Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/19/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: 
[0046]  “514 (dotted line)” should be “516 (dotted line)”
[0046] “516 (dashed line)” should be “514 (dashed line)”
[0050] The acronym “ROC” is not spelled out in the originally filed specification, and it is unclear what it corresponds to. No new matter may be introduced in a corrective amendment (MPEP 608.04(a)).
[0098] “time-series measurements 2120” should be “time-series measurements 2110”
[0098] “feature extraction 2140, anomaly detection 2150, and localization techniques 2154 may be used to determine 2152” – 2152 depends on 2140 and 2150 but not 2154 according to Figure 21.
[0118] “An and operation 2810” should be “An AND operation 2810”  
Appropriate correction is required.

SM , or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 13 and 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim 13 recites the limitation, “The system of claim 12” in line 1. Claim 15 recites the limitation, "responsive to said determination, switching the abnormal node or nodes from the virtual node values 
Regarding claim 13, “the system of claim 12” lacks antecedent basis because claim 12 does not recite a “system,” instead, claim 12 recites, “A computerized method.” As per MPEP 2173.05(e)(I), “Antecedent problems in the claims are typically drafting oversights that are easily corrected once they are brought to the attention of applicant. The examiner’s task of making sure the claim language complies with the requirements of the statute should be carried out in a positive and constructive way, so that minor problems can be identified and easily corrected, and so that the major effort is expended on more substantive issues. However, even though indefiniteness in claim language is of semantic origin, it is not rendered unobjectionable simply because it could have been corrected. In re Hammack, 427 F.2d 1384, 1388 n.5, 166 USPQ 209, 213 n.5 (CCPA 1970).”
Regarding claim 15, “said determination” may refer to one of the following limitations of claim 12: 1) “determining, by an abnormality detection computer, that at least one abnormal monitoring node is currently being attacked or experiencing a fault,” or 2) “determining when the abnormal monitoring node or nodes will switch from the virtual node values back to monitoring node values.” Therefore, there is insufficient antecedent basis for claim 15 limitation, “responsive to said determination, switching the abnormal node or nodes from the virtual node values back to monitoring node values.”

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 8-11 and 20-21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventors, at the time the application was filed, had possession of the claimed invention. 

Claims 8 and 20 recite the limitation, “the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on an external input indicating that no network intrusion is currently active.” Claim 9 recites the limitation, “the external input indication that no network intrusion is currently active is based on network monitoring using supervised or unsupervised anomaly detection methods.” Claim 10 recites the limitation, “the external input indication that no network intrusion is currently active is based on network intrusion detection.” Claim 11 recites the limitation, “the network intrusion detection is based on quantum key distribution.” Claim 21 recites the limitation, “the external input indication that no network intrusion is currently active is based on at least one of (i) network monitoring using supervised or unsupervised anomaly detection methods, (ii) network intrusion detection, and (iii) quantum key distribution.”
The limitations in question do not satisfy the written description requirement under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph. The specification does not describe the limitations in sufficient detail so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention.
In MPEP 2163 (I)(A), while “There is a presumption that an adequate written description of the claimed invention is present when the application is filed”, it also states “, issues of adequate written description may arise even for original claims, for example, when an aspect of the claimed invention has not been described with sufficient particularity such that one skilled in the art would recognize that the

