DEATAILED ACTION
This is in response to amendment filed on 08/19/2021.  Claims 1-12 are pending and claim 1 and 5 are independent.  Claims 1 and 5 have been amendment.  Claims 11 and 12 have been added. No claims have been canceled.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 2-4 and 8-10 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends, Claims 2-4 and 8-10 recite limitations of “further comprises performing the step of checking launched operations by .  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Response to Arguments
Applicant amendment necessitated the new 112d rejection of the claims 2-4 and 8-10 since the newly limitations incorporated into independent claims 1 and 5 are same limitations are claims 2-4 and 8-10. 
Applicant’s argument filed on 08/19/2021 on page 10 “Anurag does not teach or suggest crosschecking logins for detecting, whether the operator log-in himself at different places at a same time where such simultaneous logins may not be expected.” Examiner appreciates the applicant’s interpretation and respectfully disagrees and notes that plurality of logs are used to further provide a source of checking and crosschecking for the system as a whole which includes core service logs, database audit logs, application logs, log consolidators, web server logs, etc., (para. 0018-0019). Anurag also discloses user data storage in para. 0043, at 502, the SIEM 110 stores user data for the users of the data sources The user data is stored in the data storage 111. The SIEM 110 may use a user data model to store user data. The MIC 103 may map user information from the IDMs 103 to the user data model for the SIEM 110 to organize the user data into predetermined fields. The user data model may include a UUID for each user and user account IDs for each user as well as other user information. Stored user data and the models and other data described herein may be updated over time and new data may be stored as received.  This clearly indicates that an update taking place implying a crosscheck with the user data stored in the database.
Regarding applicant’s argument filed on 08/19/2021 on pages 11-12, “Anurag does not teach or suggest: determining whether an operation complies with an order scheduling being defined by the calendar information in the first database.” Also, “Anurag does not refer to calendar information for shift.” Examiner respectfully disagrees with applicant interpretation and notes that Anurag not only discloses a time period a particular user held the account but also discloses the calendar information with an even data include information about the device or application with a receipt time that is a date and time stamp.  Paragraph 0015, event data can include information about the device or application that generated the event and when the event was received from the event source ("receipt time"). The receipt time may be a date/time stamp, and the event source is a network endpoint identifier (e.g., an IP address or Media Access Control (MAC) address) and/or a description of the source, possibly including information about the product's vendor and version. The data/time stamp, source information and other information is used to correlate events with a user and analyze events for security threats.
Regarding applicant’s argument filed on 08/19/2021 on page 12, “Anurag does not teach or suggest a machine learning” however, examiner respectfully disagrees with applicant’s interpretation and notes that a SIEM collects security data from network devices, servers, domain controllers, and etc.  SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trend, detect threats, and enable enterprises to investigate all or any alerts.  Paragraph 0013, FIG. 1 illustrates an environment 100 including an SIEM 110, according to an embodiment. The environment 100 includes data sources 101 generating event data for security events, which is collected by the SIEM 110 and stored in the data storage 111. The data storage 111 may include memory and/or non-volatile storage and may include a database or other type of data storage system. The data storage 111 stores any data used by the SIEM 110 to correlate and analyze event data to identify security threats. A security event, also referred to as an event, is any activity that can be analyzed to determine if it is associated with a security threat. The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-12 are rejected under 35 U.S.C. 103 as being unpatentable over Emmertz et al. (US PGPUB No. 2013/0158708) [This reference provided in the application IDS] in view of Anurag et al. (US PGPUB No. 2013/0081141) [This reference provided in the application IDS] further in view of Chao et al. (US PGPUB No. 2018/0356792).
Regarding claim 1. Emmertz does teach, a method for a safe guard detection of unexpected operations launched by an operator for a manufacturing execution system (MES-System), wherein the MES-System containing [Emmertz, 0061, FIG. 3, a system for providing safe remote access…a robot controller receives credentials from the remote computer, the credentials are sent to the server computer and the authentication component on the server computer authenticates the credentials, and sends back the result of the authentication to the controller.]: 
a first database including [Emmertz, para. 0060, FIG. 3, the server computer contains a server authentication module 18 configured to receive the server credentials and to authorize actions on the server computer based on the received server credentials. The computer 16 is configured to enable a user, for example a customer, to create the list of robot controllers for which remote access is to be allowed, and to store the list in the data storage 14 on the server computer 12.].
