Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/19/2021 has been entered.

Response to Amendment
This communication is in response to the Amendment filed on 11/19/2021.
Claims 1-20 are pending.
Claims 1, 7, 10, 14, 15, 16 and 18 have been amended.

Response to Arguments
The applicant's arguments/remarks filed on 11/19/2021 regarding claims 1-20 have been fully considered but are moot in view of the new ground(s) of rejection. The arguments/remarks are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.

REJECTIONS UNDER 35 U.S.C. 103
Applicant Arguments
Claims 1-7 and 9-13
Applicant argues that the combination of Engler and Israel fails to teach a device with an embedded intrusion system with a first processing circuit configured to perform one or more functions and a second processing circuit configured to “analyze monitored data to detect malicious or anomalous 
Engler is not concerned with the field of cybersecurity or detecting cyberattacks, but instead is directed to “detecting and protecting physical security aspects of a computer system.” See Engler ¶ [0001]. Amended claim 1 now recites that the second processing circuit is configured to “analyze monitored data to detect malicious or anomalous activity” and “determine whether the device is in a compromised state due to a cyberattack based on detection of malicious or anomalous activity in the analyzed data.” Using the detection of malicious and anomalous activity in monitored data to determine that a device is in a compromised state due to a cyberattack would not include detecting physical security intrusions in Engler.
Furthermore, the processing circuit of the device of claim 1, which monitors and analyzes the data in the communication path to determine if the device is in a compromised state due to a cyberattack, is contained within the housing of the device. However, the firewall disclosed in Engler is a generic firewall operating at the network level rather than a processing circuit contained within the housing of the device.
To the contrary, the network-level firewall in Engler is designed to be implemented at the network level.
Claims 14-19
Further, claim 14 has been amended to recite that the processing circuitry is configured to “analyze the received data to detect malicious or anomalous activity without the use of an additional monitoring device.” Engler requires the use of an additional monitoring device, e.g. the network-level firewall, in order to analyze the received data to detect malicious or anomalous activity and determine, based on the detection, that the device is in a compromised state due to a cyberattack.
Examiner’s Response
The applicant's arguments/remarks filed on 11/19/2021 regarding claims 1-20 have been fully considered and are not persuasive. The elements of applicant’s claimed invention are properly taught or 
Claims 1-7 and 9-13
Amin teaches a device with an embedded intrusion system with a first processing circuit configured to perform one or more functions and a second processing circuit configured to “analyze monitored data to detect malicious or anomalous activity” (See at least ABSTRACT, “The analysis circuitry features a first processing unit and a first memory…The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content with at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack”), wherein the first and second processing units are contained within the housing (See at least Col. 8, lines 28-35, “The first and second processing units may be different processing units, where each “processing unit” may be a different physical processor located within the same processor package”).
For Engler, IPD is configured to detect physical intrusion events based on instruments via monitoring data on the communication path to “determine whether a device is in a compromised state”. It is taught as recited in paragraph [0023], “block 205 indicates that CPU 140 may also be involved with historical data collection including audit information as well as other possible function”, and  paragraph [0024], “intrusion monitor 145 may include a variety of sensors and be in communication with a number of external sensors to detect abnormal (or unexpected) physical activity with respect to device 1 (115)…These backup communication techniques may be used if standard communication to CPU using communication path 142 and redundant communication path 141 are compromised”. It is further explained as recited in paragraph [0026], “when substantial movement occurs, distance moved may be calculated to some degree of accuracy and reported back from intrusion monitoring system via any available communication link”, and paragraph [0027], “security module 305 is illustrated with a set of possible inputs/outputs or connections…Output 375 may transmit security events to an internal CPU or to external monitoring systems (e.g., via backup communication modules)”, that data (inputs, outputs, alerts, etc.) are monitored on the communication path by security module.
Thus, Engler teaches wherein determine whether the device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data.
Claims 14-19
Further, for at least the above reasons, Amin teaches “analyze the received data to detect malicious or anomalous activity without the use of an additional monitoring device” (See at least Col. 6, lines 7-14, “the virtual execution logic detects the presence of an exploit by monitoring or observing unexpected or anomalous behaviors or activities of an object under analysis, and, in response, determining whether there is at least a second probability, that the object has characteristics indicative of an exploit, and thus is associated with a malicious attack”).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-7, 9-13, 16-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Amin et al. (hereinafter referred to as Amin) (U. S. Patent. No. 9787700 B1) in view of Engler et al. (hereinafter referred to as Engler), and in view of Israel et al. (hereinafter referred to as Israel) (U. S. Pub. No. 2018/0096157 A1).
As to claim 1, Amin teaches a device with embedded intrusion detection, the device comprising: a housing; a first processing circuit configured to communication data between the first processing circuit and one or more other components; and a second processing circuit (See at least ABSTRACT, “The analysis circuitry features a first processing unit and a first memory…The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content with at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack”); the first processing circuit and the second processing circuit contained within the housing (See at least Col. 8, lines 28-35, “The first and second processing units may be different processing units, where each “processing unit” may be a different physical processor located within the same processor package”), the second processing circuit configured to: monitor the data transmitted on the communication path; analyze the monitored data to detect malicious or anomalous activity (See at least ABSTRACT, “The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content with at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack”).
Although Amin teaches the substantial features of applicant’s claimed invention, Amin fails to expressly teach wherein determine whether the device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data; 
