DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.

Information Disclosure Statement

The IDS filed 5/31/2019 has been considered by the Examiner.

Examiner’s Notes

The Examiner interprets the phrase “within the anomalous bounds” in various claims as being not anomalous.
The claims recite various different ways of representing the same data: baselines and thresholds, scores, mean and standard deviation, probability curve, and distribution curve. The Examiner sees no patentable distinction in regard to how the data is represented. The Examiner equates the representation to deciding whether to use centimeters or inches in discussing measurements.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to 
Claims 1 and 7-14 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 7,966,659 to Wilkinson et al. (hereinafter Wilkinson) in view of US Patent No. 9,628,497 to Zambon.

As to claim 1, Wilkinson teaches:
a.	Receiving, at an industrial control system, data indicative of a network traffic parameter for network traffic in an industrial network monitored by the industrial control system (traffic speed can be a monitored parameter in an industrial control environment) (Wilkinson, 5:14-61).
b.	Establishing a baseline for the network traffic parameter based at least in part on the data (traffic analysis is, in part, used to determine anomalous traffic) (Wilkinson, 12:11-22).
Wilkinson does not expressly mention establishing anomalous bounds for network traffic. However, in an analogous art, Zambon teaches:
c.	Establishing anomalous bounds for the network traffic parameter based at least in part on the baseline for the network traffic parameter (threshold is established to determine when an alert should be issued) (Zambon, 16:50-56).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the industrial control security system of 
Wilkinson as modified further teaches:
d.	Determining whether communications in the industrial network fall within the anomalous bounds for the network traffic parameter (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31).
e.	Upon a determination that the communications in the industrial network do not fall within the anomalous bounds, indicating the industrial network is potentially under attack (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31 and 12:11-22).

As to claim 7, Wilkinson as modified teaches generating an anomaly score threshold for the data indicative of the network traffic parameter (threshold (score) is established to determine when an alert should be issued) (Zambon, 16:50-56). 

As to claim 8, Wilkinson as modified teaches generating the anomaly score threshold is based at least in part on a mean and standard deviation of the data indicative of the network traffic parameter (Zambon, 16:40-50
 
As to claim 9, Wilkinson as modified teaches:
a.	Determining an anomaly score for the communications using subsequent data indicative of the network traffic parameter (comparing expected traffic
b.	Determining that the communications do not fall within the anomalous bounds when the anomaly score exceeds the anomaly score threshold (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31 and 12:11-22).

As to claim 10, Wilkinson as modified teaches generating probability bounds on both sides of a probability curve for the network traffic parameter (probability distribution is part of the analysis) (Wilkinson, 4:17-41 and 12:11-22).

As to claim 11, Wilkinson as modified teaches using the Dvoretzky-Kiefer-Wolfowitz inequality to generate the probability bounds (Wilkinson, 4:17-41 and 12:11-22). While Wilkinson as modified does not explicitly recite using the Dvoretzky-Kiefer-Wolfowitz inequality, one of ordinary skill would recognize there are any number of mathematical computations that can be applied to data analysis and using any particular one is not seen as being patentably distinct from any other algorithm.

As to claim 12, Wilkinson as modified teaches:
a.	Determining whether a present distribution is outside of anomalous bounds (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31 and 12:11-22).


As to claim 13, Wilkinson as modified teaches:
a.	Determining whether a present distribution is outside of anomalous bounds (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31 and 12:11-22).
b.	Determining that the communications do not fall within the anomalous bounds when the present distribution is outside of the anomalous bounds by an amount greater than an anomaly threshold (comparing expected traffic behavior with actual traffic behavior and making a determination) (Wilkinson, 10:16-31 and 12:11-22).

As to claim 14, Wilkinson as modified teaches the industrial control system comprises a supervisory control and data acquisition system, and the network traffic comprises communications within the supervisory control and data acquisition system (Zambon, 1:53-64).

Claim 2 and claims 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 7,966,659 to Wilkinson et al. (hereinafter Wilkinson) in  as applied to claim 1 above, and further in view of US Patent No. 5,134,386 to Swanic.