a set of operations [Emmertz, para. 0047, FIG. 1, (Examiner notes that person(s) perform a set of function using robots remotely or on the factory floor thus, the functions are interpreted as the set of operations to be performed), FIG. 1 shows a system for providing safe remote access to functions of a plurality of robot controllers 1 according to an embodiment of the invention. The system includes a plurality of robots and robot controllers for controlling the robots. ];
a set of operators [Emmertz, 0066, FIG. 3, (Examiner notes that user(s), person(s) are the operators that gain access to control the robots and this is recited throughout the reference).]; 
calendar information for the shift [Emmertz, para. 0023, (Examiner notes that a the system comprises data storage for storing a list of robot controllers to which access is allowed during specified time periods  (as noted in the application specification para. 0064) and that is interpreted as the schedule or list of shift), according to an embodiment of the invention, for at least one of the robot controller on said list, the list includes information on a time period during which access to the robot controller is allowed]; 
calendar information for equipment of the MES-System [Emmertz, para. 0057, (Examiner notes that a certain time period is made available to a service engineer for a robot or controller and that is interpreted as calendar information), The list may further include information on a time period during which access to the robot controllers is allowed, and the server component is configured to authorize access to the robot controller based on the time period specified in the list. The list may include different time periods for different controllers and/or for different users. The server component is configured to authorize access to a robot controller during the time period specified in the list.]; 
Emmertz does not explicitly disclose, a second database including;
a login history of carried out logins of the operator;

which method comprises the steps of: 
checking launched operations as to whether the launched operations comply with the set of rules;
storing a launched operation together with data identifying the operator and operator login data as an entry in an event trace file in case of non-compliance of the launched operation;
analyzing entries in the event trace file by an intrusion detection system;
generating alerts based on an analysis of the entries in the event trace file.
However, Anurag does teach, a second database including [Anurag, para. 0013, FIG. 1, FIG. 1 illustrates an environment 100 including an SIEM 110, according to an embodiment. The environment 100 includes data sources 101 generating event data for security events, which is collected by the SIEM 110 and stored in the data storage 111. The data storage 111 may include memory and/or non-volatile storage and may include a database or other type of data storage system.]:
a login history of carried out logins of the operator [Anurag, para. 0024-0025, FIG. 1,  history of a user account is stored, which may include a time period a particular user held the account. This history may be used for forensic analysis. The analysis may also include correlating events from connectors with user attributes that pertain to the time of occurrence of the event as opposed to correlating them with the current state of the user. (Para. 0025), The SIEM 110 includes a manager 120 receiving and storing user account data and event data in the data storage 111. A correlation engine 121 correlates event data with users to associate activities described in event data from data sources 101 with particular users. For example, from a user-defined set of base event fields and event end time, a mapping is done to attribute the event to a user. For example, event data may include an account ID and application event fields and these fields are used to look up user information in the data storage 111 to identify a user having those attributes at the time the event occurred.];
a set of rules defining allowed combinations of operations being launched by the operator at a specific time according to a content of the first database [Anurag, para. 0034, FIG. 1, As part of the process of identifying security threats, the analyzer 122 examines received events to determine which (if any) of the various rules being processed in the SIEM 110 may be implicated by a particular event or events. A rule is considered to be implicated if an event under test has one or more attributes that satisfy, or potentially could satisfy, one or more rules. For example, a rule can be considered implicated if the event under test has a particular source address from a particular subnet that meets conditions of the rule. Events may remain of interest in this sense only for designated time intervals associated with the rules and so by knowing these time windows the analyzer 122 can store and discard events as warranted. Any interesting events may be grouped together and subjected to further processing by the analyzer 122.]; 
checking launched operations as to whether the launched operations comply with the set of rules [Anruag, para. 0011, 0045, FIG. 5, security information and event management system (SIEM) collects event data from sources including network devices and applications, and analyzes the data to identify network security threats.  (Para. 0045, FIG. 5). At 504, the SIEM 110 stores rules for determining whether a security threat exists. The rules may be created by users of the SIEM 110. The rules may specify one or more conditions and one or more actions that are triggered if the conditions are satisfied. ]; 
storing a launched operation together with data identifying the operator and operator login data as an entry in an event trace file in case of non-compliance of the launched operation [Anurag, para. 0046, FIG. 5, The storing described in 501-504 may include storing in memory and/or storing in non-volatile data storage, such as a database on a server. For example, for in-memory storage, event data is stored in memory and correlation and/or analysis described at 505 and 506 below is performed in-memory for faster processing. In-memory provides real-time or close to real-time correlation and processing for identifying security threats. The output of correlation and analysis may be stored in the database. Event data may also be stored in a database and correlation and analysis can be performed by accessing the data from the database. In one example, the database is used for forensic, historical analysis of event data.]; 
analyzing entries in the event trace file by an intrusion detection system [Anurag, para. 0048, FIG. 5, at 506, the SIEM 110 determines whether a security threat exists based on the correlating. For example, the level in the role actor category model for manager is identified. Rules associated with the level are identified. The SIEM 110 determines if conditions for the rules are satisfied, which may be representative of a security threat.]; and
generating alerts based on an analysis of the entries in the event trace file [Anurag, para. 0049, FIG. 5 At 507, if a security threat exists an action is performed, such as generating reports and/or notifications alerting to the security threat. The action may be specified in the identified rules.]. 
