DETAILED ACTION
Claims 1 and 2 are pending in the present application and are under examination on the merits. This communication is the first action on the merits (FAOM).
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
Applicant filed an Information Disclosure Statement (IDS) on 6/8/2020 and 4/11/2021. This filing is in compliance with 37 C.F.R. 1.97.
As required by M.P.E.P. 609(C), the applicant's submission of the Information Disclosure Statements is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609(C), copies of the respective PTOL-1449s initialed and dated by the examiner are attached to the instant office action.

Drawings
The drawings submitted on 6/8/2020 are accepted.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1 and 2 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication Number 2017/0214701 to Hasan (hereafter referred to as Hasan) in view of U.S. Patent Application Publication Number 2014/0199664 to Sadeh-Koniecpol et al. (hereafter referred to as Sadeh-Koniecpol).
As per claim 1, Heron teaches: 
A system for protection and secure data transportation of convergent operational technology and informational technology networks, comprising: a first computing device comprising a non-volatile storage device, a memory, and a processor; a visibility toolset manager comprising a first plurality of programming instructions stored in the memory of, and operating on the processor of, the first computing device, wherein the first plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to: (Paragraph Number [0004] teaches the system having a memory that stores programmed instructions, a processor that is coupled to the memory and executes the programmed instructions and at least one database, wherein the system comprising a computer implemented system of providing designated function. Paragraph Number [0260] shows how Inner Core 334 houses the essential core functions of the system, which are directly and exclusively programmed by relevant Cybersecurity Experts 319 via a Maintenance 318 platform. The Core Code 335 is rudimentary groundwork needed to run LIZARD. Within Core 336 Fundamental Frameworks and Libraries 336 holds all the needed function to operate LIZARD such as compression and comparison functions. Within Core 336 Thread Management and Load Balancing 337 enables LIZARD to scale over a cluster of servers efficiently whilst Communication and encryption Protocols defines the types of encryption used (i.e. AES, 
receive metadata about an operational technology system via network sensors on an operational technology network (Paragraph Number [0024] teaches ISP API request is made via the Trusted Platform and at Network Oversight network logs for the Arbitrary System and a potential file transfer to Criminal Computer are found, wherein metadata is used to decide with significant confidence which computer the file was sent to, wherein the Network Oversight discovers the network details of Criminal Computer and reroutes such information to the Trusted Platform, wherein the Trusted Platform is used to engage security APIs provided by Software and Hardware vendors to exploit any established backdoors that can aide the judicial investigation).
retrieve metadata about the operational technology system via 3rd party tools; and send the metadata to the operational technology toolset manager (Paragraph Number [0025] teaches the Trusted Platform pushes a software or firmware Update to the Criminal Computer to establish a new backdoor, wherein a Placebo Update is pushed to nearby similar machines to maintain stealth, wherein Target Identity Details are sent to the Trusted Platform, wherein the Trusted Platform communicates with a Software/Firmware Maintainer to push Placebo Updates and Backdoor Updates to the relevant computers, wherein the Backdoor Update introduces a new backdoor into the Criminal Computer's system by the using the pre-established software update system installed on the Computer, wherein the Placebo Update omits the backdoor, wherein the Maintainer transfers the Backdoor to the target, as well as to computers which have an 
an operational technology toolset manager comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the first computing device, wherein the second plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to: (Paragraph Number [0004] teaches the system having a memory that stores programmed instructions, a processor that is coupled to the memory and executes the programmed instructions and at least one database, wherein the system comprising a computer implemented system of providing designated function. Paragraph Number [0260] shows how Inner Core 334 houses the essential core functions of the system, which are directly and exclusively programmed by relevant Cybersecurity Experts 319 via a Maintenance 318 platform. The Core Code 335 is rudimentary groundwork needed to run LIZARD. Within Core 336 Fundamental Frameworks and Libraries 336 holds all the needed function to operate LIZARD such as compression and comparison functions. 
