Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1-4, 7-14, 16, 18-21 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, have been fully considered, and are persuasive.

Allowable Subject Matter
1.	Amended claims 1-4, 7-14, 16, 18-21 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. Claims 5, 6, 15 and 17 are cancelled.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with John Curtin (attorney) for filed amended claims:
1. (Currently Amended) An unsupervised method for the continuous, real-time detection of abnormal traffic in an industrial network comprising: collecting data from endpoints of the industrial network; grouping the collected data into sets of data, each set representing data that is grouped into a set during an adjustable time period before the time period expires; aggregating and mapping the data that is within each set to a single multi-dimensional point value; normalizing each of the multi-dimensional point values whereby no individual feature of the collected data dominates any other feature of the collected data; extracting value by executing a machine learning process that computes a lower dimensional representation of the collected data; identifying each set of extracted data in real-time as normal or abnormal once the data has been grouped into groups of data by determining whether a scaled, real-time reconstruction error (RE) value is below or above a RE threshold value, the RE threshold value based on a previously computed error between what is output by the machine learning process for a given input based on data previously collected during normal operation of the industrial network; determining the number of sets of data within an adjustable, attack detection time period (hereafter "window") that have been so-identified as abnormal among all time periods within the window; computing a percentage based on the number of identified abnormal sets of data within the window divided by the total number of normal and abnormal sets of data within the window, and declaring the data, within the abnormal sets within the window, attack data when the computed percentage is greater than a threshold percentage, wherein declaring an attack when a plurality of consecutive adjustable time periods are classified attack time periods and wherein collecting the data from collection means configured and connected close to an end point of the network.
2. (Original) The method as in claim 1 wherein the threshold percentage is 50%.  
3. (Original) The method in claim 1 wherein the RE threshold is computed as a value for which 90% of the data within a previous training set of data has lower real-time RE value and the remaining data in the training set has higher RE values.
4. (Original) The method as in claim 1 wherein the adjustable time period is ten seconds.  
5. (Cancelled).  
6. (Cancelled).   
7. (Original) The method as in claim 1 further comprising collecting the data from collection means configured and connected close to an end point of the network.  
8. (Original) The method as in claim 1 further comprising collecting the data by executing packet capture process or virtual machine/container.  
9. (Original) The method as in claim 8 wherein the virtual machine/container comprises tcpdump.  
10. (Currently Amended) An unsupervised method for detecting the source of an attack in an industrial network comprising: collecting data from one or more endpoints of the industrial network that are suspected of being sources of an attack; normalizing the collected data whereby no individual feature of the collected data dominates any other feature of the collected data: electronically filter out data that originates from sources that are not directed at a target; generating a scaled, RE value based on data from sources that are directing data at the target during the attack; comparing the generated, scaled RE value to a previously computed RE threshold associated with the target based on non-attack traffic patterns; declaring one or more of the sources to be a source of the attack when the generated RE value exceeds the RE threshold, wherein declaring an attack when a plurality of consecutive adjustable time periods are classified attack time periods and wherein collecting the data from collection means configured and connected close to an end point of the network.
11. (Original) The method as in claim 1 where Machine Learning model training is repeated periodically and computing the RE threshold is repeated periodically using data collected since the last time the training was performed.  
12. (Currently Amended) A hardware controller operable to control an unsupervised, continuous, real-time detection of abnormal traffic in an industrial network by: collecting data from endpoints of the industrial network; grouping the collected data into sets of data, each set representing data that is grouped into a set during an adjustable time period before the time period expires; aggregating and mapping the data that is within each set to a single multi-dimensional point value; normalizing each of the multi-dimensional point values so no individual feature of the collected data dominates any other feature of the collected data; extracting value by executing a machine learning process that computes a lower dimensional representation of the collected data; identifying each set of extracted data in real-time as normal or abnormal once the data has been grouped into groups of data by determining whether a scaled, real-time reconstruction error (RE) value is below or above a RE threshold value, the RE threshold value based on a previously computed error between what is output by the machine learning process for a given input based on data previously collected during normal operation of the industrial network; determining the number of sets of data within an adjustable, attack detection time period (hereafter "window") that have been so-identified as abnormal among all time periods within the window; computing a percentage based on the number of identified abnormal sets of data within the window divided by the total number of normal and abnormal sets of data within the window, and declaring the data, within the abnormal sets within the window, attack data when the computed percentage is greater than a threshold percentage, wherein declare an attack when a plurality of consecutive adjustable time periods are classified attack time periods and wherein collect the data from collection means configured and connected close to an end point of the network.
13. (Original) The hardware controller as in claim 12 wherein the threshold percentage is 50%.  
14. (Original) The hardware controller as in claim 12 wherein the RE threshold is computed as a value for which 90% of the data within a previous training set of data has lower real-time RE value and the remaining data in the training set has higher RE values.  
15. (Cancelled).  
16. (Original) The hardware controller as in claim 12 wherein the machine learning process comprises an autoencoding process or principle component analysis process.  
17. (Cancelled).  
18. (Original) The hardware controller as in claim 12 further operable to collect the data by executing packet capture process or virtual machine/container.  
19. (Original) The hardware controller as in claim 18 wherein the virtual machine/container comprises tcpdump.  
20. (Currently Amended) The hardware controller as in claim 12 further operable to detect the source of an attack in an industrial network by: collecting data from one or more endpoints of the industrial network that are suspected of being sources of an attack; electronically filter out data that originates from sources that are not directed at a target; generating a scaled, RE value based on data from sources that are directing data at the target during the attack; comparing the generated, scaled RE value to a previously computed RE threshold associated with the target based on non-attack traffic patterns; declaring one or more of the sources to be a source of the attack when the generated, scaled RE value exceeds the RE threshold.  
21. (Original) The hardware controller as in claim 20 where the controller is operable to repeatedly and periodically complete a Machine Learning model training and where computing the RE threshold is repeated periodically using data collected since the last time the training was performed.
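
The detection steps recited in claims 1-3 can be followed end to end in a short Python sketch. This is an added illustration, not part of the office action or the application. It assumes three per-period features (packets, bytes, distinct destination ports), a one-component principal component analysis (found by power iteration) as the lower dimensional representation, and constructed sample values.

```python
import math

def fit(train):
    """Learn normalization and one principal axis from normal-operation periods."""
    n, d = len(train), len(train[0])
    mean = [sum(p[j] for p in train) / n for j in range(d)]
    std = [math.sqrt(sum((p[j] - mean[j]) ** 2 for p in train) / n) or 1.0 for j in range(d)]
    z = [[(p[j] - mean[j]) / std[j] for j in range(d)] for p in train]
    cov = [[sum(r[a] * r[b] for r in z) / n for b in range(d)] for a in range(d)]
    axis = [1.0] * d
    for _ in range(200):  # power iteration converges on the dominant eigenvector
        axis = [sum(cov[a][b] * axis[b] for b in range(d)) for a in range(d)]
        norm = math.sqrt(sum(v * v for v in axis))
        axis = [v / norm for v in axis]
    model = {"mean": mean, "std": std, "axis": axis}
    errs = sorted(recon_error(model, p) for p in train)
    model["threshold"] = errs[int(0.9 * n)]  # claim 3: 90% of training REs are lower
    return model

def recon_error(model, point):
    """RE of one normalized period after projecting onto the learned axis and back."""
    z = [(x - m) / s for x, m, s in zip(point, model["mean"], model["std"])]
    score = sum(a * b for a, b in zip(z, model["axis"]))
    return math.sqrt(sum((a - score * b) ** 2 for a, b in zip(z, model["axis"])))

def window_is_attack(model, window, pct_threshold=50.0):
    """Claims 1-2: percentage of abnormal periods in the window vs. the threshold."""
    abnormal = sum(recon_error(model, p) > model["threshold"] for p in window)
    pct = 100.0 * abnormal / len(window)
    return pct > pct_threshold, pct

# Constructed sample data: one tuple per 10-second period (packets, bytes, ports).
def normal_period(i):
    packets = 100 + (i * 7) % 20
    return (packets, packets * 500 + ((i * 13) % 11 - 5) * 100, 3 + i % 3)

TRAIN = [normal_period(i) for i in range(40)]
MODEL = fit(TRAIN)
QUIET = TRAIN[:10]                               # window of normal periods
FLOOD = TRAIN[:4] + [(5000, 300000, 200)] * 6    # 6 of 10 periods carry a flood

if __name__ == "__main__":
    print(window_is_attack(MODEL, QUIET), window_is_attack(MODEL, FLOOD))
```

Because the threshold is the 90th-percentile training RE, roughly one normal period in ten is flagged on its own; the window percentage is what keeps those isolated flags from being declared an attack.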

Reasons for Allowance
None of the other prior arts of record teach by themselves or in any combination, would have anticipated nor render obvious by combination the claimed invention of the present application at or before the time it was filed.  The prior arts of record fail to teach: aggregating and mapping the data that is within each set to a single multi-dimensional point value; normalizing each of the multi-dimensional point values whereby no individual feature of the collected data dominates any other feature of the collected data; extracting data features from each multi-dimensional point value by executing a machine learning process that computes a lower dimensional representation of the collected data; identifying each set of extracted data in real-time as normal or abnormal once the data has been grouped into groups of data by determining whether a scaled, real-time reconstruction error (RE) value is below or above a RE threshold value, the RE threshold value based on a previously computed error between what is output by the machine learning process for a given input based on data previously collected during normal operation of the industrial network; determining the number of sets of data within an adjustable, attack detection time period (hereafter "window") that have been so-identified as abnormal among all time periods within the window; computing a percentage based on the number of identified abnormal sets of data within the window divided by the total number of normal and abnormal sets of data within the window, and declaring the data, within the abnormal sets within the window, attack data when the computed percentage is greater than a threshold percentage, wherein declaring an attack when a plurality of consecutive adjustable time periods are classified attack time periods and wherein collecting the data from collection means configured and connected close to an end point of the network.

Therefore, independent claim 1 and their corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 10 and 12 mutatis mutandis.  Claims 5, 6, 15 and 17 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BADRINARAYANAN /Examiner, Art Unit 2496.