Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the amendment filed on 7/2/2021. Claims 1, 9 and 20 are independent. No amendments to the claims are made in this office action. Claims 1-20 are currently pending.

Response To Arguments
Applicant argues Gonzalez does not teach the limitation of retrieving a plurality of sensor datasets with heterogeneous modalities from a plurality of multi-modal sensors. Applicant further argues Gonzalez as teaching a matrix of probe elements 401 that include multiple identical elements spatially distributed.
Examiner respectfully disagrees. Gonzalez does teach a matrix of probe elements 401 that includes multiple identical elements spatially distributed. However, in col13 ln1-5 Gonzalez also teaches that the matrix of probe elements 401 can include multiple different elements that allow for the capture of different signals, or elements that can be dynamically configured to form a combined probe with different characteristics. A matrix of probe elements 401 that includes multiple different elements that allow for the capture of different signals is equivalent to retrieving a plurality of sensor datasets with heterogeneous modalities from a plurality of multi-modal sensors. The elements that can be dynamically configured to form a combined probe with different characteristics also read on the limitation. Gonzalez further explains, in col13 ln6-25, that a matrix of probe elements 401 can include multiple different elements that allow for the capture of different signals and elements that can be dynamically configured to form a combined probe with different characteristics.
Applicant also argues on pp. 5-6 that [t]he matrix of elements described in Gonzalez are commonly known as a smart antenna, which is implemented for multiple input multiple output (MIMO) wireless communication to enhance signal to noise for a wireless phone receiver. One skilled in the art would not find a pathway for a technical solution provided by the recited claim feature for retrieving a plurality of sensor datasets with heterogeneous modalities from a plurality of multi-modal sensors since a smart antenna is applied to wireless transmission signal of a common modality. The multiple elements in a smart antenna enable beamforming for more targeted transmissions to a wireless receiver. This bears no relation to a retrieving data of heterogeneous modality from multi-modal sensors.
Examiner respectfully disagrees. Applicant does not distinguish the claim language from an antenna. Furthermore, col13 ln1-5 teaches that the matrix of probe elements 401 can include multiple identical elements spatially distributed, multiple different elements that allow for the capture of different signals, or elements that can be dynamically configured to form a combined probe with different characteristics, and col13 ln6-9 teaches that the same principles apply to all other types of sensors.
Therefore, the rejection stays. 

Claim Objections
Claim 10 is objected to. Examiner believes there is no amendment made. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.



Claims 1, 3, 6, 9, 10 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez et al. (US 9268938 B1), hereinafter Gonzalez, in view of Joshi et al. (US 20140337974 A1), hereinafter Joshi.