wherein the step of checking launched operations includes at least one step selected from the group consisting of: crosschecking of logins for detecting, whether the operator loqs-in himself at different places at a same time where such simultaneous logins may not be expected [Anurag, para. 0013, 0020, (Examiner notes that the identity management system (IDMS) 103 is checking the incidences of user login), activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network. (Para. 0020), the IDMs 103 track the accounts on the systems, such as the DB, LDAP and UNIX systems. The provisioning, including tracking of user accounts, is represented by the dashed lines in FIG. 1. Also, each of the systems may have its own authentication system for authenticating users. For example, the LDAP and DB systems authenticate users creating accounts and logging into App1 and App2.],
and performing a comparison of a login time of the operator with the calendar information for a shift stored in the first database [Anurag, para. 0024, FIG. 1, (Examiner notes that a forensic analysis is to provide a comparison of the user’s access event using history of the user’s access.), the SIEM 110 analyzes event data to identify security threats. Analysis can include detection, correlation, and notification or escalation. The analysis may include forensic analysis. The SIEM 110 correlates past events with user attributes based on the state of the user at the time the event occurred. For example, if the user did not have the role of FINANCE_DBA in the past and accessed information from financial databases at that time, then rules and reports flag this as a violation. This happens even if the user has now transitioned to the FINANCE_DBA group/role. History of a user account is stored, which may include a time period a particular user held the account. This history may be used for forensic analysis. The analysis may also include correlating events from connectors with user attributes that pertain to the time of occurrence of the event as opposed to correlating them with the current state of the user.].
Emmertz and Anurag are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, 

Emmertz and Anurag does not disclose, determining whether an operation complies with an order scheduling being defined by the calendar information in the first database.
However, Chao does disclose, determining whether an operation complies with an order scheduling being defined by the calendar information in the first database [Chao, (Corresponding to the relationship of calendar information (para. 0085), correlates date/time stamps across data files, and corresponding to order schedule and the operation and the operator, para. 0093, generates a customized dashboards with work schedule and maintenance schedule), (0085), discovery component 208 can also correlate date/time stamps (calendar information), across data files to facilitate discovery of correlations between data items. For example, discovery component 208 may discover that two different sets of measured data indicating two non-typical events at two different production areas or machines have identical or substantially identical time stamps (within a defined tolerance of similarity). (0093, FIG. 10), the presentation components 306 and 406 can generate customized dashboards that are specific to a given user role (e.g., operator, maintenance personnel, plant engineer, plant manager, etc.)... In response to a request for specific information received from the user's client device (e.g., a request for information about an indicated machine or production area, work schedule or maintenance schedule information, inventory information, power consumption statistics, etc.), the system 1016 can filter the requested information based on the user's role.].
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Anurag that is related to a security information and event management system (SIEM) collects event data from sources including network devices and applications, and analyzes the data to identify network security threats (Anurag, please see abstract and para. 0011) with teachings of Chao (Chao, para. 0085, 0093, and FIG. 10) would enable Emmertz and Anurag to implement an interface dashboard to accurately display specific user/operator role submitting security credentials and identity information showing the operator’s location, the time and date (calendar information) and with respect to a work schedule that was predetermined for performing scalable analytics.

Regarding claim 2. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 1.  However, Anurag further teaches, which further comprises performing the step of checking launched operations by crosschecking of logins for detecting, whether the operator logs-in himself at different places at a same time where such simultaneous logins may not be expected [Anurag, para. 0013, 0020, (Examiner notes that the identity management system is checking the incidences of user login), activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network. (Para. 0020), the IDMs 103 track the accounts on the systems, such as the DB, LDAP and UNIX systems. The provisioning, including tracking of user accounts, is represented by the dashed lines in FIG. 1. Also, each of the systems may have its own authentication system for authenticating users. For example, the LDAP and DB systems authenticate users creating accounts and logging into App1 and App2.]. 
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites.

