DETAILED ACTION
This office action is in response to applicant’s RCE amendment filed on 01/20/2022.   Claims 1 and 11 have been amended.  Claims 1-20 are pending and are directed towards systems and method for Industrial Asset Cyber-Attack Detection Algorithm Verification using Secure Distributed Ledger.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1.	Applicant’s arguments filed 01/20/2022 have been fully considered.
A) Applicant’s arguments, with respect to the amended limitation of claim 1, that Chand, Mestha, and Pattanaik fail to teach “independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client, and mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of the independently created version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata” and that Chand fails to show “an independently created version of the compressed representation” (page 10-11 of the present response) have been fully considered but they are not persuasive.
	Regarding A) Chand teaches independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client (para 78, line 1-6 and 82, line 1-15 and 84, line 1-12; security device 31 communicating with network 24 to receive operating thumbprint from control devices 16 and compare with stored thumbprint, where the stored thumbprint are populated in a security table 92 of security device 31 along with timestamp of valid operating thumbprint 70 from a given control device 16).  The stored thumbprint populated in a security table 92 of security device 31 corresponds to the independently created version of the compressed representation in the claimed limitation.  In addition, Chand teaches mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata (para 78, line 1-6 and para 80, line 1-3; the thumbprint 70 is compared with a corresponding stored thumbprint to establish a reasonable probability that the source data of the control device 17 has not been modified or tampered with and the thumbprint may also include digital signature 82 and timestamp for detection of tampering).  Chand teaches the features of the limitations in question and, therefore, Chand teaches the claimed limitations of claim 1.
B) Applicant’s arguments, with respect to the amended limitation of claim 1, that Chand, Mestha, and Pattanaik fail to teach “at least one verification platform computer processor is adapted to independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client” and that “even if the digital operating thumbprint is considered to be "independently created," Applicant notes that the digital operating thumbprint is not generated by the same device which determines the validity of received a subset of industrial asset cyber-attack detection algorithm data” (page 11-12 of the present response) have been fully considered but they are not persuasive.
	Regarding B) as noted above, the stored thumbprint populated in a security table 92 of security device 31 corresponds to the independently created version of the compressed representation in the claimed limitation.  Chand describes the stored thumbprint are populated in a security table 92 of security device 31, which receives operating thumbprint from control devices 16 and compare with the stored thumbprint to determine if the source data 74 of the control device 16 has been modified or tampered with (see para 78, line 1-6 and para 83 and 84, line 1-12).
Claim Rejections - 35 USC § 103
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chand et al. (US Pub. 2016/0359825), hereinafter Chand, filed on Jun. 2, 2015 in view of Mestha et al. (US Pub. 2017/0310690), hereinafter Mestha, filed on Apr. 25, 2016 and Pattanaik et al. (US Pub. 2017/0366516), hereinafter Pattanaik, filed on Jun. 16, 2017. 
