DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Claims 1-20 have been examined and are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/28/2019 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 2 and 4 are objected to because of the following informalities:  
Claim 2, line 5: “...environmental data...;” antecedent basis due to claim 2, line 1. Suggest: “the environment data.”
Claim 4, line 4: “...inbound communications would...”positively recite limitations.
  Appropriate correction is required.
Claim Rejections - 35 USC § 101
Claims 1, 11, and 18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.            Per the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) 
101 Flowchart Analysis: 
Step 1: meets the statutory category of a mental process;  Step 2A/Prong 1: recited claims – a system for detecting anomalies comprising a computer system including at least one processor in communication with at least one memory device, wherein the computer system receives communications from a remote computer platform, and wherein the at least one processor is programmed to: execute a real-time simulation model of the remote computer platform, wherein the simulation model simulates inputs and outputs of the remote computer platform based on real-time data; receive one or more outbound communications transmitted from the remote computer platform; generate one or more outputs of the simulation model; compare the one or more outbound communications transmitted from the remote computer platform to the one or more outputs of the simulation model; detect one or more differences based on the comparison; and generate an output based on the one or more differences – when viewed as a whole meet a mental process, thus an abstract idea; and 
Step 2B/Prong 2:  recites an additional element in steps (5)-(6) of the system, detect one or more differences based on the comparison; and generate an output based on the one or more differences, the steps are merely data gathering/analyzing processes, which are a form of insignificant extra-solution activity.  However, the particular additional element is recited at high level of generality that is no more than merely “apply” the mental step using a generic computer system.  The generating step (6) is generating an output based on the one or more differences is also recited at high level of generality, not integrated into a practical application, and amounts to a mere post-solution of outputting that is a form of insignificant extra-solution activity. 
 The additional elements are determined to be no more than insignificant extra-solution activity.  In particular, the processor and computer system are considered conventional and well-understood, and are recited at high level of generality.  As the result, the claim, as a whole, is no more than attempting to broadly cover the concept of using a computer system to implement analysis of what a human security analyst would have performed in the mind. Therefore, the claims 1, 11, and 18 is considered as an abstract idea without significantly more than the judicial exception.
Dependent claim(s) Claims 2-10, 12-17, and 19-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reason addressed above. 

	
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 8-9, 11-12, 15, and 17-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kirk et al, hereinafter (“Kirk”), European Patent Publication (EP2978187 A1), was submitted in 06/28/2019 IDS.

