DETAILED ACTION
This non-final office action is in response to applicant’s RCE filed on 10/26/2021 for response of office action mailed on 08/10/2021. Claim 1 and 34 are currently amended. No claim is cancelled and added. Claims 1-35 are being examined and pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 10/26/2021 has been entered.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s amendments and arguments on independent claim 1 and 34, filed on 10/26/2021, have been considered.
Regarding argument on claim 1 on page 11-12, applicant amended the claim with new limitation:  “wherein the platform certificate provides a hardware identity associated with an electric vehicle communication controller”. The applicant’s amendments to claim 1 necessitated the new 
Regarding argument on claim 34 on page 12-13, applicant amended the claim from “at least one boundary” to “one boundary” which overcame the previous rejections. But US patent #10686806 has same invention as the current application. Therefore the claim 34-35 are rejected with nonstatutory double patenting. Refer to the following section for details. 
Applicant presents no further arguments. 
For the above reasons, it is believed that the rejections should be sustained. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 34 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 19 of U.S. Patent No. US10686806 in view of Karner et al. (US20130127416, hereinafter Karner). 
Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature with the U.S. Patent No. US10686806. The claim 34 in the instant application recites a method to protect an electric vehicle charging infrastructure and claim 19 in US patent #10686806 recites a method to protect an industrial asset and US patent #10686806 also teaches the industrial asset could be power grid (Para. 0067). Karner teaches an electric vehicle charging system is configured to receive electricity from electric grid (Para. 0033 and 0034). 
Instant Application # 16/255073
US Patent #10686806
an electric vehicle charging infrastructure, comprising: Amendment and Response to August 10, 2021 Final Office Action 
19.  A computerized method to protect an industrial asset, comprising:
           receiving, from a normal space data source for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the electric vehicle charging infrastructure;
receiving, from a normal space data source for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset;
            receiving, from an attacked space data source for each of the plurality of monitoring nodes, a series of attacked monitoring node values over time that represent attacked operation of the electric vehicle charging infrastructure;
receiving, from an attacked space data source for each of the plurality of monitoring nodes, a series of attacked monitoring node values over time that represent attacked operation of the industrial asset;
           receiving, from a fault space data source for each of the plurality of monitoring nodes, a series of fault monitoring node values over time that represent fault operation of the electric vehicle charging infrastructure; and 8Application No.: 16/255,073 
receiving, from a fault space data source for each of the plurality of monitoring nodes, a series of fault monitoring node values over time that represent fault operation of the industrial asset;
           automatically calculating and outputting, by a multi-class classifier model creation computer, a decision boundary for a multi-class classifier model based on the set of normal 
at least one decision boundary for a multi-class classifier model based on the set of 



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1-4 are rejected under 35 U.S.C. 103 as being unpatentable over Karner et al. (US20130127416, hereinafter Karner) in view of Levy et al. (US20110099144, hereinafter Levy), and further in view of Narayanaswami (US20200200824, hereinafter Nara).
Regarding claim 1, Karner teaches a system to protect an electric vehicle charging infrastructure, comprising: an electric vehicle charging site to receive alternating current power from a power grid and provide direct current power to electric vehicles (Karner: charging station 105 to provide electricity from electric grids to electric vehicle; Fig. 1; Para. 0033; Para. 0034; Para. 0037), including: a plurality of monitoring nodes each generating a series of current monitoring node values over time that represent a current operation of the electric vehicle charging infrastructure (Karner: system 100 is configured to monitor charging stations and collect measurements; Para. 0003; Para. 0076; Para. 0025); a supply equipment communication controller to receive an access request from an access requestor associated with an electric vehicle (Karner: receiving a request to charge the electrical vehicle’s battery; Para. 0025; Fig. 10), a secondary actor policy decision point server to evaluate the access requestor's identity and respond with an action message allowing high-level communication with the access requestor to proceed (Karner: upon authenticating the user, check other criteria to permit charging; Fig. 10; Para. 014).
wherein the platform certificate provides a hardware identity associated with an electric vehicle communication controller, and wherein information associated with at least one of the current monitoring node values and the access request is stored in a secure, distributed transaction ledger.
However, in the same field of endeavor, Levy teaches the access request being associated with a platform certificate, wherein the platform certificate provides a hardware identity associated with an electric vehicle communication controller (Levy: electrical vehicle transmits a permanent security certificate containing it’s unique ID to the charging station; Para. 0028, Claim 1) (examiner note: Claim 1 recites “hardware identity”, electric vehicle communication controller”. This describes what contains inside the certificate. However, these recited parameters not processed or used to carry out any steps or functions that rely on these particular parameters recited in the claims. Therefore, these claim recites nonfunctional descriptive material. When descriptive material is not functionally related to the substrate, the descriptive material will not distinguish the invention from prior art in terms of patentability. It has been held that where the printed matter is not functionally related to the substrate, the printed matter will not distinguish the invention from the prior art in terms of patentability …. [T]he critical question is whether there exists any new and unobvious functional relationship between the printed matter and the substrate (In re Ngai 367 F.3d 1336, 1339, 70 USPQ2d 1862 (Fed. Cir. 2004); Ex parte Nehls 88 USPQ2d 1883, 1888-1889 (BPAI 2008); In re Lowry, 32 USPQ2d 1031 (Fed. Cir. 1994); MPEP § 2111.05; Cf. In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 401, 404 (Fed. Cir. 1983)).; and a software identifier (Levy:  program updates is enabled every time a secure communication session is established and EV periodically check for upgrades; Para. 0048)(examiner note: software/program upgrade request contains software/program identifier). 
wherein the platform certificate provides a hardware identity associated with an electric vehicle communication controller as disclosed by Levy. One of ordinary skill in the art would have been motivated to make this modification in order to secure manage electric vehicle recharging through using certificates as suggested by Levy (Levy: Para. 0023). 