	Regarding claim 1, Chand teaches a system to facilitate industrial asset cyber-attack detection algorithm verification (para 76, line 1-9; system including industrial controller captures portions of data to determine whether they have been tampered with or corrupted), comprising: 
a verification platform (para 76, line 1-6; system including control device 16, security program 58, and security device 31), including: 
a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, including a subset of the industrial asset cyber-attack detection algorithm data (para 61, line 4-8 and para 76, line 1-6; control devices 16 may include I/O modules providing input and output lines 18 allowing communication with sensors, and the data can be used to determine whether they have been tampered with or corrupted), and 
Chand does not teach the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset
Mestha teaches the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset (para 19, line 9-23; normal space data source 110 might store, for each of a plurality of threat nodes 130, a series of normal values over time that represent normal operation of an industrial asset control system (e.g., generated by a model or collected from actual sensor 130 data))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide normal space data source might store a series of normal values over time that represent normal operation of an industrial asset control system collected from actual sensor data. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Chand teaches at least one verification platform computer processor coupled to the data connection (para 68, line 1-3; control device 16 may also execute to receive outputs from the industrial controller 12 through the network interface) and adapted to: 
mark the subset of industrial asset cyber-attack detection algorithm data as invalid, store the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store (para 76, line 1-18 and para 95, line 1-19; data captured from industrial controllers in the form of thumbprint 70 may be sent to security device 31, where they are compared with stored thumbprint 100 and may be identified as tampered in near real-time),
record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a corresponding stored thumbprint, which is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79), 
Chand and Mestha do not teach record a hash value in a secure, distributed ledger, 
receive a transaction identifier from the secure, distributed ledger, and
Pattanaik teaches record a hash value in a secure, distributed ledger (para 43, line 9-15; each block in the blockchain can contain a hash value representing each transaction), 
receive a transaction identifier from the secure, distributed ledger (Fig. 3 and para 42, line 1-3 and para 45, line 1-4; client devices 110 receives transaction receipts from a central service provider 150 indicating that one or more transactions has been written to blockchain), and 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide storage of a hash value on a blockchain and receiving a transaction receipt in return. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand teaches independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client (para 78, line 1-6 and 82, line 1-15 and 84, line 1-12; security device 31 communicating with network 24 to receive operating thumbprint from control devices 16 and compare with stored thumbprint, where the stored thumbprint are populated in a security table 92 of security device 31 along with timestamp of valid operating thumbprint 70 from a given control device 16),
mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of the independently created version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata (para 78, line 1-6 and para 80, line 1-3; the thumbprint 70 is compared with a corresponding stored thumbprint to establish a reasonable probability that the source data of the control device 17 has not been modified or tampered with and the thumbprint may also include digital signature 82 and timestamp for detection of tampering).
Chand does not teach receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node; 
compare data points of the stream of industrial data to the decision boundary information; and generate at least one of a global alert signal or a local alert signal based on the result of the comparison.
Mestha teaches receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node (para 19, line 11-23 and para 20, line 1-10; threat detection computer 150 receives decision boundary data threat detection model creation computer 140, which includes normal space data and threatened space data from threat nodes, and monitors streams of data from nodes for industrial cyber-attack detection); 
compare data points of the stream of industrial data to the decision boundary information; and2Application Serial No.: 16/176,293 Amendment and Response to August 7, 2020 Non-Final Office Actiongenerate at least one of a global alert signal or a local alert signal based on the result of the comparison (para 20, line 1-14 and para 26, line 1-17; threat detection computer 150 compares decision boundary data and streams of data from threat nodes and may output a threat alert signal to remote monitoring user devices 170 when appropriate).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide decision boundary data in cyber-attack detection and output a threat detection alert. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Regarding claim 2, Chand, Mestha, and Pattanaik teach system of claim 1.
Chand does not teach the industrial asset cyber-attack detection algorithm data includes at least one feature-based classification boundary.
	Mestha teaches the industrial asset cyber-attack detection algorithm data includes at least one feature-based classification boundary (para 26, line 1-12; industrial asset control system receives values from a plurality of nodes and the values are used to generate feature vectors and a decision boundary for cyber-attack detection).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide sensor data from industrial assets that could be used to generate feature vectors and a decision boundary for cyber-attack detection. Doing so would allow for the investigation and response of detected potential cyber-attack on industrial control systems, as recognized by Mestha.
Regarding claim 3, Chand, Mestha, and Pattanaik teach system of claim 1.