Regarding claims 1, 11, and 18, Kirk teaches a system for detecting anomalies comprising a computer system including at least one processor in communication with at least one memory device, wherein the computer system receives communications from a remote computer platform, and wherein the at least one processor is ¶0008 and Fig. 1:a secure communication management, SCM, computer device, avionics/aircraft server 102; ¶0014: processing device 116 include: central processing unit (CPU);]
execute a real-time simulation model of the remote computer platform, wherein the simulation model simulates inputs and outputs of the remote computer platform based on real-time data; [Kirk, ¶0009: this disclosure enhance the security of the architecture for avionics servers 102 (a real-time simulation model of the remote computer platform,) by removing the switches that direct signals between more than one avionics domain. Specifically, the embodiments in this disclosure have a plurality of device network interface cards each coupled to a respective one of a plurality of device ports on the avionics server. Further, each of the plurality of device ports is dedicated to a respective one of a plurality of avionics domains which corresponds to the respective device network interface card. As a result, any signals sent to or received (simulates inputs and outputs of the remote computer platform based on real-time data) from an avionics domain on the avionics server will go through the one device port. ¶0011: To provide data services for on-board devices 120A-120C, the avionics server 102 receives signals from a datalink 104. In some embodiments, the datalink 104 can send and receive signals using various satellite communication protocols (i.e. Inmarsat, Iridium, Thuraya, etc.)]
receive one or more outbound communications transmitted from the remote computer platform; [Kirk, ¶0009: To provide data services for on-board devices 120A-120C, the avionics server 102 receives signals from a datalink 104 from satellite communications. ¶0011: The signals from the datalink 104 can then be sent to a datalink port 107 via a datalink network interface card 106. The processing device 116 can then direct the signal from the datalink port 107 to the appropriate domain 108A-108C, depending on the content of the signal.]
compare the one or more outbound communications transmitted from the remote computer platform to the one or more outputs of the simulation model; [Kirk ¶0011:The processing device 116 can then direct the signal from the datalink port 107 to the appropriate domain 108A-108C, depending on the content of the signal. ¶0015: Since each of the domains 108A-108C is accessed by a respective device NIC 118A-118C, Open Systems Interconnection model (OSI) layer 1 and layer 2 security techniques can be used to track users' signals, such as media access control (MAC) address tracking. Since the system is able to track the users, the users can be segregated to a specific domain. ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A) on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.]
receive a first data stream transmitted from the remote computer platform, wherein the first data stream includes a plurality of communications based, at least in part, on measurements from one or more sensors associated with the remote computer platform, wherein the one or more sensors measure environment conditions associated with the remote computer platform; [Kirk, ¶0009: To provide data services for on-board devices 120A-120C, the avionics server 102 receives/sends signals from a datalink 104; where datalink communicates to various satellite communications/protocols via a datalink port coupled to a datalink network interface card 106. Examiner interprets the received signals, implicitly receives from a first user computer device, a first data message/first signal, for a first aircraft; for one of the on-board devices 120A-120C located in the aircraft.]
receiving one or more outbound communications transmitted from the remote computer platform, wherein the one or more outbound communications based, at least in part, on measurements from one or more sensors associated with the remote computer platform, wherein the one or more sensors measure environment conditions associated with the remote computer platform; [Kirk, ¶0009: To provide data services for on-board devices 120A-120C, the avionics server 102 receives/sends signals from a datalink 104; where datalink communicates to various satellite communications/protocols via a datalink port coupled to a datalink network interface card 106. ¶0011: The processing device 116 can then direct the signal from the datalink port 107 to the appropriate domain 108A-108C, depending on the content of the signal. Examiner interprets the received signals, implicitly receives from a first user computer device, a first data message/first signal, for a first aircraft; for one of the on-board devices 120A-120C located in the aircraft.] 
receiving environmental data associated with the remote computer platform; [Kirk, ¶¶0010 and 0017: applications and services 110A-110C can include: weather data application; the logged signals received from one device 120A-120C can be compared to logged signals received by other devices 120A-120C on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.]
receive a second data stream comprising one or more environmental conditions associated with the remote computer platform; [Kirk, ¶¶0001 and 0010: Weather data application can be included in a second avionics domain with a second set of access requirements; applications and services 110A-110C can include, but are not limited to, flight functions, cabin functions, weather data applications, etc. ¶0016: a processing device 116 in the server 102 can be configured to identify what specific device port 114A-114C that the user's signals came from and verify whether the user has access to the respective domain 108A-108C. ¶0017  the logged signals and observed behavior can be reported to a ground station; the logged signals received from one device 120A-120C can be compared to logged signals received by other devices 120A-120C on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity. Examiner interprets domain 108B to be a second data stream comprising one or more environmental conditions associated with the remote computer platform.]
compare payload data from the first data stream with the one or more environmental conditions of the second data stream; [Kirk ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A) on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.]
detect one or more differences based on the comparison;  [Kirk ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A). If suspicious activity is discovered, the IP and MAC addresses associated with that device can be denied access to the server 102] and 
generate an output based on the one or more differences. [Kirk ¶0017: then denial of service to ; ¶0016: due to this architecture, a processing device 116 in the server 102 can be configured to identify what specific device port 114A-114C that the user's signals came from and verify whether the user has access to the respective domain 108A-108C.]
Regarding claim 2, Kirk teaches claim 1 as described above.

receive environmental data associated with the remote computer platform, wherein the environment data is at least one of real-time actual data or modeled data;   [See Kirk, ¶¶0010 and 0017: applications and services 110A-110C can include: weather data application; the logged signals received from one device 120A-120C can be compared to logged signals received by other devices 120A-120C on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.] 
compare payload data from the one or more outbound communications with the environmental data; [See Kirk ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A) on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.]  and 
detect one or more differences based on the comparison. [See Kirk ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A). If suspicious activity is discovered, the IP and MAC addresses associated with that device can be denied access to the server 102] 

Regarding claim 3, Kirk teaches claim 1 as described above.
Kirk teaches wherein the at least one processor is further programmed to: 
receive one or more inbound communications transmitted to the remote computer platform; [Kirk, ¶0018: the processing device 116 can be further configured to compare a user and/or device 120A-120C with a list of prohibited users and/or devices 120A-120C. In some embodiments, the list of prohibited users and/or devices can be provided by different authorities or extrapolated from the monitoring activity discussed above. ¶0021: Once a device's access has been verified, method 200 includes forwarding the one or more signals to the one or more avionics domains that the device has access to (block 208). Examiner interprets that the received, verified signal can be forwarded toward the data link 104, as shown in Fig. 1] and 
input into the simulation model the one or more inbound communications transmitted to the remote computer platform to generate the one or more outputs of the simulation model. [Kirk, ¶0017: the processing device 116 can be configured to record the signals being received at one or more of the plurality of device ports 114A-114C, associate the signals with the devices' 120A-120C respective IP addresses and/or MAC addresses and observe any behavior that might be suspicious.]