receive the metadata about the operational technology system from the visibility toolset manager (Paragraph Number [0025] teaches the Trusted Platform pushes a software or firmware Update to the Criminal Computer to establish a new backdoor, wherein a Placebo Update is pushed to nearby similar machines to maintain stealth, wherein Target Identity Details are sent to the Trusted Platform, wherein the Trusted Platform communicates with a Software/Firmware Maintainer to push Placebo Updates and Backdoor Updates to the relevant computers, wherein the Backdoor Update introduces a new backdoor into the Criminal Computer's system by the using the pre-established software update system installed on the Computer, wherein the Placebo Update omits the backdoor, wherein the Maintainer transfers the Backdoor to the target, as well as to computers which have an above average amount of exposure to the target, wherein upon implementation of the Exploit via the Backdoor Update the Sensitive File is quarantined and copied so that its metadata usage history can be later analyzed, wherein any supplemental forensic data is gathered and sent to the exploit's point of contact at the Trusted Platform).
generate data visualizations wherein the visualizations are hosted locally and accessed by a graphical web interface; and generate a graphical web interface (Paragraph Number [0233] teaches Management Console (MC) 23 is an intelligent 
forward the metadata as a processed metadata stream to the data tokenizer; receive an enhanced metadata stream from the data tokenizer, wherein the enhanced metadata stream comprises a cybersecurity profile of the operational technology system (Paragraph Number [0268] teaches Secret Token 424 is a security string that is generated and assigned by LIZARD. The Secret Token 424 does not prove to the Virtual Obfuscation System that the Suspicious Entity 415 is legitimate and harmless. Instead it allows the Entity that is indeed harmless to not proceed with its job since it knows it has been subject to a Partially 391 or Fully 394 Mock Data Environment. As long as an 
combine the enhanced metadata stream into a local metadata stream, wherein the local metadata stream comprises the received metadata about the operational technology system from the visibility toolset manager (Paragraph Number [0243] teaches Customizable Visuals 164 is for use by various enterprise departments (accounting, finance, HR, IT, legal, Security/Inspector General, privacy/disclosure, union, etc.) and stakeholders (staff, managers, executives in each respective department) as well as third party partners, law enforcement, etc. Integrated Single View 165 is a single view of all the potential capabilities such as monitoring, logging, reporting, event correlation, alert processing, policy/rule set creation, corrective action, algorithm tuning, service provisioning (new customers/modifications), use of trusted platform as well as third party services (including receiving reports and alerts/logs, etc. from third party services providers & vendors). Unified view on all aspects of security 165 is a collection of 
generate new data visualizations from the local metadata stream to the graphical web interface (Paragraph Number [0233] teaches Management Console (MC) 23 is an intelligent interface for humans to monitor and control complex and semi-automated systems. Intelligent Information & Configuration Management (I.sup.2CM) 24 contains an assortment of functions that control the flow of information and authorized system leverage. Paragraph Number [0243] teaches Customizable Visuals 164 is for use by various enterprise departments (accounting, finance, HR, IT, legal, Security/Inspector General, privacy/disclosure, union, etc.) and stakeholders (staff, managers, executives in each respective department) as well as third party partners, law enforcement, etc. Integrated Single View 165 is a single view of all the potential capabilities such as monitoring, logging, reporting, event correlation, alert processing, policy/rule set creation, corrective action, algorithm tuning, service provisioning (new customers/modifications), use of trusted platform as well as third party services (including receiving reports and alerts/logs, etc. from third party services providers & vendors). Unified view on all aspects of security 165 is a collection of visuals that represent perimeter, enterprise, data center, cloud, removable media, mobile devices, etc.)
analyze the cybersecurity profile from the local metadata stream; automatically adjust operating parameters of the operational technology system based on the cybersecurity profile (Paragraph Number [0263] teaches these two inputs correlate with Fundamental Frameworks and Libraries 336 and Security Policy 340/Enterprise Goals 341. It then uses such a codeset to modify the Base Iteration 356 according to the flaws 
a data tokenizer comprising a third plurality of programming instructions stored in the memory of, and operating on the processor of, the first computing device, wherein the third plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to: (Paragraph Number [0004] teaches the system having a memory that stores programmed instructions, a processor that is coupled to the memory and executes the programmed instructions and at least one database, wherein the system comprising a computer implemented system of providing designated function. Paragraph Number [0260] shows how Inner Core 334 houses the essential core functions of the system, which are directly and exclusively programmed by relevant Cybersecurity Experts 319 via a Maintenance 318 platform. The Core Code 335 is rudimentary groundwork needed to run LIZARD. Within Core 336 Fundamental Frameworks and Libraries 336 holds all the needed function to operate LIZARD such as compression and comparison functions. Within Core 336 Thread Management and Load Balancing 337 enables LIZARD to scale over a cluster of servers efficiently whilst Communication and encryption Protocols defines the types of encryption used (i.e. AES, RSA etc.). Within Core 336 Memory Management 339 allows the data that is interpreted and processed by LIZARD is efficiently managed within the server's Random Access Memory (RAM)).