In analogous teaching, Engler exemplifies this wherein Engler teaches wherein determine whether the device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data (See at least paragraph [0023], “block 205 indicates that CPU 140 may also be involved with historical data collection including audit information as well as other possible function”, and  paragraph [0024], “intrusion monitor 145 may include a variety of sensors and be in communication with a number of external sensors to detect abnormal (or unexpected) physical activity with respect to device 1 (115)…These backup communication techniques may be used if standard communication to CPU using communication path 142 and redundant communication path 141 are compromised”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to See Engler: ABSTRACT).
Although Amin and Engler teach the substantial features of applicant’s claimed invention, Amin and Engler fail to expressly teach wherein initiate a corrective action responsive to a determination that the device is in the compromised state.
In analogous teaching Israel exemplifies this wherein Israel teaches wherein initiate a corrective action responsive to a determination that the device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations  of compromised devices (e.g., as well as remedial actions)”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 2, Amin, Engler and Israel teach the device of claim 1. Israel further teaches wherein transmitting, to a user device via a network connection, the notification (Israel further teaches wherein the corrective action comprises: generating a notification comprising information associated with the determination that the device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations  of compromised devices (e.g., as well as remedial actions)”); and transmitting, to a user device via a network connection, the notification (See at least Fig. 7B, “initiating the security alert action includes providing an alert message to a legitimate user of the device”)
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 3, Amin, Engler and Israel teach the device of claim 1. Engler further teaches wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the first processing circuit; or transmitting, via the communication path, random data to the first processing circuit (See at least FIG. 5, “Determine first level corrective actions…issue alerts through primary (or Secondary) communication paths…destroy local data and components”; and ¶ [0027], “Output 375 may transmit security event to an internal CPU”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method for packet processing and analysis, and Israel, detection of compromised devices via user states, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 4, Amin, Engler and Israel teach the device of claim 1. Engler further teaches wherein the second processing circuit configured to: identify a traffic pattern for the communication path, wherein See at least ¶ [0021], “A standard communication path 142 communicatively couples CPU 140 to intrusion monitor 145 and a backup communication path is illustrated”; and ¶ [0036], “Block 555 indicates that data and components may be destroyed, in response to a detected intrusion event”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method for packet processing and analysis, and Israel, detection of compromised devices via user states, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 5, Amin, Engler and Israel teach the device of claim 4. Israel further teaches wherein the second processing circuit configured to receive a second traffic profile based on previously identified patterns of data associated with known malicious data (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 6, Amin, Engler and Israel teach the device of claim 4. Israel further teaches wherein the second processing circuit configured to determine that the device is in the compromised state by: determining that the monitored data does not match the first traffic profile for the device (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”), or determine that the monitored data is outside of a threshold of the second traffic profile (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles. If the probability is low enough (e.g., lower than a predetermined threshold value, by comparing the probability against the threshold…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 7, Amin teaches a circuit for detecting whether a building device is in a compromised state due to a cyberattack (See at least ABSTRACT, “determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack”), the circuit structured to be mounted within a housing of the building device, the building device comprising a processor and a communication path configured to communicate data between the processor and one or more other components of the building device, the circuit comprising: an interface configured to receive data transmission on the processor communication path; and the processing circuitry configured  to: analyze the received data to detect malicious or anomalous activity (See at least ¶ [0021], “a goal of redundant communication path 142 is to ensure communication to CPU if an intrusion event is suspected or has compromised standard communication path 142 in any way”; Figure 5, 530, 540, 545, etc., and ¶[0036], “Block 530 indicates that each of these detected events, if present, may be used with security parameters for different devices within the secure computer room to determine if unauthorized actions may in progress or suspected…issue an alert or obtain confirmation from a system administrator via a challenge response mechanism or acknowledgement of the alert…Different levels of response may be determined based on collective analysis of all detected intrusion measurements and sensitivity of computer system”).
Although Amin teaches the substantial features of applicant’s claimed invention, Amin fails to expressly teach wherein determine whether the device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data; 
In analogous teaching, Engler exemplifies this wherein Engler teaches wherein determine whether the device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data (See at least paragraph [0023], “block 205 indicates that CPU 140 may also be involved with historical data collection including audit information as well as other possible function”, and  paragraph [0024], “intrusion monitor 145 may include a variety of sensors and be in communication with a number of external sensors to detect abnormal (or unexpected) physical activity with respect to device 1 (115)…These backup communication techniques may be used if standard communication to CPU using communication path 142 and redundant communication path 141 are compromised”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method for packet processing and analysis, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).
Although Amin and Engler teach the substantial features of applicant’s claimed invention, Amin and Engler fail to expressly teach wherein initiate a corrective action responsive to a determination that the device is in the compromised state.
In analogous teaching Israel exemplifies this wherein Israel teaches wherein initiate a corrective action responsive to a determination that the device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations  of compromised devices (e.g., as well as remedial actions)”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 9, Amin, Engler and Israel teach the circuit of claim 7. Engler further teaches wherein the processing circuit further configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern (See at least ¶ [0021], “A standard communication path 142 communicatively couples CPU 140 to intrusion monitor 145 and a backup communication path is illustrated”; and ¶ [0036], “Block 555 indicates that data and components may be destroyed, in response to a detected intrusion event”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method See Engler: ABSTRACT).