However, in the same field of endeavor, Nara teaches wherein information associated with at least one of the current monitoring node values and the access request is stored in a secure, distributed transaction ledger (Nara: Fig. 6A: Distributed ledger (630), blockchain (632), new block (650); Para. 0008: wherein the processor is configured to perform one or more of connect to a blockchain network that includes a plurality of charging station nodes, acquire a current battery data from a charging station node of the plurality of the charging station node, the current battery data includes a battery identification (ID), store the current battery data with a timestamp onto a blockchain ledger; Para. 0084: The block data 670 may store transactional information of each transaction that is recorded within the block 650. For example, the transaction data may include one or more of a type of the transaction, a version, a timestamp, a channel ID of the distributed ledger 630, a transaction ID, an epoch, a payload visibility, a chaincode path (deploy tx), a chaincode name, a chaincode version, input (chaincode and functions), a client (creator) identify such as a public key and certificate, a signature of the client). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by Karner and Levy to include wherein information associated with at least one of the current monitoring node values and the access request is stored in a secure, distributed transaction ledger as disclosed by Nara. One of ordinary skill in 
Regarding claim 2, combination of Karner, Levy and Nara teaches the system of claim 1. In addition, Nara further teaches wherein the secure, distributed transaction ledger is associated with an attestation blockchain (Nara: Fig. 6A: Distributed ledger (630), blockchain (632), new block (650); Para. 0008: wherein the processor is configured to perform one or more of connect to a blockchain network that includes a plurality of charging station nodes, acquire a current battery data from a charging station node of the plurality of the charging station node, the current battery data includes a battery identification (ID), store the current battery data with a timestamp onto a blockchain ledger; Para. 0084: The block data 670 may store transactional information of each transaction that is recorded within the block 650. For example, the transaction data may include one or more of a type of the transaction, a version, a timestamp, a channel ID of the distributed ledger 630, a transaction ID, an epoch, a payload visibility, a chaincode path (deploy tx), a chaincode name, a chaincode version, input (chaincode and functions), a client (creator) identify such as a public key and certificate, a signature of the client).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the secure, distributed transaction ledger is associated with an attestation blockchain as disclosed by Nara. One of ordinary skill in the art would have been motivated to make this modification in order to obtain permissioned request on the blockchain as suggested by Nara (Nara: Para. 0064). 
Regarding claim 3, combination of Karner, Levy and Nara teaches the system of claim 1. In addition, Karner teaches wherein the current monitoring node values are associated with at least one of: (i) voltage, (ii) current, (iii) a charging rate limit, (iv) a duty ratio, (v) a transformer temperature, (vi) a load, (vii) a visit date, (viii) a driver preference, (ix) a radio frequency identifier tag, (x) a demand the measurement module can be configured to measure a first measurement of the electricity used to charge the rechargeable energy storage system, and the timing module can be configured to measure at least one of (a) a second measurement of a first quantity of time during which the electricity is used to charge the rechargeable energy storage system or (b) a third measurement of a second quantity of time during which the electric vehicle occupies a space located adjacent to the electricity transmission module).
Regarding claim 4, combination of Karner, Levy and Nara teaches the system of claim 1. In addition, Karner further teaches wherein the access request is further associated with at least one of: (i) a trusted platform module, (ii) a hardware root of trust, (iii) platform configuration 35Docket No: 327192_1 (G30.286) registers, (iv) a trusted connection network, (v) a policy enforcement point, and (vi) an electric vehicle power standard (Karner: Para. 0025: The administrative module can be configured to authenticate a user via radio frequency identification and to administrate payment by the user for using the system to charge the rechargeable energy storage system); 
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Karner in view of Levy and Nara, and further in view of Kim et al. (US20150113275, hereinafter Kim).
Regarding claim 5, combination of Karner, Levy and Nara teaches the system of claim 1.
Yet, the combination does not teach wherein bi-directional authentication of the electric vehicle and the electric vehicle charging site is performed.
However, in the same field of endeavor, Kim teaches wherein bi-directional authentication of the electric vehicle and the electric vehicle charging site is performed (Kim: Para. 0004: Embodiments of the invention provide tamper-resistant and scalable mutual authentication for machine-to-machine devices. While not limited thereto, such authentication techniques are particularly suitable for use with devices involved in controlled electric vehicle charging operations; Para. 0083: we view the EV authentication problem as a mutual-authentication problem within a mobile and hostile machine-to-machine (M2M) communication setting. We describe a mutual authentication system tamper-resistant and scalable mutual authentication framework, or TSAF, that can support large-scale grid-connected EV charging). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include  wherein bi-directional authentication of the electric vehicle and the electric vehicle charging site is performed as disclosed by Kim. One of ordinary skill in the art would have been motivated to make this modification in order to provide scalable mutual authentication between electric vehicle and charging station as suggested by Kim (Kim: Para. 0016).    
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Karner in view of Levy and Nara, and further in view of Kruszelnicki  (US20180339601, hereinafter Krus).
Regarding claim 6, combination of Karner, Levy and Nara teaches the system of claim 1.
Yet, the combination does not teach wherein the electric vehicle charging site is associated with extreme fast charging.
However, in the same field of endeavor, Krus teaches wherein the electric vehicle charging site is associated with extreme fast charging (Krus: Para. 0014: At up to 1 MW delivered to the EV, the charging station system provides extremely fast charging of the battery, the highest efficiency, and the lowest cost for a charging station system having such power output). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the electric vehicle charging site is associated with extreme fast charging as disclosed by Krus. One of ordinary skill in the art would have been motivated to make this modification in order to enable fast and efficient charging of electric vehicles as suggested by Krus (Krus: Para. 0010). 
Claim 7-9, 16-21, and 24-29 are rejected under 35 U.S.C. 103 as being unpatentable over Karner in view of Levy and Nara, and further in view of Evans et al. (US20140289852, hereinafter Evans).
Regarding claim 7, combination of Karner, Levy and Nara teaches the system of claim 1.
Yet, the combination does not teach a node classifier computer, coupled to the plurality of monitoring nodes, to: (i) receive the series of current monitoring node values and generate a set of current feature vectors, (ii) access at least one multi-class classifier model having at least one decision boundary, and (iii) execute the at least one multi-class classifier model and transmit a classification result based on the set of current feature vectors and the at least one decision boundary, wherein the classification result indicates whether a monitoring node status is normal, attacked, or fault.
