Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 11/3/2021. Claims 1-21 are pending. This Office Action is Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 9/20/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
	A) Applicant’s amendments and arguments with regard to the 35 USC 101 rejection for no hardware embodiment have been considered and deemed persuasive. As a result, these rejections have been withdrawn.

	B) Applicant’s arguments with respect to claim(s) 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on the exact same rejection applied in the prior rejection. Further, Applicant argues that Seddigh fails to disclose, teach or even suggest “information received from a duplicator.” For clarity, Seddigh is relied on to teach the effective steps of intercepting…, comparing... and detecting of a packet. Where the packet comes from is taught by Petit-Huguenin.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8, 10-15 and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Petit-Huguenin et al. (US 2016/0021253) in view of Tsirkin (US 2011/0126195) and Seddigh et al. (US 2018/0139104).

	As per claim 1, Petit-Huguenin teaches a method for detecting anomalies in a technological system, the method comprising: intercepting, by a duplicator running on an upper-level element of the technological system at least one outgoing data packet addressed to a middle-level element of the technological system; sending, by the (Petit-Huguenin, Paragraph 0152 recites “Step 804 can include sending an outgoing data stream to multiple network devices 302. In particular, step 804 can include sending, from the first network device 302a, an outgoing data stream to each of the plurality of network devices 302 participating in the communication session. For example, the first network device 302a can send an outgoing data stream to a duplicator 206, which in turns forwards a copy of the outgoing data stream to each network device 302 participating in the multi-device communication session, in any suitable manner as described herein. For instance, a communication manager 314 can send the outgoing data stream.”).
	But fails to explicitly teach a packet from a guest operating system.
	However, in an analogous art Tsirkin teaches a packet from a guest operating system (Tsirkin, Paragraph 0018 recites “The guest OS then tries to notify a driver of the host network device about the data packet. The notification of the guest OS is intercepted by the hypervisor, which determines whether a zero copy transmission should be used for the data packet. If this determination is negative, the hypervisor copies the data packet to a hypervisor buffer, and notifies the driver of the host network device about the data packet residing in the hypervisor buffer.”). 
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Tsirkin’s zero copy transmission in virtualization environment with Petit-Huguenin’s managing data streams for a communication network because the use of the buffer provides an extra layer of protection to the system.  

	However, in an analogous art Seddigh teaches intercepting, by the monitor, at least one incoming data packet; comparing, by the monitor, the information received from the duplicator with the intercepted at least one incoming data packet; and detecting, by the monitor, an anomaly in the technological system when the intercepted at least one incoming data packet does not conform to the information received from the duplicator (Seddigh, Paragraph 0169 recites “Further, a SCADA Anomaly Detection Module 240 monitors the traffic flow information and detects cyber threats by applying anomaly detection and machine learning techniques to statistics which it distills from the traffic flow information. A SCADA Situational Awareness Analyzer module 260 combines the SCADA network map obtained from the Network Topology Discovery Module 280 with the cyber threat information and security analytics to create a situational awareness view of the network posture. A SCADA Security Analytics module 250 applies analytics to traffic flow information to detect security threats not discovered using the anomaly detection module 240 and adds to the Situational Awareness Analyzer module 260. For example, this module may detect the presence of rogue DNS or DHCP servers.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Seddigh’s Method and System for Discovery and Mapping of 

	As per claim 3, Petit-Huguenin in view of Tsirkin and Seddigh teaches the method of claim 1, Seddigh further teaches wherein the upper-level element is running in a protected environment and the middle-level element is using an unprotected data transmission protocol (Seddigh, Paragraphs 0048-0049 recite “using information from the SNMP and the routing protocols to validate a set of links from the plurality of candidate links and add the validated set of links to the first discovered topology. The method described above may be applicable to topology discovery in various types of networks, for example a Supervisory Control and Data Acquisition (SCADA) network.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Seddigh’s Method and System for Discovery and Mapping of a Network Topology with Petit-Huguenin’s managing data streams for a communication network because the use of anomaly detection would provide protection amongst data sent over networks.

	As per claim 4, Petit-Huguenin in view of Tsirkin and Seddigh teaches the method of claim 1, Petit-Huguenin further teaches establishing, by the duplicator, at least one secure connection with each monitor located in the data transmission network; and sending, by the duplicator, information about each intercepted outgoing data packet to the monitors with which the duplicator has established at least one secure connection (Petit-Huguenin, Paragraph 0152 recites “Step 804 can include sending an outgoing data stream to multiple network devices 302. In particular, step 804 can include sending, from the first network device 302a, an outgoing data stream to each of the plurality of network devices 302 participating in the communication session. For example, the first network device 302a can send an outgoing data stream to a duplicator 206, which in turns forwards a copy of the outgoing data stream to each network device 302 participating in the multi-device communication session, in any suitable manner as described herein. For instance, a communication manager 314 can send the outgoing data stream.”).