Regarding claim 4, Kirk teaches claim 3 as described above.
Kirk teaches wherein the at least one processor is further programmed to synchronize the simulation model with the remote computer platform by inputting the [Kirk, ¶0020: method 200 includes identifying the one or more device ports that are receiving the one or more signals from the device (block 204). In some embodiments, each of the plurality or device ports is coupled to a respective one of a plurality of device network interface cards (NICs). As a result, one can identify which of the device NICs that a device is using to send signals to the plurality of device ports. ¶0021: once verified, the respective one or more avionics domains are dedicated to the one or more identified device ports; additionally a separate firewall can be configured for each domain. Examiner interprets that the received, verified signal can be forwarded toward the data link 104, as shown in Fig. 1]

Regarding claims 8 and 17, Kirk teaches claim 1 as described above.
Kirk teaches wherein the at least one processor is further programmed to: receive one or more direct communications directly from the remote computer platform; [Kirk, ¶0015: The switches, however, can be circumvented through techniques such as internet protocol (IP) address spoofing. ¶0020: method 200 includes identifying the one or more device ports that are receiving the one or more signals from the device (block 204). In some embodiments, each of the plurality or device ports is coupled to a respective one of a plurality of device network interface cards (NICs). As a result, one can identify which of the device NICs that a device is using to send signals to the plurality of device ports.] and 
[Kirk, ¶0021: once verified, the respective one or more avionics domains are dedicated to the one or more identified device ports; additionally a separate firewall can be configured for each domain.]

Regarding claim 9, Kirk teaches claim 1 as described above.
Kirk teaches wherein the remote computer platform is aboard an aircraft. [Kirk, ¶0005: security architecture for a server on board an aircraft]

Regarding claim 12, Kirk teaches claim 11 as described above.
Kirk teaches wherein the at least one processor is further programmed to: subsequent to comparing the payload data, generate one or more outputs of the simulation model using the second data stream; [See Kirk ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A) on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.] and 
compare the first data stream to the one or more outputs of the simulation model. [See Kirk ¶0011:The processing device 116 can then direct the signal from the datalink port 107 to the appropriate domain 108A-108C, depending on the content of the signal. ¶0015: Since each of the domains 108A-108C is accessed by a respective device NIC 118A-118C, Open Systems Interconnection model (OSI) layer 1 and layer 2 security techniques can be used to track users' signals, such as media access control (MAC) address tracking. Since the system is able to track the users, the users can be segregated to a specific domain. ¶0017: the logged signals received from one device 120A-120C (i.e. 120B) can be compared to logged signals received by other devices 120A-120C (i.e. 120A) on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.]

Regarding claims 8 and 17, Kirk teaches claim 1 as described above.
Kirk teaches wherein the at least one processor is further programmed to: receive one or more direct communications directly from the remote computer platform; [Kirk, ¶0015: Since each of the domains 108A-108C is accessed by a respective device NIC 118A-118C; a switch is used to direct signals to different domains 108A-108C. The switches, however, can be circumvented through techniques such as internet protocol (IP) address spoofing.] and 
synchronize the simulation model based on the one or more direct communications. [Kirk, ¶0021: once verified, the respective one or more avionics domains are dedicated to the one or more identified device ports; additionally a separate firewall can be configured for each domain.]

Regarding claim 9, Kirk teaches claim 1 as described above.
Kirk teaches wherein the remote computer platform is aboard an aircraft. [Kirk, ¶0005: security architecture for a server on board an aircraft]