However, in the same field of endeavor, Evans teaches a node classifier computer, coupled to the plurality of monitoring nodes (Evans: Para. 0018: the system 100 includes a monitoring module 110, a communication link 140, and plural functional systems 150 (monitoring nodes)… the monitoring module 110 is configured to monitor the state or condition of the functional system 150; Para. 0051: The depicted identification module 430 (classifier) is configured to identify a current state or condition of a system. In the illustrated embodiment, the identification module 430 includes an anomaly fault module 432 and a classification module 434), to: (i) receive the series of current monitoring node values and generate a set of current feature vectors (Evans: Para. 0049: The data acquisition 410 module is configured to obtain data. The data acquisition module 110, for example, may receive physical information from one or more sensors or detection channels associated with a functional system, as well as cyber security data of the system; Para. 0036: a model may be developed by generating data, extracting features of interest, and then designing classifiers (or identifiers). In various embodiments, the generating of data may include collecting data and correlating the data to a known process being executed by a system (or saving the data for correlation to a subsequent identification of the process being executed). Data may be collected for both normal and malicious processes. The data may then be analyzed to determine one or more features or parameters that may be used to build a model to identify a particular process (or state associated with a process)), (ii) access at least one multi-class classifier model having at least one decision boundary (Evans: Para. 0041: the identification module 120 may receive physical analysis information form the physical analysis module 112 and cyber analysis information from the cyber analysis module 114, and apply one or more modules from the modeling module 118 to all or a portion of the received information to determine a state of the functional system 150 based on the received information; Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign), and (iii) execute the at least one multi-class classifier model and transmit a classification result based on the set of current feature vectors and the at least one decision boundary, wherein the classification result indicates whether a monitoring node status is normal, attacked, or fault (Evans: Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign). 

Regarding claim 8, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein decision fusion resides in the secondary actor policy decision point (Evans: Para. 0035: Plural models may be combined, for example, by ensemble or fusion techniques. In various embodiments, historical data and/or running totals of parameters may be utilized to develop or modify models; Para. 0051: the identification module 430 includes an anomaly fault module 432 and a classification module 434. The anomaly fault module 432 is configured to detect an anomaly or fault, for example, via the use of a model. For example, a measure, comparison, combination, or the like of a number of parameters (physical, cyber, or both) corresponding to a detected state may be compared to corresponding measures, comparisons, combinations, or the like of known conditions or faults to determine if a detected state is a normal condition or a fault. The classification module 434 is configured, for example via the use of a model based on historical information, to classify a given detected fault. The classification module 434 may classify the fault as either malicious or non-malicious, and/or may identify the fault as a particular specific fault or belonging to a particular group, family, or type of fault). 

Regarding claim 9, combination of Karner, Levy, Nara and Evans teaches the system of claim 8. In addition, Evans teaches wherein the classification result is transmitted to the secondary actor policy decision point, and the classification result and an output of a platform identity evaluation in secondary actor policy decision point are fused to a final decision, including allowing or refusing an electrical or communication connection (Evans: Fig. 4: Identification module (430); fault prognosis module (440); maintenance and scheduling module (450); Para. 0052: The fault prognosis module 440 is configured to provide an estimated life or lives for one or more aspects of the system being analyzed. For example, the fault prognosis module 440 may provide one or more of a remaining useful life based on a remaining secure life…..The estimated life (or lives) are provided in the illustrated embodiment to the maintenance and scheduling module 450. Based on both the type of fault (or faults identified) as well as the estimated life (or lives remaining), the maintenance and scheduling module 450 may identify both an appropriate corresponding remedial action (or actions) and time (or times) to perform the remedial action(s). Remedial actions may address physical (benign) and/or cyber security (malicious) faults, and may include one or more of replacement of a part, repair or re-furbishing of a part, shutdown of a system, re-imaging of one or more aspects of system, use of anti-malware software, or the like). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the classification result is transmitted to the secondary actor policy decision point, and the 
Regarding claim 16, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein decision fusion is within at least one of: (i) a raw data level, (ii) a feature level, and (iii) a decision level (Evans: Para. 0051: The depicted identification module 430 is configured to identify a current state or condition of a system. In the illustrated embodiment, the identification module 430 includes an anomaly fault module 432 and a classification module 434. The anomaly fault module 432 is configured to detect an anomaly or fault, for example, via the use of a model. For example, a measure, comparison, combination, or the like of a number of parameters (physical, cyber, or both) corresponding to a detected state may be compared to corresponding measures, comparisons, combinations, or the like of known conditions or faults to determine if a detected state is a normal condition or a fault. The classification module 434 is configured, for example via the use of a model based on historical information, to classify a given detected fault. The classification module 434 may classify the fault as either malicious or non-malicious, and/or may identify the fault as a particular specific fault or belonging to a particular group, family, or type of fault).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein decision fusion is within at least one of: (i) a raw data level, (ii) a feature level, and (iii) a decision level as disclosed by Evans. One of ordinary skill in the art would have been motivated to make 
Regarding claim 17, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein at least one monitoring node is associated with at least one of: (i) a sensor node, (ii) a critical sensor node, (iii) an actuator node, (iv) a controller node, and (v) a key software node (Evans: Para. 0003: The physical analysis module is configured to obtain, via one or more sensors, physical diagnostic information describing at least one of an operational or environmental state of a functional system). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein at least one monitoring node is associated with at least one of: (i) a sensor node, (ii) a critical sensor node, (iii) an actuator node, (iv) a controller node, and (v) a key software node as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 18, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein the classification result further includes, in the case of a monitoring node status indicating a fault, a failure mode (Evans: Para. 0017: Various embodiments provide for improved identification of a state of a system, improved characterization of detected faults as malicious or benign… A benign or non-malicious fault may be understood as a fault not occurring due to an attack on a computer system, but instead occurring, for example, due to normal wear and tear or the failure of a physical component). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include   as 