	Chand teaches the stream of industrial asset data, including a subset of the industrial asset data (para 61, line 4-8 and para 76, line 1-6; control devices 16 may include I/O modules providing input and output lines 18 allowing communication with sensors, and the data can be used to determine whether they have been tampered with or corrupted), and 
the verification platform computer (para 68, line 1-3; control device 16 may also execute to receive outputs from the industrial controller 12 through the network interface) is further adapted to: 
store the subset of industrial asset data into the data store, the subset of industrial asset data being marked as invalid (para 76, line 1-18 and para 95, line 1-19; data captured from industrial controllers in the form of thumbprint 70 may be sent to security device 31, where they are compared with stored thumbprint 100 and may be identified as tampered in near real-time), 38Docket No: 319996_1 (G30.244) 
record a hash value associated with a compressed representation of the subset of industrial asset data combined with metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a corresponding stored thumbprint, which is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79), 
Chand and Mestha do not teach record a hash value in a secure, distributed ledger, 
receive a transaction identifier from the secure, distributed ledger, and
Pattanaik teaches record a hash value in a secure, distributed ledger (para 43, line 9-15; each block in the blockchain can contain a hash value representing each transaction), 
receive a transaction identifier from the secure, distributed ledger (Fig. 3 and para 42, line 1-3 and para 45, line 1-4; client devices 110 receives transaction receipts from a central service provider 150 indicating that one or more transactions has been written to blockchain), and 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide storage of a hash value on a blockchain and receiving a transaction receipt in return. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand teaches mark the subset of industrial asset data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset data combined with metadata (para 78, line 1-6 and para 80, line 1-3; the thumbprint 70 is compared with a corresponding stored thumbprint to establish a reasonable probability that the source data of the control device 17 has not been modified or tampered with and the thumbprint may also include digital signature 82 for detection of tampering).
Regarding claim 4, Chand, Mestha, and Pattanaik teach system of claim 3.
Chand does not teach the industrial asset sensors are associated with at least one of: (i) an engine, (ii) an aircraft, (iii) a locomotive, (iv) power generation, and (v) a wind turbine.
	Mestha teaches the industrial asset sensors are associated with at least one of: (i) an engine, (ii) an aircraft, (iii) a locomotive, (iv) power generation, and (v) a wind turbine (para 20, line 1-11 and para 25, line 1-13; monitor streams of data from threat nodes 130 comprising sensor data in industrial control system associated with power turbine, a jet engine, and a locomotive).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide sensor data in industrial control system associated with power turbine, a jet engine, and a locomotive. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Regarding claim 5, Chand, Mestha, and Pattanaik teach system of claim 1.
	Chand teaches the data store, wherein the data store is adapted to provide information marked as being valid to a consuming platform (para 84, line 1-6 and para 86, line 1-7; the populated security table 92 containing valid thumbprints may be used to generate a number of standard security templates 120, which may be provided to standard control devices 16 by a packaging line).
Regarding claim 6, Chand, Mestha, and Pattanaik teach system of claim 1.
	Chand teaches the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a thumbprint is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79)
Chand and Mestha do not teach the compressed representation comprises a trie
Pattanaik teaches the compressed representation comprises a trie (Fig. 5B and para 91, line 7-11; Fig. 5B illustrates a binary hash tree for generating hashed blocks of transaction records 590).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a binary hash tree for generating hashed blocks of transaction records. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Regarding claim 7, Chand, Mestha, and Pattanaik teach system of claim 6.
	Chand teaches the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a thumbprint is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79)
Chand and Mestha do not teach the compressed representation comprises a Patricia-Merkle trie.
Pattanaik teaches the compressed representation comprises a Patricia-Merkle trie (Fig. 5B and para 91, line 7-11; Fig. 5B illustrates a binary hash tree (e.g. a Merkle tree) for generating hashed blocks of transaction records 590).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a Merkle tree for generating hashed blocks of transaction records. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Regarding claim 8, Chand, Mestha, and Pattanaik teach system of claim 1.
	Chand teaches the metadata includes at least one of (i) a pseudo identifier, (ii) a time stamp, (iii) a unique client identifier (para 80, line 1-12; thumbprint may include a digital signature and a timestamp for detection of tampering of the thumbprint), and (iv) data shape information.
Regarding claim 9, Chand, Mestha, and Pattanaik teach system of claim 1.
	Chand teaches the verification platform is associated with at least one of: (i) a single network cloud-hosted topology, (ii) a multiple network cloud-hosted topology, and (iii) a participant hosted intranet environment (para 62, line 1-10; industrial controllers 12 may communicate with control devices 16 by means of an industrial control network 24 for high reliability of data transmission).
Regarding claim 10, Chand, Mestha, and Pattanaik teach system of claim 1.
	Chand and Mestha do not teach the secure, distributed ledger comprises blockchain technology.
