Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This action is responsive to the application 16/870,075 filed on May 8, 2020. Claims 1-20 are pending.
Claim Interpretation
The claim limitations “an interface component…; an instruction translation component…; a communication component…” have been interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because they use a generic placeholder “an interface component…; an instruction translation component…; a communication component…” coupled with functional language “configured to receive…”; “configured to generate…”; “configured to send…”; “configured to monitor…”; “configured to generate…”; “configured to execute…”; “configured to select…”; “configured to direct…”; “configured to determine…”; “configured to format…”; “configured to perform…” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier.
Since the claim limitations invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, claims 1, 4-9 have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
A review of the specification shows that the written description fails to disclose the corresponding structure described in the specification for the claimed function.  
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not intend to have the claim limitations treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claims so that they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claims recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shulman-Peleg et al. (US 10,560,487) hereinafter “Shulman-Peleg” and in view of Bhaskar S et al. (US 2021/0194888) hereinafter “Bhaskar”.
Claim 1
Shulman-Peleg teaches a system for configuring security event management in an industrial environment, comprising: 
a memory that stores executable components [i.e. memory 825] (Shulman-Peleg, figure 8; col. 17; lines 19-25); and 
one or more processors [i.e. CPU 805] (Shulman-Peleg, figure 8; col. 17; lines 19-25), operatively coupled to the memory, that execute the executable components, the executable components comprising: 
an interface component [i.e. I/O device interface 810] configured to generate an interface display [i.e. I/O devices includes an interface capable of presenting information to the client/user] configured to receive, via interaction with the interface display, security event definition data that defines security event management policies to be applied to respective security zones of an industrial environment, wherein the security zones are defined by a security model that defines groupings of industrial devices into the security zones [i.e. receiving type of event associated with malicious code profile which defines first learned security policies to be executed by a security agent to respective a first execution environment of a first group of client machines] (Shulman-Peleg, col. 1, line 55-col. 2, line 7; col. 15, lines 60-67; col. 17; lines 19-24); 
an instruction translation component [i.e. security manager] configured to provide one or more instructions directed to one or more of the industrial devices based on the security event definition data and the security model, that cause the one or more industrial devices to implement the security event management policies in the respective security zones [i.e. provide instructions for security agent together with at least a subset of security policies to be executed to client machines in respective to the defined first execution environment utilizing the client machines; the at least subset of security policies is associated with the events] (Shulman-Peleg, col. 12, line 51- col. 13, line 13); and 
a communication component [i.e. network interface 815] configured to send the one or more configuration instructions to the one or more of the industrial devices [i.e. transmit/distribute security management instructions to client machines] (Shulman-Peleg, col. 17, lines 5-10; col. 18, lines 19-42).  
Shulman-Peleg fails to teach generate one or more configuration instructions directed to one or more of the industrial devices, wherein the one or more configuration instructions are configured to set respective device-level configuration settings on the one or more of the industrial devices in the respective security zones.
However, in an analogous art, Bhaskar teaches generate one or more configuration instructions directed to one or more of the industrial devices, wherein the one or more configuration instructions are configured to set respective device-level configuration settings on the one or more of the industrial devices in the respective security zones [i.e. configuration information related device profiles/attributes and directed to group of devices within or relevant to the organization] (Bhaskar, 0088, 0125, 0131).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Shulman-Peleg to include the teachings of Bhaskar to generate one or more configuration instructions directed to one or more of the industrial devices, wherein the one or more configuration instructions are configured to set respective device-level configuration settings on the one or more of the industrial devices in the respective security zones. One of ordinary skill in the art would be motivated to provide security controls that may not be co-extensive or compatible with full range of security policies required or desired by a particular organization (Bhaskar, 0002).

Claim 2
Shulman-Peleg in combination with Bhaskar teach the system of claim 1, wherein the security event definition data defines, for a security event management policy of the security event management policies: 
a security zone, of the security zones, to which the security event management policy is to be applied [i.e. the event associated with malicious code profile which defines first learned security policies to be executed with respective to the first execution environment] (Shulman-Peleg, col. 1, line 55-col. 2, line 7; col. 15, lines 60-67), and 
at least one of a security event that is to initiate generation of a notification, a minimum severity level of the security event that is to initiate the generation of the notification, one or more recipient devices or entities to which the notification is to be directed, or a countermeasure to be carried out in response to detection of the security event [i.e. security agent execute action responsive to identifying anomalous event and generate alert to administrator/manager about the associated with the anomalous event] (Shulman-Peleg, col. 16, lines 15-21; col. 18, lines 19-33).  

Claim 3
Shulman-Peleg in combination with Bhaskar teach the system of claim 2, wherein the security event is at least one of an increase in data traffic on a network within the security zone in excess of a defined threshold, detection of an unauthorized attempt to access an industrial device within the security zone, or an attempt to perform an unauthorized modification of a control parameter on an industrial device within the security zone [i.e. events associated with unauthorized intrusion and/or malicious attack] (Shulman-Peleg, col. 5, lines 40-47).  