receive the processed metadata stream from the operational technology toolset manager; pseudonymize the processed metadata stream; send the pseudonymized processed metadata stream to a midserver (Paragraph Number [0268] teaches Secret Token 424 is a security string that is generated and assigned by LIZARD. The Secret Token 424 does not prove to the Virtual Obfuscation System that the Suspicious Entity 415 is legitimate and harmless. Instead it allows the Entity that is indeed harmless to not proceed with its job since it knows it has been subject to a Partially 391 or Fully 394 Mock Data Environment. As long as an Entity is legitimate there should be no logistical problems of an employee/software etc. acting upon fake information and leading to real life issues (wrong address sent, wrong employee fired etc.) The Data Recall Trigger 414 only exists on legitimate enterprise functions and entities. By default, a legitimate entity will check an agreed upon location in the Embedded Server Environment 404 for the Token's 424 presence. If the Token is Missing 429 and 425, this indicates the likely scenario that this legitimate entity has been accidentally placed in a partially Mock Data Environment (because of the risk assessment of it being malware). Thereafter A Delayed Session 428 with the Delay Interface 426 is activated. If the Token is found 426 and 424, this indicates that the server environment is real and hence any delayed sessions are Deactivated 427).
receive a pseudonymized enhanced metadata stream from the midserver; de-pseudonymize the pseudonymized enhanced metadata stream into an enhanced metadata stream (Paragraph Number [0268] teaches Secret Token 424 is a security string that is generated and assigned by LIZARD. The Secret Token 424 does not prove to the Virtual Obfuscation System that the Suspicious Entity 415 is legitimate and harmless. Instead it 
send the enhanced metadata stream to the operational technology toolset manager (Paragraph Number [00268] teaches the Delay Interface 426 is a Module that is pre-installed directly on the entity. Upon indication of being in a Mock Environment 404, a delayed session will be activated. A delayed session means the processes of the entity are made artificially slow to grant Behavioral Analysis 403 time to make a decision about whether this entity is harmless or malicious. Practically such a delay is expected to take several seconds per action. It is extremely difficult for actual malware to ever gain a copy of the Secret Token (which itself can be changed and regenerated routinely), because it is only secretly embedded on a 100% Real Data system, which malware is almost never likely to ever be on. In the case scenario that the Secret Token is not found, the Delay Interface 426 is engaged which implies the entity acts patient until it is regranted Real Data Access by Behavioral Analysis 403).
a cloud-based cybersecurity platform comprising a fourth plurality of programming instructions stored in the memory of, and operating on the processor of, the first computing device, wherein the fourth plurality of programming instructions, when operating on the processor of the first computing device, cause the computing device to: (Paragraph Number [0004] teaches the system having a memory that stores programmed instructions, a processor that is coupled to the memory and executes the programmed instructions and at least one database, wherein the system comprising a computer implemented system of providing designated function. Paragraph Number [0260] shows how Inner Core 334 houses the essential core functions of the system, which are directly and exclusively programmed by relevant Cybersecurity Experts 319 via a Maintenance 318 platform. The Core Code 335 is rudimentary groundwork needed 
ingest the pseudonymized processed metadata stream from the midserver; transform the pseudonymized processed metadata stream into a cyber physical graph (Paragraph Number [0243] teaches at this stage of the process labelled Intelligent Contextualization 156 the remaining data now looks like a cluster of islands, each island being a cybersecurity threat. Correlations are made inter-platform to mature the security analysis. Historical data is accessed (from I.sup.2GE 21 as opposed to LIZARD 16) to understand threat patterns, and CTMP is used for critical thinking analysis. With Threat Dilemma Management 157 the cybersecurity threat is perceived from a bird's eye view (big picture). Such a threat is passed onto the management console for a graphical representation. Since calculated measurements pertaining to threat mechanics are finally merged from multiple platforms; a more informed threat management decision can be automatically performed).