	As per claim 5, Petit-Huguenin in view of Tsirkin and Seddigh teaches the method of claim 1, Seddigh further teaches wherein the monitor is a protected operating system (Seddigh, Paragraph 0049 recites “The method described above may be applicable to topology discovery in various types of networks, for example a Supervisory Control and Data Acquisition (SCADA) network.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Seddigh’s Method and System for Discovery and Mapping of a Network Topology with Petit-Huguenin’s managing data streams for a communication network because the use of anomaly detection would provide protection amongst data sent over networks.


	As per claim 6, Petit-Huguenin in view of Tsirkin and Seddigh teaches the method of claim 1, Seddigh further teaches wherein the monitor is located in a same data transmission network in which the middle-level element to which the intercepted at least one outgoing data packet is addressed is located (Seddigh, Paragraph 0169 recites “Further, a SCADA Anomaly Detection Module 240 monitors the traffic flow information and detects cyber threats by applying anomaly detection and machine learning techniques to statistics which it distills from the traffic flow information. A SCADA Situational Awareness Analyzer module 260 combines the SCADA network map obtained from the Network Topology Discovery Module 280 with the cyber threat information and security analytics to create a situational awareness view of the network posture. A SCADA Security Analytics module 250 applies analytics to traffic flow information to detect security threats not discovered using the anomaly detection module 240 and adds to the Situational Awareness Analyzer module 260. For example, this module may detect the presence of rogue DNS or DHCP servers.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Seddigh’s Method and System for Discovery and Mapping of a Network Topology with Petit-Huguenin’s managing data streams for a communication network because the use of anomaly detection would provide protection amongst data sent over networks.

	As per claim 7, Petit-Huguenin in view of Tsirkin and Seddigh teaches the method of claim 1, Seddigh further teaches wherein the upper-level elements of the technological system which operate in a protected environment comprise one or more of: supervisory (Seddigh, Paragraph 0049 recites “The method described above may be applicable to topology discovery in various types of networks, for example a Supervisory Control and Data Acquisition (SCADA) network.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Seddigh’s Method and System for Discovery and Mapping of a Network Topology with Petit-Huguenin’s managing data streams for a communication network because the use of anomaly detection would provide protection amongst data sent over networks.

Regarding claims 8 and 15, claims 8 and 15 are directed to a system and a non-transitory computer readable medium associated with the method of claim 1. Claims 8 and 15 are of similar scope to claim 1 and are therefore rejected under similar rationale.

Regarding claims 10 and 17, claims 10 and 17 are directed to a system and a non-transitory computer readable medium associated with the method of claim 3. Claims 10 and 17 are of similar scope to claim 3 and are therefore rejected under similar rationale.

Regarding claims 11 and 18, claims 11 and 18 are directed to a system and a non-transitory computer readable medium associated with the method of claim 4. 

Regarding claims 12 and 19, claims 12 and 19 are directed to a system and a non-transitory computer readable medium associated with the method of claim 5. Claims 12 and 19 are of similar scope to claim 5 and are therefore rejected under similar rationale.

Regarding claims 13 and 20, claims 13 and 20 are directed to a system and a non-transitory computer readable medium associated with the method of claim 6. Claims 13 and 20 are of similar scope to claim 6 and are therefore rejected under similar rationale.

Regarding claims 14 and 21, claims 14 and 21 are directed to a system and a non-transitory computer readable medium associated with the method of claim 7. Claims 14 and 21 are of similar scope to claim 7 and are therefore rejected under similar rationale.

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Petit-Huguenin et al. (US 2016/0021253) in view of Tsirkin (US 2011/0126195) and Seddigh et al. (US 2018/0139104), and in further view of Ross (US 2006/0242706).

As per claim 2, Petit-Huguenin in view of Tsirkin and Seddigh teaches the method of claim 1, but fails to teach sending, by the monitor, information about the detected anomaly to all upper-level elements of the technological system.
	However, in an analogous art Ross teaches sending, by the monitor, information about the detected anomaly to all upper-level elements of the technological system (Ross, Paragraph 0027 recites “FIG. 1 shows a Supervisory Control and Data Acquisition (SCADA) system which is one type of network system to which the present teachings can be applied. SCADA systems are typically employed to monitor and/or control conditions, facilities, sensors, etc., that generally are at a remote location, where data from such remote location is transferred to a control center to allow for data analysis, data presentation, etc., and the provision of alerts when needed to signal an anomaly condition. Accordingly, like other types other networked systems, a SCADA system can be vulnerable to intrusions and/or network "attacks" that can compromise the integrity of the network and the data thereon”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Ross’ Methods and systems for evaluating and generating anomaly detectors with Petit-Huguenin’s managing data streams for a communication network because the use of an alarm helps to alert the network of any issue.

Regarding claims 9 and 16, claims 9 and 16 are directed to a system and a non-transitory computer readable medium associated with the method of claim 2. Claims 9 and 16 are of similar scope to claim 2 and are therefore rejected under similar rationale.



Conclusion
	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK TOLENTINO

Art Unit 2439



/RODERICK TOLENTINO/ Primary Examiner, Art Unit 2439