Regarding claims 1, 9 and 20, Gonzalez teaches a computer-implemented method for detecting cyber-attacks affecting a computing device (FIG. 7C), the method comprising:
retrieving a plurality of sensor datasets with heterogeneous modalities from a plurality of multi-modal sensors (FIG. 4 and col13 ln1-5, the matrix of probe elements 401 can include multiple identical elements spatially distributed, multiple different elements that allow for the capture of different signals, or elements that can be dynamically configured to form a combined probe with different characteristics), each sensor dataset corresponding to involuntary emissions from the computing device (FIG. 4 and col1 ln29-46, a probe component that is configured to capture side-channel information relating to an operation status of a target device [thus involuntary emission] when the probe component disposed proximate to the target device) in a particular modality (FIG. 4 and col3 ln45-64, side-channel probes 101 can capture side-channel information (e.g., power consumption or electromagnetic emissions and other physical signals, etc.). In some instances, the side-channel information can be used in conjunction with other physical sensor signals such as temperature, vibration, pressure, timing, global positioning system (GPS) coordinates, and/or the like);
extracting a plurality of features from the plurality of sensor datasets (FIG. 7C item 715a and col6 ln15-20, a feature extraction engine to perform different signal processing approaches to extract discriminatory features from the signals captured by the probe sensors 201 that uniquely identify the execution status in the target system. FIG. 7D and col9 ln53-col10 ln12, There are several options to facilitate and enhance the extraction of trusted reference data, including: crowd sourcing … Learning may be implemented by simple averaging or more complex generalized learning using for instance a neural network ... The reference extraction module 218 can further extract statistics of the data to determine if a fuzzing attack is occurring);
applying one or more statistical models (FIG. 7D and col17 ln27-37, decision module 206b includes a set of devices 722 to normalize signals such as automatic gain control (AGC) devices, a set of devices 723a-732n to weight signals such as multipliers, an summer 724 and one or more detectors 725 that perform a threshold comparison for the added signal) to the plurality of features to identify one or more events related to the computing device (FIG. 7C item 717 and col7 ln57-col8 ln10, retrieve reference data from a PFP references database 207 to compare the reference data to the received side-channel information from DSP 205. Upon performing comparison and analytics, the PFP analytics 206 can forward comparison data to a decision module 206b to determine whether an intrusion or anomaly exists); and
applying a domain-specific technique (col6 ln15-20, the PFP analytics 206 can select the specific feature extraction technique or techniques for a specific platform can be selected by finding the best features and/or combination of features), and to designate each of the one or more events as benign, failure, or a cyber-attack (FIG. 7D and col17 ln27-37, The appropriate detectors 725 can detect, for example, for the different discriminatory features and makes the final assessment of whether a specific trace should be considered normal, anomalous, or malicious).
Gonzalez does not explicitly disclose applying an ontology to designate event as a cyber-attack. However, in an analogous art, Joshi teaches applying an ontology to designate event as a cyber-attack (para. 0057, The ontology language used by the ontology module 110A is preferably Web Ontology Language (OWL) [13], however any type of ontology language can be used. The ontology used by the ontology module 110A preferably includes three fundamental classes: ‘means’, ‘consequences’, and ‘targets’. The ‘means’ class encapsulates the ways and methods used to perform an attack, the ‘consequences’ class encapsulates the outcomes of the attack, and the ‘target’ class encapsulates the information of the system under attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez and Joshi because it would provide a system and method for detecting cyber intrusions that utilizes information from heterogeneous data sources to infer the context of the system being monitored and use the context to determine if the context represents an attack (Joshi, para. 0021).

Regarding claim 3, the combination of Gonzalez and Joshi teaches all of the limitations of claim 1, as described above. Gonzalez further teaches wherein the sensor dataset comprises data from one or more of acoustic, video, thermal, electromagnetic, and radiofrequency modalities (FIG. 4 and col3 ln45-64, side-channel probes 101 can capture side-channel information (e.g., power consumption or electromagnetic emissions and other physical signals, etc.). In some instances, the side-channel information can be used in conjunction with other physical sensor signals such as temperature, vibration, pressure, timing, global positioning system (GPS) coordinates, and/or the like. col4 ln30-42, The probes 201 that can be used by the fingerprinting system include, but are not limited to: acoustic and vibration detectors, temperature detectors, electro-magnetic (such as electric current (e.g. current probes, hall effect sensors, radio frequency (RF) transformers, current mirrors, shunt resistors, etc.) detectors, electric and magnetic flux detectors, electro-magnetic radiation detectors).

Regarding claims 6 and 18, the combination of Gonzalez and Joshi teaches all of the limitations of claims 1 and 9, as described above. Gonzalez further teaches wherein the plurality of features is extracted using physics-based models (FIG. 7C item 717 and col6 ln57-col7 ln10, retrieve reference data from a PFP references database 207 to compare the reference data to the received side-channel information from DSP 205.
FIG. 4 and col3 ln45-64, side-channel probes 101 can capture side-channel information (e.g., power consumption or electromagnetic emissions and other physical signals, etc.). In some instances, the side-channel information can be used in conjunction with other physical sensor signals such as temperature, vibration, pressure).

Regarding claim 10, the combination of Gonzalez and Joshi teaches all of the limitations of claim 9, as described above. Gonzalez further teaches wherein the statistical learning of signatures module of signatures modules (FIG. 20 and col11 ln4-15, the PFP system can rely on remote analytics 214 based on data from the cloud 213, and store/update reference data at the reference database 207. FIG. 7C and 7D, feature extraction data and analytics data are statistically learned) is further configured to fuse features derived from each particular modality to determine correlations between the modalities (FIG. 7C and col16 ln34-44, The PFP analytics 206 or 214 can discover meaningful patterns in side-channels and related data as well as finding correlations between events, and between PFP and other sensors).