generate a cybersecurity profile of the operational technology network; generate a cybersecurity profile of the information technology network (Paragraph Number [0297] teaches with the Stacking Quantity Perception 698, instead of receiving third dimensional depth as per Dimensional 699, the security response 693A is found to be a part of a set of 
generate a new set of operating parameters for the informational technology system based on the cybersecurity profile of the information technology network (Paragraph Number [0263] teaches these two inputs correlate with Fundamental Frameworks and Libraries 336 and Security Policy 340/Enterprise Goals 341. It then uses such a codeset to modify the Base Iteration 356 according to the flaws the AST 17 found. After the differential logic is applied, a New Iteration 355 is proposed, upon which the iteration Core 347 is recursively called and undergoes the same process of being tested by AST 17. With Queued Security Scenarios 360 multiple scenarios that collectively perform a comprehensive test of the Dynamic Shell 313 at all known points of security).
generate a new set of operating parameters for the operational technology system based on the cybersecurity profile of the operational technology network (Paragraph Number [0254] teaches a special API with the Trusted Platform 10 is used to push a software or firmware Update 289 to the Criminal Computer 229 to establish a new 
combine the cybersecurity profiles, the new sets of operating parameters, and the cyber physical graphs into the enhanced metadata stream (Paragraph Number [0254] teaches a special API with the Trusted Platform 10 is used to push a software or firmware Update 289 to the Criminal Computer 229 to establish a new backdoor. A Placebo Update 288 is pushed to nearby similar machines to maintain stealth. The Enterprise System 228 sends the Target Identity Details 297 to the Trusted Platform 10. Such details include MAC Address/IP Address 239. Trusted Platform 10 communicates with a Software/Firmware Maintainer 287 to push Placebo Updates 288 and Backdoor Updates 289 to the relevant computers. A Backdoor Update introduces a new backdoor into the Criminal Computer's 229 system by the using the pre-established software update system installed on the Computer. Such an update could be for the operating system, the BIOS (firmware), a specific software like a word processor. The Placebo Update 288 omits the 
pseudonymize the enhanced metadata stream; send the pseudonymized enhanced metadata stream to the midserver (Paragraph Number [0268] teaches Secret Token 424 is a security string that is generated and assigned by LIZARD. The Secret Token 424 does not prove to the Virtual Obfuscation System that the Suspicious Entity 415 is legitimate and harmless. Instead it allows the Entity that is indeed harmless to not proceed with its job since it knows it has been subject to a Partially 391 or Fully 394 Mock Data Environment. As long as an Entity is legitimate there should be no logistical problems of an employee/software etc. acting upon fake information and leading to real life issues (wrong address sent, wrong employee fired etc.) The Data Recall Trigger 414 only exists on legitimate enterprise functions and entities. By default, a legitimate entity will check an agreed upon location in the Embedded Server Environment 404 for the Token's 424 presence. If the Token is Missing 429 and 425, this indicates the likely scenario that this legitimate entity has been accidentally placed in a partially Mock Data Environment (because of the risk assessment of it being malware). Thereafter A Delayed Session 428 with the Delay Interface 426 is activated. If the Token is found 426 and 424, this indicates that the server environment is real and hence any delayed sessions are Deactivated 427).
a midserver comprising a second computing device comprising a non-volatile storage device, a memory, a processor, and a fifth plurality of programming instructions stored in the memory of, and operating on the processor of, the second computing device, wherein the fifth plurality of programming instructions, when operating on the processor of the second computing device, cause the midserver to: (Paragraph Number [0004] teaches the system having a memory that stores programmed instructions, a processor that is coupled to the memory and executes the programmed instructions and at least one database, wherein the system comprising a computer implemented system of providing designated function. Paragraph Number [0260] shows how Inner Core 334 houses the essential core functions of the system, which are directly and exclusively programmed by relevant Cybersecurity Experts 319 via a Maintenance 318 platform. The Core Code 335 is rudimentary groundwork needed to run LIZARD. Within Core 336 Fundamental Frameworks and Libraries 336 holds all the needed function to operate LIZARD such as compression and comparison functions. Within Core 336 Thread Management and Load Balancing 337 enables LIZARD to scale over a cluster of servers efficiently whilst Communication and encryption Protocols defines the types of encryption used (i.e. AES, RSA etc.). Within Core 336 Memory Management 339 allows the data that is interpreted and processed by LIZARD is efficiently managed within the server's Random Access Memory (RAM)).
