Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 02/13/2019 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Specification
The specification is objected to because of the following informalities:
Paragraph 15, line 2, “the first device 210” should read “the first device 220”.
Appropriate correction is required. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-7 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. US 2019/0190938 A1 to Oba et al. (hereinafter Oba) and further in view of US-PGPUB No. US 2015/0381642 A1 to Kim et al. (hereinafter Kim).
Regarding claim 1: 
Oba discloses:
An intrusion detection device, which is suitable for Modbus, comprising: 
a connection interface (see Fig. 2 for an anomaly detection device comprising a communication interface, and ¶02: “…  an anomaly detection device which detect anomalies in a plurality of packets”, 
¶29: “… the internal network of the control systems now use communications using open protocols such as Modbus …”, and See Fig. 5 MODEL ID 6 for Modbus); 
a processor configured to receive a plurality of first packets through the connection interface (see ¶05: “The anomaly detection device includes a processor and a memory. …
The anomaly detection method includes the following executed by the processor: obtaining the plurality of learning packets; extracting … first combinations of N data units …”), 
wherein the processor is configured to: 
obtain a network protocol data and an industrial operation data of each of the plurality of first packets (see Fig. 6 for packet content, and ¶05: “… extracting, for each of the plurality of learning packets obtained, first combinations of N data units out of a plurality of data units obtained by dividing a data sequence forming a payload included in the learning packet …” 
¶120: “The destination IP, destination port, source IP, and protocol … are information included in the packet header …”);
tag a first internet protocol (IP) address of the network protocol data with a first action role and tag a second internet protocol (IP) address of the network protocol data with a second action role respectively (see ¶136: “Anomaly detection models … include data items of model ID …”, and Fig. 6 for packets content); 
obtain a related group of the first IP address, wherein the related group comprises a first industrial device information and a second industrial device information (see ¶81: “… the anomaly detection method further includes classifying each of the plurality of packets obtained into any one of the plurality of models according to a header of the packet …”,
¶82: “… each of the plurality of models is a model classified by at least one of a destination internet protocol (IP), a destination port, a source IP, and a protocol of the packet.”,
¶137: “…  packets with the same destination IP and the same destination port often have similar roles.”, and also see Fig. 6 for packets content); 
generate a rule list (¶05: “the plurality of first probabilities being calculated by performing smoothing processing; storing the plurality of first probabilities calculated, in the memory as the anomaly detection model”;
see Fig. 6 for entries of the model (rule list), ¶136: “Anomaly detection models 131 illustrated in FIG. 5 include data items of model ID, destination IP, destination port, data from which N-grams are obtained, the number of occurrences of N-grams, and probability of occurrence of N-grams.”, and
¶138: “Anomaly detection models 132 illustrated in FIG. 6 include the item of source IP in addition to the items of anomaly detection models 131”),
Oba fails to explicitly disclose the following limitation taught by Kim:
wherein the first action role on the rule list corresponds to the first industrial device information and the second industrial device information (see Kim Fig. 7 for how to generate a server and a command table (rule list),
 ¶65: “… the communication pattern classifier 110 may classify the device in which the port value is 502 as the server, and as shown in FIG. 4, classify devices as the server and the client.”, and 
¶70: “… the communication pattern classifier 110 may extract values of the client IP, the server IP, the UID, and the function code FCode …”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Oba to incorporate the communication pattern classifier functions of generating an entry of a server table and an entry of a command table separately, as disclosed by Kim. The availability of such functionality would make the searching and matching of incoming packets faster, thereby providing an efficient intrusion detection system.

Regarding claim 2: 
The combination of Oba and Kim discloses:
The intrusion detection device of claim 1, wherein the processor is further configured to: 
search a communication port of the network protocol data on a look-up table in order to tag the first IP address with the first action role and to tag the second IP address with the second action role (Oba ¶136: “The model ID is an identifier uniquely assigned to each of a plurality of models for identification. The destination IP is information which indicates the destination IP of the packets associated with the model. The destination port is information which indicates the destination port of the packets associated with the model.”, and see Fig. 6 for communication port and Model ID (tag)).  

Regarding claim 4:
The combination of Oba and Kim discloses:
The intrusion detection device of claim 1, wherein the processor is further configured to: receive a second packet through the connection interface (Oba ¶05: “obtaining a plurality of packets”, 
¶76: “… for each of the plurality of packets obtained, (i) second combinations of N data units, out of a plurality of data units obtained by dividing a data sequence forming a payload included in the packet by A bit unit, are extracted, the second combinations being all possible combinations of the N data units …”); 
read the network protocol data and the industrial operation data of the second packet to determine whether the second packet satisfies contents of the rule list (Oba ¶151: “Detector 160 extracts all the possible second combinations of N data units out of a plurality of data units obtained by dividing a data sequence forming the payload included in the packet …”, and 
¶155: “Detector 160 determines whether or not the score calculated for the packet exceeds an alert threshold as a predetermined threshold that is based on the anomaly detection models stored in anomaly detection model DB 130.”); 
generate a warning signal in response to determining that the second packet does not satisfy the contents of the rule list (Oba ¶147: “input receiving unit 140 receives an input of a parameter related to the alert occurrence rate for generating an alert.”, and 
Kim ¶96: “…  when there is not the information identical to the combined SIP/FCode information and there is not the FCode itself in the command table, the abnormal behavior detector 130 may generate a warning of an abnormal command level 3 …”).  

Regarding claim 5:
The combination of Oba and Kim discloses:
The intrusion detection device of claim 4, wherein the processor is further configured to: 
read a third internet protocol (IP) address from the network protocol data of the second packet (Oba ¶76: “… for each of the plurality of packets obtained, (i) second combinations of N data units, out of a plurality of data units obtained by dividing a data sequence forming a payload included in the packet by A bit unit, are extracted …”); 
obtain a third action role of the third IP address according to a communication port of the network protocol data of the second packet (Oba ¶76: “… the second combinations being all possible combinations of the N data units …”, and see Fig. 6 for packets content); 
read at least one operation parameter of the industrial operation data of the second packet (Oba ¶200: “Detector 160 extracts the target data portion in the target packet in step S37.”); 
generate the warning signal in response to determining that the third IP address, the third action role of the third IP address, and the at least one operation parameter have not satisfied the first action role, the first IP address, the second IP address, and the contents of the related group on the rule list (Oba ¶202: “Detector 160 determines whether or not the score calculated for the target packet exceeds the alert threshold associated with the anomaly detection model of the target packet which is stored in anomaly detection model DB 130 (S39). When detector 160 determines that the calculated score exceeds the corresponding alert threshold (Yes in S39), presentation unit 170 presents an alert (S40) …”).
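Read together, the claim 1, 4 and 5 limitations as mapped above describe one procedure: tag the endpoint on port 502 as the server and its peer as the client (Kim ¶65), record the server/client pairs and their unit ID and function code as a rule list (Kim ¶70), then read the network protocol data and industrial operation data of a later packet and raise a warning when it has no matching entry (Kim ¶96). The Python below is an added illustration of that procedure written for this page; it is not code from the application, from Oba, from Kim, or from the examiner. All packet values are constructed, the two-table layout and the warning texts are my assumptions, and only Modbus/TCP (MBAP) framing is parsed.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

MODBUS_PORT = 502  # Modbus/TCP well-known port; the endpoint using it is tagged "server"


@dataclass(frozen=True)
class Packet:
    """Network protocol data (IP/port header fields) plus the Modbus/TCP payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # Modbus/TCP ADU: 7-byte MBAP header followed by the PDU


def adu(uid: int, fcode: int, data: bytes = b"", tid: int = 1) -> bytes:
    """Build a Modbus/TCP ADU (constructed sample input, not captured traffic)."""
    # MBAP length counts unit id + function code + data
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, uid, fcode) + data


def parse_modbus(payload: bytes) -> tuple:
    """Industrial operation data: return (unit id, function code) from the ADU."""
    if len(payload) < 8:
        raise ValueError("payload too short for a Modbus/TCP ADU")
    _tid, pid, length, uid, fcode = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload")
    return uid, fcode


def tag_roles(pkt: Packet) -> tuple:
    """Tag the IP on port 502 as server and the other IP as client: (client, server)."""
    if pkt.dst_port == MODBUS_PORT:
        return pkt.src_ip, pkt.dst_ip
    if pkt.src_port == MODBUS_PORT:
        return pkt.dst_ip, pkt.src_ip
    raise ValueError("neither endpoint uses the Modbus port")


@dataclass
class RuleList:
    """Assumed layout: a server table (server -> clients) and a command table."""
    server_table: dict = field(default_factory=dict)   # server_ip -> {client_ip}
    command_table: dict = field(default_factory=dict)  # (server_ip, client_ip) -> {(uid, fcode)}

    def learn(self, pkt: Packet) -> None:
        client, server = tag_roles(pkt)
        uid, fcode = parse_modbus(pkt.payload)
        self.server_table.setdefault(server, set()).add(client)
        self.command_table.setdefault((server, client), set()).add((uid, fcode))

    def check(self, pkt: Packet) -> Optional[str]:
        """Return None when the packet matches the rule list, else a warning text."""
        try:
            client, server = tag_roles(pkt)
            uid, fcode = parse_modbus(pkt.payload)
        except ValueError as exc:
            return f"malformed packet: {exc}"
        if server not in self.server_table:
            return f"unknown server {server}"
        if client not in self.server_table[server]:
            return f"unknown client {client} for server {server}"
        if (uid, fcode) not in self.command_table[(server, client)]:
            return f"unknown command uid={uid} fcode={fcode} from {client} to {server}"
        return None


# Constructed learning traffic: an HMI reading (fcode 3) and writing (fcode 6) a PLC
PLC, HMI, LAPTOP = "192.168.1.10", "192.168.1.20", "192.168.1.99"
LEARNING_PACKETS = [
    Packet(HMI, 50000, PLC, 502, adu(1, 3, b"\x00\x00\x00\x0a")),
    Packet(PLC, 502, HMI, 50000, adu(1, 3, b"\x14" + b"\x00" * 20)),
    Packet(HMI, 50001, PLC, 502, adu(1, 6, b"\x00\x01\x00\x2a")),
]

# Constructed packets to check: a normal read, a new function code, and a new client
TEST_PACKETS = [
    Packet(HMI, 50002, PLC, 502, adu(1, 3, b"\x00\x00\x00\x0a")),
    Packet(HMI, 50003, PLC, 502, adu(1, 16, b"\x00\x00\x00\x01\x02\x00\x00")),
    Packet(LAPTOP, 40000, PLC, 502, adu(1, 3, b"\x00\x00\x00\x0a")),
]


def build_rule_list() -> RuleList:
    rules = RuleList()
    for pkt in LEARNING_PACKETS:
        rules.learn(pkt)
    return rules


def demo() -> list:
    rules = build_rule_list()
    return [rules.check(pkt) for pkt in TEST_PACKETS]


if __name__ == "__main__":
    for pkt, result in zip(TEST_PACKETS, demo()):
        print(pkt.src_ip, "->", pkt.dst_ip, ":", result or "ok")
```

The first test packet matches a learned (server, client, uid, fcode) entry and produces no warning; the second reuses a known client but an unlearned function code and the third comes from an address never seen as a client of that server, and each yields a warning string that a caller could log or forward as the warning signal.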

Regarding claims 6-7 and 9-10:
Claims 6-7 and 9-10 recite substantially the same limitations as claims 1-2 and 4-5 respectively. Therefore, claims 6-7 and 9-10 are rejected under the same rationale as claims 1-2 and 4-5 respectively.

Claims 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Oba and Kim as applied to claim 1 above, and further in view of US-PGPUB No. US 2014/0359708 A1 to Schwartz.
Regarding claim 3:
The combination of Oba and Kim discloses the intrusion detection device of claim 2, but fails to explicitly disclose the following limitation taught by Schwartz:
Purdue model (Schwartz ¶03: “… attempts at improving security for industrial control systems have been made ... control hierarchy models, such as the Purdue model, have been implemented …”).



Regarding claim 8:
Claim 8 recites substantially the same limitations as claim 3. Therefore, claim 8 is rejected under the same rationale as claim 3.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

McQuillan et al.  (US-PGPUB No. 2016/0094578 A1)- disclosed SCADA system that includes a network interface configured to communicate data with a plurality of industrial control devices via an industrial control system (ICS) network.
Kang et al. (US-PGPUB No. 2016/60094517 A1)- disclosed an apparatus and method for blocking abnormal communication, which are capable of protecting an industrial control system against cyber threats through the traffic analysis of an industrial firewall. 
Shimizu et al. (US-PGPUB No. 2018/0069835 A1)- disclosed a packet filtering apparatus that represents a rule set for packet filtering being a technique for preventing a cyber-attack. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491


/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491