Regarding claim 19, the combination of Gonzalez and Joshi teaches all of the limitations of claim 9, as described above. Joshi further teaches wherein the domain-specific ontology is specified in web ontology language (OWL) (para. 0057, The ontology language used by the ontology module 110A is preferably Web Ontology Language (OWL) [13], however any type of ontology language can be used. The ontology used by the ontology module 110A preferably includes three fundamental classes: ‘means’, ‘consequences’, and ‘targets’. The ‘means’ class encapsulates the ways and methods used to perform an attack, the ‘consequences’ class encapsulates the outcomes of the attack, and the ‘target’ class encapsulates the information of the system under attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez and Joshi because it would provide a system and method for detecting cyber intrusions that utilizes information from heterogeneous data sources to infer the context of the system being monitored and use the context to determine if the context represents an attack (Joshi, para. 0021).

Claims 2, 4, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez in view of Joshi, as applied in the claims above, further in view of Keller et al. (US 20160098561 A1), hereinafter Keller. 

Regarding claims 2 and 14, the combination of Gonzalez and Joshi teaches all the limitations of claims 1 and 9, as described above.
The combination of Gonzalez and Joshi may not specifically teach wherein the sensor datasets are each retrieved using a sensor that is external to the computing device and separated from the computing device by an air gap. However, in an analogous art, Keller further teaches wherein the sensor datasets are each retrieved using a sensor that is external to the computing device and separated from the computing device by an air gap (FIG. 1 and para. 0137, sensor 820 is configured to capture unintended emitted electromagnetic energy and/or unintended conducted energy from the device 2. It can be seen from the figure that the sensor is external to the computing device and separated by air).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez, Joshi and Keller because there is a need to mitigate or overcome the limitations of test intrusiveness, the limitations of acquiring or testing for malware by requiring modification of device operation, and the limitations of inability to test for firmware or hardware changes with conventional methods and/or techniques (Keller, para. 0013).

Regarding claim 15, the combination of Gonzalez, Joshi and Keller teaches all of the limitations of claim 14, as described above. Gonzalez further teaches wherein the plurality of sensors comprise one or more of an acoustic sensor, a video sensor, a thermal sensor, an electromagnetic sensor and a radiofrequency sensor (FIG. 4 and col3 ln45-64, side-channel probes 101 can capture side-channel information (e.g., power consumption or electromagnetic emissions and other physical signals, etc.). In some instances, the side-channel information can be used in conjunction with other physical sensor signals such as temperature, vibration, pressure, timing, global positioning system (GPS) coordinates, and/or the like).

Claims 4, 5, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez in view of Joshi, as applied in the claims above, further in view of Fousek et al. (US 20150317990 A1), hereinafter Fousek.

Regarding claims 4 and 16, the combination of Gonzalez and Joshi teaches all of the limitations of claims 1 and 9, as described above.
The combination of Gonzalez and Joshi does not explicitly disclose wherein the plurality of features is extracted using a nonlinear convolutional network. However, in an analogous art, Fousek teaches wherein the plurality of features is extracted using a nonlinear convolutional network (para. 0014, Deep scattering networks (DSN) ... take a raw signal and generate a contractive representation, which preserves signal energy, while ensuring Lipschitz continuity to deformations. A scattering representation includes log-mel like features (first-order scatter) together with higher order features that can preserve greater detail in the speech signal).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez, Joshi and Fousek because it can preserve greater detail in the speech signal (Fousek, para. 0014).

Regarding claims 5 and 17, the combination of Gonzalez, Joshi and Fousek teaches all of the limitations of claims 4 and 16, as described above. Fousek further teaches wherein the nonlinear convolutional network comprises one or more of a scattering network and a semi-discrete convolutive network (para. 0014, Deep scattering networks (DSN) ... take a raw signal and generate a contractive representation, which preserves signal energy, while ensuring Lipschitz continuity to deformations. A scattering representation includes log-mel like features (first-order scatter) together with higher order features that can preserve greater detail in the speech signal).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez, Joshi and Fousek because it can preserve greater detail in the speech signal (Fousek, para. 0014).