	Pattanaik teaches the secure, distributed ledger comprises blockchain technology (para 76, line 1-6; transaction management module 310 can maintain a ledger that is continuously updated for each transaction involving various parties in the blockchain).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a ledger continuously updated for each transaction involving various parties in a blockchain. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Regarding claim 11, Chand teaches a method associated with industrial asset cyber-attack detection algorithm verification (para 76, line 1-9; system including industrial controller captures portions of data to determine whether they have been tampered with or corrupted), comprising: 
receiving, at a computer processor of a verification platform, a stream of industrial asset cyber-attack detection algorithm data, including a subset of the industrial asset cyber- attack detection algorithm data (para 61, line 4-8 and para 76, line 1-6; control devices 16 may include I/O modules providing input and output lines 18 allowing communication with sensors, and the data can be used to determine whether they have been tampered with or corrupted);
Chand does not teach the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset
Mestha teaches the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset (para 19, line 9-23; normal space data source 110 might store, for each of a plurality of threat nodes 130, a series of normal values over time that represent normal operation of an industrial asset control system (e.g., generated by a model or collected from actual sensor 130 data))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide normal space data source might store a series of normal values over time that represent normal operation of an industrial asset control system collected from actual sensor data. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Chand teaches marking, by the verification platform, the subset of industrial asset cyber-attack detection algorithm data as invalid, storing, by the verification platform, the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store (para 76, line 1-18 and para 95, line 1-19; data captured from industrial controllers in the form of thumbprint 70 may be sent to security device 31, where they are compared with stored thumbprint 100 and may be identified as tampered in near real-time); 
recording, by the verification platform, a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a corresponding stored thumbprint, which is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79)
Chand and Mestha do not teach record a hash value in a secure, distributed ledger; 
receiving, at the verification platform, a transaction identifier from the secure, distributed ledger; 
Pattanaik teaches record a hash value in a secure, distributed ledger (para 43, line 9-15; each block in the blockchain can contain a hash value representing each transaction),
receiving, at the verification platform, a transaction identifier from the secure, distributed ledger (Fig. 3 and para 42, line 1-3 and para 45, line 1-4; client devices 110 receives transaction receipts from a central service provider 150 indicating that one or more transactions has been written to blockchain); and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide storage of a hash value on a blockchain and receiving a transaction receipt in return. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand teaches independently create, by the verification platform, a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client (para 78, line 1-6 and 82, line 1-15 and 84, line 1-12; security device 31 communicating with network 24 to receive operating thumbprint from control devices 16 and compare with stored thumbprint, where the stored thumbprint are populated in a security table 92 of security device 31 along with timestamp of valid operating thumbprint 70 from a given control device 16),
marking the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify, at the verification platform, that the recorded hash value matches a hash value associated with the independently created version of the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata (para 78, line 1-6 and para 80, line 1-3; the thumbprint 70 is compared with a corresponding stored thumbprint to establish a reasonable probability that the source data of the control device 17 has not been modified or tampered with and the thumbprint may also include digital signature 82 for detection of tampering).
Chand does not teach receiving decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node; 
comparing data points of the stream of industrial data to the decision boundary information; and generating at least one of a global alert signal or a local alert signal based on the result of the comparison.
Mestha teaches receiving decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node (para 19, line 11-23 and para 20, line 1-10; threat detection computer 150 receives decision boundary data threat detection model creation computer 140, which includes normal space data and threatened space data from threat nodes, and monitors streams of data from nodes for industrial cyber-attack detection); 
comparing data points of the stream of industrial data to the decision boundary information; and2Application Serial No.: 16/176,293 Amendment and Response to August 7, 2020 Non-Final Office Actiongenerating at least one of a global alert signal or a local alert signal based on the result of the comparison (para 20, line 1-14 and para 26, line 1-17; threat detection computer 150 compares decision boundary data and streams of data from threat nodes and may output a threat alert signal to remote monitoring user devices 170 when appropriate).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide decision boundary data in cyber-attack detection and output a threat detection alert. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Regarding claim 12, Chand, Mestha, and Pattanaik teach method of claim 11.