Regarding claim 19, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein the set of current feature vectors includes at least one of: (i) a local feature vector associated with a particular monitoring node, and (ii) a global feature vector associated with a plurality of monitoring nodes (Evans: Para. 0049: The data acquisition 410 module is configured to obtain data. The data acquisition module 110, for example, may receive physical information from one or more sensors or detection channels associated with a functional system, as well as cyber security data of the system…. Data from the data acquisition module 410 in the illustrated embodiment is obtained by the preprocessing module 420; Para. 0050: the preprocessing module 420 includes a signal processing module 422 and a feature extraction module 424…. The feature extraction module 424 may be configured to identify and extract features that have been identified as pertinent or relevant to an analysis to be performed. For example, the features to be extracted may be identified based on a model (e.g., a model developed by a modeling module such as modeling module 118). Information corresponding to the extracted features may then be provided to the identification module 430). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include 
Regarding claim 20, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein the set of current feature vectors are associated with at least one of (i) principal components, (ii) statistical features, (iii) deep learning features, (iv) frequency domain features, (v) time series analysis features, (vi) logical features, (vii) geographic or position based locations, and (viii) interaction features (Evans: Para. 0036: Statistical descriptors and/or shapes associated with the data may be used to identify and/or extract features). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the set of current feature vectors are associated with at least one of (i) principal components, (ii) statistical features, (iii) deep learning features, (iv) frequency domain features, (v) time series analysis features, (vi) logical features, (vii) geographic or position based locations, and (viii) interaction features as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 21, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein the multi-class classifier model is associated with at least one of: (i) an actuator attack, (ii) a controller attack, (iii) a monitoring node attack, (iv) a plant state attack, (v) spoofing, (vi) financial damage, (vii) unit availability, (viii) a unit trip, (ix) a loss of unit life, and (x) asset damage requiring at least one new part (Evans: Para. 0031: Cyber security attacks may include attacks such as viruses, spoofing, malware; Para. 0042: a functional system or component of a functional system such as a programmable logic controller (PLC) may be spoofed in an attempt to evade cyber security measures. However, in various embodiments, the analysis of parameters corresponding to the operation of the PLC (in addition or alternatively to conventional cyber security parameters or analysis) may determine that an abnormal condition is being run and identify the abnormal condition as a security threat. For example, the abnormal condition may be identified via the use of one or more models based on historical data regarding the cyberattack and/or the normal operation of the PLC). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the multi-class classifier model is associated with at least one of: (i) an actuator attack, (ii) a controller attack, (iii) a monitoring node attack, (iv) a plant state attack, (v) spoofing, (vi) financial damage, (vii) unit availability, (viii) a unit trip, (ix) a loss of unit life, and (x) asset damage requiring at least one new part as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 24, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Karner teaches system(s) functioning as electric vehicle charging infrastructure (Karner: Para. 0003: This invention relates generally to systems for charging electric vehicles, and relates more particularly to such systems operating as dynamic constituents of a network of electric vehicle charging stations; Para. 0076: system 100 can be configured to monitor and regulate electric vehicle charging station 105). 
In addition, Evans teaches wherein said executing includes: determining, by a global binary classifier, whether the functional system is normal or abnormal (Evans: Para. 0020: the functional system 150 is configured to perform a useful or productive task. Functional systems 150 may be used for a variety of tasks and/or in a variety of industries. By way of example, functional systems 150 may be utilized in energy, aviation, oil and gas, healthcare, rail transport; Para. 0055: At 502, physical diagnostic information is obtained. For example, the physical information may be obtained from one or more sensors or detection channels associated with one or more physical aspects or portions of a functional system, and/or associated with operation of the functional system; Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510; Fig. 5, Fault? (step 508) Yes/No), when the function system is abnormal, determining, by a 3-class classifier for each monitoring node, whether the node is normal, attacked, or faulty (Evans: Para. 0058: If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign); and when a node is faulty, determining, by a multi-class classifier for each monitoring node, a failure mode for the monitoring node (Evans: Para. 0058: If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign. Further, a particular fault or type of fault may be identified). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein said executing includes: determining, by a global binary classifier, whether the electric vehicle charging infrastructure is normal or abnormal, when the electric vehicle charging infrastructure is abnormal, determining, by a 3-class classifier for each monitoring node, whether the node is normal, attacked, or faulty; and when a node is faulty, determining, by a multi-class classifier for each monitoring node, a failure mode for the monitoring node as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 25, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Karner teaches system(s) functioning as electric vehicle charging infrastructure (Karner: This invention relates generally to systems for charging electric vehicles, and relates more particularly to such systems operating as dynamic constituents of a network of electric vehicle charging stations; Para. 0076: system 100 can be configured to monitor and regulate electric vehicle charging station 105). 
In addition, Evans teaches wherein said executing includes determining, by a global binary classifier, whether the function system is normal or abnormal (Evans: Para. 0020: the functional system 150 is configured to perform a useful or productive task. Functional systems 150 may be used for a variety of tasks and/or in a variety of industries. By way of example, functional systems 150 may be utilized in energy, aviation, oil and gas, healthcare, rail transport; Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510; Fig. 5, Fault? (step 508) Yes/No); and when the function system is abnormal, determining, by a multi-class classifier for each monitoring node, whether the node is normal, attacked, or one of a pre-determined number of failure modes (Evans: Para. 0058: If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein said executing includes determining, by a global binary classifier, whether the electric vehicle charging infrastructure is normal or abnormal; and when the electric vehicle charging infrastructure is abnormal, determining, by a multi-class classifier for each monitoring node, whether the node is normal, 