Kirk teaches wherein the at least one processor is further programmed to: receive a third data stream transmitted to the remote computer platform; [See Kirk, ¶¶0001 and 0010: Weather data application can be included in a second avionics domain with a second set of access requirements; applications and services 110A-110C can include, but are not limited to, flight functions, cabin functions, weather data applications, etc. ¶0016: a processing device 116 in the server 102 can be configured to identify what specific device port 114A-114C that the user's signals came from and verify whether the user has access to the respective domain 108A-108C. ¶0017  the logged signals and observed behavior can be reported to a ground station; the logged signals received from one device 120A-120C can be compared to logged signals received by other devices 120A-120C on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity. Examiner interprets domain 108C to be a third data stream comprising one or more environmental conditions associated with the remote computer platform.] and 
input into the simulation model the third data stream to generate the one or more outputs of the simulation model. [See Kirk, ¶¶0001 and 0010: Weather data application can be included in a second avionics domain with a second set of access requirements; applications and services 110A-110C can include, but are not limited to, flight functions, cabin functions, weather data applications, etc. ¶0016: a processing device 116 in the server 102 can be configured to identify what specific device port 114A-114C that the user's signals came from and verify whether the user has access to the respective domain 108A-108C. ¶0017  the logged signals and observed behavior can be reported to a ground station; the logged signals received from one device 120A-120C can be compared to logged signals received by other devices 120A-120C on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity. Examiner interprets domain 108C to be a third data stream comprising one or more environmental conditions associated with the remote computer platform.]
Claim Rejections - 35 USC § 103
 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 5-7, 10, 13-14, 16, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirk et al, hereinafter (“Kirk”), European Patent Publication (EP2978187 A1), was submitted in 06/28/2019 IDS, in view of Grantcharov et al, hereinafter (“Grantcharov”), US PG Publication (20180122506 A1).
Regarding claim 5, Kirk teaches claim 1 as described above.
wherein the simulation model includes sensor data from at least one simulated sensor representing at least one sensor associated with the remote computer platform, wherein the at least one processor is further programmed to: 
Kirk teaches receive environmental data associated with the remote computer platform; [See Kirk, ¶¶0010 and 0017: applications and services 110A-110C can include: weather data application; the logged signals received from one device 120A-120C can be compared to logged signals received by other devices 120A-120C on the same aircraft or other aircrafts and the processing device can search for patterns of suspicious activity.]
However, Kirk fails to explicitly teach but Grantcharov teaches generate simulated sensor data for the at least one simulated sensor based on the environmental data; [Grantcharov, ¶0122: The platform 10 includes hardware units 20 that include a collection or group of data capture devices for capturing and generating medical or surgical data feeds for provision to encoder 22. Example sensors 34 installed or utilized in a surgical unit, ICU, emergency unit or clinical intervention units include but not limited to: environmental sensors (e.g., temperature, moisture, humidity, etc., acoustic sensors (e.g., ambient noise, decibel)] and 
input the simulated sensor data into the simulation model to generate the one or more outputs of the simulation model. [Grantcharov, ¶0184: recording device 40 synchronizes and records the feed to generate output data 44; for example, measurement values to assess individual and team performance]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of security architecture for a connected aircraft of Kirk before him or her by including the teachings of operating room black-box device, system, method and computer readable medium for event and error prediction of Grantcharov. The motivation/suggestion would have been obvious to try to the platform 10 to gather simulated data like environmental inputs and output to be assessed [Grantcharov, ¶0184].  

Regarding claims 6, 13, and 19, Kirk teaches claim 1 as described above.
However, Kirk fails to explicitly teach but Grantcharov teaches wherein the at least one processor is further programmed to detect the one or more differences based on at least one of message size, data handshaking rate or frequency, and transmission delay associated with the one or more outbound communications. [Grantcharov, ¶0239: network delays along the streaming path]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of security architecture for a connected aircraft of Kirk before him or her by including   

Regarding claims 7 and 16, Kirk teaches claim 1 as described above.
However, Kirk fails to explicitly teach but Grantcharov teaches wherein the at least one processor is further programmed to transmit an alert to the remote computer platform based on the output. [Grantcharov, ¶0060: generating an alert notification of the detected smart devices operating outside of normal conditions]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of security architecture for a connected aircraft of Kirk before him or her by including the teachings of operating room black-box device, system, method and computer readable medium for event and error prediction of Grantcharov. The motivation/suggestion would have been obvious to try to the media management hub server to detect operations of smart devices [Grantcharov, ¶0060].  

Regarding claims 10, 14, and 20, Kirk teaches  claim 1 as described above.
However, Kirk fails to explicitly teach but Grantcharov teaches wherein the at least one processor is further programmed to detect the one or more differences based on a time series analysis of data contained in the one or more outbound [Grantcharov, ¶0296: through exploratory analysis of data; temporal nature of data is well suited for time series analysis to extract meaningful statistics and insights]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of security architecture for a connected aircraft of Kirk before him or her by including the teachings of operating room black-box device, system, method and computer readable medium for event and error prediction of Grantcharov. The motivation/suggestion would have been obvious to try to analyze extracted features, changes, distribution, etc. through time series analysis [Grantcharov, ¶0296].  

	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Abramson et al (20180124233 A1) discloses restricting mobile device usage.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Sakinah White Taylor/Examiner, Art Unit 2497