	Chand teaches the compressed representation of the subset of industrial data combined with metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a thumbprint is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79)
Chand and Mestha do not teach the compressed representation comprises a Patricia-Merkle trie.
Pattanaik teaches the compressed representation comprises a Patricia-Merkle trie (Fig. 5B and para 91, line 7-11; Fig. 5B illustrates a binary hash tree (e.g. a Merkle tree) for generating hashed blocks of transaction records 590).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a Merkle tree for generating hashed blocks of transaction records. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Regarding claim 13, Chand, Mestha, and Pattanaik teach method of claim 11.
	Chand teaches the metadata includes at least one of (i) a pseudo identifier, (ii) a time stamp, (iii) a unique client identifier (para 80, line 1-12; thumbprint may include a digital signature and a timestamp for detection of tampering of the thumbprint), and (iv) data shape information.
Regarding claim 14, Chand, Mestha, and Pattanaik teach method of claim 11.
	Chand and Mestha do not teach the secure, distributed ledger comprises blockchain technology.
	Pattanaik teaches the secure, distributed ledger comprises blockchain technology (para 76, line 1-6; transaction management module 310 can maintain a ledger that is continuously updated for each transaction involving various parties in the blockchain).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a ledger continuously updated for each transaction involving various parties in a blockchain. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Regarding claim 15, Chand teaches a system to facilitate industrial asset cyber-attack detection algorithm verification (para 76, line 1-9; system including industrial controller captures portions of data to determine whether they have been tampered with or corrupted, comprising: 
a verification client (para 76, line 1-2; control device 16), including: 
a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, including a subset of the industrial asset cyber-attack detection algorithm data (para 61, line 4-8 and para 76, line 1-6; control devices 16 may include I/O modules providing input and output lines 18 allowing communication with sensors, and the data can be used to determine whether they have been tampered with or corrupted), and 
Chand does not teach the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset
Mestha teaches the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset (para 19, line 9-23; normal space data source 110 might store, for each of a plurality of threat nodes 130, a series of normal values over time that represent normal operation of an industrial asset control system (e.g., generated by a model or collected from actual sensor 130 data))
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide normal space data source might store a series of normal values over time that represent normal operation of an industrial asset control system collected from actual sensor data. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Chand teaches a verification client computer processor coupled to the data connection (para 68, line 1-3; control device 16 may also execute to receive outputs from the industrial controller 12 through the network interface) and adapted to: 
create a thumbprint from a hash of the subset of the industrial asset cyber-attack detection algorithm data and metadata (para 76, line 1-9 and para 80, line 5; control device 16 periodically generate a thumbprint, which is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79), 
Chand and Mestha do not teach a Patricia-Merkle trie
determine a hash trie value associated with the Patricia-Merkle trie,
receive a pseudo identifier from a verification engine, and
Pattanaik teaches a Patricia-Merkle trie (Fig. 5B and para 91, line 7-11; Fig. 5B illustrates a binary hash tree (e.g. a Merkle tree) for generating hashed blocks of transaction records 590)
determine a hash trie value associated with the Patricia-Merkle trie (Fig. 5B and para 98, line 1-8; transaction receipt includes a hash value associated with thee Merkle tree), 
receive a pseudo identifier from a verification engine (Fig. 3 and para 42, line 1-3 and para 45, line 1-4; client devices 110 receives transaction receipts from a central service provider 150 indicating that one or more transactions has been written to blockchain), and
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a Merkle tree containing hashes of transaction and receiving a transaction receipt in return. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand teaches transmit raw Patricia-Merkle trie data to a verification server along with metadata (para 77, line 1-6 and para 77, line 5-15 and para 80, line 1-3; transmit the generated thumbprint, which is generated from a hash compressed representation of environmental data from sensors, to a security device 31 and the thumbprint may also include digital signature and timestamp), 
the verification engine (para 76, line 1-6; security program 58), including: 
a verification engine computer processor (para 67, line 1-3; a processor within the control device and the control device performs operations using the security program) adapted to: 