In MPEP 2161.01, "computer-implemented functional claim language must still be evaluated for sufficient disclosure under the written description". And MPEP 2161.01(I) "generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed." For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date.
Similarly, original claims may lack written description when the claims define the invention in functional language specifying a desired result but the specification does not sufficiently describe how the function is performed or the result is achieved. For software, this can occur when the algorithm or steps/procedure for performing the computer function are not explained at all or are not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient). Merely reproducing a claim limitation in the specification, or even pointing to an original claim, does not satisfy the written description requirement, unless the claim itself conveys enough information to show that the inventor had possession of the claimed invention at the time of filing.
In this case, the specification does not provide sufficient detail regarding “network intrusion detection,” “network monitoring using supervised or unsupervised anomaly detection methods,” or “quantum key distribution.” No algorithm or steps/procedure for performing the functions is found, whether explained at all or in sufficient detail. The portions of the specification relating to “network intrusion detection,” “network monitoring using supervised or unsupervised anomaly detection methods,” and “quantum key distribution” are found in Fig. 28 and [0121]. However, reproducing a claim limitation in the specification does not satisfy the written description requirement.
network intrusion detection,” “network monitoring using supervised or unsupervised anomaly detection methods,” and “quantum key distribution” in [0121], does not entitle the inventor to claim any and all means for achieving the objectives as claimed.
Furthermore, as stated in MPEP 2161.01(I), "The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention." It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
While “network intrusion detection,” “network monitoring using supervised or unsupervised anomaly detection methods,” or “quantum key distribution” might be known, how the applicant intends to implement “network intrusion detection,” “network monitoring using supervised or unsupervised anomaly detection methods,” or “quantum key distribution” is not described. Therefore, the specification does not provide a disclosure of the computer and algorithm in sufficient detail to demonstrate to one of ordinary skill in the art that the inventor possessed the invention under 35 U.S.C. 112(a).

Claim Rejections - 35 USC § 102

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 6, 12-16 and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Park et al. (U.S. Patent No. 10,250,619), hereinafter Park.

Regarding claim 1, Park discloses, A system to protect (Fig. 4 #100) an industrial asset (Fig. 4 #103), comprising: 
a plurality of monitoring nodes (Fig. 4 #150), each monitoring node generating a series of monitoring node values over time that represent a current operation of the industrial asset (Col 16 ln. 31-33); 
an abnormality detection computer (Fig. 4 #105) to determine that at least one abnormal monitoring node is currently being attacked or experiencing a fault (Col 11 ln. 40-49); and 
a virtual sensor (Col 16 ln. 44-51) estimator (Fig. 4 #101, Col 16 ln. 57-62), coupled to the plurality of monitoring nodes (Fig. 4 #150, Col 16 ln. 31-37) and the abnormality detection computer (Fig. 4 #105, Col 17 ln. 4-8), to: 
(i) responsive to an indication that the at least one abnormal monitoring node is currently being attacked or experiencing a fault (Col 15 ln. 22-30), automatically replace monitoring node values from the at least one abnormal monitoring node currently being attacked or experiencing a fault with virtual node values (Col 15 ln. 39-46), and 
(ii) determine when the abnormal monitoring node or nodes (Col 13 ln. 18-21) will switch from the virtual node values back to monitoring node values (Col 19 ln. 31-39).

	Regarding claim 2, Park discloses the system of claim 1 as set forth above, and wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on an attestation from a human operator (Col 13 ln. 18-24 “interactive”; Col 15 ln. 15-22).

Regarding claim 3, Park discloses the system of claim 1 as set forth above, and wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is performed automatically (Col 13 ln. 18-24, “automated”).

	Regarding claim 4, Park discloses the system of claim 1 as set forth above, and wherein the virtual sensor estimator (Fig. 4 #101) is further to: 
(iii) responsive to said determination, switch the abnormal node or nodes from the virtual node values back to monitoring node values (Col 10 ln. 19-25).
Park recites, “to restore a desired fallback or normal operating state of the protected system or device” (Col 10 ln. 19-25). Where an abnormal state corresponds to using virtual node values, a normal state corresponds to using monitoring node values as described in claim 1 (i).

	Regarding claim 6, Park discloses the system of claim 1 as set forth above, and wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on a global status remaining normal (Col 12 ln. 8-16 “global operational awareness”).


determining, by an abnormality detection computer (Fig. 4 #105), that at least one abnormal monitoring node is currently being attacked or experiencing a fault (Col 11 ln. 40-49);
responsive to an indication that the at least one abnormal monitoring node is currently being attacked or experiencing a fault (Col 15 ln. 22-30), automatically replacing monitoring node values from the at least one abnormal monitoring node currently being attacked or experiencing a fault with virtual node values (Col 15 ln. 39-46); and 
determining when the abnormal monitoring node or nodes (Col 13 ln. 18-21) will switch from the virtual node values back to monitoring node values (Col 19 ln. 31-39).

	Regarding claim 13, Park discloses the system of claim 12 as set forth above, and wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on an attestation from a human operator (Col 13 ln. 18-24 “interactive”; Col 15 ln. 15-22).