Regarding claim 3. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 1.  However, Chao does disclse, which further comprises performing the step of checking launched operations by determining whether an operation complies with an order scheduling being defined by the calendar information in the first database [Chao, (Corresponding to the relationship of calendar information para. 0085, correlates date/time stamps across data files, and corresponding to order schedule and the operation and the operator, para. 0093, generates a customized dashboards with work schedule and maintenance schedule), (0085) discovery component 208 can also correlate date/time stamps (calendar information), across data files to facilitate discovery of correlations between data items. For example, discovery component 208 may discover that two different sets of measured data indicating two non-typical events at two different production areas or machines have identical or substantially identical time stamps (within a defined tolerance of similarity). (0093, FIG. 10), the presentation components 306 and 406 can generate customized dashboards that are specific to a given user role (e.g., operator, maintenance personnel, plant engineer, plant manager, etc.)... In response to a request for specific information received from the user's client device (e.g., a request for information about an indicated machine or production area, work schedule or maintenance schedule information, inventory information, power consumption statistics, etc.), the system 1016 can filter the requested information based on the user's role.].
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Anurag that is related to a security information and event management system (SIEM) collects event data from sources including network devices and applications, and analyzes the data to identify network security threats (Anurag, please see abstract and para. 0011) with teachings of Chao (Chao, para. 0085, 0093, and FIG. 10) would enable Emmertz and Anurag to  performing scalable analytics.

Regarding claim 4. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 1.  However, Anurag further teaches, the method of claim 1, which further comprises performing the step of checking launched operations by performing a comparison of a login time of the operator with the calendar information for a shift stored in the first database [Anurag, para. 0024, FIG. 1, (Examiner notes that a forensic analysis is the provide a comparison of the user’s access event using history of the user’s access.), she SIEM 110 analyzes event data to identify security threats. Analysis can include detection, correlation, and notification or escalation. The analysis may include forensic analysis. The SIEM 110 correlates past events with user attributes based on the state of the user at the time the event occurred. For example, if the user did not have the role of FINANCE_DBA in the past and accessed information from financial databases at that time, then rules and reports flag this as a violation. This happens even if the user has now transitioned to the FINANCE_DBA group/role. History of a user account is stored, which may include a time period a particular user held the account. This history may be used for forensic analysis. The analysis may also include correlating events from connectors with user attributes that pertain to the time of occurrence of the event as opposed to correlating them with the current state of the user.]. 
Emmertz and Anurag Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Chao that relates to industrial automation systems, and, for example, to systems and methods for monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control (Chao, please see abstract and para. 0002) with the teachings of Anurag (Anurag, para. 0024 and FIG. 1) would enable Emmertz to implement correlation engine correlates event data with users to associate activities described in event data from data sources with particular users at a particular set time.

Regarding claim 5. Emmertz does teach, a method for a safe guard detection of unexpected operations launched by an operator for a manufacturing execution system (MES-System), where the MES-System contains: 
a first database containing [Emmertz, para. 0060, FIG. 3, the server computer contains a server authentication module 18 configured to receive the server credentials and to authorize actions on the server computer based on the received server credentials. The computer 16 is configured to enable a user, for example a customer, to create the list of robot controllers for which remote access is to be allowed, and to store the list in the data storage 14 on the server computer 12.]: 
a set of operations [Emmertz, para. 0047, FIG. 1, (Examiner notes that person(s) perform a set of function using robots remotely or on the factory floor thus, the functions are interpreted as the set of operations to be performed), FIG. 1 shows a system for providing safe remote access to functions of a plurality of robot controllers 1 according to an embodiment of the invention. The system includes a plurality of robots and robot controllers for controlling the robots.]; 
a set of operators [Emmertz, FIG. 3, (Examiner notes that user(s), person(s) are the operators that gain access to control the robots and this is recited throughout the reference).]; 
calendar information for a shift [Emmertz, para. 0023, (Examiner notes that a the system comprises data storage for storing a list of robot controllers to which access is allowed during specified time periods  (as noted in the application specification para. 0064) and that is interpreted as the schedule or list of shift), according to an embodiment of the invention, for at least one of the robot controller on said list, the list includes information on a time period during which access to the robot controller is allowed.];
calendar information for equipment of the MES-System [Emmertz, para. 0057, (Examiner notes that a certain time period is made available to a service engineer for a robot or controller and is interpreted as calendar information), The list may further include information on a time period during which access to the robot controllers is allowed, and the server component is configured to authorize access to the robot controller based on the time period specified in the list. The list may include different time periods for different controllers and/or for different users. The server component is configured to authorize access to a robot controller during the time period specified in the list.];