Regarding claim 26, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches determining, by a 3-class classifier for each monitoring node, whether the node is normal, attacked, or faulty; and when a node is faulty (Evans: Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510; Fig. 5, Fault? (step 508) Yes/No), determining, by a multi-class classifier for each monitoring node, a failure mode for the monitoring node (Evans: Para. 0058: If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign. Further, a particular fault or type of fault may be identified). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include determining, by a 3-class classifier for each monitoring node, whether the node is normal, attacked, or faulty; and when a node is faulty, determining, by a multi-class classifier for each monitoring node, a failure mode for the monitoring node as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 27, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches determining, by a multi-class classifier for each monitoring node, whether the At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510; Fig. 5, Fault? (step 508) Yes/No).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include determining, by a multi-class classifier for each monitoring node, whether the node is normal, attacked, or faulty, or one of a pre-determined number of failure modes as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 28, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein said executing includes determining, by global multi-class classifier, whether each monitoring node is normal or abnormal (Evans: Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510; Fig. 5, Fault? (step 508) Yes/No); when a monitoring node is abnormal, determining, by a binary classifier for each monitoring node, whether the node is attacked or faulty (Evans: Para. If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign); and when a node is faulty, determining, by a multi-class classifier for each monitoring node, a failure mode for the monitoring node (Evans: Para. 0058: If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign. Further, a particular fault or type of fault may be identified). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include determining, by global multi-class classifier, whether each monitoring node is normal or abnormal; when a monitoring node is abnormal, determining, by a binary classifier for each monitoring node, whether the node is attacked or faulty; and when a node is faulty, determining, by a multi-class classifier for each monitoring node, a failure mode for the monitoring node as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Regarding claim 29, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Evans teaches wherein said executing includes determining, by global multi-class classifier, whether each monitoring node is normal or abnormal (Evans: Para. 0058: At 508, it is determined if one or more of the states determined at 506 correspond to a fault. The determination may be performed (e.g., by a processing module such as the monitoring module 110 described herein) via one or models based on information received at 502 and/or 504 (or portions of the information and/or information derived from all or a portion of the information received at 502 and/or 504). If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510; Fig. 5, Fault? (step 508) Yes/No); when a monitoring node is abnormal, determining, by a binary classifier for each monitoring node, whether the node is attacked or one of a pre-If no state is determined to correspond to a fault, the method 500 proceeds to 512. If a fault is determined, the method proceeds to 510, where the fault is identified as malicious or benign. Further, a particular fault or type of fault may be identified; Para. 0017: A benign or non-malicious fault may be understood as a fault not occurring due to an attack on a computer system, but instead occurring, for example, due to normal wear and tear or the failure of a physical component. Examples of benign or non-malicious fault include bearing wear, failure of a physical component, cracking of a structural member, seizing of a bearing, failure of a seal resulting in leakage and/or an inappropriate pressure, blockage of a fuel line, or the like). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein said executing includes determining, by global multi-class classifier, whether each monitoring node is normal or abnormal; when a monitoring node is abnormal, determining, by a binary classifier for each monitoring node, whether the node is attacked or one of a pre-determined number of failure modes as disclosed by Evans. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious as well as non-malicious fault for the system being monitored as suggested by  Evans (Evans: Para. 0002).
Claim 10-15 are rejected under 35 U.S.C. 103 as being unpatentable over Karner in view of Levy, Nara and Evans, and further in view of Hong et al. (US20200162487, hereinafter Hong).
Regarding claim 10, combination of Karner, Levy, Nara and Evans teaches the system of claim 7.
Yet, the combination does not explicitly teach wherein decision fusion resides in a Charging Station Energy Management System ("EMS-Si").
However, in the same field of endeavor, Hong teaches wherein decision fusion resides in a Charging Station Energy Management System ("EMS-Si") (Hong: Fig. 1: EV charger (150, 152, 154), CADS logic unit (160, 162, 164); Para. 0014: each electric vehicle charger 150, 152, 154, which may be connected to a corresponding converter 140, 142, 144 (e.g., any device or circuitry configured to convert alternating current (AC) to direct current (DC)), includes a collaborative anomaly detection system (CADS) logic unit 160, 162, 164, each of which may be embodied as any device or circuitry capable of detecting abnormal behaviors in the charging station 110 by monitoring both host-based activities (e.g., within the corresponding electric vehicle charger 150) and monitoring communications on a network 134 between the electric vehicle chargers 150, 152, 154 and other devices (e.g., the charging station management system 130, remote devices of a cloud service, etc.), determining whether any of the activities are abnormal (e.g., anomalies indicative of a cybersecurity threat)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein decision fusion resides in a Charging Station Energy Management System ("EMS-Si") as disclosed by Hong. One of ordinary skill in the art would have been motivated to make this modification in order to detect abnormal activities in an electric vehicle charging station as suggested by Hong (Hong: abstract).
Regarding claim 11, combination of Karner, Levy, Nara, Evans and Hong teaches the system of claim 10.
In addition, Hong teaches wherein the output of the secondary actor policy decision point is transmitted to the EMS-Si, and the classification result and a detection feature or decision from malware propagation containment module, stability monitoring and assurance module, and the output of a platform identity evaluation in the secondary actor policy decision point are fused to a final decision, including allowing or refusing an electrical or communication connection (Hong: Para. 0020: The CADS logic unit 160, in the illustrative embodiment, includes a host-based anomaly detection logic unit 230, a network-based anomaly detection logic unit 232, and a machine learning-based mitigation logic unit 234….The host-based anomaly detection logic unit 230 may be embodied as any device or circuitry (e.g., a processor, an ASIC, etc.) configured to monitor the system and security logs generated by processes (e.g., operating system processes, application processes, etc.) executed by the compute engine 210 to identify whether an anomaly (e.g., an unauthorized file system modification, an unauthorized firmware update, an abnormal application installation, etc.) has occurred within the electric vehicle charger 150. The network-based anomaly detection logic unit 232 may be embodied as any device or circuitry (e.g., a processor, an ASIC, etc.) configured to monitor all communication connections of the electric vehicle charger 150 to other devices (e.g., devices in communication with the EV charger 150 through the communication circuitry 218). In doing so, the network-based anomaly detection logic unit 232 may detect network-based anomalies (e.g., denial of service (DoS) attacks, replay attacks, or unauthorized communication connections)….. the machine learning-based mitigation logic unit 234, in the illustrative embodiment, enables the CADS logic unit 160 to identify abnormal activities (e.g., anomalies) occurring within the electric vehicle charger 150 (e.g., based on data monitored by the host-based anomaly detection logic unit 230) and/or abnormal activities in communication connections with other devices (e.g., based on data monitored by the network-based anomaly detection logic unit 232). Furthermore, in the illustrative embodiment, the machine learning-based mitigation logic unit 234 is configured to determine a responsive action to perform, based on a determination of whether a cyberattack has been identified and the type of cyberattack that has been identified, such as by sending a control command to another device (e.g., another electric vehicle charger 152, 154 or the charging station management system 130) to disconnect a communication connection to the charging station, correcting compromised sensor measurements, blocking a start or stop command issued from another device to an electric vehicle charger 150, 152, 154, controlling the operation of a local energy source 132, dropping abnormal packets, issuing an alarm to one or more devices, and/or performing other responsive actions). 