Claim 4
Shulman-Peleg in combination with Bhaskar teach the system of claim 2, wherein a configuration instruction, of the configuration instructions, is configured to at least one of configure an industrial device, of the industrial devices, to monitor for the security event specified by the security event definition data, configure the industrial device to generate the notification in response to detection of the security event by the industrial device or another industrial device [i.e. generate alert to administrator/manager about the associated with the anomalous event detected by the client machine], configure the industrial device to execute a countermeasure specified by the security event definition data in response to detection of the security event, or set a communication parameter on the industrial device that facilitates implementation of the security event management policy (Shulman-Peleg, col. 16, lines 15-21; col. 18, lines 19-33).  

Claim 5
Shulman-Peleg in combination with Bhaskar teach the system of claim 1, wherein the instruction translation component is configured to, for a security event management policy of the security event management policies: 
select, based on analysis of the security model and the security event definition data, a subset of the industrial devices that are to be reconfigured in order to implement the security event management policy [i.e. the security system require reconfiguration of security policies to account for any changes resulting from authorized update to ensure the security policy is appropriately defining normal and abnormal behavior in light of the update] (Shulman-Peleg, col. 6, lines 13-22), and 
direct the one or more configuration instructions to the subset of the industrial devices [i.e. the configuration information, related device profiles/attributes, is directed to group of devices within or relevant to the organization] (Bhaskar, 0088, 0125, 0131).  It inherits motivation to combine from respective parent claim.

Claim 6
Shulman-Peleg in combination with Bhaskar teach the system of claim 5, wherein the instruction translation component is configured to select the subset of the industrial devices based on at least one of respective capabilities of the industrial devices relative to functional requirements of the security event management policy or respective processing loads on the respective industrial devices [i.e. select security policies that are applicable and push/deliver to a group of users/devices] (Bhaskar, 0131). It inherits motivation to combine from respective parent claim.

Claim 7
Shulman-Peleg in combination with Bhaskar teach the system of claim 5, wherein the instruction translation component is configured to determine, based on analysis of the security model, at least one of a device model or a device vendor of an industrial device, of the subset of the industrial devices, to which a configuration instruction is to be directed [i.e. the device profiles includes device information such as model name/number, manufacture, etc. which is used to direct the configuration information] and format the configuration instruction in accordance with the at least one of the device model or the device vendor (Bhaskar, 0085, 0125).  It inherits motivation to combine from respective parent claim.

Claim 8
Shulman-Peleg in combination with Bhaskar teach the system of claim 1, wherein the interface display is a first interface display, and the interface component is further configured to: 
generate a second interface display configured to receive, via interaction with the second interface display, zone configuration input that groups the industrial devices into the security zones [i.e. I/O devices includes an interface capable of presenting and receiving information to and from the client/user; for example, receiving type of event associated with malicious code profile which defines first learned security policies to be executed by a security agent to respective a first execution environment of a first group of client machines] (Shulman-Peleg, col. 1, line 55-col. 2, line 7; col. 15, lines 60-67), and 
generate the security model based on the zone configuration input [i.e. generating instructions for security agent together with at least a subset of security policies to be executed to client machines (which considered as security model) in respective to the defined first execution environment utilizing the client machines; the at least subset of security policies is based on the detected event from the client machines] (Shulman-Peleg, col. 12, line 51- col. 13, line 13).  

Claim 9
Shulman-Peleg in combination with Bhaskar teach the system of claim 1, wherein the communication component is further configured to: 
monitor configurations for the one or more of the industrial devices [i.e. monitoring the behavior of the host/client machine] (Shulman-Peleg, col. 5, lines 26-29), and 
perform an action in response to detection of a modification to a configuration setting for an industrial device, of the one or more of the industrial devices, that violates a security event management policy defined by the security event definition data [i.e. perform actions by reconfiguration of security policies to account for any changes/modifies resulting from authorized update to ensure the security policy is appropriately defining normal and abnormal behavior in light of the update] (Shulman-Peleg, col. 6, lines 13-22; col. 9, lines 40-59; col. 18, lines 19-33).

Claims 10-17 do not teach or define any new limitation other than above claims 1-7, 9. Therefore, claims 10-17 are rejected for similar reasons. 
Claims 18-20 do not teach or define any new limitation other than above claims 1-3. Therefore, claims 18-20 are rejected for similar reasons. 
Correspondence Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH CHAU N NGUYEN whose telephone number is (571)272-4242.  The examiner can normally be reached on M-F 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONIA DOLLINGER can be reached on (571)272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MINH CHAU NGUYEN/Primary Examiner, Art Unit 2459