DETAILED ACTION
This Office Action is in response to application 17/042736 filed on 03/28/2019.  Claims 1-20 are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: “industrial control system module…comprising a packet accessing component configured to access; an inspection module…configured to access; the inspection module…configured to perform” in claim 1. The dependent claims also recite additional modules without reciting sufficient structure.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim 
An industrial control system comprising a processor and a memory storing instructions that when executed by the processor, provide: 
a firewall module comprising…

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-10 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, (claim 1), “a sequence check module” (claim 2), “a protocol creation module” (claim 9), and “a preliminary detection module” (claim 10). As the claims properly invoke 112(f) (see above), applicant’s specification must disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. At best, applicant’s specification details a “processing module” but that “processing module” is utilized by a control centre 102 (Paragraph 49). Applicant goes on to state that “field devices” include “sensors, motors, and/or actuators…and further comprise a processing module” (Paragraph 52). However, applicant states that the “communication network 116 is further coupled to a firewall module 122 (Paragraph 62). Figure 1B shows that the firewall module, which comprises the other claimed modules, as being separate from the communication network 116 and the sensors and controls 120. As such, there is no clear disclosure of the corresponding structure, material, or acts, for performing the entire claim function that clearly links the structure, material, or acts to the function thereby making the disclosure inadequate to support the limitation interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.









The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim limitations “firewall module comprising…a packet accessing component configure to access; an inspection module configured to access; the inspection module further configured to perform…” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Regarding the claim limitations “a packet accessing component configured to access…” and “an inspection module configured to access…”, applicant’s specification states:
[0229] A firewall module 1100 is provided. The firewall module 1100 may inspect one or more communication packets e.g. 1102 in an industrial control system. The firewall module 1100 comprises a packet accessing component 1104 to access a communication packet e.g. 1102. For example, the communication packet e.g. 1102 may be sent to or from a field interface device of the system.
[0230] The firewall module 1100 also comprises an inspection module 1106 that is coupled to the packet accessing component 1104 and is also coupled to a storage component 1108. The storage component 1108 may be internal or external to the firewall module 1100. In some exemplary embodiments, the storage component 1108 may be, but is not limited to, a RAM

Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 

(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-8, 10-18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thubert et al. (US 2017/0295141) in view of Korsunsky et al. (US 2011/0219035).
Regarding claim 1, Thubert disclosed:
An industrial control system firewall module (Paragraph 11, virtual firewall…within an industrial network), the firewall module comprising, 
a packet accessing component (Paragraph 47, deep packet inspection) configured to access a communication packet (Paragraph 16, data packets) of an industrial control system (Paragraph 11, installing a virtual firewall on a port of a device that communicates across a zone boundary within an industrial network. The virtual firewall performing deep packet inspection (DPI). Paragraph 16, data packets are exchanged between nodes/devices of the system); 
a firewall rules database, the firewall rules database configured to store one or more firewall rules (Paragraph 49, firewall rules are stored on the virtual firewalls at each port of the device, thus rules must be stored on a storage or database); 
an inspection module configured to access the one or more firewall rules based on an industrial protocol associated with the communication packet (Paragraph 47, the virtual firewalls are configured based on the operation of the industrial network. and relating the virtual firewall to specific industrial protocols of the industrial network in use by the port of the device. Paragraph 50, a new protocol is to be configured by a controller between peers. For each protocol iteration across zones and for each communication peer, the process determines whether the port is an input or output port. For output ports…a timed output “allow” rule (i.e., firewall rules) is installed on the virtual firewall of that port); and 
the inspection module is further configured to perform a comprehensive inspection of all header fields and data fields of the communication packet (Paragraph 47, performing deep packet inspection on the traffic).
While Thubert disclosed performing a comprehensive inspection of the packet related to the firewall rules (see above, also Paragraphs 51-52), Thubert did not explicitly disclose the inspection module is further configured to perform a comprehensive inspection of all header fields and data fields of the communication packet based on the one or more firewall rules accessed based on the industrial protocol associated with the communication packet.
However, in an analogous art, Korsunsky disclosed the inspection module is further configured to perform a comprehensive inspection of all header fields and data fields of the communication packet based on the one or more firewall rules accessed based on the industrial protocol associated with the communication packet (Paragraph 18, enforcing network security policies by inspecting a packet. The packet inspection is directed at the header and the payload of the packet. Paragraph 22, providing a firewall that processes a data flow to address patterns relevant to a variety of types of threats. Paragraph 26, the firewall helps to enforce corporate security policies (i.e., rules). Paragraph 49, the application processing module (i.e., inspection module) inspects the packets. Paragraph 61, each packet comprises a plurality of protocol layer packet data and processing the packets to determine the corresponding protocol layer for each packet data, then inspecting the packet according to the corresponding protocol layer inspection rules. Paragraph 67, processing the data flow according to the security policy. Paragraph 120, firewall operates on packets of a data flow by processing the headers and payloads of the packets in the context of a network state. This state relates to a session or connection that is associated with a particular protocol, for example, a TCP/IP connection).
	One of ordinary skill in the art would have been motivated to combine the teachings of Thubert with Korsunsky because the references both involve DPI for firewalls, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the comprehensive inspection of packets based on rules of Korsunsky with the teachings of Thubert in order to allow for more efficient, effective network security (Korsunsky, Paragraph 512).
	Regarding claim 11, the claims is substantially similar to claim 1 and is therefore rejected under the same rationale. 
	Regarding claims 2, 12, the limitations of claims 1, 11, have been addressed. Thubert and Korsunsky disclosed: the firewall module comprising, 
a sequence check module, the sequence check module coupled to the inspection module (Korsunsky, Paragraph 192, Figure 4, data flow engine 308 (i.e., sequence check module) shown coupled to application processor module 212 (i.e., inspection module)); 
(Korsunsky, Paragraph 192, data flow 444 is composed of an IP packet sequence associated with the connection orientated protocol (e.g., TCP/IP) or a connectionless protocol (e.g., UDP/IP). Each packet is composed of packet headers and packet payloads. Each header and payload include a sequence of values (i.e., sequential order of two known commands). Paragraph 206, logging database (i.e., sequence check database) contains a log of packets, data cells, and information associated with any and all of the foregoing); 
wherein the inspection module is configured to identify whether the communication packet is a sequence-oriented communication packet based on the comprehensive inspection, the identification being based on the at least two known commands (Korsunsky, Paragraph 192, the data flow is composed of an IP packet sequence associated with a specific protocol (i.e., sequence orientated). Both headers and payloads conform to a network protocol’s specification); and 
wherein if the communication packet is identified as a sequence-oriented communication packet, the sequence check module is configured to access the one or more legal sequences to determine whether the communication packet is in accordance with at least one legal sequence,2Dong LI et al. Preliminary Amendmentthe determination being based on one or more sequence states of any preceding communication packet that is in accordance with the at least one legal sequence (Korsunsky, Paragraph 192, the headers conform to the network protocols specification (i.e., legal sequence) or they may defy the network protocols specification as in malicious or erroneous cases. Paragraph 205, the action rules specify an action that occurs when the header rule and content rule match an aspect TCP packet or a sequence of TCP packets. The action can be to pass or drop the packets, among others. Paragraph 258, using relative position patterns to refer to patterns measured from the end of the previous pattern match (i.e., preceding)).
For motivation, please refer to claim 1. 

Regarding claims 3, 13, the limitations of claims 2, 12, have been addressed, Thubert and Korsunsky disclosed:
further comprising the sequence check database being configured to store the one or more sequence states of any preceding communication packet that is in accordance with the at least one legal sequence (Korsunsky, Paragraph 206, logging database (i.e., sequence check database) contains a log of packets, data cells, and information associated with any and all of the foregoing).
For motivation, please refer to claim 1.

Regarding claims 4, 14, the limitations of claims 2, 12, have been addressed. Thubert and Korsunsky disclosed:
further comprising the sequence check module being configured to allow addition of a new legal sequence to the sequence check database (Korsunsky, Paragraph 339, adding a new pattern to the pattern tree).
For motivation, please refer to claim 1.

Regarding claims 5, 15, the limitations of claims 1, 11, have been addressed. Thubert and Korsunsky disclosed:
further comprising the firewall rules database being configured to store one or more pre-defined critical states of the industrial control system (Korsunsky, Paragraph 125, network behavioral anomaly detection monitors the network data flow to detect patterns. The patterns are either a normal or anomalous (i.e., pre-defined critical state)); 
the inspection module is further configured to determine one or more instructed states of the industrial control system based on the comprehensive inspection (Korsunsky, Paragraph 162, classifying the data flow as being normal (i.e., instructed state)); and 
the inspection module is configured to monitor a difference between the one or more instructed states and the one or more pre-defined critical states (Korsunsky, Paragraph 125, using AI or machine learning to obtain a model of what data flows are normal and observing the data flows to detect anomalies (i.e., monitor a difference)).
For motivation, please refer to claim 1.	