Regarding claim 12, combination of Karner, Levy, Nara and Evans teaches the system of claim 7.
Yet, the combination does not explicitly teach wherein decision fusion resides in a Centralized Distribution Substation Energy Management System ("EMS-DS") or a Centralized Multiple Charging Stations Energy Management System ("EMS-CO").
However, in the same field of endeavor, Hong teaches wherein decision fusion resides in a Centralized Distribution Substation Energy Management System ("EMS-DS") or a Centralized Multiple Charging Stations Energy Management System ("EMS-CO") (Hong: Fig. 1: Charging station management system (130); CADS logic unit (166); Para. 0014: the EV chargers 150, 152, 154 are not equipped with the CADS logic units 160, 162, 164 and the cyberattack detection operations are performed only by the charging station management system 130 (e.g., using the CADS logic unit 166)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein decision fusion resides in a Centralized Distribution Substation Energy Management System ("EMS-DS") or a Centralized Multiple Charging Stations Energy Management System ("EMS-CO") as disclosed by Hong. One of ordinary skill in the art would have been motivated to make this modification 
Regarding claim 13, combination of Karner, Levy, Nara, Evans and Hong teaches the system of claim 12.
In addition, Hong teaches wherein the output of the secondary actor policy decision point is transmitted to a Charging Station Energy Management System ("EMS-Si"), and the classification result and the detection feature or decision from malware propagation containment module, stability monitoring and assurance module, and the output of platform identity evaluation in the secondary actor policy decision point are fused to a final decision, including allowing or refusing an electrical or communication connection (Hong: Para. 0020: The CADS logic unit 160, in the illustrative embodiment, includes a host-based anomaly detection logic unit 230, a network-based anomaly detection logic unit 232, and a machine learning-based mitigation logic unit 234….The host-based anomaly detection logic unit 230 may be embodied as any device or circuitry (e.g., a processor, an ASIC, etc.) configured to monitor the system and security logs generated by processes (e.g., operating system processes, application processes, etc.) executed by the compute engine 210 to identify whether an anomaly (e.g., an unauthorized file system modification, an unauthorized firmware update, an abnormal application installation, etc.) has occurred within the electric vehicle charger 150. The network-based anomaly detection logic unit 232 may be embodied as any device or circuitry (e.g., a processor, an ASIC, etc.) configured to monitor all communication connections of the electric vehicle charger 150 to other devices (e.g., devices in communication with the EV charger 150 through the communication circuitry 218). In doing so, the network-based anomaly detection logic unit 232 may detect network-based anomalies (e.g., denial of service (DoS) attacks, replay attacks, or unauthorized communication connections)….. the machine learning-based mitigation logic unit 234, in the illustrative embodiment, enables the CADS logic unit 160 to identify abnormal activities (e.g., anomalies) occurring within the electric vehicle charger 150 (e.g., based on data monitored by the host-based anomaly detection logic unit 230) and/or abnormal activities in communication connections with other devices (e.g., based on data monitored by the network-based anomaly detection logic unit 232). Furthermore, in the illustrative embodiment, the machine learning-based mitigation logic unit 234 is configured to determine a responsive action to perform, based on a determination of whether a cyberattack has been identified and the type of cyberattack that has been identified, such as by sending a control command to another device (e.g., another electric vehicle charger 152, 154 or the charging station management system 130) to disconnect a communication connection to the charging station, correcting compromised sensor measurements, blocking a start or stop command issued from another device to an electric vehicle charger 150, 152, 154, controlling the operation of a local energy source 132, dropping abnormal packets, issuing an alarm to one or more devices, and/or performing other responsive actions). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the output of the secondary actor policy decision point is transmitted to a Charging Station Energy Management System ("EMS-Si"), and the classification result and the detection feature or decision from malware propagation containment module, stability monitoring and assurance module, and the output of platform identity evaluation in the secondary actor policy decision point are fused to a final decision, including allowing or refusing an electrical or communication connection as disclosed by Hong. One of ordinary skill in the art would have been motivated to make this modification in order to detect abnormal activities in an electric vehicle charging station as suggested by Hong (Hong: abstract).
Regarding claim 14, combination of Karner, Levy, Nara and Evans teaches the system of claim 7.

However, in the same field of endeavor, Hong teaches wherein decision fusion resides in in both a Centralized Distribution Substation Energy Management System ("EMS-DS") and a Charging Station Energy Management System ("EMS-Si") (Hong: Fig. 1: EV charger (150, 152, 154), CADS logic unit (160, 162, 164); Charging station management system (130); CADS logic unit (166); Para. 0014:  the charging station management system 130 may include a CADS logic unit 166, similar to the CADS logic units 160, 162, 164. As such, the CADS logic unit 166 may be configured to receive information (e.g., measurements, logs and system status) from the EV chargers 150, 152, 154 and execute the cyberattack detection (e.g., CADS) operations described with reference to the CADS logic units 160, 162, 164). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein decision fusion resides in in both a Centralized Distribution Substation Energy Management System ("EMS-DS") and a Charging Station Energy Management System ("EMS-Si") as disclosed by Hong. One of ordinary skill in the art would have been motivated to make this modification in order to detect abnormal activities in an electric vehicle charging station as suggested by Hong (Hong: abstract).
Regarding claim 15, combination of Karner, Levy, Nara, Evans and Hong teaches the system of claim 14.
