Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 16/464,150, filed on 5/24/2019. Claims 1-8 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 5/24/2019, 8/23/2019, 9/17/2019, 11/8/2019, 12/16/2020, 1/20/2021 and 2/24/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 7 and 8 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 8, 13 and 14 of copending Application No. 16/081,397 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because:

Instant Application: 16/464,150

1. An attack detection device to detect an attack on a control system that transitions in a plurality of system states, the control system including equipment and a server device to control the equipment, the attack detection device comprising:
processing circuitry to correlate and store, for each system state of the plurality of system states, a white list defining system information that belongs to the control system and is permitted in the system state, to acquire communication data communicated between the server device and the equipment, and estimate a current system state of the control system based on the acquired communication data, and to acquire a
and determine whether or not the attack has been detected based on the acquired white list and system information belonging to the control system in the current system state.

7. An attack detection method of an attack detection device to detect an attack on a control system that transitions in a plurality of system states, the control system including equipment and a server device to control the equipment, wherein the attack detection device includes processing circuitry to correlate and store, for each system state of the plurality of system states, a white list defining system information that belongs to the control system and is permitted in the system state, the attack detection method comprising: acquiring communication data communicated between the server device and the equipment, and estimating

Co-Pending: 16/081,397

plurality of devices; and
processing circuitry to: detect a current control state for each of a plurality of devices included in a communication system;
determine, for each of the plurality of devices, whether the current control state detected for the device conforms to the
determine a current system state corresponding to a combination of the current control states detected for the plurality of devices;
determine whether the combination of the detected current control states of the plurality of devices corresponds to a predefined combination when the detected control state of each device is determined to conform to its respective predefined state transition rule;
select, from among a plurality of whitelists each of which is associated with a combination of states, a whitelist associated with the current system state when the combination of the detected
and detect an attack on the communication system by using the whitelist selected.

13. (Currently Amended) An intrusion detection method, comprising:
storing a respective predefined control state transition rule for each of a plurality of devices included in the communication system;
detecting a current control state for each of the plurality of devices included in a communication system;
determining, for each of the plurality of devices, whether the current control state detected for the device conforms to the respective predefined state transition rule stored for the device;

determining whether the combination of the detected current control states of the plurality of devices corresponds to a predefined combination when the detected control state of each device is determined to conform to its respective predefined state transition rule;
selecting, from among a plurality of whitelists each of which is associated with a combination of states, a whitelist associated with the current system state when the combination of the detected current control states is determined to correspond to the predefined combination; and
detecting an attack on the communication system by using the selected whitelist.

a process of storing a respective predefined control state transition rule for each of a plurality of devices included in the communication system;
a state detection process of detecting a current control state for each of the plurality of devices included in a communication system;
a process of determining, for each of the plurality of devices, whether the current control state detected for the device conforms to the respective predefined state transition rule stored for
a current system state determining process of determining a current system state corresponding to a combination of the current control states detected for the plurality of devices;
a process of determining whether the combination of the detected current control states of the plurality of devices corresponds to a predefined combination when the detected control state of each device is determined to conform to its respective predefined state transition rule;
a selection process of selecting, from among a plurality of whitelists each of which is associated with a combination of states, a whitelist associated with the current system state when the
combination; and
an attack detection process of detecting an attack on the communication system by using the whitelist selected by the selection process.


Both sets of claims are drawn to the use of white lists to determine whether an action performed in a current state is permitted; if it is not, it is possible that the system is under attack.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.






Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-5, 7 and 8 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Williams et al. (US 9,245,147).

	As per claim 1, Williams discloses an attack detection device to detect an attack on a control system that transitions in a plurality of system states, the control system including equipment and a server device to control the equipment, the attack detection device comprising (Williams, Col. 14 Lines 7-17): 
	processing circuitry to correlate and store, for each system state of the plurality of system states, a white list defining system information that belongs to the control system and is permitted in the system state (Williams, Col. 5 Line 62 – Col. 6 Line 11 recites “Referring to FIG. 2B, each entry in the state database 308 may include a number of fields describing various aspects of the state. This includes a State ID 251 to uniquely identify the state within the database; a State Activity Status 252 which marks each state as active, inactive, in transition, among other possibilities; a list of State Entry Prerequisites 253, which is a set of conditions that must be met before the state may become active; a list of State Exit Prerequisites 254, which is a set of conditions that must be met before the state may become inactive; a list of Valid Actions Within State 255, which is a set of actions that may be observed and allowed to occur without raising an alarm or executing any additional actions; a list of State Fault Actions 256, which is a set of actions to execute when an error is detected; and a list of Valid Next States 257, which is a set of other State IDs which may become active as the result of a state transition from the state described in the entry 250.” Emphasis added.),
	to acquire communication data communicated between the server device and the equipment, and estimate a current system state of the control system based on the acquired communication data, and to acquire a white list corresponding to the current system state, and determine whether or not the attack has been detected based on the acquired white list and system information belonging to the control system in the current system state (Williams, Claim 1 recites “identifying a first state of an operating domain, wherein the operating domain comprises at least one selected from a group consisting of the source system and the destination system, and wherein the first state is a current active state of the operating domain and is associated with a first state entry; making, using the first state entry, a first determination that the first action is not permitted while the operating domain is in the first state; based on the first determination, performing a state fault action;”).

	As per claim 2, Williams discloses the attack detection device according to claim 1, Williams further discloses wherein the processing circuitry correlates and stores as the white list, for each system state of the plurality of system states, a communication data white list defining, as the system information, communication data permitted in the system state (Williams, Col. 5 Line 62 – Col. 6 Line 11 recites “Referring to FIG. 2B, each entry in the state database 308 may include a number of fields describing various aspects of the state. This includes a State ID 251 to uniquely identify the state within the database; a State Activity Status 252 which marks each state as active, inactive, in transition, among other possibilities; a list of State Entry Prerequisites 253, which is a set of conditions that must be met before the state may become active; a list of State Exit Prerequisites 254, which is a set of conditions that must be met before the state may become inactive; a list of Valid Actions Within State 255, which is a set of actions that may be observed and allowed to occur without raising an alarm or executing any additional actions; a list of State Fault Actions 256, which is a set of actions to execute when an error is detected; and a list of Valid Next States 257, which is a set of other State IDs which may become active as the result of a state transition from the state described in the entry 250.” Emphasis added.) 
	and acquires a communication data white list corresponding to the current system state, and determines that the attack has been detected when acquired communication data does not match the acquired communication data white list (Williams, Claim 1 recites “identifying a first state of an operating domain, wherein the operating domain comprises at least one selected from a group consisting of the source system and the destination system, and wherein the first state is a current active state of the operating domain and is associated with a first state entry; making, using the first state entry, a first determination that the first action is not permitted while the operating domain is in the first state; based on the first determination, performing a state fault action;”).


	As per claim 3, Williams discloses the attack detection device according to claim 1, Williams further discloses wherein the processing circuitry stores the current system state and a system state before transitioning to the current system state, correlates and stores as the white list, for each system state of the plurality of system states, a state transition white list defining, as the system information, a pre-transition state permitted as a system state before transitioning to the system state, and acquires a state transition white list corresponding to the current system state, and determines that the attack has been detected when a system state before transitioning to the stored current system state does not match the acquired state transition white list (Williams, Col. 3 Lines 43-55 recites “In one or more embodiments of the invention, the State Machine Reference Monitor 104 is one or more finite state machines configured to mirror the configuration of the systems in the environment being monitored. The finite state machine, which may be implemented in software and/or in hardware, includes functionality to apply different sets of logic to various configured states on the monitored systems and/or monitored subsystems. The sets of logic may specify the conditions and rules for transitions between states. For example, if states A, B, and C configured, a transition from A to B may be allowed, but a transition from A directly to C may not be allowed. In the same example, Actions X, Y, and Z are allowed in state A, but only X is allowed in state B.”).

	As per claim 4, Williams discloses the attack detection device according to claim 1. Williams further discloses wherein the processing circuitry transmits an alarm to the server device when it is determined that the attack has been detected (Williams, Col. 9 Lines 37-41 recites “The controller devices all communicate with each other using the same MODBUS protocol for all messages. The State Machine Reference Monitor is also connected to a siren and light, which act as a means for alerting when an error is detected.”).

	As per claim 5, Williams discloses the attack detection device according to claim 1, Williams further discloses wherein the processing circuitry estimates the current system state by a state observation device based on a control theory (Williams, Col. 3 Lines 5-16 recites “FIG. 1 shows a system in accordance with one or more embodiments of the invention. The system includes an Administrator Console 101, Optional Alerting Function 102, Optional External Logging or Security Information and Event Management System 103, State Machine Reference Monitor 104, Monitored System 1 105, Monitored System 2 106, Monitored System 3 107, Monitored Subsystem 3 108A, Monitored Subsystem 31 108B, Monitored Subsystem 31 108C, Network or Communication Bus 109, Monitor Port 110, and Operating Domain 111. Each of the aforementioned systems is described in detail below.”).

Regarding claims 7 and 8, claims 7 and 8 are directed to a method and a non-transitory readable medium associated with the system of claim 1. Claims 7 and 8 are of similar scope to claim 1, and are therefore rejected under similar rationale.
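
The state-entry fields quoted from Williams for claims 1-3 (Valid Actions Within State, Valid Next States) and its A/B/C illustration can be exercised as a small state-dependent whitelist check, including the per-state list of permitted pre-transition states obtained by inverting Valid Next States. This is an added Python example, not code from Williams, the application or the Office; the event format, the entry for state C, the B->C and C->A transitions and all function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StateEntry:
    state_id: str
    valid_actions: frozenset      # "Valid Actions Within State"
    valid_next_states: frozenset  # "Valid Next States"


# Constructed state database following the A/B/C illustration in the quoted text:
# A -> B is allowed, A -> C is not; X, Y, Z are allowed in A, only X in B.
# The entry for C and the B -> C, C -> A transitions are assumptions.
STATE_DB = {
    e.state_id: e for e in (
        StateEntry("A", frozenset({"X", "Y", "Z"}), frozenset({"B"})),
        StateEntry("B", frozenset({"X"}), frozenset({"C"})),
        StateEntry("C", frozenset({"X", "Y"}), frozenset({"A"})),
    )
}


def pre_transition_whitelist(db):
    """Invert Valid Next States: for each state, the states allowed to precede it."""
    allowed_before = {sid: set() for sid in db}
    for entry in db.values():
        for nxt in entry.valid_next_states:
            allowed_before.setdefault(nxt, set()).add(entry.state_id)
    return allowed_before


def monitor(events, db, initial):
    """Replay (kind, value) events; return a list of (index, state, reason) alerts."""
    allowed_before = pre_transition_whitelist(db)
    current, alerts = initial, []
    for i, (kind, value) in enumerate(events):
        if kind == "transition":
            if value not in db:
                alerts.append((i, current, f"unknown state {value}"))
            elif current not in allowed_before[value]:
                alerts.append((i, current, f"transition {current}->{value} not whitelisted"))
            # Follow the observed transition even when it raised an alert, so the
            # monitor keeps mirroring the system; an unknown state has no whitelist,
            # so every action seen while in it is reported.
            current = value
        elif kind == "action":
            entry = db.get(current)
            if entry is None or value not in entry.valid_actions:
                alerts.append((i, current, f"action {value} not whitelisted in {current}"))
        else:
            alerts.append((i, current, f"unrecognised event kind {kind}"))
    return alerts


# Constructed event trace (not captured traffic).
TRACE = [
    ("action", "Y"),      # allowed in A
    ("transition", "B"),  # A -> B is a valid next state
    ("action", "Y"),      # Y is not allowed in B
    ("transition", "A"),  # A is not a valid next state of B
    ("action", "Z"),      # allowed again once in A
    ("transition", "C"),  # A -> C is not allowed
    ("action", "Z"),      # Z is not allowed in C
]

if __name__ == "__main__":
    for alert in monitor(TRACE, STATE_DB, initial="A"):
        print(alert)
```

The same action (Y or Z here) is accepted or reported depending only on the state in which it is observed, and the transition check uses the previous state rather than the message content.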


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to 


Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. (US 9,245,147) in view of Watanabe et al. (US 2009/0167520).

	As per claim 6, Williams discloses the attack detection device according to claim 1, but fails to disclose the processing circuitry acquires communication data communicated between the server device and the equipment, classifies the acquired communication data into an operation amount transmitted from the server device to the equipment and an observation amount transmitted from the equipment to the server device, and estimates the current system state by the state observation device with use of the operation amount and the observation amount.
	However, in an analogous art Watanabe teaches wherein the processing circuitry acquires communication data communicated between the server device and the equipment, classifies the acquired communication data into an operation amount transmitted from the server device to the equipment and an observation amount transmitted from the equipment to the server device, and estimates the current system state by the state observation device with use of the operation amount and the observation amount (Watanabe, Paragraph 0056 recites “The failure detection system 1 according to the present invention comprises a log collecting unit 100 for collecting a log output by a management server (not shown) of the communication network, an observation amount extracting unit 101 for extracting an observation amount necessary for monitoring a state of the communication network from a collected log, a more significant factor occurrence intensity calculating unit 102 for converting an extracted observation amount into an occurrence intensity of the more significant factor 500, an occurrence intensity probability distribution calculating unit 108 for calculating a probability distribution of an occurrence intensity of the more significant factor 500 at the normal state and storing the same in a network characteristic data base 106, a degree of abnormality calculating unit 103 for comparing a value of an occurrence intensity of an individual more significant factor 500 and a probability distribution of an occurrence intensity of the more significant factor 500 at the normal state which is stored in the network characteristic data base 106 to calculate how abnormal the occurrence intensity is (degree of abnormality) and further integrating the degrees of abnormality of a plurality of occurrence intensities to calculate a degree of abnormality of the communication network, a failure detecting unit 104 for comparing the degree of abnormality of the communication network and a threshold value of the degree of abnormality stored in the network characteristic data base 106 and determining a state of the communication network to detect a failure, a result displaying unit 105 for displaying a failure detection result on a display device such as a CRT, and an input unit 109.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Watanabe’s Communication network failure detection system, and communication network failure detection method and failure detection program with 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 


RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439