Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 3/6/2020.
Claims 1-20 have been examined.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/6/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.

The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words.  The form and legal phraseology often used in patent claims, such as "means" and "said," should be avoided.  The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.

The language should be clear and concise and should not repeat information given in the title.  It should avoid using phrases which can be implied, such as, "The disclosure concerns," "The disclosure defined by this invention," "The disclosure describes," etc.

The abstract of the disclosure is objected to because the abstract is simply a copy of claim 11.  The abstract should be directed at the entire specification in order to assist readers in deciding whether there is a need to consult the full patent text for details.  Correction is required.  See MPEP § 608.01(b).

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Abbaszahed et al. (US Patent Application Publication Number 2020/0067969) hereinafter referred to as Abbaszahed.
Regarding claim 1, Abbaszahed disclosed a security monitoring process for a cyber-physical system, the process comprising: obtaining, from one or more sensors of the cyber-physical system, a plurality of sensor measurements relating to a physical process in the cyber-physical system, the physical process having a current process state (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example); performing a threat detection operation comprising determining, based on a model of the physical process and the current process state, whether the plurality of sensor measurements correspond to a security threat to the 
Regarding claim 11, Abbaszahed disclosed a system for monitoring security in a cyber-physical system, the system comprising: a packet parser configured to obtain, from network traffic in the cyber-physical system, a plurality of sensor measurements from one or more sensors of the cyber-physical system, the plurality of sensor measurements relating to a physical process in the cyber-physical system, the physical process having a current process state (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example); and a threat detector configured to determine, based on a model of the physical process and the current process state, whether the plurality of sensor measurements correspond to a security threat to the cyber-physical system (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example).

Regarding claims 2 and 12, Abbaszahed disclosed that the threat detection operation comprises determining a corresponding plurality of estimated values for the at least one parameter based on the model of the physical process (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example); and determining whether the estimated values differ from one or more expected values for the at least one parameter given the current process state (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example).
Regarding claims 3 and 13, Abbaszahed disclosed determining residuals between the estimated values and the sensor measurements (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example); determining a cumulative sum (CUSUM) of 
Regarding claims 4 and 14, Abbaszahed disclosed that the detection of the anomaly is based on a comparison of the CUSUM with a threshold (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example).
Regarding claims 5 and 15, Abbaszahed disclosed that the model is based on system identification (Abbaszahed Paragraph 0074 for example).
Regarding claims 6 and 16, Abbaszahed disclosed that the model is an autoregressive model or a linear dynamical state space (LDS) model (Abbaszahed Paragraph 0074 for example).
Regarding claims 7 and 17, Abbaszahed disclosed that the threat detection operation comprises a classification operation using a trained model that is configured to output a class prediction based on one or more input features, and wherein at least one of the input features is derived from the plurality of sensor measurements (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example).
Regarding claims 8 and 18, Abbaszahed disclosed that the one or more input features are derived from one or more of: current actuation commands; sensor signals; estimated sensor signals; residuals between sensor signals and estimated sensor signals; a window of previous 
Regarding claims 9 and 19, Abbaszahed disclosed that one of the input features is a cumulative sum (CUSUM) of normalised residuals, wherein the normalised residuals are computed according to a difference between the residuals and a historical average of the residuals for the current process state (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example).
Regarding claims 10 and 20, Abbaszahed disclosed that the one or more network traffic parameters are derived from network packets at both process level and basic control level devices of the cyber-physical system (Abbaszahed Figs. 1-3, and 18, and Paragraphs 0037-0044, 0107-0109, and 0114 for example; also note that this claim only limits the alternatively claimed limitation regarding the network traffic parameters, which are not required by the claim as they are recited in the alternative).

Conclusion
Claims 1-20 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

US 2019/0025435 taught an anomaly detection system which used a comparison of the mean of residuals to the expected mean of the residuals to detect whether or not an attack is present, but does not appear to teach determining normalised residuals based upon a difference between the residuals and a historical average of the residuals for the current process state.
Hwang et al. (“A Survey of Fault Detection, Isolation, and Reconfiguration Methods”) taught using CUSUM to determine a moving average of the last few observations, but does not appear to teach determining normalised residuals based upon a difference between the residuals and a historical average of the residuals for the current process state.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday-Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: 





/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491