Emmertz does not explicitly disclose, a second database containing a login history of carried out logins of the operator;
a machine learning model;
which method comprises the steps of: 
feeding, in a learning phase, a learning module being part of a machine learning model with launched operations for that role;
checking, in a run time phase, the launched operations as to whether the launched operations comply with the operations in the learning module;
storing a launched operation together with data identifying the operator and operator login data as an entry in an event trace file in case of non-compliance of the launched operation;
analyzing entries in the event trace repository by an intrusion detection system and based on an analysis generating alerts;
However, Anurag does teach, a second database containing a login history of carried out logins of the operator [Anurag, para. 0013, FIG. 1, The data storage 111 stores any data used by the SIEM 110 to correlate and analyze event data to identify security threats… The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc.];
a machine learning model [Anurag, para. 0011, 0016, FIG. 1, (Examiner notes that SIEM analysis interpreted as learning model that includes detection, correlates current and past events, a forensic analysis in addition to notification and escalation), a security information and event management system (SIEM) collects event data from sources including network devices and applications, and analyzes the data to identify network security threats. Analyzing may be performed using hierarchal actor category models that organize user data according to predetermined categories. For example, the models organize user data by location, by organization or reporting structure, by roles or other criteria. The models may include multiple levels in a hierarchy and different rules for determining security threats may be applicable to different levels. Parent-child relationships can exist between the levels and may be used to inherent rules among the levels. (Para. 0016), event data may be organized in a data structure that includes one or more fields, where each field can contain a value. Event data may be provided in any format. The SIEM 110 may normalize event data into a structured format or schema. This normalization may include mapping event data to the appropriate fields in the structured representation of the event. The mapping operation uses knowledge about the format of an event and may be specified at the time of development.];

feeding, in a learning phase, a learning module being part of a machine learning model with launched operations for that role [Anurag, 0014-0015, FIG. 1, (Examiner notes that event data is fed to the SIEM through multiple connectors and a forensic analysis is performed, managed and correlated and analyzed to check and crosscheck the users identity, receipt time and their roles), Event data can include information about the device or application that generated the event and when the event was received from the event source ("receipt time"). The receipt time may be a date/time stamp, and the event source is a network endpoint identifier (e.g., an IP address or Media Access Control (MAC) address) and/or a description of the source, possibly including information about the product's vendor and version. The data/time stamp, source information and other information is used to correlate events with a user and analyze events for security threats.];
checking, in a run time phase, the launched operations as to whether the launched operations comply with the operations in the learning module [Anurag, para. 0046-0047, in-memory provides real-time or close to real-time correlation and processing for identifying security threats. The output of correlation and analysis may be stored in the database. Event data may also be stored in a database and correlation and analysis can be performed by accessing the data from the database. In one example, the database is used for forensic, historical analysis of event data.  (Para. 0047), at 505, the SIEM 110 correlates security events with a stored actor category model. For example, attributes associated with a security event and a user associated with the event are compared with attributes in actor category models. If values for the attributes match, the security events are correlated with the matching category model. As an example, a security event may be access to an HR record by a user. The user is determined to have a role of manager according to its attributes.];
storing a launched operation together with data identifying the operator and operator login data as an entry in an event trace file in case of non-compliance of the launched operation [Anurag, para. 0012-0013, (Examiner notes that the non-compliance is reached when a generated alert or notification is prompted by the SIEM module), the SIEM may also store other information to correlate security events with users to identify threats. The information may include multiple account IDs associated with each user. The information may also include user account ID history and user account ID authenticator information.  (Para. 0013), the environment 100 includes data sources 101 generating event data for security events, which is collected by the SIEM 110 and stored in the data storage 111.  (Para. 0049), at 507, if a security threat exists an action is performed, such as generating reports and/or notifications alerting to the security threat. The action may be specified in the identified rules.];
analyzing entries in the event trace repository by an intrusion detection system and based on an analysis generating alerts [Anurag, para. 0033, FIG. 1 and 5, An analyzer 122 in the SIEM 110 uses rules to evaluate each event with network model and vulnerability information to develop real-time threat summaries. The analyzer 122 may include a rules engine to correlate event data with security rules in order to identify security threats. This may include identifying multiple individual events that collectively satisfy one or more rule conditions such that an action is triggered. The aggregated events may be from different data sources and are collectively indicative of a common incident representing a security threat as defined by one or more rules. The actions triggered by the rules may include notifications transmitted to designated destinations… The information sent with the notification can be configured to include the most relevant data based on the event that occurred and the requirements of the analyst.].