	Regarding claim 14, Park discloses the method of claim 12 as set forth above, and wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is performed automatically (Col 13 ln. 18-24 “automated”).


Park recites, “to restore a desired fallback or normal operating state of the protected system or device” (Col 10 ln. 19-25). Where an abnormal state corresponds to using virtual node values, a normal state corresponds to using monitoring node values as in claim 1 (i).

	Regarding claim 16, Park discloses a non-transitory, computer-readable medium storing instructions that (Col 51 ln. 20-24), when executed by a computer processor, cause the computer processor to perform (Col 51 ln. 24-27) a method to protect (Fig. 5) an industrial asset (Fig. 4 #103) associated with a plurality of monitoring nodes (Fig. 4 #150), each monitoring node generating a series of monitoring node values over time that represent current operation of the industrial asset (Col 16 ln. 31-33), the method comprising: 
determining, by an abnormality detection computer (Fig. 4 #105), that at least one abnormal monitoring node is currently being attacked or experiencing a fault (Col 11 ln. 40-49); 
responsive to an indication that the at least one abnormal monitoring node is currently being attacked or experiencing a fault (Col 15 ln. 22-30), automatically replacing monitoring node values from the at least one abnormal monitoring node currently being attacked or experiencing a fault with virtual node values (Col 15 ln. 39-46); 
and determining when the abnormal monitoring node or nodes (Col 13 ln. 18-21) will switch from the virtual node values back to monitoring node values (Col 19 ln. 31-39).

Regarding claim 18, Park discloses the medium of claim 16 as set forth above, and wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of K. Paridari et al., "A Framework for Attack-Resilient Industrial Control Systems: Attack Detection and Controller Reconfiguration," in Proceedings of the IEEE, vol. 106, no. 1, pp. 113-128, Jan. 2018, doi: 10.1109/JPROC.2017.2725482, hereinafter Paridari.

Regarding claim 5, Park discloses the system of claim 1. 
Regarding claim 17, Park discloses the medium of claim 16.
Regarding both claims 5 and 17, Park fails to explicitly disclose wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on a size of a virtual sensing residual. 
However, Paridari teaches wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on a size of a virtual sensing residual (Paridari, Section II.A.1, Pg 118).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Park to incorporate the teachings of Paridari to include the 

Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Carpenter et al. (US-PGPUB 2016/0050225), hereinafter Carpenter.

Regarding claim 7, Park discloses the system of claim 1 as set forth above. 
Regarding claim 19, Park discloses the medium of claim 16 as set forth above.
Regarding both claims 7 and 19, Park fails to explicitly disclose wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on a sensor ranking list. 
However, Carpenter teaches wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on a sensor ranking list (Carpenter, [0049]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Park to incorporate the teachings of Carpenter to include the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on a sensor ranking list. Such modification would be desired to “allow a determination of which of the plurality of networked devices are connected, indicating where a cyber-attack might spread if one of the plurality of networked devices is compromised, sources of the risks, and severity of the risks.” (Carpenter, [0049])

Claims 8, 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Park in view of Hanks et al. (US-PGPUB 2012/0304007), hereinafter Hanks.

Regarding claims 8 and 20, claim 8 is a system performing the instructions disclosed in claim 20. For claim 8, Park discloses the system of claim 1 as set forth above. For claim 20, Park discloses the medium of claim 16 as set forth above.
Park fails to explicitly disclose wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on an external input indicating that no network intrusion is currently active. 
However, Hanks teaches wherein the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on an external input (Hanks, Fig. 2 #240) indicating that no network intrusion is currently active (Hanks, [0051]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Park to incorporate the teachings of Hanks to include the determination of when the abnormal monitoring node or nodes will switch from the virtual node values back to the monitoring node values is based at least in part on an external input indicating that no network intrusion is currently active. Such modification would be desired because “operating events may include communication between devices, such as a control message transmitted to a control device by a controller, such as… an external operating event from a monitoring device.” (Hanks [0050])


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Park and Hanks in view of Paridari.