receive the hash value from the verification client (para 76, line 1-6 and para 77, line 13-15; security program 58 generates a thumbprint using the hash on the control device 16), 
Chand and Mestha do not teach transmit a pseudo identifier to the verification client,
record the received hash trie value in a secure, distributed ledger, 
receive a transaction identifier from the secure, distributed ledger, and 
Pattanaik teaches transmit a pseudo identifier to the verification client (Fig. 3 and para 42, line 1-3 and para 45, line 1-4; client devices 110 receives transaction receipts, which indicates one or more transactions on the blockchain, from a central service provider 150),
record the received hash trie value in a secure, distributed ledger (para 43, line 9-15; each block in the blockchain can contain a hash value representing each transaction), 
receive a transaction identifier from the secure, distributed ledger (Fig. 3 and para 42, line 1-3 and para 45, line 1-4; client devices 110 receives transaction receipts from a central service provider 150 indicating that one or more transactions has been written to blockchain), and 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide storage of a hash value on a blockchain and receiving a transaction receipt in return. Doing so would allow the client device to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand teaches transmit the pseudo identifier and transaction identifier to the verification server (para 77, line 13-15 and para 80, line 1-9; transmit the digital signature 82 of the thumbprint, which is generated using a hash and may include a timestamp to the security device 31), and 
the verification server (para 83, line 1-4; security device 31 includes a memory holding a security table), including: 
a verification server computer processor (para 83, line 1-4; security device 31 includes a processor system) adapted to: 
receive the subset of the industrial asset cyber-attack detection algorithm data and metadata from the verification client (para 78, line 1-6 and para 80, line 1-9; security device 31 receives the thumbprint 70 of the source data from the control device 17 and the thumbprint may also include a timestamp for detection of tampering), 
receive the pseudo identifier and transaction identifier from the verification engine (para 77, line 13-15 and para 80, line 1-9; security device 31 receives the digital signature 82 of the thumbprint, which is generated using a hash and may include a timestamp), 
mark the subset of industrial asset cyber-attack detection algorithm data as invalid, store the subset of the industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store (para 76, line 1-18 and para 95, line 1-19; data captured from industrial controllers in the form of thumbprint 70 may be sent to security device 31, where they are compared with stored thumbprint 100 and may be identified as tampered in near real-time), 
the received subset of the industrial asset cyber-attack detection algorithm data and metadata (para 77, line 5-15 and para 78, line 3 and para 80, line 5; a corresponding stored thumbprint, which is generated from a hash compressed representation of environmental data from sensors and may include a timestamp 79),
Chand and Mestha do not teach independently create a Patricia-Merkle trie
retrieve the recorded hash value from the secure, distributed ledger, and 
Pattanaik teaches independently create a Patricia-Merkle trie (Fig. 3 and Fig. 5B and para 91, line 7-11; Fig. 5B illustrates a binary hash tree (e.g. a Merkle tree) containing hashed blocks of transaction records 590 generated by the central service provider 150) 41Docket No: 319996_1 (G30.244) 
retrieve the recorded hash value from the secure, distributed ledger (Fig. 3 and para 98, line 1-8; central service provider 150 generates a transaction receipt which includes a hash value from the block of transaction of a blockchain), and
 It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide for generating a Merkle tree by the central service provider and receiving a hash value from a blockchain. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand teaches mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after verifying that the recorded hash value matches a hash value (para 77, line 13-15 and para 78, line 1-6 and para 80, line 1-3; the thumbprint 70, generated from a hash, is compared with a corresponding stored thumbprint to establish a reasonable probability that the source data of the control device 17 has not been modified or tampered with)
Chand and Mestha do not teach a hash value associated with the independently created Patricia-Merkle trie.
Pattanaik teaches a hash value associated with the independently created Patricia-Merkle trie (Fig. 5B and para 91, line 7-11; Fig. 5B illustrates a binary hash tree (e.g. a Merkle tree) containing hashed blocks of transaction records 590 generated by the central service provider).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a Merkle tree containing hashed blocks of transaction records. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Chand does not teach receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node; 
compare data points of the stream of industrial data to the decision boundary information; and generate at least one of a global alert signal or a local alert signal based on the result of the comparison.