wherein the step of checking launched operations includes at least one step selected from the group consisting of: crosschecking of logins for detecting, whether the operator loqs-in himself at different places at a same time where such simultaneous logins may not be expected [Anurag, para. 0013, 0020, (Examiner notes that the identity management system (IDMS) 103 is checking the incidences of user login), activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network. (Para. 0020), the IDMs 103 track the accounts on the systems, such as the DB, LDAP and UNIX systems. The provisioning, including tracking of user accounts, is represented by the dashed lines in FIG. 1. Also, each of the systems may have its own authentication system for authenticating users. For example, the LDAP and DB systems authenticate users creating accounts and logging into App1 and App2.],
and performing a comparison of a login time of the operator with the calendar information for a shift stored in the first database [Anurag, para. 0024, FIG. 1, (Examiner notes that a forensic analysis is to provide a comparison of the user’s access event using history of the user’s access.), the SIEM 110 analyzes event data to identify security threats. Analysis can include detection, correlation, and notification or escalation. The analysis may include forensic analysis. The SIEM 110 correlates past events with user attributes based on the state of the user at the time the event occurred. For example, if the user did not have the role of FINANCE_DBA in the past and accessed information from financial databases at that time, then rules and reports flag this as a violation. This happens even if the user has now transitioned to the FINANCE_DBA group/role. History of a user account is stored, which may include a time period a particular user held the account. This history may be used for forensic analysis. The analysis may also include correlating events from connectors with user attributes that pertain to the time of occurrence of the event as opposed to correlating them with the current state of the user.].
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.


Emmertz and Anurag does not disclose, determining whether an operation complies with an order scheduling being defined by the calendar information in the first database.
However, Chao does disclose, determining whether an operation complies with an order scheduling being defined by the calendar information in the first database [Chao, (Corresponding to the relationship of calendar information para. 0085, correlates date/time stamps across data files, and corresponding to order schedule and the operation and the operator, para. 0093, generates a customized dashboards with work schedule and maintenance schedule), (0085), discovery component 208 can also correlate date/time stamps (calendar information), across data files to facilitate discovery of correlations between data items. For example, discovery component 208 may discover that two different sets of measured data indicating two non-typical events at two different production areas or machines have identical or substantially identical time stamps (within a defined tolerance of similarity). (0093, FIG. 10), the presentation components 306 and 406 can generate customized dashboards that are specific to a given user role (e.g., operator, maintenance personnel, plant engineer, plant manager, etc.)... In response to a request for specific information received from the user's client device (e.g., a request for information about an indicated machine or production area, work schedule or maintenance schedule information, inventory information, power consumption statistics, etc.), the system 1016 can filter the requested information based on the user's role.].

Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Chao that relates to industrial automation systems, and, for example, to systems and methods for monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control (Chao, please see abstract and para. 0002) with the teachings of Anurag that is related to a security information and event management system (SIEM) collects event data  performing scalable analytics.

Regarding claim 6. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 5.  However, Anurag further teaches, the method of claim 5, which further comprises repeating the learning phase in order to get a refinement of allowed operations
However, Anurag does teach, which further comprises repeating the learning phase in order to get a refinement of allowed operations [Anurag, para. 0033, (Examiner notes that “Connectors” have bi-directional communication with the SIEM module to assess all events and related user’s information), an analyzer 122 in the SIEM 110 uses rules to evaluate each event with network model and vulnerability information to develop real-time threat summaries. The analyzer 122 may include a rules engine to correlate event data with security rules in order to identify security threats. This may include identifying multiple individual events that collectively satisfy one or more rule conditions such that an action is triggered.]. 

Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Chao that relates to industrial automation systems, and, for example, to systems and methods for monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control (Chao, please see abstract and para. 0002) with the teachings of Anurag (Anurag, para.  0033, and FIG. 1) would enable Emmertz to implement a normalization processes to include mapping event data to the appropriate fields as part of learning module where a mapping operation uses knowledge learned about the format of an event developed at a specified time by a user having certain role.  As such using a security threat with network devices by correlating of user category model as well as hierarchically arranged levels to enhance compute security of a computer component equipment as MES/MOM systems running on PC based systems.
