DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/20/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-29 are rejected on the ground of nonstatutory Obviousness-Type double patenting as being unpatentable over claims 1-29 of Patent No. 10,862,919. 
Claims 1-29 of Patent No. 10,862,919 contain every element of claims 1-29 of the instant application (see table below) and as such anticipate claims 1-29 of the instant application.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus).” ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
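Claim comparison table (instant application 17/067,244 vs. Patent No. 10,862,919; each claim of 17/067,244 is followed by the corresponding claim of 10,862,919):
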
1. A system for evaluating cyber effects in a cyber-physical system, the system comprising a device comprising one or more processors, memory, and one or more programs stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
building a simulation model of the cyber-physical system, the simulation model comprising an attacked component set and an evaluated component set;
inserting a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set;
routing one or more connections between the attacked component and the evaluated component through the control component; and
simulating the cyber-attack on the attacked component set by configuring the control component to control an output intercepted via the one or more routed connections from the attacked component set and to send the controlled output sent by the control component via the one or more routed connections to the evaluated component set, wherein the controlled output simulates the attacked component set under cyber-attack.
1. A system for evaluating cyber effects in a cyber-physical system, the system comprising a device comprising one or more processors, memory, and one or more programs stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for:
building a simulation model of the cyber-physical system, the simulation model comprising an attacked component set and an evaluated component set;
inserting a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set;
disconnecting one or more direct connections from the simulation model, the one or more direct connections directly connecting the attacked component set to the evaluated component set;
identifying one or more indirect connections that transitively connect the attacked component set to the evaluated component set or transitively connect the evaluated component set to the attacked component set in the simulation model with the one or more direct connections being disconnected, the one or more indirect connections connecting the attacked component set or the evaluated component set to an intermediary component in the simulation model;
disconnecting the one or more indirect connections from the simulation model;
routing the one or more direct connections between the attacked component set and the evaluated component set through the control component;
routing the one or more indirect connections between the attacked component set or the evaluated component set and the intermediary component in the simulation model through the control component; and
simulating the cyber-attack on the attacked component set by configuring the control component to control an output intercepted, via a routed connection, from the attacked component set and to send the controlled output via the routed connection to the evaluated component set, wherein the controlled output simulates the attacked component set under cyber-attack, and wherein the routed connection comprises one of the one or more routed direct connections or the one or more routed indirect connections between the attacked component set and the evaluated component set.

2. The system of claim 1, wherein the attacked component set comprises one or more simulated components in the simulation model and the evaluated component set comprises one or more simulated components in the simulation model different from the one or more simulated components in the attacked component set.
2. The system of claim 1, wherein the attacked component set comprises one or more simulated components in the simulation model and the evaluated component set comprises one or more simulated components in the simulation model different from the one or more simulated components in the attacked component set.

3. The system of claim 1, wherein the control component comprises a plurality of sub-components.

3. The system of claim 1, wherein the control component comprises a plurality of sub-components.
4. The system of claim 1, wherein controlling the output comprises setting a value of the output, controlling whether to transmit the output, controlling when to transmit the output, or a combination thereof.

4. The system of claim 1, wherein controlling the output comprises setting a value of the output, controlling whether to transmit the output, controlling when to transmit the output, or a combination thereof.
5. The system of claim 1, wherein controlling the output comprises setting a value of the output by modifying a content of the output or originating a new output by the control component.

5. The system of claim 1, wherein controlling the output comprises setting a value of the output by modifying a content of the output or originating a new output by the control component.

6. The system of claim 1, wherein controlling the output comprises controlling when to transmit the output by setting a time to transmit the output, delaying a delivery of the output, or changing an order of delivery of outputs.
6. The system of claim 1, wherein controlling the output comprises controlling when to transmit the output by setting a time to transmit the output, delaying a delivery of the output, or changing an order of delivery of outputs.
7. The system of claim 1, wherein the simulation model is built as a coupled Discrete Event Systems (DEVS) model, and wherein each component in the coupled DEVS model is simulated as an atomic DEVS model or a coupled DEVS model.
7. The system of claim 1, wherein the simulation model is built as a coupled Discrete Event Systems (DEVS) model, and wherein each components in the coupled DEVS model is simulated as an atomic DEVS model or a coupled DEVS model.

8. The system of claim 1, wherein the simulation model comprises a plurality of coupled components, wherein each of the coupled components is modeled using live hardware, a modeling language, atomic or coupled DEVS models, or a general-purpose programming language.
8. The system of claim 1, wherein the simulation model comprises a plurality of coupled components, wherein each of the coupled components is modeled using live hardware, a modeling language, atomic or coupled DEVS models, or a general-purpose programming language.

9. The system of claim 8, wherein the modeling language comprises MATLAB, Unified Modeling Language (UML), SysML (Systems Modeling Language), Simulink, or AADL (Architecture Analysis and Design Language.
9. The system of claim 8, wherein the modeling language comprises MATLAB, Unified Modeling Language (UML), SysML (Systems Modeling Language), Simulink, or AADL (Architecture Analysis and Design Language.

10. The system of claim 1, wherein routing one or more direct connections between the attacked component and the evaluated component comprises:
for at least one of the one or more direct connections that forwards outputs from the attacked component set to the evaluated component set:
adding a first new connection forwarding messages from the attacked component set to the control component; and
adding a second new connection forwarding messages from the control component to the evaluated component set.
10. The system of claim 1, wherein routing the one or more direct connections comprises:
for at least one of the one or more direct connections that forwards outputs from the attacked component set to the evaluated component set:
adding a first new connection forwarding messages from the attacked component set to the control component; and
adding a second new connection forwarding messages from the control component to the evaluated component set.

11. The system of claim 1, wherein routing one or more indirect connections between the attacked component and the evaluated component comprises:
for at least one of the one or more indirect connections forwarding messages from the attacked component set or the evaluated component set to the intermediary component:
adding a first new connection forwarding messages from the attacked component set or the evaluated component set to the control component; and
adding a second new connection forwarding messages from the control component to the intermediary component.
11. The system of claim 1, wherein routing the one or more indirect connections comprises:
for at least one of the one or more indirect connections forwarding messages from the attacked component set or the evaluated component set to the intermediary component:
adding a first new connection forwarding messages from the attacked component set or the evaluated component set to the control component; and
adding a second new connection forwarding messages from the control component to the intermediary component.

12. The system of claim 1, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein determining one or more indirect connections between the attacked component and the evaluated component comprises:
identifying a component from the plurality of simulated components that transitively connects the attacked component set to the evaluated component set;
identifying that the component is directly connected to the evaluated component set or the attacked component set; and
identifying the component as the intermediary component in response to both the identification of the component transitively connecting the attacked component set to the evaluated component set and the identification of the component being directly connected to the evaluated component set or the attacked component set.

12. The system of claim 1, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein determining the one or more indirect connections comprises:
identifying a component from the plurality of simulated components that transitively connects the attacked component set to the evaluated component set;
identifying that the component is directly connected to the evaluated component set or the attacked component set; and
identifying the component as the intermediary component in response to both the identification of the component transitively connecting the attacked component set to the evaluated component set and the identification of the component being directly connected to the evaluated component set or the attacked component set.

13. The system of claim 1, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein simulating the cyber-attack comprises:
replacing one or more simulated components of the plurality of simulated components with one or more corresponding components from the cyber-physical system.
13. The system of claim 1, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein simulating the cyber-attack comprises:
replacing one or more simulated components of the plurality of simulated components with one or more corresponding components from the cyber-physical system.

14. The system of claim 1, wherein the one or more programs include instructions for:
generating a log comprising one or more new connections added to the simulation model to route the one or more connections between the attacked component and the evaluated component through the control component; and
rerouting the cyber-physical system based on the log to enable the cyber-physical system to be tested against simulated cyber-attacks.
14. The system of claim 1, wherein the one or more programs include instructions for:
generating a log comprising the one or more disconnected direct connections, the one or more disconnected indirect connections, and one or more new connections added to the simulation model to route the one or more direct connections and the one or more indirect connections through the control component; and
rerouting the cyber-physical system based on the log to enable the cyber-physical system to be tested against simulated cyber-attacks

15. A method for evaluating cyber effects in a cyber-physical system, comprising:
building a simulation model of the cyber-physical system, the simulation model comprising an attacked component set and an evaluated component set;
inserting a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set;
routing one or more connections between the attacked component set and the evaluated component set through the control component; and
simulating the cyber-attack on the attacked component set by configuring the control component to control an output intercepted via the one or more routed connections from the attacked component set and to send the controlled output sent by the control component via the one or more routed connections to the evaluated component set, wherein the controlled output simulates the attacked component set under cyber-attack.

15. A method for evaluating cyber effects in a cyber-physical system, comprising:
building a simulation model of the cyber-physical system, the simulation model comprising an attacked component set and an evaluated component set;
inserting a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set;
disconnecting one or more direct connections from the simulation model, the one or more direct connections directly connecting the attacked component set to the evaluated component set;
identifying one or more indirect connections that transitively connect the attacked component set to the evaluated component set or transitively connect the evaluated component set to the attacked component set in the simulation model with the one or more direct connections being disconnected, the one or more indirect connections connecting the attacked component set or the evaluated component set to an intermediary component in the simulation model;
disconnecting the one or more indirect connections from the simulation model;
routing the one or more direct connections between the attacked component set and the evaluated component set through the control component;
routing the one or more indirect connections between the attacked component set or the evaluated component set and the intermediary component in the simulation model through the control component; and
simulating the cyber-attack on the attacked component set by configuring the control component to control an output intercepted, via a routed connection, from the attacked component set and to send the controlled output via the routed connection to the evaluated component set, wherein the controlled output simulates the attacked component set under cyber-attack, and wherein the routed connection comprises one of the one or more routed direct connections or the one or more routed indirect connections between the attacked component set and the evaluated component set.

16. The method of claim 15, wherein the attacked component set comprises one or more simulated components in the simulation model and the evaluated component set comprises one or more simulated components in the simulation model different from the one or more simulated components in the attacked component set.
16. The method of claim 15, wherein the attacked component set comprises one or more simulated components in the simulation model and the evaluated component set comprises one or more simulated components in the simulation model different from the one or more simulated components in the attacked component set.

17. The method of claim 15, wherein the control component comprises a plurality of sub-components.
17. The method of claim 15, wherein the control component comprises a plurality of sub-components.

18. The method of claim 15, wherein controlling the output comprises setting a value of the output, controlling whether to transmit the output, controlling when to transmit the output, or a combination thereof.
18. The method of claim 15, wherein controlling the output comprises setting a value of the output, controlling whether to transmit the output, controlling when to transmit the output, or a combination thereof.

19. The method of claim 15, wherein controlling the output comprises setting a value of the output by comprises modifying a content of the output or originating a new output by the control component.

19. The method of claim 15, wherein controlling the output comprises setting a value of the output by modifying a content of the output or originating a new output by the control component.

20. The method of claim 15, wherein controlling the output comprises controlling when to transmit the output by setting a time to transmit the output, delaying a delivery of the output, or changing an order of delivery of outputs.
20. The method of claim 15, wherein controlling the output comprises controlling when to transmit the output by setting a time to transmit the output, delaying a delivery of the output, or changing an order of delivery of outputs.

21. The method of claim 15, wherein the simulation model is built as a coupled Discrete Event Systems (DEVS) model, and wherein each component in the coupled DEVS model is simulated as an atomic DEVS model or a coupled DEVS model.
21. The method of claim 15, wherein the simulation model is built as a coupled Discrete Event Systems (DEVS) model, and wherein each components in the coupled DEVS model is simulated as an atomic DEVS model or a coupled DEVS model.

22. The method of claim 15, wherein the simulation model comprises a plurality of coupled components, wherein each of the coupled components is modeled using live hardware, a modeling language, atomic or coupled DEVS models, or a general-purpose programming language.
22. The method of claim 15, wherein the simulation model comprises a plurality of coupled components, wherein each of the coupled components is modeled using live hardware, a modeling language, atomic or coupled DEVS models, or a general-purpose programming language.

23. The method of claim 22, wherein the modeling language comprises MATLAB, Unified Modeling Language (UML), SysML (Systems Modeling Language), Simulink, or AADL (Architecture Analysis and Design Language.
23. The method of claim 22, wherein the modeling language comprises MATLAB, Unified Modeling Language (UML), SysML (Systems Modeling Language), Simulink, or AADL (Architecture Analysis and Design Language.

24. The method of claim 15, wherein routing one or more direct connections between the attacked component and the evaluated component comprises:
for at least one of the one or more direct connections that forwards outputs from the attacked component set to the evaluated component set:
adding a first new connection forwarding messages from the attacked component set to the control component; and
adding a second new connection forwarding messages from the control component to the evaluated component set.

24. The method of claim 15, wherein routing the one or more direct connections comprises:
for at least one of the one or more direct connections that forwards outputs from the attacked component set to the evaluated component set:
adding a first new connection forwarding messages from the attacked component set to the control component; and
adding a second new connection forwarding messages from the control component to the evaluated component set.

25. The method of claim 15, wherein routing one or more indirect connections between the attacked component and the evaluated component comprises:
for at least one of the one or more indirect connections forwarding messages from the attacked component set or the evaluated component set to the intermediary component:
adding a first new connection forwarding messages from the attacked component set or the evaluated component set to the control component; and
adding a second new connection forwarding messages from the control component to the intermediary component.

25. The method of claim 15, wherein routing the one or more indirect connections comprises:
for at least one of the one or more indirect connections forwarding messages from the attacked component set or the evaluated component set to the intermediary component:
adding a first new connection forwarding messages from the attacked component set or the evaluated component set to the control component; and
adding a second new connection forwarding messages from the control component to the intermediary component.

26. The method of claim 15, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein determining one or more indirect connections between the attacked component and the evaluated component comprises:
identifying a component from the plurality of simulated components that transitively connects the attacked component set to the evaluated component set;
identifying that the component is directly connected to the evaluated component set or the attacked component set; and
identifying the component as the intermediary component in response to both the identification of the component transitively connecting the attacked component set to the evaluated component set and the identification of the component being directly connected to the evaluated component set or the attacked component set.
26. The method of claim 15, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein determining the one or more indirect connections comprises:
identifying a component from the plurality of simulated components that transitively connects the attacked component set to the evaluated component set;
identifying that the component is directly connected to the evaluated component set or the attacked component set; and
identifying the component as the intermediary component in response to both the identification of the component transitively connecting the attacked component set to the evaluated component set and the identification of the component being directly connected to the evaluated component set or the attacked component set.

27. The method of claim 15, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein simulating the cyber-attack comprises:
replacing one or more simulated components of the plurality of simulated components with one or more corresponding components from the cyber-physical system.
27. The method of claim 15, wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein simulating the cyber-attack comprises:
replacing one or more simulated components of the plurality of simulated components with one or more corresponding components from the cyber-physical system.

28. The method of claim 15, wherein the one or more programs include instructions for:
generating a log comprising one or more new connections added to the simulation model to route the one or more connections between the attacked component and the evaluated component through the control component; and
rerouting the cyber-physical system based on the log to enable the cyber-physical system to be tested against simulated cyber-attacks.
28. The method of claim 15, wherein the one or more programs include instructions for:
generating a log comprising the one or more disconnected direct connections, the one or more disconnected indirect connections, and one or more new connections added to the simulation model to route the one or more direct connections and the one or more indirect connections through the control component; and
rerouting the cyber-physical system based on the log to enable the cyber-physical system to be tested against simulated cyber-attacks.

29. A non-transitory computer-readable storage medium comprising one or more programs for evaluating cyber effects in a cyber-physical system, wherein the one or more programs, when executed by one or more processors, cause the one or more processors to:
build a simulation model of the cyber-physical system, the simulation model comprising an attacked component set and an evaluated component set;
insert a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set;
route one or more connections between the attacked component set and the evaluated component set through the control component; and
simulate the cyber-attack on the attacked component set by configuring the control component to control an output intercepted via the one or more routed connections from the attacked component set and to send the controlled output sent by the control component via the one or more routed connections to the evaluated component set, wherein the controlled output simulates the attacked component set under cyber-attack.
29. A non-transitory computer-readable storage medium comprising one or more programs for evaluating cyber effects in a cyber-physical system, wherein the one or more programs, when executed by one or more processors, cause the one or more processors to:
build a simulation model of the cyber-physical system, the simulation model comprising an attacked component set and an evaluated component set;
insert a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set;
disconnect one or more direct connections from the simulation model, the one or more direct connections directly connecting the attacked component set to the evaluated component set;
identify one or more indirect connections that transitively connect the attacked component set to the evaluated component set or transitively connect the evaluated component set to the attacked component set in the simulation model with the one or more direct connections being disconnected, the one or more indirect connections connecting the attacked component set or the evaluated component set to an intermediary component in the simulation model;
disconnect the one or more indirect connections from the simulation model;
route the one or more direct connections between the attacked component set and the evaluated component set through the control component;
route the one or more indirect connections between the attacked component set or the evaluated component set and the intermediary component in the simulation model through the control component; and
simulate the cyber-attack on the attacked component set by configuring the control component to control an output intercepted, via a routed connection, from the attacked component set and to send the controlled output via the routed connection to the evaluated component set, wherein the controlled output simulates the attacked component set under cyber-attack, and wherein the routed connection comprises one of the one or more routed direct connections or the one or more routed indirect connections between the attacked component set and the evaluated component set.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 10-11, 13, 15-20, 24-25, 27 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (Pub. No.: US 2016/0285907, hereinafter Nguyen) in view of Arisoylu et al. (Pub. No.: US 2015/0149812, hereinafter Arisoylu).
Regarding claim 1: Nguyen discloses A system for evaluating cyber effects in a cyber-physical system, the system comprising a device comprising one or more processors, memory (Nguyen - [0096]: computer-readable storage media may also be used in accordance with the particular embodiment of computer system 106), and one or more programs stored in the memory and configured to be executed by the one or more processors (Nguyen - [0096]: executable program code (e.g., a computer program product) provided to computer system 106, and executable by a data processing system or processor unit), the one or more programs including instructions for:
building a simulation model (Nguyen - Fig. 1 and 2) of the cyber-physical system, the simulation model comprising an attacked component set (Nguyen - cyber-attack 214) and an evaluated component set (Nguyen - Aircraft 138);
simulating the cyber-attack on the attacked component set [by configuring the control component to control an output intercepted via the one or more routed connections from the attacked component set and to send the controlled output sent by the control component via the one or more routed connections to the evaluated component set], wherein the controlled output simulates the attacked component set under cyber-attack (Nguyen - [0081]: Cyber-attack analysis tool 136 may assess an effect or impact of cyber-attack simulation 226 on aircraft simulation 248 (e.g., on one or more aircraft system simulations 250 and/or one or more aircraft component simulations 252) based on at least one of simulated aircraft response data 194 (e.g., simulated system response data 262 and/or simulated component response data 264)).
However Nguyen doesn’t explicitly teach, but Arisoylu discloses: 
inserting a control component into the simulation model, the control component used to simulate a cyber-attack on the attacked component set (Arisoylu - [0048]: network device 108 is communicatively coupled to clients/servers 101-102 (which shall herein be referred to simply as clients) via networks 103-104, respectively. [0052]: Controller 110 includes debug module 120. In at least one embodiment, debug module 120 is configured to generate realistic debug traffic … As used herein, “realistic debug traffic” refers to traffic that simulates traffic received from an external network device);
routing one or more connections between the attacked component and the evaluated component through the control component (Arisoylu - [0059]: traffic flow 130 can originate from client 101 and enters network device 108 via network 103. In this example, traffic flow 130 enters network device 108 via line card 115 and exits network device 108 via line card 116. Traffic flow 130 then travels to its destination (e.g., client 102) via network 104); and
[by configuring the control component to control an output intercepted via the one or more routed connections from the attacked component set and to send the controlled output sent by the control component via the one or more routed connections to the evaluated component set] (Arisoylu - [0051]: control plane 113 includes controller 110 operable to manage, configure, and control network device 108. For example, controller 110 configures data plane 114 with information that enables line cards 115-116 to receive and forward traffic flows).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Nguyen with Arisoylu so that the simulation system disclosed in Nguyen could be modified to include an intermediate network device between two end devices to route the traffic. The modification would have allowed the system to be more secure by introducing an intermediate device to keep attacking data from directly reaching the destination.
Regarding claim 2: Nguyen as modified discloses wherein the attacked component set comprises one or more simulated components in the simulation model and the evaluated component set comprises one or more simulated components in the simulation model different from the one or more simulated components in the attacked component set (Nguyen - [0039]: Cyber-attack scenario 244 may include one or more cyber-attack simulations 226. Attack vector simulation 254 may be an artificial re-creation (e.g., a virtual representation) of attack vector 142 (FIG. 1). In other words, cyber-attack simulation 226 may be a simulated re-creation of a cyber-attack (e.g., cyber-attack 214) on an aircraft (e.g., aircraft 138) and/or one or more systems and/or component of the aircraft (e.g., aircraft systems 140 and/or aircraft components 114), including the path taken by the cyber-attack to gain access to the targeted systems and/or components of the aircraft (e.g., attack vector 142) and the effect of the payload (e.g., payload 146) of the cyber-attack on the systems and/or components of the aircraft).
Regarding claim 3: Nguyen as modified discloses wherein the control component comprises a plurality of sub-components (Arisoylu - Fig. 1, Network device 108 and [0051]).
Arisoylu is combined with Nguyen herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 4: Nguyen as modified discloses wherein controlling the output comprises setting a value of the output, controlling whether to transmit the output, controlling when to transmit the output, or a combination thereof (Nguyen - [0087-0092]: Evaluator 206 may generate one or more recommendations (e.g., modified cyber-attack data 280) for modified cyber-attack simulation 282 and/or one or more recommendations (e.g., modified cyber defense data 286) for modified cyber defense simulation 288. For example, the impact on aircraft simulation 248, aircraft system simulation 250, aircraft component simulation 252 and/or pilot 102 from cyber-attack simulation 226 without implementing cyber defense simulation 228 may be compared to the impact on aircraft simulation 248, aircraft system simulation 250, aircraft component simulation 252 and/or pilot 102 from cyber-attack simulation 226 implementing cyber defense simulation 228. Evaluator 206 may measure an effectiveness of cyber-attack simulation 226 against cyber defense simulation 228 and/or aircraft system simulation 250 and/or aircraft component simulation 252. Evaluator 206 may recommend modifications in cyber-attack simulation 226 (e.g., modified cyber-attack data 280). Similarly, evaluator 206 may measure an effectiveness of cyber defense simulation 228 against cyber-attack simulation 226. Evaluator 206 may recommend modifications in cyber defense simulation 228 (e.g., modified cyber defense data 286). Accordingly, information for mitigating the impact or effects from cyber-attack simulation 226 on aircraft simulation 248 and/or pilot 102 may be obtained).
Regarding claim 5: Nguyen as modified discloses wherein controlling the output comprises setting a value of the output by modifying a content of the output or originating a new output by the control component (Nguyen - [0039]: Cyber-attack simulation 226 may include one or more attack vector simulations 254. Attack vector simulation 254 may be an artificial re-creation (e.g., a virtual representation) of attack vector 142 (FIG. 1)). 
Regarding claim 6: Nguyen as modified discloses wherein controlling the output comprises controlling when to transmit the output by setting a time to transmit the output, delaying a delivery of the output, or changing an order of delivery of outputs (Arisoylu - [0075]: network device 108 can be configured to collect debug information for only a percentage (e.g., 10%) of the debug traffic over a configurable period of time. In one embodiment, the percentage and the time period can be configured for each traffic flow).
Arisoylu is combined with Nguyen herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 10: Nguyen as modified discloses wherein routing one or more direct connections between the attacked component and the evaluated component comprises:
for at least one of the one or more direct connections that forwards outputs from the attacked component set to the evaluated component set:
adding a first new connection forwarding messages from the attacked component set to the control component; and
adding a second new connection forwarding messages from the control component to the evaluated component set (Arisoylu - Fig. 1 and [0059]).
Arisoylu is combined with Nguyen herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 11: Nguyen as modified discloses wherein routing one or more indirect connections between the attacked component and the evaluated component comprises:
for at least one of the one or more indirect connections forwarding messages from the attacked component set or the evaluated component set to the intermediary component:
adding a first new connection forwarding messages from the attacked component set or the evaluated component set to the control component; and
adding a second new connection forwarding messages from the control component to the intermediary component (Arisoylu - Fig. 1 and [0059]).
Arisoylu is combined with Nguyen herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 13: Nguyen as modified discloses wherein the simulation model comprises a plurality of simulated components to simulate the cyber-physical system, and wherein simulating the cyber-attack comprises:
replacing one or more simulated components of the plurality of simulated components with one or more corresponding components from the cyber-physical system (Nguyen - [0050]: flight data 120 used to run flight simulation 108 may include at least one of actual flight data 126 from tests of the aircraft prior to entering into service, simulated flight data 128 from previous simulations, and in-service data 124).
Regarding claims 15-20, 24-25 and 27: Claims are directed to method claims and do not teach or further define over the limitations recited in claims 1-6, 10-11 and 13. Therefore, claims 15-20, 24-25 and 27 are also rejected for similar reasons set forth in claims 1-6, 10-11 and 13. 
Regarding claim 29: this claim defines a computer readable medium claim that corresponds to system claim 1 and does not define beyond limitations of claim 1. Therefore, claim 29 is rejected with the same rationale as in the rejection of claim 1.

Claims 7-8 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (Pub. No.: US 2016/0285907, hereinafter Nguyen) in view of Arisoylu et al. (Pub. No.: US 2015/0149812, hereinafter Arisoylu) and JEBBAR et al. (Pub. No.: US 2019/0278692, hereinafter JEBBAR).
Regarding claims 7 and 21: Nguyen as modified doesn’t explicitly teach but JEBBAR discloses wherein the simulation model is built as a coupled Discrete Event Systems (DEVS) model, and wherein each component in the coupled DEVS model is simulated as an atomic DEVS model or a coupled DEVS model (JEBBAR - [0030]: A DEVS model can be atomic to capture the behavior of a component, or coupled to capture the structure of a system and the components composing it).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Nguyen and Arisoylu with JEBBAR so that atomic or coupled Discrete Event Systems are used. The modification would have allowed the system to interact with its environment through input and output events, leading to a transition from one state to another (JEBBAR - [0030]).
Regarding claims 8 and 22: Nguyen as modified doesn’t explicitly teach but JEBBAR discloses wherein the simulation model comprises a plurality of coupled components, wherein each of the coupled components is modeled using live hardware, a modeling language, atomic or coupled DEVS models, or a general-purpose programming language (JEBBAR - [0030]: A DEVS model can be atomic to capture the behavior of a component, or coupled to capture the structure of a system and the components composing it).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Nguyen and Arisoylu with JEBBAR so that atomic or coupled Discrete Event Systems are used. The modification would have allowed the system to interact with its environment through input and output events, leading to a transition from one state to another (JEBBAR - [0030]).

Claims 9 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (Pub. No.: US 2016/0285907, hereinafter Nguyen) in view of Arisoylu et al. (Pub. No.: US 2015/0149812, hereinafter Arisoylu) and JEBBAR et al. (Pub. No.: US 2019/0278692, hereinafter JEBBAR) and HWANG et al. (Pub. No.: US 2014/0172401, hereinafter HWANG).
Regarding claims 9 and 23: Nguyen as modified doesn’t explicitly teach but HWANG discloses wherein the modeling language comprises MATLAB, Unified Modeling Language (UML), SysML (Systems Modeling Language), Simulink, or AADL (Architecture Analysis and Design Language) (HWANG - [0035]: The Discrete Event Simulation (DEVS) formalism indicates a modeling theory proposed based on a function theory and a system theory, which is a sort of standardization tool serving as a Unified Modeling Language (UML) and a design pattern in developing simulation programs).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Nguyen and Arisoylu and JEBBAR with HWANG so that a standardization tool serving as a Unified Modeling Language (UML) and a design pattern is used in developing simulation programs (HWANG - [0035]).

Claims 14 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (Pub. No.: US 2016/0285907, hereinafter Nguyen) in view of Arisoylu et al. (Pub. No.: US 2015/0149812, hereinafter Arisoylu) and Dapkus et al. (Pub. No.: US 2011/0283110, hereinafter Dapkus).
Regarding claims 14 and 28: Nguyen as modified doesn’t explicitly teach but Dapkus discloses wherein the one or more programs include instructions for:
generating a log comprising one or more new connections added to the simulation model to route the one or more connections between the attacked component and the evaluated component through the control component; and
rerouting the cyber-physical system based on the log to enable the cyber-physical system to be tested against simulated cyber-attacks (Dapkus - Fig. 8A and [0156]: A client machine located in the cloud 804 (or Internet) may communicate with the on-demand service environment via one or more edge routers 808 and 812. The edge routers may communicate with one or more core switches 820 and 824 via firewall 816).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Nguyen and Arisoylu with Dapkus so that plural routing paths are used to route the traffic.

Allowable Subject Matter
Claims 12 and 26 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The reason for allowance will be furnished upon allowance of the application.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sampigethaya (Pub. No.: US 2013/0198847) - Methods and systems for cyber-physical security modeling, simulation and architecture for the smart grid
Ferragut et al. (Pub. No.: US 2018/0082058) - Cyber physical attack detection
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437