In addition, Hong teaches wherein the EMS-Si aggregates information within the charging site to make a cyber protection decision; and the EMS-DS aggregates both the decision output and the device information from each EMS-Si to address a covert attack and coordinated attacks on multiple stations (Hong: Para. 0014:  the charging station management system 130 may include a CADS logic unit 166, similar to the CADS logic units 160, 162, 164. As such, the CADS logic unit 166 may be configured to receive information (e.g., measurements, logs and system status) from the EV chargers 150, 152, 154 and execute the cyberattack detection (e.g., CADS) operations described with reference to the CADS logic units 160, 162, 164; Para. 0020: The machine learning-based mitigation logic unit 234 may be embodied as any device or circuitry (e.g., a processor, an ASIC, etc.) configured to be trained (e.g., as a neural network or other machine learning algorithm) with training data indicative of normal operations (e.g., operations deemed normal, or operations with corresponding values (e.g., voltage values, current values, charging time periods, etc.) that fall within a predefined range (e.g., predefined tolerances)) and data indicative of anomalies (e.g., anomalies that have been previously identified as attacks against components of the charging station 110, operations that fall outside of predefined tolerances, operations associated with malfunctions, etc.). The training data may be continually updated (e.g., as new cyberattacks are identified). As such, the machine learning-based mitigation logic unit 234, in the illustrative embodiment, enables the CADS logic unit 160 to identify abnormal activities (e.g., anomalies) occurring within the electric vehicle charger 150 (e.g., based on data monitored by the host-based anomaly detection logic unit 230) and/or abnormal activities in communication connections with other devices (e.g., based on data monitored by the network-based anomaly detection logic unit 232). Furthermore, in the illustrative embodiment, the machine learning-based mitigation logic unit 234 is configured to determine a responsive action to perform, based on a determination of whether a cyberattack has been identified and the type of cyberattack that has been identified). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the EMS-Si aggregates information within the charging site to make a cyber protection decision; and the EMS-DS aggregates both the decision output and the device information from each EMS-Si to .
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Karner in view of Levy, Nara and Evans, and further in view of Li et al. (US20190215240, hereinafter Li).
Regarding claim 22, combination of Karner, Levy, Nara and Evans teaches the system of claim 7.
Yet, the combination does not teach wherein information from each of the plurality of monitoring nodes is normalized and an output is expressed as a weighted linear combination of basis functions.
However, in the same field of endeavor, Li teaches wherein information from each of the plurality of monitoring nodes is normalized and an output is expressed as a weighted linear combination of basis functions (Li: Para. 0046: contain four different components calculated as shown in blocks 706, 708, 710, and 712 and represented by the four terms in:
S jk=β1 X1,jk+β2 X2,jk+β3 X3,jk+β4 X4,jk,  
Para. 0047: The weighting coefficients β1, β2, β3, and β4 may be determined by experts of the electric grid. In one implementation β1, β2, β3, and β4 may be respectively set as 0.25; Para. 0103: the time-dependent load level for each network device may include a weighted linear combination of a service load capacity of each network device normalized to a total service load capacity of the service network and an forecasted time-dependent service load for each network device normalized between a forecasted next-month maximum and a minimum service load of each network device according to the historical service load data). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein information from each of the plurality of monitoring nodes is normalized and an output is . 
Claim 23, 30-33 are rejected under 35 U.S.C. 103 as being unpatentable over Karner in view of Levy, Nara and Evans, and further in view of Bushey et al. (US20170359366, hereinafter Bushey).
Regarding claim 23, combination of Karner, Levy, Nara and Evans teaches the system of claim 7.
Yet, the combination does not teach wherein the at least one decision boundary is associated with at least one of: (i) a line, (ii) a hyperplane, and (iii) a non-linear boundary.
However, in the same field of endeavor, Bushey teaches wherein the at least one decision boundary is associated with at least one of: (i) a line, (ii) a hyperplane, and (iii) a non-linear boundary (Bushey: Para. 0022: At S230, each generated current monitoring node feature vector may be compared to a corresponding decision boundary (e.g., a linear boundary, non-linear boundary, multi-dimensional boundary, etc.) for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the at least one decision boundary is associated with at least one of: (i) a line, (ii) a hyperplane, and (iii) a non-linear boundary as disclosed by Bushey. One of ordinary skill in the art would have been motivated to make this modification in order to detect cyber threats for industrial asset control system as suggested by Bushey (Bushey: Para. 0002). 
Regarding claim 30, combination of Karner, Levy, Nara and Evans teaches the system of claim 7. In addition, Karner teaches system(s) functioning as electric vehicle charging infrastructure (Karner: Para. 0003: This invention relates generally to systems for charging electric vehicles, and relates more particularly to such systems operating as dynamic constituents of a network of electric vehicle charging stations; Para. 0076: system 100 can be configured to monitor and regulate electric vehicle charging station 105). 
Yet, the combination does not explicitly teach a normal space data source storing, for each of the plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the electric vehicle charging infrastructure; an attacked space data source storing, for each of the plurality of monitoring nodes, a series of attacked monitoring node values over time that represent attacked operation of the electric vehicle charging infrastructure; a faulty space data source storing, for each of the plurality of monitoring nodes, a series of faulty monitoring node values over time that represent faulty operation of the electric vehicle charging infrastructure; and a multi-class classifier model creation computer, coupled to the normal space data source, the attacked space data source, and the fault space data source, to: (i) receive the series of normal monitoring node values and generate a set of normal feature vectors, (ii) receive the series of attacked monitoring node values and generate a set of attacked feature vectors, (iii) receive the series of faulty monitoring node values and generate a set of faulty feature vectors, and (iv) automatically calculate and output the at least one decision boundary for the multi-class classifier model based on the set of normal feature vectors, the set of attacked feature vectors, and the set of faulty feature vectors.