	Regarding claim 9, Park in view of Hanks discloses the system of claim 8, but fails to explicitly disclose wherein the external input indication that no network intrusion is currently active is based on network monitoring using supervised or unsupervised anomaly detection methods. 
However, Paridari teaches wherein the external input indication that no network intrusion is currently active is based on network monitoring using supervised or unsupervised anomaly detection methods (Paridari, Section II.A.2 Pg 119).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Park in view of Hanks to incorporate the teachings of Paridari to include the external input indication that no network intrusion is currently active is based on network monitoring using supervised or unsupervised anomaly detection methods. Such modification(s) would be desired to “allow the implicit patterns and dependencies in the data to be learned, building a model that represents the normal behavior of the system.” (Paridari, Section II.A, Pg 118)

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Park, Hanks and Paridari in view of Murphy et al. (US-PGPUB 2007/0110247), hereinafter Murphy.

Regarding claim 11, Park in view of Hanks and Paridari discloses the system of claim 10, but fails to disclose wherein the network intrusion detection is based on quantum key distribution. 
However, Murphy teaches wherein the network intrusion detection is based on quantum key distribution (Murphy, [0022]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Park in view of Hanks and Paridari to incorporate the teachings of Murphy to include the network intrusion detection is based on quantum key distribution. Such modification(s) would be desired because “detection or measurement of the handling or disturbance of the optical fiber or cable in the key path, either as a prelude to, incident of, or as a result of an intrusion.” (Murphy, [0024])

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Park and Hanks in view of Paridari and Murphy.

	Regarding claim 21, Park in view of Hanks discloses the medium of claim 20 as set forth above, and wherein the external input indication that no network intrusion is currently active is based on at least one of (ii) network intrusion detection (Hanks, [0051]). It is noted that, “at least one of,” is an alternative form. Thus, the prior art need only satisfy one of: (i) network monitoring using supervised or unsupervised anomaly detection methods, (ii) network intrusion detection, and (iii) quantum key distribution.
Hanks fails to explicitly disclose (i) network monitoring using supervised or unsupervised anomaly detection methods. However, Paridari teaches network monitoring using supervised or unsupervised anomaly detection methods (Paridari, Section II.A.2 Pg 119).

Hanks also fails to explicitly disclose (iii) quantum key distribution. However, Murphy teaches quantum key distribution (Murphy, [0024]).
Therefore, it would be obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Park in view of Hanks to incorporate the teachings of Murphy to include quantum key distribution. Such modification would be desired because “detection or measurement of the handling or disturbance of the optical fiber or cable in the key path, either as a prelude to, incident of, or as a result of an intrusion.” (Murphy, [0024]).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 9942262 B1 – Regarding a system and techniques for cyber-physical system defense.
US PGPUB 2009/0307772 A1 – Regarding a framework for state estimation using multi-network observation
US PGPUB 2012/0328290 A1 – Regarding a quantum communication system.
US PGPUB 2013/0132149 A1 
US PGPUB 2013/0304266 A1 – Regarding a semidefinite programming formulation for state estimation of nonlinear AC power systems, resilient to outlying measurements and/or adversarial cyber-attacks.
US PGPUB 2017/0264629 A1 – Regarding systems, methods and apparatuses for enhancing security in industrial control systems by detecting and reacting to intrusions based on production process information.
EP 3618354 A1 – Regarding an industrial control system and network security monitoring method.
WO 2015/104691 – Regarding a method of detecting anomalies in an industrial control system.
M. Pajic et al, "Design and Implementation of Attack-Resilient Cyberphysical Systems: With a Focus on Attack-Resilient State Estimators," in IEEE Control Systems Magazine, vol. 37, no. 2, pp. 66-81, April 2017, doi: 10.1109/MCS.2016.2643239. – Regarding attack-resilient cyber-physical systems using state estimators.
A. Sargolzaei et al, "Resilient Design of Networked Control Systems Under Time Delay Switch Attacks, Application in Smart Grid," in IEEE Access, vol. 5, pp. 15901-15912, 2017, doi: 10.1109/ACCESS.2017.2731780. – Regarding a state estimator used to detect and recover from the destabilizing effects of time delay switch attacks.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA NEIL GONZALES whose telephone number is (571)272-0286. The examiner can normally be reached 10:00 AM-2:00 PM; 2:30-6:30 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/J.N.G./Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496