DETAILED ACTION


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 11 and 12 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224).

Regarding claim 11, Batista discloses a computer-implemented method (page 120, fig. 2, “Router PC”) comprising:

a. receiving, at a first port (pages 119 and 120 - fig. 2 “Input Traffic”, Fig. 3, “Interface 192.168.200.0”) of a network switch (page 120, fig. 2, “Router PC” – note that a router performs switching functions of switching traffic between the input and output), a communication packet (The network is an IP/TCP network with packets [page 1, introduction]) from a first electric device (page 120, “Modbus/TCP Clients”) of an industrial control system (ICS) comprising a deterministic network (Network operates using MODBUS, which is a “deterministic” protocol having pre-defined fields [see, for example, pages 112-115, section 2.2 showing the pre-defined fields of MODBUS – note applicant's specification appears to define deterministic as having defined message contents – paragraph 0039 – “In addition, the protocol may define the content of messages exchanged between the first electronic device and the second electronic device. In this way, the protocol can provide that communications on the network be deterministic”);

b. determining, by the network switch, whether the communication packet satisfies a plurality of protocol constraints associated with the deterministic network; (The system of Batista further discloses that the router PC/network device places a number of protocol constraints on incoming packets, such as requiring the source or destination port to match MODBUS TCP port 502 prior to performing layer 7 filtering [page 120, section 7.1 and pages 119-120, section 6, in particular the iptables rule only routing MODBUS TCP traffic to the QUEUE for layer 7 inspection].)

Batista discloses that if the protocol constraints indicating either a source or destination port consistent with MODBUS communications are met, the packet is passed to higher layer processing, where it is inspected, and based on the inspection result, it is either passed to the output port or dropped [pages 118-119, section 6, particularly the last paragraph]. The inspection is based on one or more models associated with allowable user configured MODBUS values and commands [“After this conformity test, client-side traffic (Modbus/TCP requests) is submitted to the second phase which consists on the analysis of protocol fields against user-defined rules for each Modbus/TCP devices in the network” – indicating that the user defines the allowed behavior for each of the Modbus TCP fields for each device; see also page 118, section 5.4 – defining further details such as user configurable allowed behavior [i.e. behavioral classification], such as specific allowed commands for each of the MODBUS devices]).

d. selectively generating, by the network switch, a control action for the ICS based on the process behavioral classification (The output of the rule conformity analysis [either conforming to all applicable rules or non-conforming to one or more rules] forms the behavioral classification and is used to determine a control action for the ICS system comprising accepting and outputting the packet if all rules are satisfied or dropping the packet if one or more rules are not satisfied [pages 118-119, section 6, particularly the last paragraph; see also page 117 – section 4 “After this conformity test, client-side traffic (Modbus/TCP requests) is submitted to the second phase which consists on the analysis of protocol fields against user-defined rules for 

Regarding claim 12, Batista discloses selectively generating a control action comprises: transmitting the communication packet to a second electric device in response to a first process behavioral classification that meets a minimum classification level; and dropping the communication packet in response to a second process behavioral classification that fails to meet the minimum classification level (The output of the rule conformity analysis [either conforming to all applicable rules or non-conforming to one or more rules] forms the behavioral classification and is used to determine a control action for the ICS system comprising accepting and outputting the packet if all rules are satisfied [i.e. a minimum classification level is met] or dropping the packet if one or more rules are not satisfied [i.e. a minimum classification level is not met] [pages 118-119, section 6, particularly the last paragraph; see also page 117 – section 4 “After this conformity test, client-side traffic (Modbus/TCP requests) is submitted to the second phase which consists on the analysis of protocol fields against user-defined rules for each Modbus/TCP devices in the network” – indicating that the user defines the allowed behavior for each of the Modbus TCP fields for each device; see also page 118, section 5.4 – defining further details such as user configurable allowed behavior [i.e. behavioral classification], such as specific allowed commands for each of the MODBUS devices].)
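The two-phase filter the examiner reads into Batista (port-502 protocol constraints first, then per-device user-defined rule conformity that decides accept or drop) is illustrated by the following added Python example; it is not code from Batista or from the application under examination, and the device addresses, rule set and sample Modbus/TCP frames are constructed for the illustration.

```python
"""Constructed example of a two-phase Modbus/TCP application filter."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes  # MBAP header followed by the Modbus PDU


@dataclass(frozen=True)
class DeviceRule:
    """User-defined allowed behavior for one Modbus/TCP server (hypothetical rule format)."""
    allowed_functions: frozenset   # function codes the device may receive
    writable_ranges: tuple         # ((lo, hi), ...) register addresses writes may touch
    value_ranges: dict             # addr -> (min, max) plausible values for single writes


def parse_mbap(payload):
    """Split an MBAP frame into (transaction_id, unit_id, pdu); None if the header is inconsistent."""
    if len(payload) < 8:  # 7-byte MBAP header plus at least a function code
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:  # protocol id is 0; length covers unit id + PDU
        return None
    return tid, uid, payload[7:]


def phase1_protocol_constraints(pkt):
    """Phase 1: transport-level constraints applied before any layer-7 inspection."""
    if MODBUS_TCP_PORT not in (pkt.src_port, pkt.dst_port):
        return False, "not Modbus/TCP (port 502)"
    if parse_mbap(pkt.payload) is None:
        return False, "malformed MBAP header"
    return True, "ok"


def phase2_rule_conformity(pkt, rules):
    """Phase 2: classify the PDU as conforming or non-conforming to the device's rule set."""
    _tid, _uid, pdu = parse_mbap(pkt.payload)
    rule = rules.get(pkt.dst_ip)
    if rule is None:
        return "non-conforming", f"no rule set for {pkt.dst_ip}"
    fc = pdu[0]
    if fc not in rule.allowed_functions:
        return "non-conforming", f"function 0x{fc:02x} not permitted"
    if fc == READ_HOLDING_REGISTERS:
        if len(pdu) != 5:
            return "non-conforming", "bad read request length"
        _addr, count = struct.unpack(">HH", pdu[1:5])
        if not 1 <= count <= 125:  # protocol-defined maximum register count for FC 3
            return "non-conforming", f"register count {count} out of range"
    elif fc == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            return "non-conforming", "bad write request length"
        addr, value = struct.unpack(">HH", pdu[1:5])
        if not any(lo <= addr <= hi for lo, hi in rule.writable_ranges):
            return "non-conforming", f"register {addr} not writable"
        lo, hi = rule.value_ranges.get(addr, (0, 0xFFFF))
        if not lo <= value <= hi:  # a plausibility range for the process value
            return "non-conforming", f"value {value} outside plausible range {lo}-{hi}"
    return "conforming", "ok"


def filter_packet(pkt, rules):
    """Return (action, reason): DROP on a phase-1 failure or a non-conforming classification."""
    ok, reason = phase1_protocol_constraints(pkt)
    if not ok:
        return "DROP", reason
    classification, reason = phase2_rule_conformity(pkt, rules)
    return ("ACCEPT" if classification == "conforming" else "DROP"), reason


def mbap_frame(unit_id, pdu, transaction_id=1):
    """Build a well-formed MBAP frame around a PDU (used to construct sample traffic)."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed network: one client, one PLC that accepts reads and setpoint writes to 100-109.
CLIENT, PLC = "192.168.200.5", "192.168.100.10"
RULES = {PLC: DeviceRule(frozenset({READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER}),
                         ((100, 109),), {100: (0, 100)})}


def demo():
    """Run constructed sample frames through the filter and return the decisions by name."""
    req = lambda fc, a, b: mbap_frame(1, bytes([fc]) + struct.pack(">HH", a, b))
    pkts = {
        "read": Packet(CLIENT, PLC, 40001, 502, req(0x03, 0, 10)),
        "write_ok": Packet(CLIENT, PLC, 40001, 502, req(0x06, 100, 50)),
        "write_implausible": Packet(CLIENT, PLC, 40001, 502, req(0x06, 100, 5000)),
        "write_coil": Packet(CLIENT, PLC, 40001, 502, req(0x05, 7, 0xFF00)),
        "wrong_port": Packet(CLIENT, PLC, 40001, 8080, req(0x03, 0, 10)),
        "bad_length": Packet(CLIENT, PLC, 40001, 502,
                             struct.pack(">HHHB", 1, 0, 99, 1) + req(0x03, 0, 10)[7:]),
    }
    return {name: filter_packet(p, RULES) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```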


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3 are rejected under 35 U.S.C. 103 as being unpatentable over Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224).

Regarding claim 1, Batista discloses a network switch (page 120, fig. 2, “Router PC” – note that a router performs switching functions of switching traffic between the input and output; see also (e-h), infra) for an industrial control system (ICS) comprising:

a. a first port configured (pages 119 and 120 - fig. 2 “Input Traffic”, Fig. 3, “Interface 192.168.200.0”) for communication with a first electric device (page 120, “Modbus/TCP Clients”) in a deterministic network (Network operates using MODBUS, which is a “deterministic” protocol having pre-defined fields [see, for example, pages 112-115, section 2.2 showing the pre-defined fields of MODBUS – note applicant's specification appears to define deterministic as having defined message contents – paragraph 0039 – “In addition, the protocol may define the content of messages exchanged between the first electronic device and the second electronic device. In this way, the protocol can provide that communications on the network be deterministic”);

b. a second port (pages 119 and 120 - fig. 2 “Output Traffic”, Fig. 3, “Interface 192.160.100”) configured for communication with a second electric device in the deterministic network;

c. configured to perform operations, the operations comprising: 

d. receive at the first port a communication packet associated with the first electric device and the second electric device; (Batista discloses the router PC/network device receives packet traffic from the Modbus/TCP clients/first electronic devices that is destined for the Modbus TCP servers [page 120, section 7.1, particularly fig. 3].)

e. determine if the communication packet satisfies a plurality of protocol constraints; (The system of Batista further discloses that the router PC/network device places a number of protocol constraints on incoming packets, such as requiring the source or destination port to match MODBUS TCP port 502 prior to performing layer 7 filtering [page 120, section 7.1 and pages 119-120, section 6, in particular the iptables rule only routing MODBUS TCP traffic to the QUEUE for layer 7 inspection].)

f. in response to the communication packet satisfying the plurality of protocol constraints, input one or more message characteristics from the communication packet into one or more models associated with one or more industrial processes, the one or more models configured to output a process behavioral classification based at least in part on the one or more message characteristics; (Batista discloses that if the protocol constraints indicating either a source or destination port consistent with MODBUS communications are met, the packet is passed to higher layer processing, where it is inspected, and based on the inspection result, it is either passed to the output port or dropped [pages 118-119, section 6, particularly the last paragraph]. The inspection is based on one or more models associated with allowable user configured MODBUS values and commands [“After this conformity test, client-side traffic (Modbus/TCP requests) is submitted to the second phase which consists on the analysis of protocol fields against user-defined rules for each Modbus/TCP devices in the network” – indicating that the user defines the allowed behavior for each of the Modbus TCP fields for each device; see also page 118, section 5.4 – defining further details such as user configurable allowed behavior [i.e. behavioral classification], such as specific allowed commands for each of the MODBUS devices]).



h. selectively generate a control action for the ICS based at least in part on the process behavioral classification (pages 118-119, section 6 – see discussion in (g), supra).

Batista fails to explicitly disclose one or more processors in communication with the first port and the second port, the one or more processors configured to perform the operations. However, it is officially noted that the use of processors in communication with ports in a personal computer, such as that of Batista, was well known in the art before the effective filing date of the invention. Therefore, it would have been obvious to a person of ordinary skill in the art at the time of the invention to implement the functions of the system of Batista using an appropriately programmed processor in communication with the network ports of Batista.

Regarding claim 2, Batista discloses selectively generating a control action comprises selectively transmitting the communication packet to the second electric device based at least in part on the process behavioral classification (The output of the rule conformity analysis [either conforming to all applicable rules or non-conforming to one or more rules] forms the behavioral classification and is used to determine a control action for the ICS system comprising accepting and outputting the packet if all rules are satisfied or dropping the packet if one or more rules are not satisfied [pages 118-119, section 6, particularly the last paragraph; see also page 117 – section 4 “After this conformity test, client-side traffic (Modbus/TCP requests) is submitted to the second phase which consists on the analysis of protocol fields against user-defined rules for each Modbus/TCP devices in the network” – indicating that the user defines the allowed behavior for each of the Modbus TCP fields for each device; see also page 118, section 5.4 – defining further details such as user configurable allowed behavior [i.e. behavioral classification], such as specific allowed commands for each of the MODBUS devices].)

Regarding claim 3, Batista discloses selectively transmitting the communication packet comprises: transmitting the communication packet to the second electric device if the process behavioral classification satisfies one or more threshold criterion; and dropping the communication packet if the process behavioral classification fails to meet the one or more threshold criterion (The output of the rule conformity analysis [either conforming to all applicable rules or non-conforming to one or more rules] forms the behavioral classification and is used to determine a control action for the ICS system comprising accepting and outputting the packet if all rules are satisfied or dropping the packet if one or more rules are not satisfied [pages 118-119, section 6, particularly the last paragraph; see also page 117 – section 4 “After this conformity test, client-side traffic (Modbus/TCP requests) is submitted to the second phase which consists on the analysis of protocol fields against user-defined rules for each 

Claims 4 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224) as applied to claims 1 and 11 and further in view of Singhvi, et al. (US Pre Grant Publication No. 2019/0149480 A1).

Regarding claim 4, Batista fails to disclose selectively generating a control action comprises, in response to the process behavioral classification failing to meet one or more threshold criterion: transmitting the communication packet to the second electric device and generating an alert indicating that the data packet failed to meet a minimum classification level. In the same field of endeavor, Singhvi discloses selectively generating a control action comprises, in response to the process behavioral classification failing to meet one or more threshold criterion: transmitting the communication packet to the second electric device and generating an alert indicating that the data packet failed to meet a minimum classification level. (The system of Singhvi discloses that the permitted actions for packets that fail firewall/intrusion detection system filtering may be to permit, drop and/or alert, indicating that permitting and alerting is allowed [paragraph 0021].)
Therefore, since the system of Singhvi discloses filtering actions including permitting a packet and alerting, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the permitting and alerting of Singhvi with the system of Batista by allowing the outcome of the behavioral classification filtering to be, in response to the packet failing one or more of the threshold criterion of Batista, to permit the transmission of the packet to the output/second port, but to also send an alert. The motive to combine is to allow monitoring of exceeding of the threshold criterion without interrupting network operation through the use of permitted transmission with alerts.

Regarding claim 16, Batista fails to disclose selectively generating the control action comprises: in response to the process behavioral classification failing to meet a minimum classification level, transmitting the communication packet to a second electric device specified by the communication packet; and in response to the process behavioral classification failing to meet the minimum classification level, generating the control action. In the same field of endeavor, Singhvi discloses selectively generating the control action comprises: in response to the process behavioral classification failing to meet a minimum classification level, transmitting the communication packet to a second electric device specified by the communication packet; and in response to the process behavioral classification failing to meet the minimum classification level, generating the control action. (The system of Singhvi discloses that the permitted actions for packets that fail firewall/intrusion detection system filtering may be to permit, drop and/or alert, indicating that permitting and alerting is allowed [paragraph 0021].)
Therefore, since the system of Singhvi discloses filtering actions including permitting a packet and alerting/performing a control action, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the permitting and alerting of Singhvi with the system of Batista by allowing the outcome of the behavioral classification filtering to be, in response to the packet failing one or more of the threshold criterion of Batista, to permit the transmission of the packet to the output/second port, but to also send an alert/generate a control action to send an alert. The motive to .

Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224) as applied to claims 1 and 11 and further in view of Aguiar, et al. (US Pre Grant Publication No. 2018/0198803 A1).

Regarding claims 5 and 13, Batista fails to disclose in response to the process behavioral classification failing to meet the one or more threshold criterion, transmitting one or more signals to the first electric device and the second electric device including a command to operate in a safe-operating mode. In the same field of endeavor, Aguiar discloses in response to the process behavioral classification failing to meet the one or more threshold criterion, transmitting one or more signals to the first electric device and the second electric device including a command to operate in a safe-operating mode. (The system of Aguiar discloses the use of a Local Threat Intelligence and Security Event Management Server that gathers information from all devices on the network and, in response to a detected threat condition, may transmit a DEFCON 3 command, which instructs the network devices to enter into safe-operating mode [paragraphs 0005, 0022, 0027]. Additionally, the DEFCON level may result in logging information being sent back to, for example, computer 155 [paragraph 0026; paragraph 0033 - note also that logging can occur at higher DEFCON levels depending on configuration]. Note also that computer 155 could also be used for standard information collection and plant management [paragraph 0021].)

Therefore, since Aguiar discloses the use of safe operating commands upon detection of a network threat condition, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the safe operating commands of Aguiar with the system of Batista by implementing the functions of the Local Threat Intelligence and Security Event Management Server in the router of Aguiar and having it transmit a signal to the second electric device [i.e. the field device/process control device] indicating transition into a safe operating mode and to further transmit logging information back to the first network device (i.e. the signal sent to the first electric device), which can be used for both logging receipt and basic information collection and process control/plant management such that it could be the first device of Batista. (Note that by claim interpretation only one of the first and second network devices needs to receive the safe operating command, since the one or more signals to the first and second electric devices need only include one command to operate in a safe operating mode.) The motive to combine is to allow operation in safe mode and logging in response to a threat to the network to minimize damage.

Claims 6-8 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224) as applied to claims 1 and 11 and further in view of Valdes, et al. (A. Valdes and S. Cheung, Communication pattern anomaly detection in process control systems, 2009, pages 22-29).

Regarding claim 6, Batista fails to disclose the communication packet is a first communication packet, the operations further comprising input a plurality of message parameters from a sequence of communication packets including the first communication packet into the one or more models, wherein receiving a process behavioral classification from the one or more models comprises receiving a process behavioral classification for each communication packet of the sequence based on the sequence of communication packets. In the same field of endeavor, Valdes discloses the communication packet is a first communication packet, the operations further comprising input a plurality of message parameters from a sequence of communication packets including the first communication packet into the one or more models, wherein receiving a process behavioral classification from the one or more models comprises receiving a process behavioral classification for each communication packet of the sequence based on the sequence of communication packets. (The system of Valdes discloses a system for detecting anomalous communication patterns in process control systems [page 22, section I]. In relevant part, the anomaly detection system receives as an input message parameters of relevant packets between devices and classifies the transmissions into various flows based on IP address and port [page 23, section III]. In addition to the classification, the received input parameters are used to train the pattern recognition system by adapting the matching library patterns [page 23, section III, particularly the second paragraph]. Anomalous patterns are then detected using a tail probability algorithm [page 23, section III, particularly the third paragraph]. Similarly, a flow based anomaly detector tracks input parameters, such as source and destination [page 24, left column] and compares them to learned historic flow records learned from the analysis and training based on prior flows [page 24, left column, last paragraph, carried on to the next column] and then generates an anomalous flow alert if the anomaly score is above a threshold [pages 24-25, section A, in particular “Anomalous Flow Alert” on page 25].)

Therefore, since the system of Valdes suggests the use of an anomalous packet classifier, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the anomalous packet classifier of Valdes with the system of Batista by using message parameters from a series of packets, as taught by Valdes, and determining if each packet is anomalous based on a flow classification system and a flow pattern anomaly detection algorithm trained from the message parameters of prior packets, as also taught by Valdes, as the determination of whether a packet is anomalous/abnormal in the system of Batista and therefore should be blocked as abnormal, as taught by Batista. The motive to combine is to allow the use of a self-training system for detecting anomalies to reduce the configuration burden and to allow detection of unknown anomaly types as abnormal based on machine learning.

Regarding claim 7, Batista as modified by Valdes in claims 6 and XXX discloses the operations further comprising determining, based on the one or more models, whether the sequence of communication packets is indicative of an unknown ICS behavior (As noted in claims 6 and X the combination of Batista as modified by Valdes discloses that an anomalous behavior that was not previously observed in the prior historic flow data [i.e. which is unknown] can trigger an anomalous behavior indication.)
Regarding claim 8, Batista fails to disclose the one or more models includes a machine-learned model, the method further comprising: inputting to the machine-learned model training data including a plurality of message characteristics from a first sequence of communication packets corresponding to the one or more industrial processes, the first sequence of communication packets having one or more predetermined process behavioral classifications; and training the machine-learned model based on the one or more predetermined process behavioral classifications. In the same field of endeavor, Valdes discloses the one or more models includes a machine-learned model, the method further comprising: inputting to the machine-learned model training data including a plurality of message characteristics from a first sequence of communication packets corresponding to the one or more industrial processes, the first sequence of communication packets having one or more predetermined process behavioral classifications; and training the machine-learned model based on the one or more predetermined process behavioral classifications. (The system of Valdes discloses a system for detecting anomalous 

Therefore, since the system of Valdes suggests the use of an anomalous packet classifier, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the anomalous packet classifier of Valdes with the system of Batista by using message parameters from a series of packets, as taught by Valdes, and determining if each packet is anomalous based on a flow classification system and a flow pattern anomaly detection algorithm trained from the message parameters of prior packets for particular predetermined behavioral classifications, such as historic bytes per packet, variance of bytes per packet, average inter-arrival time, etc., as also taught by Valdes, as the determination of whether a packet is anomalous/abnormal in the system of Batista and therefore should be blocked as abnormal, as taught by Batista. The motive to combine is to allow the use of a self-training system for detecting anomalies to reduce the configuration burden and to allow detection of unknown anomaly types as abnormal based on machine learning.

Regarding claim 14, Batista fails to disclose the model is a machine-learned model configured to generate process behavioral classifications. In the same field of endeavor, Valdes discloses the model is a machine-learned model configured to generate process behavioral classifications. (The system of Valdes discloses a system for detecting anomalous communication patterns in process control systems [page 22, section I]. In relevant part, the anomaly detection system receives as an input message parameters of relevant packets between devices and classifies the transmissions into various flows based on IP address and port [page 23, section III]. In addition to the classification, the received input parameters are used to train the pattern recognition system by adapting the matching library patterns [page 23, section III, particularly the second paragraph]. Anomalous patterns are then detected using a tail probability algorithm [page 23, section III, particularly the third paragraph]. Similarly, a flow based anomaly detector tracks input parameters, such as source and destination [page 24, left column] and compares them to learned historic flow records learned from the analysis and training based on prior flows, which include predetermined behavioral classifications, such as historic bytes per packet, variance of bytes per packet, average inter-arrival time, etc. [page 24, left column, last paragraph, carried on to the next column] and then generates an anomalous flow alert if the anomaly score is above a threshold [pages 24-25, section A, in particular “Anomalous Flow Alert” on page 25].)

Therefore, since the system of Valdes suggests the use of an anomalous packet classifier, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the anomalous packet classifier of Valdes with the system of Batista by using message parameters from a series of packets, as taught by Valdes, and determining if each packet is anomalous based on a flow classification system and a flow pattern anomaly detection algorithm trained from the message parameters of prior packets for particular predetermined behavioral classifications, such as historic bytes per packet, variance of bytes per packet, average inter-arrival time, etc., as also taught by Valdes, as the determination of whether a packet is anomalous/abnormal in the system of Batista and therefore should be blocked as abnormal, as taught by Batista. The motive to combine is to allow the use of a self-training system for detecting anomalies to reduce the configuration burden and to allow detection of unknown anomaly types as abnormal based on machine learning.

Claims 9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224) as applied to claims 1 and 11 and further in view of Gao, et al. (W. Gao, T. Morris, On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems, pages 1-21, 2014).

	Regarding claims 9 and 15, Batista fails to disclose the one or more models include a physics-based model. (i.e. Batista discloses that the user may set allowed parameter ranges for the various MODBUS commands, but fails to disclose that those parameter ranges could represent a physics based models, such as a range of physically possible values in the system. The system of Gao cures this deficiency.) In the same field of endeavor, Gao discloses the one or more models include a physics-based model. (The system of Gao discloses that attacks/anomalies may be detected by scanning MODBUS packets [page 39, left column and fig. 1] and among the detected anomalies/attacks are those based on a physically impossible or improbably rate of change in storage tank or pipeline models [page 41, Table 1] or a physically impossible tank negative pressure or fill [page 41, table 1] [see also page 40, section 3, page 50, especially table 4, and page 51, left column, first and second full paragraph].)
	Therefore, since Gao suggests setting allowed parameter ranges and rates of change to represent a physics based model, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine the physics based ranges and rates of change with the system of Batista by setting the allowed MODBUS parameter values of Batista so they represent values that are allowed based on the physics based models by way of setting an allowable range to represent allowed model values, such as not allowing negative pressure or fill levels, or by setting an allowable rate of change to represent realistic rates of change for parameter values, such as tank fill level changes or pipeline pressure level changes. The motive to combine is to allow further detection of abnormal system operation using realistic physical models of process parameters to improve security. 
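A filter of the kind described in the rejection of claims 9 and 15, written here as an added illustration and not code from Batista, Gao, or the application: it parses Modbus/TCP Write Single Register requests and rejects values outside a physics-based range or values changing faster than the modelled process allows. The register addresses, limits, and frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass, field

# Constructed physics-based limits per holding register (assumption, not from
# any reference): register -> (minimum, maximum, max absolute change per second)
LIMITS = {
    0x0010: (0, 1000, 50.0),   # tank fill level, 0.1 %: may never be negative
    0x0020: (0, 6000, 200.0),  # pipeline pressure, kPa: bounded rate of change
}

@dataclass
class PhysicsFilter:
    limits: dict
    last: dict = field(default_factory=dict)  # register -> (value, timestamp)

    def check(self, frame: bytes, now: float) -> tuple:
        """Return (allow, reason) for one Modbus/TCP request frame.
        Only function 6 (Write Single Register) is modelled; other function
        codes pass through so that a plain range filter is not disturbed."""
        if len(frame) < 8:
            return False, "short frame"
        tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
        if pid != 0 or length != len(frame) - 6:
            return False, "bad MBAP header"
        if fc != 6:
            return True, "function %d not modelled" % fc
        if len(frame) != 12:
            return False, "bad write-single-register length"
        reg, value = struct.unpack(">Hh", frame[8:12])  # value read as signed
        if reg not in self.limits:
            return True, "register not modelled"
        lo, hi, max_rate = self.limits[reg]
        if not lo <= value <= hi:
            return False, "value %d outside [%d, %d]" % (value, lo, hi)
        if reg in self.last:  # rate-of-change check against last accepted write
            prev, t_prev = self.last[reg]
            rate = abs(value - prev) / max(now - t_prev, 1e-6)
            if rate > max_rate:
                return False, "rate %.1f/s exceeds %.1f/s" % (rate, max_rate)
        self.last[reg] = (value, now)
        return True, "ok"

def write_single(tid: int, unit: int, reg: int, value: int) -> bytes:
    """Build a Modbus/TCP Write Single Register request (constructed input)."""
    pdu = struct.pack(">BHH", 6, reg, value & 0xFFFF)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    f = PhysicsFilter(LIMITS)
    for t, (reg, val) in enumerate([(0x10, 500), (0x10, 900), (0x10, 0xFFFF)]):
        print(reg, val, f.check(write_single(t, 1, reg, val), float(t)))
```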

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Batista, et al. (Aguinaldo B. Batista Jr., Tiago H. Kobayashi, Joao Paulo S. Medeiros, Agostinho M. Brito Jr., and Paulo S. Motta Pires, Application Filters for TCP/IP Industrial Automation Protocols, Published in Proceedings of the Fourth International Workshop on Critical Information Infrastructures Security, 2009, pages 1-224) as applied to claim 1 and further in view of Schubert, et al. (US Pre Grant Publication No. 2014/0380001 A1).

Regarding claim 10, Batista fails to disclose the first port is configured to communicate with the first electric device using a first safety integrity level and the second port is configured to communicate with the second electric device using a second safety integrity level. In the same field of endeavor, Schubert discloses the first port is configured to communicate with the first electric device using a first safety integrity level and the second port is configured to communicate with the second electric device using a second safety integrity level. (The system of Schubert discloses the use of a USMC/Firewall between domains [paragraphs 0147-0148] including multiple control system domains [paragraph 0116] that may operate at different safety integrity levels such as standard SIL and an automotive SIL/ASIL, etc. [paragraphs 0128, 0129].)
Therefore, since the system of Schubert discloses a firewall between different safety integrity levels, it would have been obvious to a person of ordinary skill in the art at the time of the invention to combine Schubert with the system of Batista by having the firewall/router of Batista link networks with devices operating at different safety integrity levels, such as SIL and ASIL. The motive to combine is to allow communication between devices at different safety integrity levels by using a firewall/router for enhanced security.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

a. Kim, et al. (US Patent No. 9,699,294) – disclosing detecting abnormal MODBUS traffic using machine learning.

b. Ostergaard, et al. (US Pre Grant Publication No. 2018/0255082 A1) – disclosing anomaly detection in automotive networks

c. Hu, et al. (Yan Hu, An Yang, Hong Li, Yuyan Sun, and Limin Sun, A survey of intrusion detection on industrial control systems, pages 1-14, 2018) – disclosing a number of IDS systems for control networks

d. Angseus, et al. (J. Angseus, R. Ekbom, Network-based Intrusion Detection Systems for Industrial Control Systems, pages 1-103, 2017) – disclosing a number of IDS systems for control networks



f. Shang, et al. (Wenli Shang, Quansheng Qiao, Ming Wan, Peng Zeng, Design and Implementation of Industrial Firewall for Modbus/TCP, pages 1-7, 2015) – disclosing firewall design for MODBUS networks

g. Shang, et al. (W. Shang, J. Cui, M. Wan, P. An, P. Zeng, Modbus Communication Behavior Modeling and SVM Intrusion Detection Method, pages 1-6, 2016) – disclosing a number of techniques for anomaly detection in control networks


Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER M CRUTCHFIELD whose telephone number is (571)270-3989.  The examiner can normally be reached on 9am-5pm M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Faruk Hamza can be reached on (571) 272-7969.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained 






/CHRISTOPHER M CRUTCHFIELD/               Primary Examiner, Art Unit 2466