Regarding claim 7. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 5.  However, Anurag further teaches, the method of claim 5, wherein the machine learning model input comprises:
[Anurag, para. 0024, The SIEM 110 correlates past events with user attributes based on the state of the user at the time the event occurred. For example, if the user did not have the role of FINANCE_DBA in the past and accessed information from financial databases at that time, then rules and reports flag this as a violation.];
 operations to be performed or launched [Anurag, para. 0013, The activity may be associated with a user, also referred to as an actor, to identify the security threat and the cause of the security threat. Activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc.]; and 
a time frame [Anurag, para. 0015, event data can include information about the device or application that generated the event and when the event was received from the event source ("receipt time"). The receipt time may be a date/time stamp, and the event source is a network endpoint identifier.]. 
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Chao that relates to industrial 

Regarding claim 8. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 5.  However, Anurag further teaches, the method of claim 5, which further comprises performing the step of checking launched operations by crosschecking of logins for detecting, whether the operator logs-in himself at different places at a same time where such simultaneous logins may not be expected [Anurag, para. 0013, 0020, (Examiner notes that the identity management system is checking the incidences of user login), activities may include logins, logouts, sending data over a network, sending emails, accessing applications, reading or writing data, etc. A security threat includes activity determined to be indicative of suspicious or inappropriate behavior, which may be performed over a network or on systems connected to a network. Common security threats, by way of example, are user attempts to gain unauthorized access to confidential information, such as social security numbers, credit card numbers, etc., over a network. (Para. 0020), the IDMs 103 track the accounts on the systems, such as the DB, LDAP and UNIX systems. The provisioning, including tracking of user accounts, is represented by the dashed lines in FIG. 1. Also, each of the systems may have its own authentication system for authenticating users. For example, the LDAP and DB systems authenticate users creating accounts and logging into App1 and App2.]. 
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Chao that relates to industrial automation systems, and, for example, to systems and methods for monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control (Chao, please see abstract and para. 0002)with the teachings of Anurag (Anurag, para. 0013, 0020, FIG. 1) would enable Emmertz to implement a normalization processes to include mapping event data to the appropriate fields as part of learning module where a mapping operation uses knowledge learned about the format of an event developed at a specified time by a user having certain role.  As such using a security threat with 
Regarding claim 9. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 5.  However, Chao does disclose, the method of claim 5,  which further comprises performing the step of checking launched operations by determining whether an operation complies with an order scheduling being defined by the calendar information in the first database [Chao, (Corresponding to the relationship of calendar information para. 0085, correlates date/time stamps across data files, and corresponding to order schedule and the operation and the operator, para. 0093, generates a customized dashboards with work schedule and maintenance schedule), (0085), discovery component 208 can also correlate date/time stamps (calendar information), across data files to facilitate discovery of correlations between data items. For example, discovery component 208 may discover that two different sets of measured data indicating two non-typical events at two different production areas or machines have identical or substantially identical time stamps (within a defined tolerance of similarity). (0093, FIG. 10), the presentation components 306 and 406 can generate customized dashboards that are specific to a given user role (e.g., operator, maintenance personnel, plant engineer, plant manager, etc.)... In response to a request for specific information received from the user's client device (e.g., a request for information about an indicated machine or production area, work schedule or maintenance schedule information, inventory information, power consumption statistics, etc.), the system 1016 can filter the requested information based on the user's role.].
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
Therefore, it would have been obvious to one having ordinary skill in the art before the effective date of the claimed invention to modify the invention of Emmertz relates to a system and a method for providing safe remote access to a plurality of robot controllers positioned at a local site for a person positioned on a remote site (Emmertz, please see abstract and para. 0001) with the teachings of Anurag that is related to a security information and event management system (SIEM) collects event data from sources including network devices and applications, and analyzes the data to identify network security threats (Anurag, please see abstract and para. 0011) with teachings of Chao (Chao, para. 0085, 0093, and FIG. 10) would enable Emmertz and Anurag to implement an interface dashboard to accurately display specific user/operator role submitting security credentials and identity information showing the operator’s location, the time and date (calendar information) and with respect to a work schedule that was predetermined for performing scalable analytics.

Regarding claim 10. The combination of Emmertz and Anurag and Chao does disclose, the method according to claim 5.  However, Anurag further teaches, the method of claim 5, which further comprises performing the step of checking launched [Anurag, para. 0019, 0024, FIG. 1, (Examiner notes that a forensic analysis and resolver component of the connector 102 is to provide a comparison of the user’s access event using history of the user’s access.), the connectors 102 may provide efficient, real-time (or near real-time) local event data capture and filtering from the data sources 101. The connectors 102, for example, collect event data from event logs or messages and can operate at the network device, at consolidation points within the network, and/or through simple network management protocol (SNMP) traps.  (Para. 0024), the analysis may include forensic analysis. The SIEM 110 correlates past events with user attributes based on the state of the user at the time the event occurred. For example, if the user did not have the role of FINANCE_DBA in the past and accessed information from financial databases at that time, then rules and reports flag this as a violation. This happens even if the user has now transitioned to the FINANCE_DBA group/role. History of a user account is stored, which may include a time period a particular user held the account. This history may be used for forensic analysis. The analysis may also include correlating events from connectors with user attributes that pertain to the time of occurrence of the event as opposed to correlating them with the current state of the user.].