As to claim 10, Amin, Engler and Israel teach the circuit of claim 9. Israel further teaches wherein the processing circuitry further configured to receive, from a user device, a second traffic profile based on previously identified patterns of data associated with known malicious data (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 11, Amin, Engler and Israel teach the circuit of claim 10. Israel further teaches wherein a determination that the building device is in the compromised state is based on: an indication that the received data does not match the first traffic profile for the building device (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”), or indication that the received data is outside of a threshold of the second traffic profile (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles. If the probability is low enough (e.g., lower than a predetermined threshold value, by comparing the probability against the threshold…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 12, Amin, Engler and Israel teach the circuit of claim 7. Engler further teaches wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the processor of the building device; or transmitting, via the communication path, random data to the processor of the building device (See at least FIG. 5, “Determine first level corrective actions…issue alerts through primary (or Secondary) communication paths…destroy local data and components”; and ¶ [0027], “Output 375 may transmit security event to an internal CPU”). Israel teaches wherein initiating the corrective action (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations  of compromised devices (e.g., as well as remedial actions)”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of the See Israel: ABSTRACT).

As to claim 13, Amin, Engler and Israel teach the circuit of claim 7. Israel teaches the processing circuitry further configured to: generate, based on a determination that the building device is in the compromised state, at least one of an alert or a report, the report comprising information associated with the determination that the building device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations  of compromised devices (e.g., as well as remedial actions)”); and transmit, to a user device via a network connection, at least one of the alert  notification (See at least Fig. 7B, “initiating the security alert action includes providing an alert message to a legitimate user of the device”)
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 16, Amin and Engler teach the system of claim 15. Israel further teaches wherein the processing circuit is further configured to receive, from a user device, a second traffic profile based on previously identified patterns of data associated with known malicious data (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 17, Engler and Israel teach the system of claim 16. Israel further teaches wherein a determination that the building device is in the compromised state is based on: an indication that the received data does not match the first traffic profile for the building device (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”), or an indication that the received data matches the second traffic profile (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles. If the probability is low enough (e.g., lower than a predetermined threshold value, by comparing the probability against the threshold…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have See Israel: ABSTRACT).