receive the pseudonymized processed metadata stream from the data tokenizer, wherein the pseudonymized processed metadata stream is received on an upstream data route; forward the pseudonymized processed metadata stream to a cloud-based cybersecurity platform (Paragraph Number [0234] teaches the Energy Network Exchange 25 is a large private extranet that connects Energy Suppliers, Producers, Purchasers, etc. This enables them to exchange security information pertaining to their common industry. The Energy Network Exchange then communicates via VPN/Extranet 12 to the MNSP 
deny all inbound network traffic from an information technology network on the upstream data route (Paragraph Number [0234] teaches Third Party Threat Intelligence (3PTI) Feeds 32 represent custom tuned information inputs provided by third parties and in accordance with pre-existing contractual obligations. Iterative Evolution 33: parallel evolutionary pathways are matured and selected. Iterative generations adapt to the same Artificial Security Threats (AST), and the pathway with the best personality traits ends up resisting the security threats the most. Paragraph Number [0235] teaches with Traffic 45 all internal and external traffic that exists in the Energy Co. Local Pattern Matching 
receive the pseudonymized enhanced metadata stream from the cloud-based cybersecurity platform, wherein the pseudonymized enhanced metadata stream is received on a downstream data route; forward the pseudonymized enhanced metadata stream to the data tokenizer (Paragraph Number [0234] teaches the Energy Network Exchange 25 is a large private extranet that connects Energy Suppliers, Producers, Purchasers, etc. This enables them to exchange security information pertaining to their common industry. The Energy Network Exchange then communicates via VPN/Extranet 12 to the MNSP Cloud 9. Such cloud communications allows for bidirectional security analysis in that 1) Important security information data is provided from the Energy Network Exchange to the MNSP cloud and 2) Important security corrective actions are provided from the MNSP cloud to the Energy Network Exchange. All EI.sup.2 (Extranet, Intranet, Internet) networking traffic of Energy Co. is always routed via VPN 12 to the MNSP cloud.  In using this secure connection, all traffic is routed via the MNSP for maximal exposure to deployed realtime and retrospective security analysis algorithms. 
deny all outbound network traffic from the operational technology network on the downstream data route (Paragraph Number [0234] teaches Third Party Threat Intelligence (3PTI) Feeds 32 represent custom tuned information inputs provided by third parties and in accordance with pre-existing contractual obligations. Iterative Evolution 33: parallel evolutionary pathways are matured and selected. Iterative generations adapt to the same Artificial Security Threats (AST), and the pathway with the best personality traits ends up resisting the security threats the most. Paragraph Number [0235] teaches with Traffic 45 all internal and external traffic that exists in the Energy Co. Local Pattern Matching Algorithms 46 consist of industry-standard software that offers an initial layer of security such as anti-viruses, adaptive firewalls etc. Corrective Action 47 is to be undertaken by the Local Pattern Matching Algorithm 46 that is initially understood to solve the security problem/risk. This may include blocking a port, a file transfer, an administrative function request etc. The energy corporation has its System 48 isolated from the specialized security algorithms that it sends its logs and traffic information to. This is because these algorithms, LIZARD 16, I.sup.2GE 21, and CTMP 22 are based in 
Hasan teaches creating data streams and data visualizations using cybersecurity profiles but does not explicitly teach legitimizing a stream of data against deviations and anomalies which is taught by the following citations from Sadeh-Koniecpol:
legitimize the local metadata stream against deviations and anomalies; (Paragraph Number [0047] teaches the system may receive user behavior or activity data 15 and record that data over time in one or more data storage devices 1012. For example, the data may include relevant statistics relating to the user's behavior or activity over a period of time as received from the sensors. Those relevant statistics may include, for example, frequency of certain activities, frequency of certain behaviors, deviations from relevant baselines, and relevant trends. Paragraph Number [0049] teaches the system may store one or more user training needs models 18 in one or more data storage devices. A training needs model can include data and/or a rule set that the system may apply to correlate one or more behaviors or activities with training that is relevant to those behaviors or activities).
Both Hasan and Sadeh-Koniecpol are directed to providing cybersecurity and ensuring data flow is secure as it moves within a network. Hasan teaches creating data streams and data visualizations using cybersecurity profiles. Sadeh-Koniecpol improves 
As per claim 14, the claim recites a method that is substantially similar to the method performed by the system of claim 1 and is rejected for the same reasons put forth in regard to claim 1.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW H. DIVELBISS whose telephone number is (571) 270-0166. The fax phone number is 571-483-7110. The examiner can normally be reached on M-Th, 7:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MATTHEW H DIVELBISS/Examiner, Art Unit 3624