DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Preliminary Amendment, received on 11 May 2020, has been entered into record. In this amendment, claims 1, 11, 13, 15, 16, and 20 have been amended, claims 2-10 and 17-19 have been canceled, and claims 21-32 have been added.
Claims 1, 11-16, and 20-32 are presented for examination.

Priority
The claim for priority from PCT/US2018/048424 filed on 29 August 2018, which claims priority from US Provisional 62/587,655 filed on 17 November 2017 is duly noted.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 11-15, 20-28, and 30-32 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Asenjo et al. (EP2801942 A1 and Asenjo hereinafter).
As to claims 1 and 11, Asenjo discloses a system and method for risk assessment for industrial systems using big data, the system and method having:
at least one multi-app sensor comprising at least one processor configured via executable instructions included in at least one memory to (0028, lines 13-16; 0031, lines 1-9; 0035, lines 7-8): 
based on a plurality of received configuration profiles, execute respectively a plurality of applications from different security providers, which applications monitor and collect data from at least one control system in at least one industrial network and from at least one virtual model of the control system, wherein the control system includes at least one programmable logic controller (PLC) (0031, lines 4-9; 0048, lines 4-7; 0077, lines 1-4; 0101, lines 6-12; 0110, lines 2-6); 
based on comparisons between collected data from the control system and the virtual model, generate at least one further configuration profile that provides further detection coverage for control system anomalies (0031, lines 11-19; 0048, lines 4-8; 0078, lines 5-12; 0079, lines 1-4; 0102, lines 1-7); 
deploy the further configuration profile to further multi-app sensors (0032, lines 1-6).

As to claims 12 and 24, Asenjo discloses:
wherein the applications carry out security monitoring and network monitoring, wherein the configuration profiles include at least one of: a list that specifies what or what not to scan or monitor; behavior profiles corresponding to anomalies; or any combination thereof (0048, lines 4-19).

As to claims 13 and 25, Asenjo discloses:
wherein at least some of the applications from different security providers respectively operate in respective different virtual machines on the multi-app sensor, further comprising the multi-app sensor automatically adjusting at least one live parameter of a hypervisor resource allocation to at least one virtual machine in order to control performance overhead of the multi-app sensor (0027, lines 1-12).

As to claims 14 and 26, Asenjo discloses:
wherein the multi-app sensor includes a virtual machine with a virtual network interface card in a promiscuous mode configured to capture the collected data (0027, lines 1-12; 0112, lines 1-14).

As to claims 15, 27, and 28, Asenjo discloses:
wherein the multi-app sensor includes a store-and-forward service configured to communicate collected data to the at least one cloud server, wherein the collected data includes: control system network information; control system configuration information; and control system process variables (0024, lines 2-21), wherein the control system configuration information includes PLC in-memory read/write transactions (0110, lines 1-7).
As to claim 20, Asenjo discloses:
A non-transitory computer readable medium encoded with processor executable instructions that when executed by at least one processor, cause the at least one processor to carry out a method according to claim 11 (0027, lines 1-12).

As to claim 21, Asenjo discloses:
wherein an active app operates on a multi-app sensor, wherein the active app executes based on a configuration profile, wherein the active app is configured to only execute under the restrictions of an enforced configuration profile (0034, lines 3-11).

As to claim 22, Asenjo discloses:
wherein the multi-app sensor contains multiple virtual machines and a hypervisor resource allocation to each virtual machine, wherein the multi-app sensor automatically adjusts live parameters of a hypervisor resource allocation to each virtual machine and security configurations of the applications to regulate data collection and monitoring operations of the applications (0027, lines 1-12).

As to claim 23, Asenjo discloses:
wherein the system is adapted to autonomously generate virtual patches capable of detecting such anomalies in other multi-app sensors, wherein the virtual patch is a configuration profile (0078, lines 5-12; 0079, lines 1-19).

As to claim 30, Asenjo discloses:
wherein the multi-app sensor is configured to generate the virtual model of the control system based on collected data (0101, lines 2-14).

at least one cloud server that receives collected data from a plurality of multi-app sensors collected by applications from different security providers and distributes the configuration profiles to a plurality of multi-app sensors (0122, lines 19-27; Figure 13).

As to claim 32, Asenjo discloses:
wherein the plurality of multi-app sensors from which collected data is received are configured to anonymize and obfuscate collected data communicated to the at least one cloud server, wherein the at least one cloud server is further configured to generate and output benchmarking data comparing the applications from the different security providers (0062, lines 2-19).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner 
Claims 16 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Asenjo as applied to claims 1 and 11 above, and further in view of McDougal et al. (US 2017/0163665 A1 and McDougal hereinafter).
As to claims 16 and 29, Asenjo fails to specifically disclose:
wherein the multi-app sensor includes a data diode that prevents outbound communications to the control system.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Asenjo, as taught by McDougal.
McDougal discloses a system and method for malware lab isolation, the system and method having:
wherein the multi-app sensor includes a data diode that prevents outbound communications to the control system (0037, lines 3-8).
Given the teaching of McDougal, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Asenjo with the teachings of McDougal by using a data diode to prevent outbound communications. McDougal recites motivation by disclosing that using a diode prevents improper two-way communications or covert exfiltration of content between zones, thus providing security (0037, lines 3-8). It is obvious that the teachings of McDougal would have improved the teachings of Asenjo by using a diode in order to prevent improper two-way communication and provide security.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Park et al. (US 2019/0052600 A1) discloses a system and method for one step removed shadow network.
Roark et al. (US 2021/0233383 A1) discloses a system and method for impeding unauthorized network infiltration at remote critical infrastructure facilities.
Shulman et al. (US Patent 8,713,682 B2) discloses a system and method for dynamic learning and adaptive normal behavior profile architecture for providing fast protection of enterprise applications.
Wei et al. (WO 2016/172514 A1) discloses a system and method for improving control system resilience.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 




/SARAH SU/ Primary Examiner, Art Unit 2431