As to claim 2, Wilkinson as modified does not expressly mention using network jitter as a parameter. However, in an analogous art, Swanic teaches the network traffic parameter comprises network jitter in the industrial network (jitter thresholds are established to signal possible intrusion into the network) (Swanic, 4:1-9).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the industrial control security system of Wilkinson as modified with the monitoring of network jitter of Swanic in order to detect intrusion into a network as suggested by Swanic (Swanic, 2:5-29).

As to claims 15 and 19, the limitations of claim 15 are computer readable medium limitations of method claims 1 and 2. Similarly, the limitations of claim 19 are system limitations of method claims 1 and 2.  Claims 15 and 19 include the communications parameter jitter which is found in claim 2. Claims 15 and 19 are rejected in the same fashion as claims 1 and 2 above.

As to claim 16, Wilkinson as modified teaches the network jitter comprises server-centric jitter or client-centric jitter (network jitter thresholds are established to signal possible intrusion into the network) (Swanic, 4:1-9).

As to claim 17, Wilkinson as modified teaches:

b.	Determining that the communications do not fall within the anomalous bounds when the anomaly score exceeds the anomaly score threshold (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31 and 12:11-22).

As to claim 18, Wilkinson as modified teaches:
a.	Determining whether a present distribution is outside of anomalous bounds (comparing expected traffic behavior with actual traffic behavior) (Wilkinson, 10:16-31 and 12:11-22).
b.	Determining that the communications do not fall within the anomalous bounds when the present distribution is outside of the anomalous bounds by an amount greater than an anomaly threshold (comparing expected traffic behavior with actual traffic behavior and making a determination) (Wilkinson, 10:16-31 and 12:11-22).

Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 7,966,659 to Wilkinson et al. (hereinafter Wilkinson) in view of US Patent No. 9,628,497 to Zambon as applied to claim 1 above, and further in view of US PG Pub. No. 2017/0126745 to Taylor.


Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the industrial control security system of Wilkinson as modified with the use of histograms to analyze traffic data of Taylor in order to determine when the network is possibly under attack as suggested by Taylor (Taylor, [0001]).

As to claim 4, Wilkinson as modified teaches averaging a plurality of histograms of sub-sequences of the data indicative of the network traffic parameter (min/max/average of traffic sampling) (Taylor, [0029]).

As to claim 5, Wilkinson as modified teaches performing vector quantization on a plurality of histograms of sub-sequences of the data indicative of the network traffic parameter (Taylor, [0029]). While Taylor does not explicitly recite vector quantization, one of ordinary skill would recognize there are any number of mathematical computations that can be applied to data analysis and using any particular one is not seen as being patentably distinct from any other algorithm.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 7,966,659 to Wilkinson et al. (hereinafter Wilkinson) in view of US Patent No.  as applied to claim 1 above, and further in view of US Patent No. 9,628,499 to Yu et al. (hereinafter Yu).

As to claim 6, Wilkinson as modified does not expressly mention using a probability mass function. However, in an analogous art, Yu teaches generating a probability mass function for the data indicative of the network traffic parameter (Yu, 12:46-62).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the industrial control security system of Wilkinson as modified with the use of the probability mass function of Yu in order to analyze data traffic within a network as suggested by Yu (Yu, 12:46-62).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 7,966,659 to Wilkinson et al. (hereinafter Wilkinson) in view of US Patent No. 9,628,497 to Zambon in view of US Patent No. 5,134,386 to Swanic as applied to claim 15 above, and further in view of US Patent No. 9,628,499 to Yu et al. (hereinafter Yu).

As to claim 20, Wilkinson as modified does not expressly mention using a probability mass function. However, in an analogous art, Yu teaches generating a probability mass function for the data indicative of the network traffic parameter (Yu, 12:46-62) and the communications comprise a present distribution of network jitter to be tested for abnormality (probability distribution is part of the analysis) (Wilkinson, 4:17-41 and 12:11-22).



Conclusion

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S POWERS whose telephone number is (571)272-8573.  The examiner can normally be reached on M-F 7:30-17:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on 571 270 3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  






/WILLIAM S POWERS/           Primary Examiner, Art Unit 2419