DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/11/2022 has been entered.

Response to Amendment
This is in response to the amendments filed on 03/11/2022. Claims 1, 4-7, and 9-21 have been amended. Claims 1-24 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see page 9, filed 03/11/2022, with respect to the objection to claim 21 have been considered and are persuasive. The objection has been withdrawn.

Applicant’s arguments, see page 9, filed 03/11/2022, with respect to the rejection of claims 1-24 under 35 U.S.C. 112(a) have been considered and are persuasive. However, Applicant's amendment necessitated the new ground(s) of rejection as will be discussed below.
Applicant’s arguments, see page 9, filed 03/11/2022, with respect to the rejection of claims 1-24 under 35 U.S.C. 112(b) have been considered and are persuasive. However, Applicant's amendment necessitated the new ground(s) of rejection as will be discussed below.
Applicant’s arguments, see pages 10-14, filed 03/11/2022, with respect to the rejection of claims 1-24 under 35 U.S.C. 103 have been considered but are moot because the arguments do not apply to the references being used in the current rejection.
Meanwhile, on page 12 of Remarks, Applicant asserts that Caselli does not teach or suggest subject matter of "generating, from regular communication patterns based on the system-level correlations, candidate sequences of operationally valid control messages; determining sequences of operationally valid control messages that would result in actual harm based on an operational effect to the operational control system from each candidate sequence of operationally valid control messages." The Examiner respectfully disagrees.
In this regard, Caselli discloses that
we introduce some artificial example attacks into the trace to show the effectiveness against attacks; (see page 21, 8, emphasis added)

We run our detection algorithm (Equations 1 and 2) against 1 day of traffic captured on the same network. We minimize the threshold θ to 0.1 to alert any significant change within the transition probability sets. No malicious traffic is included in the dataset, therefore this test verifies detection resilience against false positives. ... To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2. (page 22, 8.2, emphasis added)

Thus, the two injected sequence attacks and the two inverted write messages teach generating candidate sequences. Here, the two sequence attacks are injected into the traffic, and the two inverted write messages concern the control of two different pumps; thus the two sequence attacks and the two inverted write messages are generated from regular communication patterns based on the system-level correlations, which teaches that the candidate sequences are generated from regular communication patterns based on the system-level correlations.
Caselli further discloses that
The Detection layer uses a set of “training models” as reference point (either of normal or abnormal behavior) and analyzes the differences of the “detection models”. Furthermore, the Detection layer is in charge of arising alerts to users when “detection models” show malicious patterns; (see page 16, 4, emphasis added)

To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2. … we replay the same 24 hours of real traffic plus the attacks to the intrusion detection system. Also in this case the SIDS raises the previous 211 false positives for the reasons discussed above. In addition, the S-IDS raises also eight correct alerts detecting both the attacks; (page 22, 8.2, emphasis added)

Each of these commands are perfectly legal when considered individually, while sending them in the specified order will bring the system to a critical state. (see page 14, 2.2, emphasis added)

That is, the two injected sequence attacks and the two inverted write messages teach candidate sequences, as stated above. Also, Caselli describes that the Detection layer is in charge of arising alerts to users when “detection models” show malicious patterns, and that the S-IDS raises also eight correct alerts detecting both the attacks, which teach determining sequences of operationally valid control messages. Caselli also describes that the specified order will bring the system to a critical state, which teaches sequences of operationally valid control messages that would result in actual harm; and we replay the same 24 hours of real traffic plus the attacks to the intrusion detection system, which teaches based on an operational effect to the operational control system.

On page 14 of Remarks, Applicant asserts that the search in the detection phase described in Caselli is directed to false positives, which when no attacks were carried out by intruders yet intrusions were detected, presumably in the same unknown/uncommon patterns described in the above paragraph. In contrast, amended claim 1 recites "determining sequences of operationally valid control messages that would result in actual harm." The Examiner respectfully disagrees.
In this regard, Caselli describes that 

To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2. … we replay the same 24 hours of real traffic plus the attacks to the intrusion detection system. Also in this case the SIDS raises the previous 211 false positives for the reasons discussed above. In addition, the S-IDS raises also eight correct alerts detecting both the attacks; (page 22, 8.2, emphasis added)

We show that our S-IDS is able to correctly identify sequence attack instances as well as keeping the number of false positives low. (page 23, 9, emphasis added)

Each of these commands are perfectly legal when considered individually, while sending them in the specified order will bring the system to a critical state. (see page 14, 2.2, emphasis added)

That is, Caselli is also able to correctly identify sequence attack instances that would result in actual harm. Further note that any attack would result in actual harm.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-24 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 recites the limitation “generating, from regular communication patterns based on the system-level correlations, candidate sequences of operationally valid control messages”, which however, does not appear to be described within the Specification. In this regard, Applicant appears to assert that support for this amendment can be found in paragraphs [0052]-[0062]. However, the Examiner does not find any relevant description that a skilled artisan would recognize applicant was in possession of the claimed invention. For example, the Specification describes that 
This novel technique generates and test candidate message sequences that appear normal and legal. (See paragraph [0054], Emphasis added)

In exemplary implementations, semantic fuzzing searches, based on the operational effect of the candidate message sequence, the space of legal messages for sequences that cause actual harm. (See paragraph [0015], Emphasis added)

However, the Specification does not describe that candidate sequences are generated from regular communication patterns based on the system-level correlations. As such, the Examiner suggests that Applicant point to specific language within the Specification that fully discloses the above noted limitation of claim 1; otherwise, Applicant should amend the claims to recite limitations fully supported within Applicant’s Specification.
Claim 14 recites the same features recited in claim 1 stated above. Therefore, claim 14 is rejected by applying the same rationale used to reject claim 1 above.
Claim 20 recites the limitation “… generate, from regular communication patterns based on the system-level correlations, predictive sequences of operationally valid control messages”, which however, does not appear to be described within the Specification. In this regard, for example, the Specification describes that 
using semantic fuzzing to generate predictive sequences of operationally valid control messages that would result in actual harm. (See paragraph [0104], Emphasis added)

However, the Specification does not describe that predictive sequences are generated from regular communication patterns based on the system-level correlations. As such, the Examiner suggests that Applicant point to specific language within the Specification that fully discloses the above noted limitation of claim 1; otherwise, Applicant should amend the claims to recite limitations fully supported within Applicant’s Specification.
Claims 2-13 and 21-24 are rejected under 112(a) as being dependent from the rejected claim 1; and claims 15-19 are rejected under 112(a) as being dependent from the rejected claim 14.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-24 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claims 1 and 14 each recite the limitation “generating, from regular communication patterns based on the system-level correlations, candidate sequences of operationally valid control messages.” It is unclear as to what is meant by this limitation. In other words, it is unclear as to how the regular communication patterns based on the system-level correlations are used or applied for generating the candidate sequences.
Claim 14 recites the same limitation recited in claim 1 stated above. Therefore claim 14 is rejected by applying the same rationale used to reject claim 1 above.
Claim 20 recites the limitation “… generate, from regular communication patterns based on the system-level correlations, predictive sequences of operationally valid control messages.” It is unclear as to what is meant by this limitation. In other words, it is unclear as to how the regular communication patterns based on the system-level correlations are used or applied for generating the predictive sequences.
Claims 2-13 and 21-24 are rejected under 112(b) as being dependent from the rejected claim 1; and claims 1-19 are rejected under 112(b) as being dependent from the rejected claim 14.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 2, 4, 5, 9, 12-16, 19, 21 and 23-24 are rejected under 35 U.S.C. 102(a)(1)&(a)(2) as being anticipated by Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”).

Regarding claim 1:
Caselli teaches:
An intrusion detection method for protecting against sequences of operationally valid control messages that in combination harm or disrupt devices in an operational control system comprising multiple devices (page 13, Abstract: we show how a specific series of “permitted” operations (-- sequences of operationally valid control messages that in combination) can elude standard intrusion detection systems and still damage an infrastructure (-- harm or disrupt devices in an operational control system) … we present a possible approach to the development of a sequence-aware intrusion detection system (S-IDS) (-- An intrusion detection method); page 13, 1: Instead, they exploit the possibility to arrange “valid” events (e.g. network messages, log entries, variable values) in a way that their presence, in relation with other operations, can cause problems to targeted devices (e.g., faults, failures); page 14, 2.1: ICS networks gather together a number of different devices. The so called “field devices” are close or connected to the physical process under control (-- devices in an operational control system comprising multiple devices)), the method including the steps of:
monitoring operationally valid control messages communicated in the operational control system (page 16, 4: The Reader is in charge of capturing raw information (e.g., files, network packets, data streams, etc.) (-- which also teaches monitoring operationally valid control messages); page 13, Abstract: we test the S-IDS on real ICS traffic samples (-- which teaches operationally valid control messages communicated in the operational control system) captured from a water treatment and purification facility);
gathering current contextual information which includes a set of physical constraints on control system properties (page 16, 4: The Reader is in charge of capturing raw information (e.g., files, network packets, data streams, etc.), and generates a uniform and identically formatted input stream for the S-IDS … We use two Reader instances to gather information from network messages and log files (-- gathering current contextual information); page 21, 8: we test our approach on data coming from real industrial deployments. What follows shows results gathered by our S-IDS from a water treatment and purification facility that uses Modbus communication; page 17, 5.3: A “sequence of events” related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters (-- current contextual information which includes a set of physical constraints on control system properties. Note that the variables represent physical or control parameters, which teaches current contextual information) … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries);
determining system-level correlations between different pairwise connections across the multiple devices based on the operationally valid control messages and the current contextual information (page 17, 6: the modeling process clusters in a model's state sequence events that share the same semantic meaning (-- determining system-level correlations based on the operationally valid control messages and the current contextual information). … in the “process variable” case, the DTMC states can cluster values belonging to a specific interval (e.g., temperature values discretized to integer scale); page 21, 8: What follows shows results gathered by our S-IDS from a water treatment and purification facility that uses Modbus communication (-- which also teaches based on the operationally valid control messages and the current contextual information); page 21, 8.1: Over the four hours of training, the infrastructure shows 20 different Modbus connections: 9 PLC-to-RTU, 3 PLC-to-PLC, and 6 PLC-to-SCADA Server, 1 SCADA Server-to-SCADA Server and 1 HMI-to-SCADA Server (-- which teaches determining system-level correlations between different pairwise connections across the multiple devices). Figure 6 (-- which also teaches determining system-level correlations based on the operationally valid control messages and the current contextual information) represents the result from our modeling approach applied to a communication involving a PLC and the SCADA server. Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second). Connections between PLCs and SCADA Server have instead higher variety of messages);
generating, from regular communication patterns based on the system-level correlations, candidate sequences of operationally valid control messages (page 18, 7: During the learning phase, a sequence-aware NIDS uses the techniques shown in Section 6 to build a model of regular behavior (-- regular communication patterns). Our assumption is that no malicious activity has yet been performed until this point, i.e., the learning input is free of malicious anomalies (-- sequences of operationally valid control messages) … During the detection phase we now search for unknown or uncommon patterns that are effects of semantic or sequence attacks carried by intruders; page 21, 8: To prove the effectiveness of the S-IDS we inject two sequence attacks (-- which also teaches candidate sequences of operationally valid control messages) into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps (-- generating, from regular communication patterns based on the system-level correlations, candidate sequences; here the two inverted write messages teach candidate sequences; the two write messages concern the control of two different pumps, which teaches from regular communication patterns based on the system-level correlations) and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2.); and
determining sequences of operationally valid control messages that would result in actual harm based on an operational effect to the operational control system from each candidate sequence of operationally valid control messages (page 16, 4: detection mechanisms will focus on a set of features contained and hidden within the sequences … The Detection layer uses a set of “training models” as reference point (either of normal or abnormal behavior) and analyzes the differences of the “detection models”. Furthermore, the Detection layer is in charge of arising alerts to users when “detection models” show malicious patterns (-- determining sequences of operationally valid control messages that would result in actual harm); page 18, 7: During the detection phase we now search for unknown or uncommon patterns that are effects of semantic or sequence attacks carried by intruders (-- which also teaches determining sequences of operationally valid control messages that would result in actual harm); page 21, 8: we introduce some artificial example attacks into the trace to show the effectiveness against attacks; page 22, 8.2: we replay the same 24 hours of real traffic plus the attacks (-- based on an operational effect to the operational control system) to the intrusion detection system. Also in this case the SIDS raises the previous 211 false positives for the reasons discussed above. In addition, the S-IDS raises also eight correct alerts detecting both the attacks (-- which also teaches determining sequences of operationally valid control messages that would result in actual harm); page 23, 9: We show that our S-IDS is able to correctly identify sequence attack instances as well as keeping the number of false positives low; page 14, 2.2: Each of these commands are perfectly legal when considered individually, while sending them in the specified order will bring the system to a critical state.);
reporting a threat when a harmful sequence of messages is identified (page 16, 4: the Detection layer is in charge of arising alerts to users (-- reporting a threat) when “detection models” show malicious patterns (-- when a harmful sequence of messages is identified); p. 22, 7.2 Detection algorithm: The detection mechanism flags as “anomalous” a DTMC state created in the detection phase that does not match with any state of a DTMC created in training phase; p. 22, 8.2 Detection Mechanism: the S-IDS raises also eight correct alerts detecting both the attacks.).
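
The learning and detection phases cited above for claim 1 (a DTMC of regular behavior built from traffic assumed free of attacks, then alerts on states that match no trained state or on transition probabilities that move by more than the threshold θ) can be shown with the following added example; it is not code from Caselli et al. or from the application under examination. The message fields, the polling and pump-control traces, and the value θ = 0.1 are constructed assumptions, and the two injected sequences mirror the two attacks quoted from Caselli Sec. 8.2.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# A control message is abstracted to a DTMC state key
# (function, unit id, register, value). Constructed, Modbus-like; not a capture.
State = Tuple[str, int, int, int]
Probs = Dict[State, Dict[State, float]]

R1 = ("READ", 1, 100, 0)   # SCADA server polls PLC unit 1 (constructed)
R2 = ("READ", 2, 100, 0)   # SCADA server polls PLC unit 2 (constructed)
SA = ("WRITE", 1, 10, 1)   # start pump A
SB = ("WRITE", 2, 10, 1)   # start pump B
TB = ("WRITE", 2, 10, 0)   # stop pump B
TA = ("WRITE", 1, 10, 0)   # stop pump A
POLL = [R1, R2]


def build_dtmc(trace: Iterable[State]) -> Tuple[Set[State], Probs]:
    """Learning phase: states are the distinct message keys; transition
    probabilities are estimated from consecutive message pairs."""
    msgs = list(trace)
    counts: Dict[State, Counter] = defaultdict(Counter)
    for prev, nxt in zip(msgs, msgs[1:]):
        counts[prev][nxt] += 1
    probs: Probs = {
        s: {t: n / sum(c.values()) for t, n in c.items()}
        for s, c in counts.items()
    }
    return set(msgs), probs


def detect(trace: Iterable[State], known: Set[State], trained: Probs,
           theta: float = 0.1) -> List[tuple]:
    """Detection phase: rebuild a DTMC from the observed trace and compare it
    with the trained one.  Alerts are raised for (a) states matching no
    trained state and (b) transitions whose probability moved by more than
    theta, which covers transitions the trained model never saw (p_train=0)."""
    det_states, det_probs = build_dtmc(trace)
    alerts: List[tuple] = []
    for s in sorted(det_states - known):
        alerts.append(("unknown_state", s))
    for s, outs in det_probs.items():
        if s not in trained:          # no trained out-transitions to compare
            continue
        for t, p in outs.items():
            p_train = trained[s].get(t, 0.0)
            if abs(p - p_train) > theta:
                alerts.append(("transition", s, t, round(p, 3), round(p_train, 3)))
    return alerts


def normal_cycle() -> List[State]:
    """Constructed benign pattern: periodic polling, pumps started A-then-B
    and later stopped B-then-A (the ordering the process depends on)."""
    return POLL * 10 + [SA, SB] + POLL * 10 + [TB, TA]


# Learning input, assumed free of malicious activity.
TRAINING_TRACE = normal_cycle() * 5
KNOWN_STATES, TRAINED = build_dtmc(TRAINING_TRACE)

# Replayed traffic with the two quoted attack types injected:
# 1) the two pump write messages inverted, 2) repeated start/stop on one pump.
# Every message is individually legal; only the order is anomalous.
ATTACK_TRACE = (normal_cycle() * 5
                + [SB, SA]
                + POLL * 10
                + [SA, TA] * 3
                + POLL * 10)

if __name__ == "__main__":
    # Replaying the clean training traffic checks resilience to false positives.
    print("clean replay alerts:", detect(TRAINING_TRACE, KNOWN_STATES, TRAINED))
    for alert in detect(ATTACK_TRACE, KNOWN_STATES, TRAINED):
        print(alert)
```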

Regarding claim 2:
Caselli teaches:
The method of claim 1.
Caselli further teaches:
wherein the operational control system is a manufacturing control system that controls machines used for manufacturing products (p. 21, 8.1: Figure 6 represents the result from our modeling approach applied to a communication involving a PLC and the SCADA server. --- It is noted that it is well known that the PLC and SCADA are used in a manufacturing control system).

Regarding claim 4:
Caselli teaches:
The method of claim 1, wherein the determining the sequences of operationally valid control messages includes …
Caselli further teaches:
using current messages as starting points and generating subsequent messages that are predicted to be harmful (page 22, 8.2: To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages (-- using current messages as starting points and generating subsequent messages that are predicted to be harmful; Note that invert two write messages means invert current messages (as starting points) to two sequence attacks which are predicted to be harmful) concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2).

Regarding claim 5:
Caselli teaches:
The method of claim 1, further including …
Caselli further teaches:
evaluating harmfulness of the determined sequences of operationally valid control messages using one or more behavior oracles (page 16, 4: The Detection layer describes all detection algorithms used with the models ... The Detection layer uses a set of “training models” as reference point (either of normal or abnormal behavior) and analyzes the differences of the “detection models”. Furthermore, the Detection layer is in charge of arising alerts to users when “detection models” show malicious patterns; page 19, 7.2 Detection algorithm: In the detection phase we evaluate differences between trained DTMCs and DTMCs built up during detection. – Here, the Detection algorithm and Detection model teach one or more behavior oracles).

Regarding claim 9: 
Caselli teaches:
The method of claim 5, wherein the one or more behavior oracles include …
Caselli further teaches:
a simple static context (SSC) oracle that is configured to compare a set of values in a message sequence against an allowable range for the set of values (page 16, 3: The … extract variable values from devices' network communications and use autoregression modeling and control limits to monitor their changes over time. When a value does not fit the model or exceeds the control limits, the intrusion detection system raises an alert providing the correct expected behavior. --- It is noted that variable values teaches a set of values in a message sequence; the control limits teaches an allowable range for the set of values; a value exceeds the control limits teaches compare a set of values in a message sequence against an allowable range for the set of values; thus, this approach teaches a simple static context (SSC) oracle).

Regarding claim 12: 
Caselli teaches:
The method of claim 5, wherein the one or more behavior oracles include… 
Caselli further teaches:
a physical (PHY) oracle that is configured to use equipment to directly observe physical effects of sequences of operationally valid control messages (page 17, 5.3: Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries; Section 3: Security solutions such as intrusion detection systems can not recognize semantic attacks without any knowledge of the infrastructure and the physical processes under control; Section 8.2: To prove the effectiveness of the S-IDS we inject two sequence attacks into the traffic. Discussing with the operators, we decide to perform the following two attacks: 1) we invert two write messages concerning the control of two different pumps and 2) we trigger several start and stop commands on the same pump. The choice of these two attacks follows the two threat scenarios presented in Sec. 2.2. Due to the criticality of the water infrastructure we were not allowed to test the attacks on the real network. For this reason we replay the same 24 hours of real traffic plus the attacks to the intrusion detection system. Also in this case the SIDS raises the previous 211 false positives for the reasons discussed above. In addition, the S-IDS raises also eight correct alerts detecting both the attacks; Section 1: Instead, they exploit the possibility to arrange “valid” events (e.g. network messages, log entries, variable values) in a way that their presence, in relation with other operations, can cause problems to targeted devices (e.g., faults, failures). … a sequence attack being the cause of “water hammer effects” … By closing and opening these valves with the right timing the authors succeed to increase the pressure to a critical value.
--- It is noted that closing and opening valves and control pumps teaches use equipment; closing and opening with the right timing and start and stop commands teaches sequences of operationally valid control messages; water hammer effects teaches directly observe physical effects; thus the S-IDS of which effectiveness is proved by using the pump and valve teaches a physical (PHY) oracle).

Regarding claim 13: 
Caselli teaches:
The method of claim 1. 
Caselli further teaches:
wherein reporting the threat includes reporting anomalous message sequences or reporting an estimated failure state based on current messaging (Section 4: the Detection layer is in charge of arising alerts to users when “detection models” show malicious patterns; Section 2.2: These valves can be rapidly opened and closed causing a so-called water hammer effect, which could result in a large number of simultaneous main breaks in the pipeline. --- It is noted that breaks in the pipeline resulting from malicious patterns teach an estimated failure state based on current messaging).

Regarding claim 14:
Claim 14 recites an intrusion detection system which corresponds to the method of claim 21, and contains no additional limitations. Therefore claim 14 is rejected by applying the same rationale used to reject claim 21 below.

Regarding claim 15:
Claim 15 recites the intrusion detection system which corresponds to the method of claim 4, and contains no additional limitations. Therefore claim 15 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 16:
Claim 16 recites the intrusion detection system which corresponds to the method of claim 5, and contains no additional limitations. Therefore claim 16 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 19:
Claim 19 recites the intrusion detection system which corresponds to the method of claim 13, and contains no additional limitations. Therefore claim 19 is rejected by applying the same rationale used to reject claim 13 above.

Regarding claim 21: 
Caselli teaches:
The method of claim 1, wherein the step of gathering the current contextual information further comprises … 
Caselli teaches:
polling one or more of the multiple devices to obtain the current contextual information (Section 8.1 & Figure 6: Over the four hours of training, the infrastructure shows 20 different Modbus connections: 9 PLC-to-RTU, 3 PLC-to-PLC, and 6 PLC-to-SCADA Server, 1 SCADA Server-to-SCADA Server and 1 HMI-to-SCADA Server. … Most of the Modbus connections involve just one or two Modbus requests and responses sent periodically (e.g., once every second); Section 5.1: … the context of network communications … communication patterns (e.g., pushing vs. polling) being used in ICS; Section 5.3: Usually, ICSs deal with thousands of variables that represent physical or control parameters. --- It is noted that most of the Modbus connections (between PLCs, RTUs, and servers) involve just one or two Modbus requests and responses sent periodically (e.g., once every second), that communication patterns (e.g., polling) are used in ICS, and that ICSs deal with thousands of variables that represent physical or control parameters, which teaches polling one or more of the multiple devices to obtain current [contextual] information).

Regarding claim 23: 
Caselli teaches:
The method of claim 21, further comprising … 
Caselli further teaches:
measuring inter-arrival times between operationally valid control messages (Section 6: Timestamp of Modbus “Request/Response" element. --- which teaches measuring inter-arrival times between operationally valid control messages). 

Regarding claim 24: 
Caselli teaches:
The method of claim 1, wherein the current contextual information further comprises …
Caselli further teaches:
one or more of (i) static physical context data, (ii) dynamic physical context data, (iii) static cyber context data, (iv) dynamic cyber context data, (v) any one or more of (i), (ii), (iii), (iv). (Section 5.3: A “sequence of events" related to a process variable describes how its value changes over time … Usually, ICSs deal with thousands of variables that represent physical or control parameters … modeling a quantity such as a temperature or a pressure can give useful insights on the behavior of a system component and its physical boundaries. --- It is noted that physical parameters such as a temperature or a pressure teach dynamic physical context data, and physical boundaries teach static physical context data. In this regard, the specification describes that static physical context comprises the fixed constraints of the system, such as the critical ranges and limits of components. … The dynamic context, on the other hand, captures the system's status during operation in real-time. This context includes the condition of the process (e.g., pressure, power level, temperature) and the transient communication patterns (e.g., message rate, observed messages, transmitting nodes). (See para. [0037])).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”) in view of Ruvio et al. (US 2018/0196941 A1; hereinafter, “Ruvio”).

Regarding claim 3: 
Caselli teaches:
The method of claim 1.
Caselli is silent about:
wherein the devices are vehicles.
Ruvio, in the same field of endeavor, teaches:
wherein the devices are vehicles (para. [0089]: Anomaly-based intrusion detection involves creating models that specify what is “normal”, or in other words, what is considered a legitimate traffic on the vehicle's network and what could be marked as suspicious. One important tool is to define the relations between different network frames; para. [0116]: The term “attack” in reference to an ‘attack originator’ refers herein to any attempted damage, unauthorized use or unauthorized access to bus communication or any connected ECU.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to apply the intrusion detection method in vehicles, as taught by Ruvio, in order to protect vehicle systems from cyber-attacks.
The motivation is to enable identification of the network architecture, the malicious communication source, and malicious frames, for providing security in a cost-effective, efficient manner to automotive bus communication systems. (Ruvio, para. [0017]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”) in view of Bowman-Amuah (WO 2001/017169 A2; hereinafter, “Bowman-Amuah”).

Regarding claim 6: 
Caselli teaches:
The method of claim 5, wherein the evaluating harmfulness includes … 
Caselli further teaches:
determining whether the determined sequences of operationally valid control messages induce operational drift towards a failure state for one or more of the multiple devices (page 13, 1: Instead, they exploit the possibility to arrange “valid" events (e.g. network messages, log entries, variable values) in a way that their presence, in relation with other operations, can cause problems to targeted devices (e.g., faults, failures)).
Caselli is silent about:
… determining whether the … messages induce operational drift towards a failure state for one or more of the multiple devices.
Bowman-Amuah, in the same field of endeavor, teaches:
… determining whether the … messages induce operational drift towards a failure state for one or more of the multiple devices (P. 3: First, a performance of a network is monitored. Any degradation in the performance of the network is identified. A future performance of the network is then predicted based on the identified degradation in the performance of the network. Then the predicted future performance is compared to performance requirements of service level agreements of a plurality of network users to identify any future problems in meeting the performance requirements. The network is reconfigured to avoid the problems in meeting the performance requirements; p. 102: The present invention includes data mining capability that provides the capability to analyze network management data looking for patterns and correlations across multiple dimensions. The system also constructs models of the behavior of the data in order to predict future growth or problems and facilitate managing the network in a proactive, yet cost-effective manner).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to evaluate whether the sequences of commands and data degrade performance, as taught by Bowman-Amuah, in order to predict future performance.
The motivation is to identify and avoid the problems in meeting the performance requirements by predicting future performance of the network based on the identified degradation in the performance of the network (Bowman-Amuah, p. 3).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”) in view of Kontogiannis (“HIERARCHICAL ORACLES FOR TIME-DEPENDENT NETWORKS“, 2015; hereinafter, “Kontogiannis”).

Regarding claim 7:  
Caselli teaches:
The method of claim 5. 
Caselli further teaches:
wherein the one or more behavior oracles include a set of … oracles … (page 16, 4: The Detection layer describes all detection algorithms used with the models ... The Detection layer uses a set of “training models" as reference point (either of normal or abnormal behavior) and analyzes the differences of the “detection models". Furthermore, the Detection layer is in charge of arising alerts to users when “detection models" show malicious patterns; page 19, 7.2 Detection algorithm: In the detection phase we evaluate differences between trained DTMCs and DTMCs built up during detection. --- Here, the detection algorithm and detection model teach one or more behavior oracles. It is noted that the algorithms teach behavior oracles).
Caselli is silent about:
… a set of hierarchical oracles, and wherein a subset of the set of hierarchical oracles are used for the evaluating.
Kontogiannis teaches:
… a set of hierarchical oracles, and wherein a subset of the set of hierarchical oracles are used for the evaluating (p. 10, Section 5.2: Performance of HORN (This stands for Hierarchical ORacle for time-dependent Networks, see p. 8). The construction of the required travel-time summaries for HORN is based on the BIS + TRAP preprocessing scenario; p. 2: That algorithm, called the bisection method (BIS), is based on bisecting the common departure-time axis for a given origin and all possible destinations, when the arc-cost metric satisfies a slightly stricter assumption than just the FIFO property. BIS requires … time-dependent shortest path functions …; p. 3: A novel efficient algorithm (TRAP) for constructing one-to-all (1 + ε)-summaries of the time dependent shortest path function).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to use a hierarchical oracle over time-dependent functions, as taught by Kontogiannis, in consideration of computational expense.
The motivation is to minimize computational expense by using a hierarchical oracle over time-dependent functions to identify and avoid the problems (Kontogiannis, p. 3, section 1.2).
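The rejections of claim 23 (inter-arrival times between operationally valid control messages, Caselli Section 6) and claim 7 (comparing trained DTMCs against DTMCs built during detection, Caselli Section 7.2) both rest on the same sequence-aware detection idea. The following is an added example written for this page; it is not code from the Office action, from Caselli, or from any cited reference. It estimates a discrete-time Markov chain over control-message events and per-connection request inter-arrival statistics from a training capture, then reports where a detection window diverges: events never seen, transitions never seen (each message valid on its own, but the ordering new), transition-probability drift, and polling gaps outside the trained band. The device names, Modbus function codes, thresholds and message timings are constructed assumptions, not values from the page.

```python
# Added example (not from the Office action, Caselli, or any cited reference):
# a sequence-aware detector in the style the rejection describes. All message
# data is constructed; device names, function codes and thresholds are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Msg:
    ts: float   # seconds since capture start
    src: str
    dst: str
    fc: int     # Modbus function code (3 = read holding registers, 6 = write single register)
    role: str   # "req" or "resp"

    @property
    def event(self):
        """The DTMC state: who talks to whom, with which function code, request or response."""
        return (self.src, self.dst, self.fc, self.role)


def build_dtmc(msgs):
    """Estimate transition probabilities between consecutive events (a DTMC)."""
    counts = defaultdict(Counter)
    for a, b in zip(msgs, msgs[1:]):
        counts[a.event][b.event] += 1
    return {s: {t: c / sum(nxt.values()) for t, c in nxt.items()}
            for s, nxt in counts.items()}


def inter_arrival_stats(msgs):
    """Mean and population stdev of request inter-arrival time per (src, dst, fc)."""
    times = defaultdict(list)
    for m in msgs:
        if m.role == "req":
            times[(m.src, m.dst, m.fc)].append(m.ts)
    stats = {}
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2:
            stats[key] = (mean(gaps), pstdev(gaps))
    return stats


def detect(train, window, drift=0.3, k=3.0, rel_tol=0.1):
    """Compare a detection window against the trained DTMC and timing model."""
    trained = build_dtmc(train)
    known = set(trained) | {t for nxt in trained.values() for t in nxt}
    det = build_dtmc(window)
    alerts = []
    # 1. events (endpoints + function code) never observed in training
    for m in window:
        if m.event not in known:
            alerts.append(("unknown-event", m.ts, m.event))
    # 2. transitions between known events that training never showed
    for a, b in zip(window, window[1:]):
        if a.event in trained and b.event not in trained[a.event]:
            alerts.append(("unknown-transition", b.ts, a.event, b.event))
    # 3. drift of transition probabilities present in both chains
    for s, nxt in det.items():
        for t, p in nxt.items():
            q = trained.get(s, {}).get(t)
            if q is not None and abs(p - q) > drift:
                alerts.append(("drift", s, t, round(q, 3), round(p, 3)))
    # 4. request inter-arrival gaps outside mean +/- max(k*stdev, rel_tol*mean)
    stats = inter_arrival_stats(train)
    times = defaultdict(list)
    for m in window:
        if m.role == "req" and (m.src, m.dst, m.fc) in stats:
            times[(m.src, m.dst, m.fc)].append(m.ts)
    for key, ts in times.items():
        mu, sd = stats[key]
        tol = max(k * sd, rel_tol * mu)
        for a, b in zip(ts, ts[1:]):
            if abs((b - a) - mu) > tol:
                alerts.append(("timing", b, key, round(b - a, 3)))
    return alerts


def alert_counts(alerts):
    """Number of alerts per kind, for a quick summary."""
    return Counter(a[0] for a in alerts)


def poll_cycle(t0, src, dst, fc, n, period=1.0, latency=0.05):
    """Constructed periodic request/response pairs (one poll per second, as in the text)."""
    msgs = []
    for i in range(n):
        msgs.append(Msg(t0 + i * period, src, dst, fc, "req"))
        msgs.append(Msg(t0 + i * period + latency, dst, src, fc, "resp"))
    return msgs


# Constructed training capture: PLC1 reads RTU1 holding registers once per second.
TRAIN = poll_cycle(0.0, "PLC1", "RTU1", 3, 10)

# Constructed detection window: the same polling, plus an HMI write straight to the
# PLC (valid Modbus, but a pairing never trained) and a burst poll at 2.2 s.
WINDOW = sorted([
    *poll_cycle(0.0, "PLC1", "RTU1", 3, 4),
    Msg(1.5, "HMI", "PLC1", 6, "req"),
    Msg(1.55, "PLC1", "HMI", 6, "resp"),
    Msg(2.2, "PLC1", "RTU1", 3, "req"),
    Msg(2.25, "RTU1", "PLC1", 3, "resp"),
], key=lambda m: m.ts)

if __name__ == "__main__":
    for alert in detect(TRAIN, WINDOW):
        print(alert)
```

On the constructed window the detector raises two unknown-event alerts (the HMI write and its response), one unknown-transition alert (a trained response followed by that write), and two timing alerts (the 0.2 s burst gap and the 0.8 s gap that follows it); with the default drift threshold the 0.75 vs. 1.0 response-to-request probability is not reported, which is the trade-off a hierarchy of cheaper and more exact checks, as claim 7 describes, is meant to tune.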

Claims 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”) in view of Scheidt (US 2016/0063870 A1; hereinafter, “Scheidt”).

Regarding claim 10: 
Caselli teaches:
The method of claim 5, wherein the one or more behavior oracles include … 
Caselli is silent about:
a high fidelity simulator (HFS) oracle that is configured to simulate an environment for the operational control system to determine effects of message sequences on normal operations.
Scheidt, in the same field of endeavor, teaches:
a high fidelity simulator (HFS) oracle that is configured to simulate an environment for the operational control system to determine effects of message sequences on normal operations (para. [0003]: since the AUV is expected to be tested on a test range where both the test environment and the real world environment must be considered relative to safety concerns, it can be appreciated that the testing of such platforms can be difficult. Thus, a mechanism by which to evaluate AUV performance with improved realism in a cost effective manner is clearly desirable; para. [0021]: The high fidelity stimulator 154 may include (or otherwise operate under the control of) processing circuitry that is configured to send or generate high fidelity simulation data for the AUV 100. The high fidelity simulation data may include high complexity fluid dynamics related data or other complex modeling data to create very accurate information for consumption by the AUV 100 to simulate encounters with other devices, objects, or vehicles).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to utilize the high fidelity simulator, as taught by Scheidt, in order to evaluate system performance.
The motivation is to evaluate system performance with improved realism in a cost effective manner (Scheidt, paras. [0003]&[0021]).

Regarding claim 18:
Claim 18 recites the intrusion detection system which corresponds to the method of claim 10, and contains no additional limitations. Therefore claim 18 is rejected by applying the same rationale used to reject claim 10 above.

Claims 11 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”) in view of Yao et al. (“Provenance-based Indexing Support in Micro-blog Platforms”, 2012; hereinafter, “Yao”).

Regarding claim 11:  
Caselli teaches:
The method of claim 5, wherein the one or more behavior oracles used include … 
Caselli is silent about:
a message provenance oracle that is configured to predict subsequent sequences of non-harmful control messages. 
Yao, in the same field of endeavor, teaches:
a message provenance oracle that is configured to predict subsequent sequences of non-harmful control messages (p. 559, left col.: we propose a provenance based indexing approach to explore and manage the micro-blog messages. Provenance discovery [5], [6] is an important technique to derive the source and transformation from large amounts of data. Provenance information describes the origin and the development of data in their life cycles. It has been demonstrated useful in many domains, such as business workflow, scientific processing and database query analysis).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to include a provenance-based indexing approach, as taught by Yao, in order to predict the probability of an element.
The motivation is to predict the probability of an element by deriving the source and transformation from the sequence of elements using the provenance based indexing approach (Yao, p. 559, left col.).

Regarding claim 20:
Claim 20 recites an intrusion detection method which corresponds to the method of claim 21, and additionally contains message provenance. However, Yao teaches message provenance as stated below. Therefore claim 20 is rejected by applying the same rationale used to reject claim 21 and Yao’s teaching below.
Yao teaches:
… message provenance … (p. 559, left col.: we propose a provenance based indexing approach to explore and manage the micro-blog messages. Provenance discovery [5], [6] is an important technique to derive the source and transformation from large amounts of data. Provenance information describes the origin and the development of data in their life cycles. It has been demonstrated useful in many domains, such as business workflow, scientific processing and database query analysis).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to include a provenance-based indexing approach, as taught by Yao, in order to predict the probability of an element.
The motivation is to predict the probability of an element by deriving the source and transformation from the sequence of elements using the provenance based indexing approach (Yao, p. 559, left col.).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Caselli et al. (“Sequence-aware Intrusion Detection in Industrial Control Systems”, 2015; hereinafter, “Caselli”), and further in view of Vidal et al. (US 2009/0077277 A1; hereinafter, “Vidal”).

Regarding claim 22:  
Caselli teaches:
The method of claim 21, further comprising … the current contextual information … the one or more of the multiple devices.
Caselli is silent about:
capturing, in …information, different polling frequencies used to poll the … devices.
Vidal, in the same field of endeavor, teaches:
capturing, in … information, different polling frequencies used to poll the one or more of the multiple devices (para. [0022]: In a fourth aspect of the invention, a client device adapted to communicate with a host device over a serial bus is disclosed. In one embodiment, the host device is adapted to poll the second device to determine whether the client device has data to be transferred to the host device, and the client device comprises: a first module adapted to determine whether the host device should poll the client device at a different frequency than the client device is currently being polled; and a second module adapted to transmit a signal to the host device, the signal indicating to the host device to poll the client device at the different frequency; para. [0026]: the program being adapted to selectively poll one or more client devices based on evaluation of one or more parameters (e.g., non-productive polling intervals, etc.). --- It is noted that a second module transmits a signal to the host device, and the signal indicating to the host device to poll the client device at the different frequency teaches capturing, in information, different polling frequencies used to poll; poll one or more client devices teaches poll the one or more of the multiple devices).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Caselli’s system by enhancing Caselli’s system to select a timing scheme for polling, as taught by Vidal, in order to receive the data from the different devices at different rates. 
The motivation is to preserve power in both the host and the client, and also to free up available bus bandwidth for useful operations.

Allowable Subject Matter
Claims 8 and 17 are rejected under 35 U.S.C. 112(a) and (b) as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and to overcome the rejection(s) of the rejected base claim set forth in this Office action.

The following is a statement of reasons for the indication of allowable subject matter: Caselli in view of Kontogiannis teaches the intrusion detection method of claim 7 from which claim 8 depends. 
What is missing from the prior art is the method comprising at least two hierarchical oracles of the set of hierarchical oracles varying in computational complexity, and wherein the subset is selected based on timing constraints, recited in claim 8 when considered in view of the other limitations recited by claims 1, 5, and 7 in their entirety. Thus, claim 8 is deemed allowable over the prior art of record. Claim 17 recites a system which corresponds to the method of claim 8, and contains at least the limitations stated above. Therefore, claim 17 is also deemed allowable over the prior art of record for the same reason applied to claim 8 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Yoon et al. (“Communication pattern monitoring: Improving the utility of anomaly detection for industrial control systems”, 2014) discloses a method for modeling ICS device communication behavior by using sequences of requests and replies, which are generated by regular communication patterns, to determine the state of a device. Ray (US 10,692,032 B2) discloses a cyber security and risk management system provided with a broad range of contextual information which consists of data from various sources including real-time operating conditions, as well as physical, operational, legal, and regulatory constraints of the enterprise business and operational processes; and real-time operating conditions, as well as physical, operational, legal, and regulatory constraints of the enterprise IT infrastructure, which also hosts the cyber security infrastructure (ST). (See col. 7, ll. 32-45). Jorgenson et al. (US 2005/0243729 A1) discloses a cost-effective approach to fault diagnosis in computer networks which defines a form of event correlation using a dynamic Bayesian network approach.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KHOI TRAN can be reached on (571)-272-6919.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/W.Y./Examiner, Art Unit 3664
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491