However, in the same field of endeavor, Bushey teaches a detection framework for various systems (Bushey: Para. 0052: the detection framework may allow for the development of tools that facilitate proliferation of the invention to various systems (i.e., gas turbines, steam turbines, wind turbines, aviation engines, locomotive engines, power grid, etc.) in multiple geolocations), a normal space data source storing, for each of the plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the system (Bushey: Para. 0014: The normal space data source 110 might store, for each of a plurality of “monitoring nodes” 130, a series of normal values over time that represent normal operation of an industrial asset control system); an The threatened space data source 120 might store, for each of the monitoring nodes 130, a series of threatened values that represent a threatened operation of the industrial asset control system (e.g., when the system is experiencing a cyber-attack); a faulty space data source storing, for each of the plurality of monitoring nodes, a series of faulty monitoring node values over time that represent faulty operation of the system (Bushey: Para. 0039: the system may detect degraded/faulty operation as opposed to a cyber-attack. Such decisions might utilize a data set associated with a degraded/faulty operating space. At the end of this process, the system may create data sets such as “attack v/s normal” and “degraded v/s normal” for use while constructing decision boundaries); and a multi-class classifier model creation computer (Bushey: Para. 0052: Thus, embodiments may enable the passive detection of indications of multi-class abnormal operations using real-time signals from monitoring nodes), coupled to the normal space data source, the attacked space data source, and the fault space data source, to: (i) receive the series of normal monitoring node values and generate a set of normal feature vectors (Bushey: Para. 0003: receiving, by a threat detection computer platform, real-time streams of monitoring node signal values over time that represent a current operation of the asset control system; means for generating, by the threat detection computer platform, a current monitoring node feature vector for each stream of monitoring node signal values), (ii) receive the series of attacked monitoring node values and generate a set of attacked feature vectors (Bushey: Para. 0003: receiving, by a threat detection computer platform, real-time streams of monitoring node signal values over time that represent a current operation of the asset control system; means for generating, by the threat detection computer platform, a current monitoring node feature vector for each stream of monitoring node signal values), (iii) receive the series of faulty monitoring node values and generate a set of faulty feature vectors (Bushey: Para. 0003: receiving, by a threat detection computer platform, real-time streams of monitoring node signal values over time that represent a current operation of the asset control system; means for generating, by the threat detection computer platform, a current monitoring node feature vector for each stream of monitoring node signal values; Para. 0039: the system may detect degraded/faulty operation as opposed to a cyber-attack. Such decisions might utilize a data set associated with a degraded/faulty operating space. At the end of this process, the system may create data sets such as “attack v/s normal” and “degraded v/s normal” for use while constructing decision boundaries), and (iv) automatically calculate and output the at least one decision boundary for the multi-class classifier model based on the set of normal feature vectors, the set of attacked feature vectors, and the set of faulty feature vectors (Bushey: Para. 0015: Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior); Para. 0022: a decision boundary might be generated, for example, in accordance with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include a normal space data source storing, for each of the plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the electric vehicle charging infrastructure; an attacked space data source storing, for each of the plurality of monitoring nodes, a series of attacked monitoring node values over time that represent attacked operation of the electric vehicle charging infrastructure; a faulty space data source storing, for each of the plurality of monitoring nodes, a series of faulty monitoring node values over time that represent faulty operation of the electric vehicle charging infrastructure; and a multi-class classifier model creation computer, coupled to the normal space data source, the attacked space data source, and the fault space data source, to: (i) 
Regarding claim 31, combination of Karner, Levy, Nara, Evans and Bushey teaches the system of claim 30. In addition, Bushey teaches wherein at least one of the series of normal monitoring node values, the series of attacked monitoring node values, and the series of faulty monitoring node values are associated with a high-fidelity equipment model (Bushey: Para. 0030: A threat detection system 360 may include one or more high-fidelity physics based models 342 associated with the power plant 332 to create normal data 310 and/or threat data 320; Para. 0022: a decision boundary might be generated, for example, in accordance with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein at least one of the series of normal monitoring node values, the series of attacked monitoring node values, and the series of faulty monitoring node values are associated with a high-fidelity equipment model as disclosed by Bushey. One of ordinary skill in the art would have been motivated to make this modification in order to detect cyber threats for industrial asset control system as suggested by Bushey (Bushey: Para. 0002).
Regarding claim 32, combination of Karner, Levy, Nara, Evans and Bushey teaches the system of claim 30. In addition, Bushey teaches wherein at least one decision boundary exists in a multi-dimensional space and is associated with at least one of: (i) a dynamic model, (ii) design of experiment data, (iii) machine learning techniques, (iv) a support vector machine, (v) a full factorial process, (vi) Taguchi screening, (vii) a central composite methodology, (viii) a Box-Behnken methodology, (ix) real-world operating conditions, (x) a full-factorial design, (xi) a screening design, and (xii) a central composite design (Bushey: Para. 0026: multiple algorithmic methods (e.g., support vector machines or machine learning techniques) may be used to generate decision boundaries). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein at least one decision boundary exists in a multi-dimensional space and is associated with machine learning techniques as disclosed by Bushey. One of ordinary skill in the art would have been motivated to make this modification in order to detect cyber threats for industrial asset control system as suggested by Bushey (Bushey: Para. 0002).
Regarding claim 33, combination of Karner, Levy, Nara, Evans and Bushey teaches the system of claim 30. In addition, Karner teaches system(s) functioning as electric vehicle charging infrastructure (Karner: Para. 0003: This invention relates generally to systems for charging electric vehicles, and relates more particularly to such systems operating as dynamic constituents of a network of electric vehicle charging stations; Para. 0076: system 100 can be configured to monitor and regulate electric vehicle charging station 105).
In addition, Bushey teaches wherein at least one of the normal, attacked, and faulty monitoring node values are obtained by running design of experiments on a system (Bushey: Para. 0039: the detailed physical response of the system must be known to create acceptable decision boundaries. This might be accomplished, for example, by constructing data sets for normal and abnormal regions by running Design of Experiments (“DoE”) experiments on high-fidelity models….. these DoE methods are also used to collect data from real-world power generator systems; Para. 0026: appropriate decision boundaries may be constructed in a multi-dimensional space using a data set which is obtained via scientific principles associated with DoE techniques). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein at least one of the normal, attacked, and faulty monitoring node values are obtained by running design of experiments on an electric vehicle charging infrastructure as disclosed by Bushey. One of ordinary skill in the art would have been motivated to make this modification in order to detect cyber threats for industrial asset control system as suggested by Bushey (Bushey: Para. 0002).

Allowable Subject Matter
Independent claim 34 would be allowable if filed a Terminal Disclaimer to overcome the rejection(s) under nonstatutory double patenting, set forth in this Office action.
Dependent claim 35 would also be allowed because it’s dependent on claim 34. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Mouftah et al., US20180336551: authentication between EV and CS with certificates
Sidle et al., US20190163178: Fig. 10, collecting data from faulty sensors
DeBoer et al., US20130141040: charging limiting and current monitoring for CS
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/L.C./Examiner, Art Unit 2438                                                                                                                                                                                                                                                                                                                                                                                                                                    /TAGHI T ARANI/                     Supervisory Patent Examiner, Art Unit 2438