DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/01/2021 has been entered.

Response to Amendment
This is in response to the amendments filed on 03/01/2021. Claims 1, 14, and 20 have been amended. Claims 21-24 are added. Claims 1-24 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see page 7, filed 03/01/2021, with respect to the objection to claim 20 have been considered and are persuasive. The objection has been withdrawn.
Applicant’s arguments, see page 7, filed 03/01/2021, with respect to the rejection of claim 20 under 35 U.S.C. 112(b) have been considered and are persuasive. However, Applicant's amendment necessitated the new ground(s) of rejection as will be discussed below.
Applicant’s arguments, see pages 7-11, filed 03/01/2021, with respect to the rejection of claims 1-20 under 35 U.S.C. 103 have been considered but are moot.


In this regard, Yoon describes that 
Our approach employs a content based analysis that characterizes normal command and data sequences applied at the network level. (See Abstract)

We model message sequences as a Dynamic Bayesian Network and use Probabilistic Suffix Tree (PST) as the underlying predictive model. (See Section III, emphasis added) 

We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, sNs}. A master mi controls, or observes the state of a slave sj, by sending a request that is composed of a command and a command-specific data. A slave may send a response back to the master after the requested execution. Similar to a request, a response is also composed of a command and data that represents the result of the execution. Because of the indistinguishability in the formats, we denote by ri,j = (c, d) a request/response from device i to j with command c and the corresponding data d, and call it a message. (See Section II-A, emphasis added)
 
That is, modeling message sequences as a Dynamic Bayesian Network of Yoon teaches determining system-level correlations between control messages of claim 1 since Dynamic Bayesian Network approach itself relates commands and data each other as illustrated in FIGs. 1 and 2 of Yoon. Also, a request/response from device i to j with command c and the corresponding data d of Yoon teaches sequences of control messages exchanged between two or more devices of claim 1, as detailed in the rejection below.
Also, Caselli describes that 
[u]sually, ICSs deal with thousands of variables that represent physical or control parameters. … As an example, modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries. (See page 17, Section 5.3, emphasis added)

Once we have established the event sequences, we can create a model of our system using the chosen modeling approach. … In case of discrete-time Markov chains (DTMC), the modeling process clusters in a model's state sequence events that share the same semantic meaning. In the “network communication" case this concept can refer to the involved commands or carried data (e.g., a DTMC state that gathers together all the “write" commands that change a specific variable). … Finally, in the “process variable" case, the TMC states can cluster values belonging to a specific interval (e.g., temperature values discretized to integer scale). (See Section 6, emphasis added)

That is, the variables that represent physical parameters such as a temperature or a pressure of Caselli teaches the current contextual information of claim 1, and the modeling process based on the variables (e.g., temperature values) teaches correlations between sequences of control messages based on the current contextual information. Thus, Yoon in view of Caselli teaches determining system-level correlations between sequences of control messages based on the current contextual information of claim 1.

On page 8 of Remarks, Applicant also asserts that the Office Action has provided no evidence or rationale to support a finding of inherency that the command and data would include a set of constraints to control the critical infrastructure, but the assertion is moot since the current rejection does not apply the inherency statement. 

On page 9 of Remarks, Applicant further asserts that the Office has not shown that the combination of Yoon and Caselli describes "gathering" current contextual information. The Examiner respectfully disagrees.
In this regard, Caselli describes that 
The first layer is the Reader. The Reader is in charge of capturing raw information (e.g., files, network packets, data streams, etc.). (See Section 4 and 

a “sequence of events" related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries. (See Section 5.3)

That is, the reader captures raw information (e.g., network packets and data streams), and the network packets and data streams should include current contextual information. Thus Yoon in view of Caselli teaches the feature discussed above.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 21-24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 21 recites the limitation “… further comprising polling one or more of the multiple devices to obtain the current contextual information”, while claim 1 recites the limitation “gathering current contextual information …” In this regard, claims 14 and 20 recite the corresponding limitation “poll(ing) one or more of the multiple devices to obtain current contextual information …” Thus, it is unclear whether the “polling” is the “gathering” step, or a completely different step. 
Claims 22-24 are rejected under 112(b) as being dependent from the rejected claim 21.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 4, 5, 9, 12-16, 19, 21 and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”).

Regarding claim 1:
Yoon teaches:
An intrusion detection method (Section I: intrusion detection systems (IDS)) for protecting against sequences of operationally valid control messages that in combination harm or disrupt devices in an operational control system (Abstract: Attacks on Industrial Control Systems (ICS) continue to grow in number and complexity, and well-crafted cyber attacks are aimed at both commodity and ICS-specific contexts. It has become imperative to create efficient ICS-specific defense mechanisms that complement traditional enterprise solutions. Most commercial solutions are not designed for ICS environments) comprising multiple devices (Section II, A: The network may implement multiple protocols; a device may interact with others with different protocols. Consequently, the unique connection identifier ωi,j defined above can be extended to ωi,j,p where p represents a protocol. We perform anomaly detection at the connection level, in a multiprotocol environment; Section II-A: We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, sNs}. --- It is noted that a set of master devices and a set of slave devices teaches multiple devices), the method including the steps of:
monitoring operationally valid control messages communicated in the operational control system (Section II-B: a protocol analyzer monitors the messages transferred along all the connections …; Section IV-A: The dataset is obtained from a Modbus network testbed that consists of 43 connections established among 2 masters and 25 slaves. The number of commands used by the connections is 4, i.e., Σc {a, b, c, d}. To the best of our knowledge, there are no attack/abnormal scenarios in this dataset, and thus all sequences are considered normal. --- It is noted that monitors the messages transferred along all the connections and obtaining number of commands from a Modbus network (and ICS environments) teaches monitoring control messages communicated in the operational control system; all sequences are considered normal teaches operationally valid control messages);
… 
determining system-level correlations between sequences of control messages exchanged between two or more devices of the multiple devices and other sequences of control messages between another two or more devices of the multiple devices … (Abstract: Our approach employs a content based analysis that characterizes normal command and data sequences applied at the network level; Section III: We model message sequences as a Dynamic Bayesian Network and use Probabilistic Suffix Tree (PST) as the underlying predictive model; Section III-B: we present a method to learn the hidden pattern from a sequence of commands (or data); If a sequence of elements is generated by an underlying pattern and exhibits no noise, there always exists a minimum order, m, for a Markov chain allows us to predict the probability of an element by just looking at the m most recent elements; a PST learns a set of subsequences of different lengths, e.g., ‘σ1’, ‘σ2, σ3’, each of which can be a significant indicative of the next element. This enables us to efficiently calculate the probability of the ‘next’ element without having to look back all or a pre-defined length of the history; Section III-B: Thus, for the rest of this section we use ‘element’ to refer to command or data; also see FIG. 3; Section II-A: We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, sNs}. A master mi controls, or observes the state of a slave sj, by sending a request that is composed of a command and a command-specific data. A slave may send a response back to the master after the requested execution. Similar to a request, a response is also composed of a command and data that represents the result of the execution. Because of the indistinguishability in the formats, we denote by ri,j = (c, d) a request/response from device i to j with command c and the corresponding data d, and call it a message.
--- It is noted that content based analysis that characterizes normal command and data sequences applied at the network level and modeling message sequences as a Dynamic Bayesian Network and FIGs. 1 to 3 teaches system-level correlations between control messages; here the Dynamic Bayesian Network correlates commands and data as illustrated in FIGs. 1 and 2, which teaches system-level (i.e., connection-level or network-level) correlation; a set of master devices and a set of slave devices teaches multiple devices; command c and the corresponding data d of, for example, rm1,s1 and rm2,s2 teaches sequences of control messages exchanged between two or more devices; command c and the corresponding data d of, for example, rm3,s3 and rm4,s4 teaches other sequences of control messages exchanged between another two or more devices);
generating sequences of operationally valid control messages that would result in actual harm based on the system-level correlations (Section III-D: To illustrate our approach, let us consider a sequence of commands, shown in Figure 5, which is a part of the sequence generated from the base pattern of ababcc as in Figure 3; see also FIGs. 3 & 4; Section IV: we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies; Section IV-B-1: To mimic attack scenarios, some random, abnormal subsequences are embedded into the dataset under test. --- It is noted that, for example, FIGs. 3, 4 and 5 teaches generating a sequence of commands based on the correlation, and to mimic attack scenarios teaches that the commands would result in actual harm); and
… when a harmful sequence of messages is identified (Section IV-B-2: If c(t) is deemed abnormal, and there was indeed an attack sequence (or a part of it) within the recent D commands, the attack is detected. --- It is noted that the attack is detected teaches a threat is identified, and c(t) is deemed abnormal teaches a harmful sequence of messages).
Yoon is silent about:
gathering current contextual information which includes a set of physical constraints on control system properties;
determining … correlations … based on the current contextual information; and
reporting a threat … 
Caselli, in the same field of endeavor, teaches:
gathering current contextual information which includes a set of physical constraints on control system properties (Section 4 & Figure 1: In Figure 1, we propose an architecture for a sequence-aware intrusion detection system which is based on a layered structure. Each layer receives information items from a lower layer, evaluates them, and finally forwards the results to the following layer. A layered structure allows to abstract from the input sources and to improve both usability and maintainability of the S-IDS. The first layer is the Reader. The Reader is in charge of capturing raw information (e.g., files, network packets, data streams, etc.); Section 5.3: A “sequence of events" related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries. --- It is noted that thousands of variables that represent physical parameters (e.g., a temperature or a pressure) teaches current contextual information which includes a set of physical constraints on control system properties; Each layer receives information items from a lower layer and the input sources, and the Reader captures raw information (e.g., files, network packets, data streams, etc.); it is also inherent that the network packets and/or data streams include process variables. Thus, this teaches gathering current contextual information; system component (i.e., master devices and slave devices) teaches control system properties);
determining … correlations … based on the current contextual information (Section 6: Once we have established the event sequences, we can create a model of our system using the chosen modeling approach. … In case of discrete-time Markov chains (DTMC), the modeling process clusters in a model's state sequence events that share the same semantic meaning. In the “network communication" case this concept can refer to the involved commands or carried data (e.g., a DTMC state that gathers together all the “write" commands that change a specific variable). … Finally, in the “process variable" case, the TMC states can cluster values belonging to a specific interval (e.g., temperature values discretized to integer scale); Section 8.1: Figure 6 represents the result from our modeling approach applied to a communication involving a PLC and the SCADA server. Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 8.2: To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. --- It is noted that, for example, FIGs. 6, 7 and 8 teaches determining system-level correlations between messages; the modeling process is based on the process variable, and FIGs. 6, 7 and 8 represent the result from modeling, which thus teaches determining correlations based on the current contextual information).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to gather process variables including physical parameters, as taught by Caselli, in order to analyze how the parameters change over time.
In this regard, Caselli describes that modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries (Caselli, Section 5.3).
Thus, the motivation is to give useful insights on the behavior of a system component and its physical boundaries.
Caselli further teaches:
reporting a threat … (Section 4: the Detection layer is in charge of arising alerts to users when “detection models" show malicious patterns. --- It is noted that arising alerts teaches reporting a threat). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to raise alerts to users, as taught by Caselli, in order to allow the user to acknowledge the alerts when malicious patterns are detected.
The motivation is to allow the user to acknowledge the alerts when malicious patterns are detected, and to minimize damages inflicted by the malicious patterns (Caselli, Section 2.1).
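As an added illustration, not part of this Office action and not Yoon's or Caselli's code, the following Python models normal command sequences with a variable-order context model of the kind the quoted PST passage describes: it learns next-command counts for every suffix up to a maximum order, predicts with the longest trained suffix, deems a command c(t) abnormal when its probability falls below a threshold, and applies the quoted Section IV-B-2 rule that an alert counts as a detection when an attack command lies within the recent D commands. The base pattern ababcc, the four-command alphabet {a, b, c, d} and the injected subsequence are constructed inputs chosen to match the figures cited above.

```python
"""Variable-order (suffix-context) Markov model over ICS command sequences.

Constructed example: normal traffic is the repeating base pattern "ababcc"
(the pattern of Yoon's Figure 3); the alphabet {a, b, c, d} stands for the
four Modbus commands of Yoon's Section IV-A.  Nothing here is Yoon's code.
"""
from collections import defaultdict

ALPHABET = ("a", "b", "c", "d")


class SuffixContextModel:
    """Counts next-symbol frequencies for every context (suffix) of length
    0..max_order and predicts with the longest context seen in training.
    This is the back-off a PST provides: a short context is enough where the
    pattern is unambiguous, a longer one is consulted where it is not."""

    def __init__(self, max_order=3, alphabet=ALPHABET, pseudocount=0.01):
        self.max_order = max_order
        self.alphabet = alphabet
        self.pseudocount = pseudocount
        # context string -> {next symbol -> count}
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, seq):
        """Record, for every position, which symbol followed each suffix."""
        for i, sym in enumerate(seq):
            for k in range(0, min(self.max_order, i) + 1):
                self.counts[seq[i - k:i]][sym] += 1

    def prob(self, history, sym):
        """P(sym | history) from the longest trained suffix of history,
        with a small pseudocount so unseen symbols get a tiny probability."""
        for k in range(min(self.max_order, len(history)), -1, -1):
            ctx = history[len(history) - k:]
            if ctx in self.counts:
                table = self.counts[ctx]
                total = sum(table.values())
                return (table.get(sym, 0) + self.pseudocount) / (
                    total + self.pseudocount * len(self.alphabet))
        return 1.0 / len(self.alphabet)  # untrained model: uniform guess


def flag_abnormal(model, seq, threshold=0.1):
    """Indices t at which c(t) is deemed abnormal: the model assigns the
    observed command a probability below the threshold given its history."""
    return [t for t, sym in enumerate(seq)
            if model.prob(seq[:t], sym) < threshold]


def attack_detected(flags, attack_positions, window):
    """Detection rule from the quoted Section IV-B-2: an abnormal verdict at
    t is a detection if some attack command lies within the recent `window`
    commands ending at t."""
    attack = set(attack_positions)
    return any(any(p in attack for p in range(t - window + 1, t + 1))
               for t in flags)


def demo():
    normal = "ababcc" * 20  # constructed training traffic, no anomalies
    model = SuffixContextModel(max_order=3)
    model.train(normal)
    # constructed test traffic: two normal periods, an injected abnormal
    # subsequence "bcd" at indices 12-14, then two more normal periods
    test = "ababcc" * 2 + "bcd" + "ababcc" * 2
    flags = flag_abnormal(model, test)
    return flags, attack_detected(flags, range(12, 15), window=5)


if __name__ == "__main__":
    abnormal_at, hit = demo()
    print("abnormal at", abnormal_at, "attack detected:", hit)
```

Only the two injected commands that contradict a learned context ("b" after "bcc", and the never-seen "d") are flagged; the "c" between them is consistent with the short context "b" and passes, which is the kind of partial visibility the quoted detection rule's D-command window is meant to absorb.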

Regarding claim 2: 
Yoon in view of Caselli teaches:
The method of claim 1 … 
Yoon further teaches:
… wherein the operational control system is a manufacturing control system that controls machines used for manufacturing products (Section I: It is well known that Industrial Control Systems (ICS) (some of which are also known as Supervisory Control and Data Acquisition or SCADA systems) supporting the critical infrastructure of our nation are vulnerable and have even become the targets of well-crafted cyber attacks aimed at both commodity and ICS-specific contexts. --- It is noted that industrial control systems teaches a manufacturing control system; and the critical infrastructure implies machines used for manufacturing products).

Regarding claim 4: 
Yoon in view of Caselli teaches:
The method of claim 1, wherein the generating sequences of operationally valid control messages …
Yoon further teaches:
… includes using current messages as starting points and generating subsequent messages that are predicted to be harmful (Section IV: we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies; Section IV-B-1: To mimic attack scenarios, some random, abnormal subsequences are embedded into the dataset under test; see also FIG. 4. --- It is noted that FIG. 4 shows that strings are generated using a current string (e.g., cab) as a starting point and substrings (e.g., a, b, c) are generated; and to mimic attack scenarios teaches the embedded data to be harmful).

Regarding claim 5: 
Yoon in view of Caselli teaches:
The method of claim 1 …
Yoon further teaches:
… further including evaluating harmfulness of the generated sequences of messages using one or more behavior oracles (Section IV: we evaluate how well the probabilistic suffix tree can model normal sequences of command and data. Then, we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies. --- It is noted that probabilistic suffix tree teaches a behavior oracle, and the presence of anomalies implies harmfulness).

Regarding claim 9: 
Yoon in view of Caselli teaches:
The method of claim 5, wherein the behavior oracles used include …
Yoon is silent about:
a simple static context (SSC) oracle that is configured to compare a set of values in a message sequence against an allowable range for the set of values.
Caselli teaches:
a simple static context (SSC) oracle that is configured to compare a set of values in a message sequence against an allowable range for the set of values (Section 3: The … extract variable values from devices' network communications and use autoregression modeling and control limits to monitor their changes over time. When a value does not fit the model or exceeds the control limits, the intrusion detection system raises an alert providing the correct expected behavior. --- It is noted that variable values teaches a set of values in a message sequence; the control limits teaches an allowable range for the set of values; a value exceeds the control limits teaches compare a set of values in a message sequence against an allowable range for the set of values; thus, this approach teaches a simple static context (SSC) oracle).
Thus, it would have been obvious to one of ordinary skill in the art before the effective 
The motivation is to minimize the computational expense of evaluating the behavior of the variable values by simply comparing the values, while providing promising results.

Regarding claim 12: 
Yoon in view of Caselli teaches:
The method of claim 5, wherein the behavior oracles used include… 
Yoon is silent about:
a physical (PHY) oracle that is configured to use equipment to directly observe physical effects of sequences of operationally valid control messages.
Caselli teaches:
a physical (PHY) oracle that is configured to use equipment to directly observe physical effects of sequences of operationally valid control messages (Section 5.3: Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries; Section 3: Security solutions such as intrusion detection systems can not recognize semantic attacks without any knowledge of the infrastructure and the physical processes under control; Section 8.2: To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2. Due to the criticality of the water infrastructure we were not allowed to test the attacks on the real network. For this reason we replay the same 24 hours of real traffic plus the attacks to the intrusion detection system. Also in this case the SIDS raises the previous 211 false positives for the reasons discussed above. In addition, the S-IDS raises also eight correct alerts detecting both the attacks; Section I: Instead, they exploit the possibility to arrange “valid" events (e.g. network messages, log entries, variable values) in a way that their presence, in relation with other operations, can cause problems to targeted devices (e.g., faults, failures). … a sequence attack being the cause of “water hammer effects" … By closing and opening these valves with the right timing the authors succeed to increase the pressure to a critical value. 
--- It is noted that closing and opening valves and control pumps teaches use equipment; closing and opening with the right timing and start and stop commands teaches sequences of operationally valid control messages; water hammer effects teaches directly observe physical effects; thus the S-IDS of which effectiveness is proved by using the pump and valve teaches a physical (PHY) oracle).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to inject sequence attacks to infrastructure, as taught by Caselli, in order to evaluate semantic attacks. 
The motivation is to prove the effectiveness of the industrial control systems by injecting semantic attacks to the infrastructure because security solutions such as intrusion detection systems can not recognize semantic attacks without any knowledge of the infrastructure and the physical processes under control (Caselli, Section 3).

Regarding claim 13: 
Yoon in view of Caselli teaches:
The method of claim 1 … 
Yoon is silent about:
… wherein reporting a threat includes reporting anomalous message sequences or reporting an estimated failure state based on current messaging.
Caselli teaches:
… wherein reporting a threat includes reporting anomalous message sequences or reporting an estimated failure state based on current messaging (Section 4: the Detection layer is in charge of arising alerts to users when “detection models" show malicious patterns; Section 2.2: These valves can be rapidly opened and closed causing a so-called water hammer effect, which could result in a large number of simultaneous main breaks in the pipeline. --- It is noted that result in breaks in the pipeline based on malicious patterns teaches an estimated failure state based on current messaging).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to include results by a threat, as taught by Caselli, in order to allow an operator to acknowledge the predicted results.
The motivation is to avoid future problems by allowing an operator to acknowledge the results predicted for sequence attacks (Caselli, Section 2.2).

Regarding claim 14:
Yoon teaches:
An intrusion detection system (Section I: intrusion detection systems (IDS)) for protecting against sequences of operationally valid control messages that in combination harm or disrupt devices in an operational control system (Abstract: Attacks on Industrial Control Systems (ICS) continue to grow in number and complexity, and well-crafted cyber attacks are aimed at both commodity and ICS-specific contexts. It has become imperative to create efficient ICS-specific defense mechanisms that complement traditional enterprise solutions. Most commercial solutions are not designed for ICS environments) comprising multiple devices (Section II, A: The network may implement multiple protocols; a device may interact with others with different protocols. Consequently, the unique connection identifier ωi,j defined above can be extended to ωi,j,p where p represents a protocol. We perform anomaly detection at the connection level, in a multiprotocol environment; Section II-A: We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, sNs}. --- It is noted that a set of master devices and a set of slave devices teaches multiple devices), the intrusion detection system including a processor and a memory having instructions executable by the processor (--- it is inherent that intrusion detection systems (IDS) contain a processor and a memory having instructions executable by the processor), causing the processor to:
monitor operationally valid control messages communicated in the operational control system (Section II-B: a protocol analyzer monitors the messages transferred along all the connections …; Section IV-A: The dataset is obtained from a Modbus network testbed that consists of 43 connections established among 2 masters and 25 slaves. The number of commands used by the connections is 4, i.e., Σc {a, b, c, d}. To the best of our knowledge, there are no attack/abnormal scenarios in this dataset, and thus all sequences are considered normal. --- It is noted that monitors the messages transferred along all the connections and obtaining number of commands from a Modbus network (and ICS environments) teaches monitor control messages communicated in the operational control system; all sequences are considered normal teaches operationally valid control messages);
…
determine system-level correlations between sequences of control messages exchanged between two or more devices of the multiple devices and other sequences of control messages exchanged between another two or more devices of the multiple devices … (Abstract: Our approach employs a content based analysis that characterizes normal command and data sequences applied at the network level; Section III: We model message sequences as a Dynamic Bayesian Network and use Probabilistic Suffix Tree (PST) as the underlying predictive model; Section III-B: we present a method to learn the hidden pattern from a sequence of commands (or data); If a sequence of elements is generated by an underlying pattern and exhibits no noise, there always exists a minimum order, m, for a Markov chain allows us to predict the probability of an element by just looking at the m most recent elements; a PST learns a set of subsequences of different lengths, e.g., ‘σ1’, ‘σ2, σ3’, each of which can be a significant indicative of the next element. This enables us to efficiently calculate the probability of the ‘next’ element without having to look back all or a pre-defined length of the history; Section III-B: Thus, for the rest of this section we use ‘element’ to refer to command or data; also see FIG. 3; Section II-A: We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, sNs}. A master mi controls, or observes the state of a slave sj, by sending a request that is composed of a command and a command-specific data. A slave may send a response back to the master after the requested execution. Similar to a request, a response is also composed of a command and data that represents the result of the execution. Because of the indistinguishability in the formats, we denote by ri,j = (c, d) a request/response from device i to j with command c and the corresponding data d, and call it a message.
--- It is noted that content based analysis that characterizes normal command and data sequences applied at the network level and modeling message sequences as a Dynamic Bayesian Network and FIGs. 1 to 3 teaches system-level correlations between control messages; here the Dynamic Bayesian Network correlates commands and data as illustrated in FIGs. 1 and 2, which teaches system-level (i.e., connection-level or network-level) correlation; a set of master devices and a set of slave devices teaches multiple devices; command c and the corresponding data d of, for example, rm1,s1 and rm2,s2 teaches sequences of control messages exchanged between two or more devices; command c and the corresponding data d of, for example, rm3,s3 and rm4,s4 teaches other sequences of control messages exchanged between another two or more devices);
generate sequences of operationally valid control messages that would result in actual harm based on the system-level correlations (Section III-D: To illustrate our approach, let us consider a sequence of commands, shown in Figure 5, which is a part of the sequence generated from the base pattern of ababcc as in Figure 3; see also FIGs. 3 & 4; Section IV: we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies; Section IV-B-1: To mimic attack scenarios, some random, abnormal subsequences are embedded into the dataset under test. --- It is noted that, for example, FIGs. 3, 4 and 5 teaches generating a sequence of commands based on the correlation, and to mimic attack scenarios teaches that the commands would result in actual harm); and 
… when a harmful sequence of messages is identified (Section IV-B-2: If c(t) is deemed abnormal, and there was indeed an attack sequence (or a part of it) within the recent D commands, the attack is detected. --- It is noted that the attack is detected teaches a threat is identified, and c(t) is deemed abnormal teaches a harmful sequence of messages).
Yoon is silent about:
poll one or more of the multiple devices to obtain current contextual information which includes a set of physical constraints on control system properties;
determining … correlations … based on the current contextual information; and
reporting a threat … 
Caselli, in the same field of endeavor, teaches:
poll one or more of the multiple devices to obtain current contextual information which includes a set of physical constraints on control system properties (Section 4 & Figure 1: In Figure 1, we propose an architecture for a sequence-aware intrusion detection system which is based on a layered structure. Each layer receives information items from a lower layer, evaluates them, and finally forwards the results to the following layer. A layered structure allows to abstract from the input sources and to improve both usability and maintainability of the S-IDS. The first layer is the Reader. The Reader is in charge of capturing raw information (e.g., files, network packets, data streams, etc.); Section 5.3: A “sequence of events" related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries; Section 8.1 & Figure 6: Over the four hours of training, the infrastructure shows 20 different Modbus connections: 9 PLC-to-RTU, 3 PLC-to-PLC, and 6 PLC-to-SCADA Server, 1 SCADA Server-to-SCADA Server and 1 HMI-to-SCADA Server. … Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 5.1: … the context of network communications … communication patterns (e.g., pushing vs. polling) being used in ICS. 
--- It is noted that thousands of variables that represent physical parameters (e.g., a temperature or a pressure) teaches current contextual information which includes a set of physical constraints on control system properties; each layer receives information items from a lower layer and the input sources, and the Reader captures raw information (e.g., files, network packets, data streams, etc.), and it is inherent that the network packets and/or data streams include process variables, which teaches gathering current contextual information; system component teaches control system properties; most of the Modbus connections (between PLCs, RTUs, and servers) involve just one or two Modbus requests and responses sent periodically (e.g., once every second), communication patterns (e.g., polling) are used in ICS, and ICSs deal with thousands of variables that represent physical or control parameters, which teaches poll one or more of the multiple devices to obtain current contextual information);
determine … correlations … based on the current contextual information (Section 6: Once we have established the event sequences, we can create a model of our system using the chosen modeling approach. … In case of discrete-time Markov chains (DTMC), the modeling process clusters in a model's state sequence events that share the same semantic meaning. In the “network communication" case this concept can refer to the involved commands or carried data (e.g., a DTMC state that gathers together all the “write" commands that change a specific variable). … Finally, in the “process variable" case, the DTMC states can cluster values belonging to a specific interval (e.g., temperature values discretized to integer scale); Section 8.1: Figure 6 represents the result from our modeling approach applied to a communication involving a PLC and the SCADA server. Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 8.2: To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. --- It is noted that, for example, FIGs. 6, 7 and 8 teach determining system-level correlations between messages; the modeling process is based on the process variable, and FIGs. 6, 7 and 8 represent the result from modeling, which teaches determining correlations based on the current contextual information).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to gather process variables including physical parameters, as taught by Caselli, in order to analyze how the parameters change over time.
In this regard, Caselli describes that modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries (Caselli, Section 5.3).
Thus, the motivation is to give useful insights on the behavior of a system component and its physical boundaries.
Caselli further teaches:
report a threat … (Section 4: the Detection layer is in charge of arising alerts to users when “detection models" show malicious patterns. --- It is noted that arising alerts teaches reporting a threat). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to arise 
The motivation is to allow the user to acknowledge the alerts when malicious patterns are detected, and to minimize damages inflicted by the malicious patterns (Caselli, Section 2.1).
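The PST-based detection quoted from Yoon in the claim 1 mapping above (learn conditional probabilities for suffixes of a normal command sequence, deem c(t) abnormal when its probability under the model is low, and count a detection when part of an attack lies within the recent D commands) can be illustrated in code. The following is an added illustration written for this page; it is not code from this Office action, from Yoon, from Caselli or from the application. The base pattern ababcc and the four-command alphabet {a, b, c, d} come from the quoted passages; the training and test sequences, the injected subsequence "acc", the pruning count, the probability threshold and the window D = 5 are constructed assumptions.

```python
"""PST-style (variable-order Markov) anomaly detection over a command stream.

Added illustration of the approach quoted from Yoon; not code from Yoon, Caselli
or the application. All sequences and parameters below are constructed.
"""
from collections import defaultdict

ALPHABET = ("a", "b", "c", "d")   # four commands, as in the quoted Section IV-A
MAX_ORDER = 4                     # deepest context (suffix) the tree keeps (assumption)
MIN_COUNT = 2                     # contexts seen fewer times than this are pruned (assumption)

# Constructed training data: the base pattern ababcc repeated, no anomalies.
NORMAL = list("ababcc" * 30)

# Constructed test data: the abnormal subsequence "acc" embedded at index 60.
ATTACK_START, ATTACK_END = 60, 62  # inclusive indices of the injected subsequence
TEST_SEQ = list("ababcc" * 10) + list("acc") + list("ababcc" * 10)


def learn_pst(seq, max_order=MAX_ORDER, min_count=MIN_COUNT):
    """Count next-symbol occurrences for every suffix (context) of length 0..max_order.

    Returns {context tuple: {symbol: count}}. Rare contexts are dropped; this pruning
    is what keeps the tree smaller than a fixed-order Markov chain of the same depth.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for t, sym in enumerate(seq):
        for k in range(0, min(t, max_order) + 1):
            counts[tuple(seq[t - k:t])][sym] += 1
    return {ctx: dict(nxt) for ctx, nxt in counts.items()
            if sum(nxt.values()) >= min_count}


def next_prob(pst, history, sym, alphabet=ALPHABET, max_order=MAX_ORDER):
    """P(sym | longest suffix of history stored in the tree), add-one smoothed.

    Backing off to the longest stored suffix is what lets the model score a symbol
    without looking back a fixed distance into the history.
    """
    for k in range(min(len(history), max_order), -1, -1):
        ctx = tuple(history[len(history) - k:]) if k else ()
        if ctx in pst:
            nxt = pst[ctx]
            return (nxt.get(sym, 0) + 1) / (sum(nxt.values()) + len(alphabet))
    return 1.0 / len(alphabet)  # only reached if even the empty context was pruned


def detect(pst, seq, threshold=0.1):
    """Indices t at which c(t) is deemed abnormal: model probability below threshold."""
    return [t for t in range(len(seq)) if next_prob(pst, seq[:t], seq[t]) < threshold]


def _window_hits_attack(t, attack_start, attack_end, d):
    # The recent d commands at time t are indices [t-d+1, t]; check overlap with the attack.
    return t - d + 1 <= attack_end and attack_start <= t


def attack_detected(flags, attack_start, attack_end, d):
    """Yoon's counting rule as quoted: an alarm counts as a detection when any part of
    the attack sequence lies within the most recent d commands."""
    return any(_window_hits_attack(t, attack_start, attack_end, d) for t in flags)


def false_alarms(flags, attack_start, attack_end, d):
    """Alarms whose d-command window contains no part of the attack."""
    return [t for t in flags if not _window_hits_attack(t, attack_start, attack_end, d)]


if __name__ == "__main__":
    pst = learn_pst(NORMAL)
    print("contexts kept:", len(pst))
    print("alarms on clean traffic:", detect(pst, NORMAL))
    flags = detect(pst, TEST_SEQ)
    print("alarms on test traffic:", flags)
    print("attack detected with D=5:", attack_detected(flags, ATTACK_START, ATTACK_END, 5))
    print("false alarms:", false_alarms(flags, ATTACK_START, ATTACK_END, 5))
```

With these constructed inputs the clean stream produces no alarm, and the injected "acc" is flagged at index 61, where the stored suffix "bcca" has only ever been followed by "b"; the alarm falls inside the D = 5 window of the injection, so it counts as a detection with no false alarms. The threshold and window are the tunable parameters a defender trades off between missed attacks and false alarms.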

Regarding claim 15:
Claim 15 recites the intrusion detection system which corresponds to the method of claim 4, and contains no additional limitations. Therefore claim 15 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 16:
Claim 16 recites the intrusion detection system which corresponds to the method of claim 5, and contains no additional limitations. Therefore claim 16 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 19:
Claim 19 recites the intrusion detection system which corresponds to the method of claim 13, and contains no additional limitations. Therefore claim 19 is rejected by applying the same rationale used to reject claim 13 above.

Regarding claim 21: 
Yoon in view of Caselli teaches:
The method of claim 1, further comprising: … obtain the current contextual information.
Yoon is silent about:
polling one or more of the multiple devices [to obtain the … information].
Caselli teaches:
(Section 8.1 & Figure 6: Over the four hours of training, the infrastructure shows 20 different Modbus connections: 9 PLC-to-RTU, 3 PLC-to-PLC, and 6 PLC-to-SCADA Server, 1 SCADA Server-to-SCADA Server and 1 HMI-to-SCADA Server. … Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 5.1: … the context of network communications … communication patterns (e.g., pushing vs. polling) being used in ICS; Section 5.3: Usually, ICSs deal with thousands of variables that represent physical or control parameters. --- It is noted that most of the Modbus connections (between PLCs, RTUs, and servers) involve just one or two Modbus requests and responses sent periodically (e.g., once every second), communication patterns (e.g., polling) are used in ICS, and ICSs deal with thousands of variables that represent physical or control parameters, which teaches polling one or more of the multiple devices to obtain current [contextual] information).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to use a polling pattern, as taught by Caselli, in order to sample the contextual information.
The motivation is to reduce the memory required to store the information and computational burden by reducing the dimensionality of the input data.

Regarding claim 23: 
Yoon in view of Caselli teaches:
The method of claim 21, further comprising … 
Yoon further teaches:
measuring inter-arrival times … (Section V: Valdes et al. proposed a flow-based anomaly detection approach, which keeps a library of flow and, using simple statistics, such as mean and variance, detects flows that are unexpected or exhibit significant change in parameters such as packet inter-arrival time, volume, etc. --- It is noted that detects flows … such as packet inter-arrival time teaches measuring inter-arrival times). 
Yoon is silent about:
measuring inter-arrival times between operationally valid control messages.
Caselli teaches:
measuring inter-arrival times between operationally valid control messages (Section 6: Timestamp of Modbus “Request/Response" element. --- which teaches measuring inter-arrival times between operationally valid control messages). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to measure inter-arrival times between operationally valid control messages, as taught by Caselli, in order to calculate average time elapsed and standard deviation on time elapsed.
The motivation is to consider message history in learning a hidden pattern from the messages. 

Regarding claim 24: 
Yoon in view of Caselli teaches:
The method of claim 1, wherein the current contextual information further comprises …
Yoon is silent about:
… one or more of (i) static physical context data, (ii) dynamic physical context data, (iii) static cyber context data, (iv) dynamic cyber context data, (v) any one or more of (i), (ii), (iii), (iv). 
Caselli teaches:
… one or more of (i) static physical context data, (ii) dynamic physical context data, (iii) static cyber context data, (iv) dynamic cyber context data, (v) any one or more of (i), (ii), (iii), (iv). (Section 5.3: A “sequence of events" related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries. --- It is noted that physical parameters such as a temperature or a pressure teaches dynamic physical context data; and physical boundaries teaches static physical context data. In this regard, the specification describes that static physical context comprises the fixed constraints of the system, such as the critical ranges and limits of components. … The dynamic context, on the other hand, captures the system's status during operation in real-time. This context includes the condition of the process (e.g., pressure, power level, temperature) and the transient communication patterns (e.g., message rate, observed messages, transmitting nodes). (See para. [0037]).
The motivation for claim 1 is applicable for claim 24.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”), and further in view of Ruvio et al. (US 2018/0196941 A1; hereinafter, “Ruvio”).

Regarding claim 3: 
Yoon in view of Caselli teaches:
The method of claim 1 …
Yoon in view of Caselli is silent about:
… wherein the devices are vehicles.
Ruvio, in the same field of endeavor, teaches:
wherein the devices are vehicles (para. [0089]: Anomaly-based intrusion detection involves creating models that specify what is “normal”, or in other words, what is considered a legitimate traffic on the vehicle's network and what could be marked as suspicious. One important tool is to define the relations between different network frames; para. [0116]: The term “attack” in reference to an ‘attack originator’ refers herein to any attempted damage, unauthorized use or unauthorized access to bus communication or any connected ECU.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon in view of Caselli’s system to apply the intrusion detection method in vehicles, as taught by Ruvio, in order to protect vehicle systems from cyber-attacks.
The motivation is to enable identification of the network architecture, malicious communication source, and malicious frames for providing security, in a cost effective, efficient manner to automotive bus communication systems (Ruvio, para. [0017]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”), and further in view of Bowman-Amuah (WO 2001/017169 A2; hereinafter, “Bowman-Amuah”).

Regarding claim 6: 
Yoon in view of Caselli teaches:
The method of claim 5 … 
Yoon further teaches:
… wherein the evaluating harmfulness includes, using the one or more behavior oracles, determining whether the generated sequences of messages induce operational drift towards a failure state for one or more devices (Section IV: we evaluate how well the probabilistic suffix tree can model normal sequences of command and data. Then, we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies. --- It is noted that probabilistic suffix tree teaches a behavior oracle, and the presence of anomalies implies harmfulness).
Yoon in view of Caselli is silent about:
… determining whether the … messages induce operational drift towards a failure state for one or more devices.
Bowman-Amuah, in the same field of endeavor, teaches:
… determining whether the … messages induce operational drift towards a failure state for one or more devices (P. 3: First, a performance of a network is monitored. Any degradation in the performance of the network is identified. A future performance of the network is then predicted based on the identified degradation in the performance of the network. Then the predicted future performance is compared to performance requirements of service level agreements of a plurality of network users to identify any future problems in meeting the performance requirements. The network is reconfigured to avoid the problems in meeting the performance requirements; p. 102: The present invention includes data mining capability that provides the capability to analyze network management data looking for patterns and correlations across multiple dimensions. The system also constructs models of the behavior of the data in order to predict future growth or problems and facilitate managing the network in a proactive, yet cost-effective manner).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon in view of Caselli’s system to evaluate whether the sequences of command and data degrade the performance, as taught by Bowman-Amuah, in order to predict future performance.
The motivation is to identify and avoid the problems in meeting the performance requirements by predicting future performance of the network based on the identified degradation in the performance of the network (Bowman-Amuah, p. 3).

Claims 7, 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”), and further in view of Kontogiannis (“HIERARCHICAL ORACLES FOR TIME-DEPENDENT NETWORKS“, 2015; hereinafter, “Kontogiannis”).

Regarding claim 7:  
Yoon in view of Caselli teaches:
The method of claim 5 … 
Yoon further teaches:
… wherein the behavior oracles used include a set of hierarchical oracles, and wherein a subset of the set of hierarchical oracles are used (Section I-B: Our implementation and experiments focus on the problem of creating adaptive models, leveraging the intrinsic characteristics of the environment where the models are created. Section IV: we evaluate how well the probabilistic suffix tree can model normal sequences of command and data; see also Figs. 3 and 4; Section III-B: finding such an mth-order Markov chain is challenging since m is unknown especially during an online-learning phase. Even if it is known a priori, the construction of the conditional probability distribution remains computationally expensive if m is large, due to the fixed-order model. --- It is noted that probabilistic suffix tree teaches behavior oracle).
Yoon in view of Caselli is silent about:
… a set of hierarchical oracles, and wherein a subset of the set of hierarchical oracles are used.
Kontogiannis teaches:
(p. 10, Section 5.2: Performance of HORN (This stands for Hierarchical ORacle for time-dependent Networks, see p. 8). The construction of the required travel-time summaries for HORN is based on the BIS + TRAP preprocessing scenario; p. 2: That algorithm, called the bisection method (BIS), is based on bisecting the common departure-time axis for a given origin and all possible destinations, when the arc-cost metric satisfies a slightly stricter assumption than just the FIFO property. BIS requires … time-dependent shortest path functions …; p. 3: A novel efficient algorithm (TRAP) for constructing one-to-all (1 + ε)-summaries of the time dependent shortest path function). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon in view of Caselli’s system to use a hierarchical oracle of time-dependent functions, as taught by Kontogiannis, in consideration of the computational expense.
The motivation is to minimize the computational expense by using a hierarchical oracle of time-dependent functions to identify and avoid the problems (Kontogiannis, p. 3, section 1.2).

Regarding claim 8: 
Yoon in view of Caselli and Kontogiannis teaches:
The method of claim 7 … 
Yoon in view of Caselli is silent about:
… wherein at least two hierarchical oracles of the set of hierarchical oracles vary in computational complexity, and wherein the subset is selected based on timing constraints.
Kontogiannis teaches:
… wherein at least two of the hierarchical oracles vary in computational complexity, and wherein the subset is selected based on timing constraints (p. 10, Section 5.2: Performance of HORN (This stands for Hierarchical ORacle for time-dependent Networks, see p. 8). The construction of the required travel-time summaries for HORN is based on the BIS + TRAP preprocessing scenario; p. 2: That algorithm, called the bisection method (BIS), is based on bisecting the common departure-time axis for a given origin and all possible destinations, when the arc-cost metric satisfies a slightly stricter assumption than just the FIFO property. BIS requires … time-dependent shortest path functions …; p. 3: A novel efficient algorithm (TRAP) for constructing one-to-all (1 + ε)-summaries of the time dependent shortest path function. --- It is noted that HORN is based on two algorithms, i.e., the BIS + TRAP, and both are time dependent). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon in view of Caselli’s system to use a hierarchical oracle of time-dependent functions, as taught by Kontogiannis, in consideration of the computational expense.
The motivation is to minimize the computational expense by using a hierarchical oracle of time-dependent functions to identify and avoid the problems (Kontogiannis, p. 3, section 1.2).

Regarding claim 17:
Claim 17 recites the intrusion detection system which corresponds to the method of claim 8, and contains no additional limitations. Therefore claim 17 is rejected by applying the same rationale used to reject claim 8 above.

Claims 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”), and further in view of Scheidt (US 2016/0063870 A1; hereinafter, “Scheidt”).

Regarding claim 10: 
Yoon in view of Caselli teaches:
The method of claim 5, wherein the behavior oracles used include … 
Yoon in view of Caselli is silent about:
… a high fidelity simulator (HFS) oracle that is configured to simulate a control system environment to determine effects of message sequences on normal operations.
Scheidt, in the same field of endeavor, teaches:
… a high fidelity simulator (HFS) oracle that is configured to simulate a control system environment to determine effects of message sequences on normal operations (para. [0003]: since the AUV is expected to be tested on a test range where both the test environment and the real world environment must be considered relative to safety concerns, it can be appreciated that the testing of such platforms can be difficult. Thus, a mechanism by which to evaluate AUV performance with improved realism in a cost effective manner is clearly desirable; para. [0021]: The high fidelity stimulator 154 may include (or otherwise operate under the control of) processing circuitry that is configured to send or generate high fidelity simulation data for the AUV 100. The high fidelity simulation data may include high complexity fluid dynamics related data or other complex modeling data to create very accurate information for consumption by the AUV 100 to simulate encounters with other devices, objects, or vehicles).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon in view of Caselli’s system to utilize the high fidelity simulator, as taught by Scheidt, in order to evaluate system performance.
The motivation is to evaluate system performance with improved realism in a cost effective manner (Scheidt, paras. [0003]&[0021]).

Regarding claim 18:
.

Claims 11 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”), and further in view of Yao et al. (“Provenance-based Indexing Support in Micro-blog Platforms”, 2012; hereinafter, “Yao”).

Regarding claim 11:  
Yoon in view of Caselli teaches:
The method of claim 5, wherein the behavior oracles used include … 
Yoon in view of Caselli is silent about:
… a message provenance oracle that is configured to predict subsequent sequences of non-harmful control messages. 
Yao, in the same field of endeavor, teaches:
… a message provenance oracle that is configured to predict subsequent sequences of non-harmful control messages (p. 559, left col.: we propose a provenance based indexing approach to explore and manage the micro-blog messages. Provenance discovery [5], [6] is an important technique to derive the source and transformation from large amounts of data. Provenance information describes the origin and the development of data in their life cycles. It has been demonstrated useful in many domains, such as business workflow, scientific processing and database query analysis).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon 
The motivation is to predict the probability of an element by deriving the source and transformation from the sequence of elements using the provenance based indexing approach (Yao, p. 559, left col.).

Regarding claim 20: 
Yoon teaches:
An intrusion detection method (Section I: intrusion detection systems (IDS)) for protecting against sequences of operationally valid control messages that in combination harm or disrupt devices in an operational control system (Abstract: Attacks on Industrial Control Systems (ICS) continue to grow in number and complexity, and well-crafted cyber attacks are aimed at both commodity and ICS-specific contexts. It has become imperative to create efficient ICS-specific defense mechanisms that complement traditional enterprise solutions. Most commercial solutions are not designed for ICS environments) comprising multiple devices (Section II-A: The network may implement multiple protocols; a device may interact with others with different protocols. Consequently, the unique connection identifier ωi,j defined above can be extended to ωi,j, p where p represents a protocol. We perform anomaly detection at the connection level, in a multiprotocol environment; Section II-A: We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, 2Ns}. --- It is noted that a set of master devices and a set of slave devices teaches multiple devices), the method including the steps of:
monitoring operationally valid control messages communicated in the operational control system, (Section II-B: a protocol analyzer monitors the messages transferred along all the connections …; Section IV-A: The dataset is obtained from a Modbus network testbed that consists of 43 connections established among 2 masters and 25 slaves. The number of commands used by the connections is 4, i.e., Σc {a, b, c, d}. To the best of our knowledge, there are no attack/abnormal scenarios in this dataset, and thus all sequences are considered normal. --- It is noted that monitors the messages transferred along all the connections and obtaining number of commands from a Modbus network (and ICS environments) teaches monitoring control messages communicated in the operational control system; all sequences are considered normal teaches operationally valid control messages);
… 
mapping … by determining system-level correlations between sequences of control messages exchanged between two or more devices of multiple devices and other sequences of control messages exchanged between another two or more devices of multiple devices … (Abstract: Our approach employs a content based analysis that characterizes normal command and data sequences applied at the network level; Section III: We model message sequences as a Dynamic Bayesian Network and use Probabilistic Suffix Tree (PST) as the underlying predictive model; Section III-B: we present a method to learn the hidden pattern from a sequence of commands (or data); If a sequence of elements is generated by an underlying pattern and exhibits no noise, there always exists a minimum order, m, for a Markov chain allows us to predict the probability of an element by just looking at the m most recent elements; a PST learns a set of subsequences of different lengths, e.g., ‘σ1’, ‘σ2, σ3’, each of which can be a significant indicative of the next element. This enables us to efficiently calculate the probability of the ‘next’ element without having to look back all or a pre-defined length of the history; Section III-B: Thus, for the rest of this section we use ‘element’ to refer to command or data; also see FIG. 3; Section II-A: We consider a control network that comprises of a set of master devices M = {m1, m2, … mNm} and a set of slave devices S = {s1, s2, …, 2Ns}. A master mi controls, or observes the state of a slave sj, by sending a request that is composed of a command and a command-specific data. A slave may send a response back to the master after the requested execution. Similar to a request, a response is also composed of a command and data that represents the result of the execution. Because of the indistinguishability in the formats, we denote by ri,j = (c, d) a request/response from device i to j with command c and the corresponding data d, and call it a message; also see FIG. 3; Section IV-A: Consequently, we implemented a template-based online data clustering that incrementally extracts data templates and maps each data to one of them. --- It is noted that a content based analysis that characterizes normal command and data sequences applied at the network level, the modeling of message sequences as a Dynamic Bayesian Network, and FIGs. 1 to 3 teach determining system-level correlations between control messages; here the Dynamic Bayesian Network correlates commands and data as illustrated in FIGs. 1 and 2, which teaches system-level (i.e., connection-level or network-level) correlation; a set of master devices and a set of slave devices teaches multiple devices; command c and the corresponding data d of, for example, rm1,s1 and rm2,s2 teaches sequences of control messages exchanged between two or more devices; command c and the corresponding data d of, for example, rm3,s3 and rm4,s4 teaches other sequences of control messages exchanged between another two or more devices; for example, FIG. 3 and mapping each data teach mapping between sequences of control messages);
using semantic fuzzing to generate predictive sequences of legal control messages that would result in actual harm (Section III-D: To illustrate our approach, let us consider a sequence of commands, shown in Figure 5, which is a part of the sequence generated from the base pattern of ababcc as in Figure 3; see also FIGs. 3 & 4; Section IV: we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies; Section IV-B-1: To mimic attack scenarios, some random, abnormal subsequences are embedded into the dataset under test. --- It is noted that, for example, FIGs. 3, 4 and 5 teach generating a sequence of commands based on the correlation, and to mimic attack scenarios teaches that the commands would result in actual harm);
(Section IV: we evaluate how well the probabilistic suffix tree can model normal sequences of command and data. Then, we generate and use a synthetic dataset to see the performance of our framework in the presence of anomalies. --- It is noted that probabilistic suffix tree teaches a behavior oracle, and the presence of anomalies implies harmfulness); and
… when a harmful sequence of messages is identified (Section IV-B-2: If c(t) is deemed abnormal, and there was indeed an attack sequence (or a part of it) within the recent D commands, the attack is detected. --- It is noted that the attack is detected teaches a threat is identified, and c(t) is deemed abnormal teaches a harmful sequence of messages).
Yoon is silent about:
polling one or more of the multiple devices to obtain contextual information including a set of physical constraints on control system properties;
… message provenance by determining … correlations … based on the current contextual information; and
…
generating a threat reporting … 
Caselli teaches:
polling one or more of the multiple devices to obtain contextual information including a set of physical constraints on control system properties (Section 4 & Figure 1: In Figure 1, we propose an architecture for a sequence-aware intrusion detection system which is based on a layered structure. Each layer receives information items from a lower layer, evaluates them, and finally forwards the results to the following layer. A layered structure allows to abstract from the input sources and to improve both usability and maintainability of the S-IDS. The first layer is the Reader. The Reader is in charge of capturing raw information (e.g., files, network packets, data streams, etc.); Section 5.3: A “sequence of events” related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries; Section 8.1 & Figure 6: Over the four hours of training, the infrastructure shows 20 different Modbus connections: 9 PLC-to-RTU, 3 PLC-to-PLC, and 6 PLC-to-SCADA Server, 1 SCADA Server-to-SCADA Server and 1 HMI-to-SCADA Server. … Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 5.1: … the context of network communications … communication patterns (e.g., pushing vs. polling) being used in ICS. --- It is noted that thousands of variables that represent physical parameters (e.g., a temperature or a pressure) teaches current contextual information which includes a set of physical constraints on control system properties; each layer receives information items from a lower layer and the input sources, and the Reader captures raw information (e.g., files, network packets, data streams, etc.), and it is inherent that the network packets and/or data streams include process variables, which thus teaches gathering current contextual information; system component teaches control system properties; most of the Modbus connections (between PLCs, RTUs, and servers) involve just one or two Modbus requests and responses sent periodically (e.g., once every second), communication patterns (e.g., polling) are used in ICS, and ICSs deal with thousands of variables that represent physical or control parameters, which thus teaches polling one or more of the multiple devices to obtain current contextual information);
… determining … correlations … based on the current contextual information (Section 6: Once we have established the event sequences, we can create a model of our system using the chosen modeling approach. … In case of discrete-time Markov chains (DTMC), the modeling process clusters in a model's state sequence events that share the same semantic meaning. In the “network communication” case this concept can refer to the involved commands or carried data (e.g., a DTMC state that gathers together all the “write” commands that change a specific variable). … Finally, in the “process variable” case, the DTMC states can cluster values belonging to a specific interval (e.g., temperature values discretized to integer scale); Section 8.1: Figure 6 represents the result from our modeling approach applied to a communication involving a PLC and the SCADA server. Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 8.2: To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. --- It is noted that, for example, FIGs. 6, 7 and 8 teach determining system-level correlations between messages; the modeling process is based on the process variable, and FIGs. 6, 7 and 8 represent the result from that modeling, which thus teaches determining correlations based on the current contextual information).
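The Yoon passages above (a PST predicting the next command from the longest informative suffix of the history, with an attack counted as detected when an abnormal c(t) falls within the recent D commands of the embedded subsequence) and the Caselli passage just quoted (DTMC states that cluster write commands per variable, or discretize a process variable to an integer scale) rest on the same mechanism: learn the next-element distribution from normal traffic, then flag elements the model assigns near-zero probability. The following Python is an added illustration written for this page; it is not code from the Office action or from the Yoon or Caselli papers. The base pattern "ababcc" is taken from Yoon's Figure 3; the pump/tank events, the temperature readings, the probability threshold and the window sizes are constructed for the example.

```python
"""Added example: PST-style variable-order Markov model over element sequences.
With max_order=1 the same model is a discrete-time Markov chain (DTMC)."""
from collections import defaultdict


class SuffixModel:
    """Learns P(next | longest suffix of the history seen in training)."""

    def __init__(self, max_order=3):
        self.max_order = max_order
        # context (tuple of preceding elements) -> {next element: count}
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, seq):
        seq = list(seq)
        for i, elem in enumerate(seq):
            # record elem after every suffix of length 0..max_order ending at i
            for k in range(min(self.max_order, i) + 1):
                self.counts[tuple(seq[i - k:i])][elem] += 1
        return self

    def prob(self, history, nxt):
        """Back off from the longest context to the shortest one ever observed."""
        hist = tuple(history)[-self.max_order:]
        for k in range(len(hist), -1, -1):
            ctx = hist[len(hist) - k:]
            if ctx in self.counts:
                dist = self.counts[ctx]
                return dist.get(nxt, 0) / sum(dist.values())
        return 0.0


def abnormal_positions(model, seq, threshold=0.05):
    """Indices t at which c(t) is deemed abnormal (probability below threshold)."""
    return [t for t in range(len(seq)) if model.prob(seq[:t], seq[t]) < threshold]


def attack_detected(flags, attack_positions, window):
    """Yoon IV-B-2 rule: an abnormal c(t) counts as a detection only when part of
    the embedded attack lies within the `window` most recent commands ending at t."""
    attack = set(attack_positions)
    return any(any(t - d in attack for d in range(window)) for t in flags)


# Constructed command traffic: Yoon's base pattern "ababcc" as the normal
# sequence; a two-command abnormal fragment "aa" is embedded at positions 18-19.
NORMAL_CMDS = list("ababcc" * 20)
TEST_CMDS = list("ababcc" * 3) + list("aa") + list("ababcc" * 2)
ATTACK_POS = [18, 19]


def yoon_demo(window=3):
    model = SuffixModel(max_order=3).train(NORMAL_CMDS)
    flags = abnormal_positions(model, TEST_CMDS)
    return flags, attack_detected(flags, ATTACK_POS, window)   # ([19, 20], True)


# Constructed Caselli-style event stream: each Modbus event is clustered into a
# DTMC state by (command, variable); the attack inverts the two pump writes.
W_A, W_B, R_T = ("write", "pumpA"), ("write", "pumpB"), ("read", "tank_level")
NORMAL_EVENTS = [W_A, W_B, R_T] * 10
TEST_EVENTS = [W_A, W_B, R_T] * 3 + [W_B, W_A, R_T] + [W_A, W_B, R_T] * 2


def caselli_event_demo():
    dtmc = SuffixModel(max_order=1).train(NORMAL_EVENTS)
    return abnormal_positions(dtmc, TEST_EVENTS)   # [9, 10, 11]


# Process-variable case: constructed temperature readings discretized to an
# integer scale; a jump to 30 degrees is a transition never seen in training.
def discretize(values):
    return [int(round(v)) for v in values]


NORMAL_TEMPS = [20.1, 20.6, 21.2, 21.8, 22.3, 22.9, 22.4, 21.7, 21.1, 20.4] * 5
TEST_TEMPS = NORMAL_TEMPS[:10] + [30.0] + NORMAL_TEMPS[:5]


def caselli_variable_demo():
    dtmc = SuffixModel(max_order=1).train(discretize(NORMAL_TEMPS))
    return abnormal_positions(dtmc, discretize(TEST_TEMPS))   # [10]


if __name__ == "__main__":
    print("Yoon commands:", yoon_demo())
    print("Caselli events:", caselli_event_demo())
    print("Caselli temperature:", caselli_variable_demo())
```

Two properties of the window rule are worth noticing in the command run: the first attack element (position 18, an "a" after "cc") is itself a legal continuation and is not flagged, and the first normal element after the attack (position 20) is flagged because its context is now corrupted, so a detector that scored only the flagged element rather than the recent D commands would mis-attribute the alarm.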
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon’s system by enhancing Yoon’s system to gather process variables including physical parameters using a polling pattern, as taught by Caselli, in order to sample the contextual information and analyze how the parameters change over time.
In this regard, Caselli describes that modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries (Caselli, Section 5.3).
Thus, the motivation is to give useful insights on the behavior of a system component and its physical boundaries while reducing the memory required to store the information and computational burden.
Caselli further teaches:
generating a threat reporting … (Section 4: the Detection layer is in charge of arising alerts to users when “detection models” show malicious patterns. --- It is noted that arising alerts teaches reporting a threat).

The motivation is to allow the user to acknowledge the alerts when malicious patterns are detected, and to minimize damages inflicted by the malicious patterns (Caselli, Section 2.1).
Yoon in view of Caselli is silent about:
… message provenance …
Yao, in the same field of endeavor, teaches:
… message provenance … (p. 559, left col.: we propose a provenance based indexing approach to explore and manage the micro-blog messages. Provenance discovery [5], [6] is an important technique to derive the source and transformation from large amounts of data. Provenance information describes the origin and the development of data in their life cycles. It has been demonstrated useful in many domains, such as business workflow, scientific processing and database query analysis).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon in view of Caselli’s system to include a provenance based indexing approach, as taught by Yao, in order to predict the probability of an element.
The motivation is to predict the probability of an element by deriving the source and transformation from the sequence of elements using the provenance based indexing approach (Yao, p. 559, left col.).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014; hereinafter, “Yoon”) in view of Caselli et al. (“Sequence-aware Intrusion .

Regarding claim 22:  
Yoon in view of Caselli teaches:
The method of claim 21, further comprising … the current contextual information … the one or more of the multiple devices.
Yoon in view of Caselli is silent about:
capturing, in …information, different polling frequencies used to poll the … devices.
Vidal, in the same field of endeavor, teaches:
… capturing, in … information, different polling frequencies used to poll the one or more of the multiple devices (para. [0022]: In a fourth aspect of the invention, a client device adapted to communicate with a host device over a serial bus is disclosed. In one embodiment, the host device is adapted to poll the second device to determine whether the client device has data to be transferred to the host device, and the client device comprises: a first module adapted to determine whether the host device should poll the client device at a different frequency than the client device is currently being polled; and a second module adapted to transmit a signal to the host device, the signal indicating to the host device to poll the client device at the different frequency; para. [0026]: the program being adapted to selectively poll one or more client devices based on evaluation of one or more parameters (e.g., non-productive polling intervals, etc.). --- It is noted that a second module transmits a signal to the host device, and the signal indicating to the host device to poll the client device at the different frequency teaches capturing, in information, different polling frequencies used to poll; poll one or more client devices teaches poll the one or more of the multiple devices).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yoon in view of Caselli’s system by enhancing Yoon 
The motivation is to preserve power in both the host and the client, and also to free up available bus bandwidth for useful operations.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ray (US 10,692,032 B2) discloses a cyber security and risk management system provided with a broad range of contextual information which consists of data from various sources including real-time operating conditions, as well as physical, operational, legal, and regulatory constraints of the enterprise business and operational processes; and real-time operating conditions, as well as physical, operational, legal, and regulatory constraints of the enterprise IT infrastructure, which also hosts the cyber security infrastructure (ST)). (See col. 7, ll. 32-45). Jorgenson et al. (US 2005/0243729 A1) discloses a cost-effective approach to fault diagnosis in computer networks which defines a form of event correlation using a dynamic Bayesian network approach.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/W.Y./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491