Regarding claims 6, 16, the limitations of claims 1, 11, have been addressed. Thubert and Korsunsky disclosed:
further comprising the inspection module being further configured to determine whether there is an abnormal activity of the communication packet based on the comprehensive inspection and based on any preceding communication packet assessed by the firewall module (Korsunsky, Paragraph 125, using AI or machine learning to obtain a model of what data flows are considered normal by observing data flows. Then, comparing the actual data flows with the model to detect anomalies. The observing and comparing includes processing headers, payloads, and protocols. Paragraph 258, using relative position patterns to refer to patterns measured from the end of the previous pattern match (i.e., preceding)).
For motivation, please refer to claim 1. 

Regarding claims 7, 17, the limitations of claims 1, 11, have been addressed. Thubert and Korsunsky disclosed:
further comprising the firewall rules database being configured to sort the one or more firewall rules using an index (Korsunsky, Paragraph 197, Figure 4, having a plurality of action rules, header rules, and content rules stored together); 
the inspection module being further configured to perform the comprehensive inspection of the all header fields and data fields of the communication packet based on using the index (Korsunsky, Paragraph 204, matching action rules to packets. The action rule includes a header rule, which describes protocol type, source address, destination address, source/destination port, and TCP direction. The action rule includes content rule, which relates to a transport level payload. Paragraph 205, the action rules specify an action that occurs when the header rule and content rule match an aspect TCP packet or sequence of TCP packets). 
For motivation, please refer to claim 1.


Regarding claims 8, 18, the limitations of claims 7, 17, have been addressed. Thubert and Korsunsky disclosed:
further comprising the firewall rules database being configured to store the sorted one or more firewall rules as one or more index trees, each index tree being associated with an industrial protocol (Korsunsky, Paragraph 125, processing headers, payloads, and protocols. The processing comprises expression matching (in the pattern tree) on protocols. Paragraph 175, locating all instances of strings in the data flow that match strings in a dictionary. Using a pattern tree (i.e., index tree) to represent a set of patterns. Each node in the tree represents a prefix of one or more strings in the dictionary for matches).
For motivation, please refer to claim 1.

Regarding claims 10, 20, the limitations of claims 1, 11, have been addressed. Thubert and Korsunsky disclosed:
the firewall module comprising, a preliminary detection module configured to access network layer information and a protocol packet format based on the industrial protocol associated with the communication packet (Korsunsky, Paragraph 51, the packet is associated with a layer of a communication protocol, such as a network layer. Paragraph 221, a network layer packet is encapsulated in the payload of a data link layer that is associated with Ethernet, WiFi, or Token ring); and 
the preliminary detection module is further configured to perform an inspection of the communication packet based on the network layer information and the protocol packet format based on the industrial protocol associated with the communication (Korsunsky, Paragraph 18, packet inspection is performed at any and all layers (i.e., network) of a communication. Paragraph 61, inspecting each packet according to the corresponding protocol layer inspection rules. Paragraph 192, the data flow is composed of an IP packet sequence (i.e., format) and is associated with a protocol (e.g., TCP/IP). Paragraph 567, the network firewall examines the structure, formation (format) and other elements of the associated data flow).
For motivation, please refer to claim 1.  

Claims 9, 19, are rejected under 35 U.S.C. 103 as being unpatentable over Thubert et al. (US 2017/0295141) in view of Korsunsky et al. (US 2011/0219035) and Lee et al. (US 10,484,334).
Regarding claims 9, 19, the limitations of claims 1, 11, have been addressed. Thubert and Korsunsky did not explicitly disclose:
further comprising a protocol creation module coupled to the firewall rules database, the protocol creation module being configured to allow creation of a new industrial protocol for addition to the firewall rules database.
However, in an analogous art, Lee disclosed further comprising a protocol creation module coupled to the firewall rules database, the protocol creation module being configured to allow creation of a new industrial protocol for addition to the firewall rules database (Column 44, Lines 13-23, the controller provides the admin with a recommendation of proposed firewall rules. Adding a protocol to a firewall rule and pushing the rules from the controller to each endpoint).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate adding a new industrial protocol to firewall rules of Lee with the teachings of Thubert and Korsunsky in order to optimize or improve the firewall system (Lee, Column 16, Lines 24-25).

Conclusion
Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Steven C Nguyen whose telephone number is (571)270-5663. The examiner can normally be reached M-F 7AM - 3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/S.C.N/Examiner, Art Unit 2451                                                                                                                                                                                                        

/Chris Parry/Supervisory Patent Examiner, Art Unit 2451