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
 with the teachings of Chao that relates to industrial automation systems, and, for example, to systems and methods for monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control (Chao, please see abstract and para. 0002) with the teachings of Anurag (Anurag, para. 0019, 0024, FIG. 1) would enable Emmertz to implement a normalization processes to include mapping event data to the appropriate fields as part of learning module where a mapping operation uses knowledge learned about the format of an event developed at a specified time by a user having certain role.  As such using a security threat with network devices by correlating of user category model as well as hierarchically arranged levels to enhance compute security of a computer component equipment as MES/MOM systems running on PC based systems.
Regarding claim 11. The combination of Emmertz and Anurag and Chao disclose, the method according to claim 10.  Emmertz does not explicitly disclose, wherein the calendar information for the shift indicates whether the operator is meant to be at work and a geographical area at which the operator is expected to be at work.
However, Anurag does disclose, wherein the calendar information for the shift indicates whether the operator is meant to be at work and a geographical area at which the operator is expected to be at work [Anurag, para. 0015, 0034, 0038, FIG. 3-4, event data can include information about the device or application that generated the event and when the event was received from the event source ("receipt time"). The receipt time may be a date/time stamp, and the event source is a network endpoint identifier (e.g., an IP address or Media Access Control (MAC) address) and/or a description of the source, possibly including information about the product's vendor and version. The data/time stamp, source information and other information is used to correlate events with a user and analyze events for security threats. (Para. 0038), corresponding to geographical location and permission in that location, FIG. 3 shows a hierarchal location model. Modeling the hierarchy of locations is useful in defining location level policies. For example, accessing some services or performing certain activities may be permissible for employees in one state or country only. Employees typically have their exact location assigned (for example, Location: Cupertino-B4) by the organization, and this information is used to build the hierarchal location model. The hierarchal location model includes the following locations: USA: Country, California: State, New York: State, Cupertino: City, Cupertino-B4: An office building in Cupertino, and Cupertino-B5: another office building in Cupertino. The hierarchy of these locations is shown in FIG. 4 and may be used to determine authorized activities. For example, if an activity is permissible for California employees, then it is also permissible for employees in Cupertino-B4 and B5.].  
Emmertz and Anurag and Chao are in the same field of endeavor as they pertaining to the field of security information/event management providing safe access to controllers a multiple sites and monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control.
 with the teachings of Chao that relates to industrial automation systems, and, for example, to systems and methods for monitoring industrial enterprises in connection with reporting, notifying, and performing supervisory control (Chao, please see abstract and para. 0002) with the teachings of Anurag (Anurag, para. 0015, 0034, 0038 and FIG. 3-4) would enable Emmertz utilizing a security information and event management system such as SIEM that correlates security events with operators/users, storing all information/data including operator’s account IDs, position level, geographical locations, account history, date and time of logins-logouts and applying analytics to that data to discover trend, detect threats, and enable enterprises/organization to investigate all or any alerts.
Regarding method claim 12 that same or similar to method claim 11, and is similarly rejected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
US PGPUB No. (2016/0070258) to Raviola disclose, a method increases the work performance of a manufacturing executing system (MES) and an enterprise resource planning system (ERP). The method includes forming the enterprise 
US PGPUB No. (2017/0277173) to Bonomi disclose, Provided herein are exemplary systems and methods for a fog computing facilitated flexible factory including establishing a physical production process as part of a work cell, establishing a sensing process as part of the work cell for the physical production process, establishing a monitoring process for the sensing process and the physical production process, establishing a managing process for the monitoring process.
US PGPUB No. (2018/0259943) to Borriello disclose, a method operates the machinery of a plant having various machines. The method includes providing software-readable information relative to working areas each relating to at least an operation of one of the machines. At least part of the machines are operated by MES or MOM software reading the information so as to avoid operations with overlapping working areas being performed at a same time. 

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD S SHAMS whose telephone number is (571)272-3406. The examiner can normally be reached Monday-Friday 8:00 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/MOHAMMAD S SHAMS/Examiner, Art Unit 2434                                                                                                                                                                                                        
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434