Mestha teaches receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node (para 19, line 11-23 and para 20, line 1-10; threat detection computer 150 receives decision boundary data threat detection model creation computer 140, which includes normal space data and threatened space data from threat nodes, and monitors streams of data from nodes for industrial cyber-attack detection); 
compare data points of the stream of industrial data to the decision boundary information; and2Application Serial No.: 16/176,293 Amendment and Response to August 7, 2020 Non-Final Office Actiongenerate at least one of a global alert signal or a local alert signal based on the result of the comparison (para 20, line 1-14 and para 26, line 1-17; threat detection computer 150 compares decision boundary data and streams of data from threat nodes and may output a threat alert signal to remote monitoring user devices 170 when appropriate).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand to incorporate the teachings of Mestha to provide decision boundary data in cyber-attack detection and output a threat detection alert. Doing so would protect an industrial asset control system from cyber threats, as recognized by Mestha in para 2, line 1-12.
Regarding claim 16, Chand, Mestha, and Pattanaik teach system of claim 15.
	Chand teaches the metadata includes at least one of (i) a pseudo identifier, (ii) a time stamp, (iii) a unique client identifier (para 80, line 1-12; thumbprint may include a digital signature and a timestamp for detection of tampering of the thumbprint), and (iv) data shape information.
Regarding claim 17, Chand, Mestha, and Pattanaik teach system of claim 15.
	Chand teaches the verification platform is associated with at least one of: (i) a single network cloud-hosted topology, (ii) a multiple network cloud-hosted topology, and (iii) a participant hosted intranet environment (para 62, line 1-10; industrial controllers 12 may communicate with control devices 16 by means of an industrial control network 24 for high reliability of data transmission).
Regarding claim 18, Chand, Mestha, and Pattanaik teach system of claim 15.
	Chand and Mestha do not teach the secure, distributed ledger comprises blockchain technology.
	Pattanaik teaches the secure, distributed ledger comprises blockchain technology (para 76, line 1-6; transaction management module 310 can maintain a ledger that is continuously updated for each transaction involving various parties in the blockchain).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chand and Mestha to incorporate the teachings of Pattanaik to provide a ledger continuously updated for each transaction involving various parties in a blockchain. Doing so would allow the client device 110 to verify that the transaction was appropriately written to the blockchain, as recognized by Pattanaik.
Regarding claim 19, Chand, Mestha, and Pattanaik teach system of claim 15.
	Chand teaches the data store, wherein the data store is adapted to provide information marked as being valid to a consuming platform (para 84, line 1-6 and para 86, line 1-7; the populated security table 92 containing valid thumbprints may be used to generate a number of standard security templates 120, which may be provided to standard control devices 16 by a packaging line).
Regarding claim 20, Chand, Mestha, and Pattanaik teach system of claim 19.
	Chand teaches the consuming platform adapted to utilize information marked as being valid in the data store (para 84, line 1-6 and para 86, line 1-7; the populated security table 92 containing valid thumbprints may be used to generate a number of standard security templates 120, which may be provided to standard control devices 16 by a packaging line).
Conclusion
4.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following are relevant prior arts: Biernat et al. (US Pub. 2019/0340269) discloses blockchain-enabled industrial devices and associated systems are configured to support the use of industrial blockchains in connection with product and machine tracking, subscription-based industrial services, and device lifecycle management; Mukkamala et al. (US Pub. 2017/0192414) discloses managing information about industrial assets or their use conditions, such as gathered from sensors embedded at or near industrial machines or assets themselves, can be aggregated, analyzed, and processed in software residing locally or remotely from the assets; Ng et al. (US Patent 10,491,624) discloses cyber attack vulnerability analyses including one or more cyber assets utilized by the entity, collecting infrastructure information regarding the one or more cyber assets, performing passive cyber security vulnerability testing on the one or more cyber assets using the collected infrastructure information, and assessing cyber security vulnerabilities of the one or more cyber assets.
5.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
6.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NHAN H NGUYEN whose telephone number is (571)272-6443.  The examiner can normally be reached on Monday-Friday 8:30am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on 571-272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NHAN HUU NGUYEN/Examiner, Art Unit 2492


/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492