Claims 7, 8 and 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez in view of Joshi, as applied in the claims above, further in view of Tsai et al. (US 20160354053 A1), hereinafter Tsai.

Regarding claims 7 and 11, the combination of Gonzalez and Joshi teaches all of the limitations of claims 1 and 10, as described above. Gonzalez further teaches during extraction of the plurality of features, fuse features derived from each particular modality (FIG. 7C and col16 ln34-44, The PFP analytics 206 or 214 can discover meaningful patterns in side-channels and related data as well as finding correlations between events, and between PFP and other sensors).
The combination of Gonzalez and Joshi does not explicitly disclose using a deep propagation network to extract features. However, in an analogous art, Tsai teaches using a deep propagation network to extract features (FIG. 2, 3, para. 0080, 0083, 0096 and 0100, operation of the DNN module 134 is to take output layer to serve as the input of the next hidden layer. The concept is to utilize the increase of hidden layer number to strengthen the system ... the DNN module 134 usually uses restricted Boltzmann machines (RBM) to conduct the prediction for initial parameter and uses back-propagation to adjust parameters).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez, Joshi and Tsai because the SVM module 133 and the DNN module 134 both showed very high recognition rate (Tsai, para. 0096 and 0100).

Regarding claims 8 and 13, the combination of Gonzalez, Joshi and Tsai teaches all of the limitations of claims 7 and 11, as described. Tsai further teaches wherein the deep propagation network is a restricted Boltzmann machine (FIG. 2, 3, para. 0080, 0083, 0096 and 0100, operation of the DNN module 134 is to take output layer to serve as the input of the next hidden layer. The concept is to utilize the increase of hidden layer number to strengthen the system ... the DNN module 134 usually uses restricted Boltzmann machines (RBM) to conduct the prediction for initial parameter and uses back-propagation to adjust parameters).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez, Joshi and Tsai because the SVM module 133 and the DNN module 134 both showed very high recognition rate (Tsai, para. 0096 and 0100).

Regarding claim 12, the combination of Gonzalez, Joshi and Tsai teaches all of the limitations of claim 11, as described. Tsai further teaches wherein the processors comprises a plurality of graphical processing units configured to execute operations associated with the deep propagation network in parallel (FIG. 2, 3, para. 0079 and 0083, Neural network algorithm has certain characteristics as follows: 1. Parallel processing, 2. fault-tolerant ... the DNN module 134 usually uses restricted Boltzmann machine).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gonzalez, Joshi and Tsai because the SVM module 133 and the DNN module 134 both showed very high recognition rate (Tsai, para. 0096 and 0100).

References cited but not used are listed below.
The closest prior art Keller (US 20150358337 A1) discloses a method of testing, inspecting or screening an electronic device for electrical characteristics, modified or unmodified hardware, or firmware modifications including Malware, Trojans, improper versioning, and the like, includes a transmitting antenna positioned at a distance from the electronic device and an electromagnetic energy receiver or sensor for examining a resulting unintentional derived electromagnetic energy from the electronic device. The receiver collects unintentional RF energy components emitted by the device and includes a processor and executable instructions that perform analysis in a response to the acquired electromagnetic energy input. The characteristics of the collected RF energy may be compared with RF energy characteristics of an exemplary device. The analysis determines one of a modified, unmodified or score of certainty of discerned condition of the device.
The closest prior art Fernandez et al. (US 20130191052 A1) discloses a method of monitoring the electric grid and predicting failures and/or other issues. Streams of data about a power grid are received from a plurality of remote power grid sensors and converted into a univariate time sequence. Anomaly patterns are identified in the univariate time sequence and analyzed or simulated to predict the power grid disruption. The anomaly patterns are compared to power disruption contingencies stored in a database to simulate and/or predict the present or future power disruption represented by the anomaly pattern.

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 

/ALI S ABYANEH/Primary Examiner, Art Unit 2437