring nodes each generating a series of current monitoring node values over time that represent current operation of the cyber-physical system (Abstract), comprising:
receiving, at a features extraction computer platform, the series of current monitoring node values over time (Paragraph 68);
generating, by the features extraction computer platform, current feature vectors based on the series of current monitoring mode values (Paragraph 79); and
generating, by the system mode estimation computer platform, a system mode status indication based on a result of said comparison (Paragraph 13 “activating said alert issuing mechanism to issue a security alert upon detecting that the monitored output data is linked to one of said defined attack vectors and is indicative of a cyber-attack perpetrated with respect to said controller.”).

Arov does not expressly disclose but Bauer discloses providing, by a system mode estimation computer platform, the current feature vectors to a probabilistic graphical model to generate an estimated system mode (Fig. 3, step 300, 330, and 340);
comparing, by the system mode estimation computer platform, the estimated system mode with a currently reported system mode output by the cyber-physical system (Fig. 3, step 370).

Therefore it would have been obvious to one of ordinary skill in the art at the time of filing to modify the method of Arov to include the teachings of Bauer because it detects industrial cyber-attacks by enhancing the method of Arov in order to remove noise from signals detected. In this way, the combination benefits because the decision making process is more reliable. 

As per claim 14, it is a method claim having similar limitations as cited in claim 2 and is thus rejected under the same rationale.

As per claim 15, it is a method claim having similar limitations as cited in claim 3 and is thus rejected under the same rationale.

As per claim 16, it is a method claim having similar limitations as cited in claim 4 and is thus rejected under the same rationale.

As per claim 17, it is a method claim having similar limitations as cited in claim 5 and is thus rejected under the same rationale.

As per claim 18, it is a medium claim having similar limitations as cited in claim 1 and is thus rejected under the same rationale.

As per claim 19, it is a method claim having similar limitations as cited in claim 6 and is thus rejected under the same rationale.

As per claim 20, it is a method claim having similar limitations as cited in claim 7 and is thus rejected under the same rationale.

As per claim 21, it is a method claim having similar limitations as cited in claim 8 and is thus rejected under the same rationale.


Allowable Subject Matter
Claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
The prior art of record does not disclose or make obvious the following features of claim 12:
a normal space data source storing, for each of the plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the cyber-physical system; and
an abnormal space data source storing, for each of the plurality of monitoring nodes, a series of abnormal monitoring node values over time that represent abnormal operation of the cyber-physical system, wherein the features extraction computer platform is further adapted to:
receive the series of normal monitoring node values and generate a set of normal feature vectors, receive the series of abnormal monitoring node values and generate a set of abnormal feature vectors, and
automatically calculate and output the at least one decision boundary for an abnormal detection platform based on the set of normal feature vectors and the set of abnormal feature vectors.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TIMOTHY A MUDRICK whose telephone number is (571)270-3374. The examiner can normally be reached on 9am-5pm Central Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow, can be reached on (571) 272-7767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TIMOTHY A MUDRICK/
Primary Examiner, Art Unit 2194
4/06/2021