As to claim 19, Amin and Engler teach the system of claim 14. Israel further teaches the processing circuitry further configured to: generate, based on a determination that the building device is in the compromised state, at least one of an alert or a report, the report comprising information associated with the determination that the building device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”); and transmit, to a user device via a network connection, at least one of the alert notification (See at least Fig. 7B, “initiating the security alert action includes providing an alert message to a legitimate user of the device”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

Claims 14, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Amin in view of Engler.
As to claim 14, Amin teaches a building device comprising: a housing; a processor configured to perform one or more functions; and a communication path configured to communicate data between the processor and one or more other components of a building (See at least ABSTRACT, “The analysis circuitry features a first processing unit and a first memory…The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content with at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack”); wherein the processor and the communication path are contained within the housing (See at least Col. 8, lines 28-35, “The first and second processing units may be different processing units, where each “processing unit” may be a different physical processor located within the same processor package”); and a circuit comprising: an interface configured to receive data transmitted on the communication path;  and processing circuitry configured to: analyze the received data to detect malicious or anomalous activity without the use of an additional monitoring device (See at least ABSTRACT, “The detection circuitry includes a second processing unit and a second memory. The second memory includes a virtual execution logic to process content with at least a first object of the second plurality of objects. The virtual execution logic is configured to monitor for behaviors, during the processing of the first object, and determine whether any or all of the monitored behaviors correspond to activities indicative that the first object is associated with a malicious attack”).
Although Amin teaches the substantial features of applicant’s claimed invention, Amin fails to expressly teach determining whether the building device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data.
In an analogous teaching, Engler exemplifies this, wherein Engler teaches determining whether the building device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data (See at least paragraph [0023], “block 205 indicates that CPU 140 may also be involved with historical data collection including audit information as well as other possible function”, and paragraph [0024], “intrusion monitor 145 may include a variety of sensors and be in communication with a number of external sensors to detect abnormal (or unexpected) physical activity with respect to device 1 (115)…These backup communication techniques may be used if standard communication to CPU using communication path 142 and redundant communication path 141 are compromised”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method for packet processing and analysis, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 15, Amin and Engler teach the system of claim 14. Engler further teaches wherein the processing circuit is further configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern (See at least ¶ [0021], “A standard communication path 142 communicatively couples CPU 140 to intrusion monitor 145 and a backup communication path is illustrated”; and ¶ [0036], “Block 555 indicates that data and components may be destroyed, in response to a detected intrusion event”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method for packet processing and analysis, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 18, Amin and Engler teach the system of claim 14. Engler further teaches wherein the processing circuitry is further configured to initiate a corrective action, wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the first processing circuit; or transmitting, via the communication path, random data to the first processing circuit (See at least FIG. 5, “Determine first level corrective actions…issue alerts through primary (or Secondary) communication paths…destroy local data and components”; and ¶ [0027], “Output 375 may transmit security event to an internal CPU”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Amin, system and method for packet processing and analysis, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Amin, in view of Engler, and in view of Israel, and further in view of Jenkins et al. (hereinafter referred to as Jenkins) (U.S. Patent No. 10410002 B1).
As to claim 8, Amin, Engler and Israel teach the circuit of claim 1. However, Amin, Engler and Israel fail to expressly teach wherein the communication path is at least one of an address bus, a data bus, or a control bus.
In analogous teaching, Jenkins exemplifies this wherein Jenkins teaches wherein the communication path is at least one of an address bus, a data bus, or a control bus (See at least Abstract “An intrusion detection device is incorporated between a bus controller and a bus of multiplex data bus. The intrusion detection device receives message that are communicated among the bus controller and a plurality of remote terminals (by way of the bus)”).
Thus, given the teaching of Jenkins, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Jenkins, Intrusion detection apparatus, system and methods, into Israel, detection of compromised devices via user states, and Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to implement intrusion detection on the communication paths. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to detect and migrate terminal attacks on multiplex data buses (See Jenkins: ABSTRACT).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Amin in view of Engler, and in view of Jenkins.
As to claim 20, Amin and Engler teach the system of claim 14. However, Amin and Engler fail to expressly teach wherein the communication path is at least one of an address bus, a data bus, or a control bus.
In analogous teaching, Jenkins exemplifies this wherein Jenkins teaches wherein the communication path is at least one of an address bus, a data bus, or a control bus (See at least Abstract “An intrusion detection device is incorporated between a bus controller and a bus of multiplex data bus. The intrusion detection device receives message that are communicated among the bus controller and a plurality of remote terminals (by way of the bus)”).
Thus, given the teaching of Jenkins, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Jenkins, Intrusion detection apparatus, system and methods, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to implement intrusion detection on the communication paths. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to detect and migrate terminal attacks on multiplex data buses (See Jenkins: ABSTRACT).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN FAN whose telephone number is (571) 272-3345.  The examiner can normally be reached on Monday-Thursday, 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




John Fan
/J.F/Examiner, Art Unit 2454     
02/04/2022


/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2454