Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Status of Claims:
Claims 1-12 are pending in this application.

Formal Drawings
The formal drawings received on 2/17/2020 have been entered.

Internet Communications
Applicant is encouraged to file an Internet Communications form to authorize correspondence during prosecution.  To facilitate processing of the internet communication authorization or withdraw of authorization, the Office strongly encourages use of Form PTO/SB/439, available at www.uspto.gov/patent/patents-forms. The form may be filed via EFS-Web using the document description Internet Communications Authorized or Internet Communications Authorization Withdrawn to facilitate processing.   

Examiner Comments
Additionally, the following limitations do not make the scope indeterminate; however, there seem to be some inconsistencies. Clarification is requested.
Claim 1 recites “one of the segment”; however, it is not clear whether the segment refers to “a respective segment” or “at least one segment for each”. Please clarify.
Claim 8 recites “the assigned”, for which there is no antecedent basis. Please clarify.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “wherein the at least one component monitoring unit configured to monitor”, “at least one communication monitoring unit configured to monitor communication” in claim 12.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-7 and 10-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ginter et al. (US 2009/0271504), hereinafter Ginter, further in view of Bush et al. (US 2008/0126377), hereinafter Bush.

Regarding claims 1 and 12, 
Ginter teaches a method for monitoring an industrial network, comprising: dividing the industrial network into at least two hierarchical levels (see fig. 3 and paras. 34-35, monitoring an industrial network by arranging (i.e. dividing) the network into different layers or hierarchies (i.e. at least two hierarchical levels)); 
including at least one network component for each of the hierarchical levels (see fig. 3 and paras. 33-34, the different hierarchy arrangements vary in accordance with a desired degree of security the components (i.e. one network component) included in the hierarchical arrangement); 
including at least one segment for each of the hierarchical levels, the at least one segment comprising at least one network component of a respective hierarchical level (see paras. 53, including one or more agents (i.e. network component) for collecting data on a respective system (i.e. segment) (e.g. data gathered may be specific to the different devices on the system (i.e. segment) on which SNMP component may reside) they are monitoring);  
including at least one component monitoring unit for monitoring the at least one network component in a respective segment and/or including at least one communication monitoring unit for monitoring communication in the respective segment for each segment (see paras. 53, including one or more agents (i.e. component monitoring unit) for collecting data on the respective system (i.e. segment) they are monitoring);  
evaluating information for detecting attacks with a central monitoring unit included in one of the segments (see paras. 51 and 62, data produced by the agents executing in the industrial network may be received by the watch server (i.e. central monitoring unit), wherein the watch server then processes and detects (i.e. evaluates) conditions in the data, e.g. threats (i.e. attacks));  
 including at least one decentralized monitoring unit in at least one of the other segments (see paras. 47, including a SCADA (Supervisory Control and Data Acquisition) server for remotely monitoring and controlling different components for within or outside of the I/O network (i.e. decentralized monitoring), the SCADA further operates as distributed control system for the different components);   
assigning the at least one component monitoring unit and/or the at least one communication monitoring unit in the other segments to one of the at least one decentralized monitoring units (see paras. 47 and 53, including a SCADA (Supervisory Control and Data Acquisition) server for remotely monitoring and controlling different components for within or outside of the I/O network (i.e. decentralized monitoring), the SCADA further includes assigned agents 132c (i.e. component monitoring unit)(see also fig. 3));   
receiving first information from the assigned at least one component monitoring unit and/or the assigned at least one communication monitoring unit with the at least one decentralized monitoring unit (see fig.4, paras. 53 and 62, agent (i.e. component monitoring unit) gathering data to then report the information (i.e. first information) to the receiver to store data in the real-time database and alarm engine);   
when there is a communication connection to the central monitoring unit (i) transmitting second information based on the respective received first information with the at least one decentralized monitoring unit to the central monitoring unit and (ii) evaluating the second information in order to detect attacks with the central monitoring unit (see paras. 122-123, the RTAP having a connection to the watch server (i.e. central monitoring unit) i) transmitting processed data (i.e. second information) based on the data received (i.e. first information) by an agent of the SCADA (i.e. decentralized monitoring unit) and ii) evaluating the processed data to detect security threats (i.e. detect attacks) with the threat controller of the watch server);
and when the communication connection to the central monitoring unit is interrupted (see paras. 179 and 186, detecting that communication connection control system/watch server is abnormal or is terminated (i.e. interrupted)),
(i) evaluating the received first information with the at least one decentralized monitoring unit in order to detect attacks and/or (ii) transmitting the second information based on the received first information to a predetermined monitoring unit of the at least one decentralized monitoring unit and evaluating the second information in order to detect attacks with the predetermined monitoring unit (see paras. 49, the SCADA server (i.e. decentralized monitoring unit) may monitor flow rates and other values (i.e. first information) obtained from one or more of the different agents and may produce an alert in connection with detection of a dangerous condition (i.e. detect attacks)).
Ginter fails to explicitly teach hierarchical levels each with a different hierarchical stage.
However, in analogous art Bush teaches [hierarchical levels] each with a different hierarchical stage (see paras. 31-33, the hierarchical levels of the industrial environment can include hierarchically arranged representation of different assets (e.g. physical devices or software that control different components)).
The claimed subject matter as a whole would have been obvious, before the effective filing date of the claimed invention, to one of ordinary skill in the art.  It would have been obvious to one of ordinary skill in the art to include hierarchical levels each with a different hierarchical stage as taught in Bush because it amounts to applying a known technique (i.e. differentiating components) to a known device of Ginter (i.e. hierarchical industrial system).  One would do so for the benefit of controlling components differently based on hierarchical level (see Bush para. 31).   

Regarding claim 2,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter further teaches including the predetermined monitoring unit of the at least one decentralized monitoring unit on a hierarchically highest hierarchical level to which there is a communication connection (see fig. para. 34,  may represent a layering or hierarchical arrangement of hardware and/or software used in connecting the corporate network 12 to the industrial network 14. The different arrangements of 16 included in an embodiment may vary in accordance with a desired degree of security in accordance with the particular use of the components (i.e. including on highest hierarchical level)).Appl. No.16/232,819 

Regarding claim 3,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter further teaches evaluating the received first information, generating alarms, and forwarding the generated alarms as the second information using the at least one decentralized monitoring unit; 
processing the received first information and forwarding corresponding processed information as the second information using the at least one decentralized monitoring unit; 
and/or directly forwarding the received first information as the second information using the at least one decentralized monitoring unit (see para. 49, the SCADA server (i.e. decentralized monitoring unit), for example, may monitor flow rates and other values obtained from one or more of the different sensors (i.e. first information) and may produce an alert (i.e. alarm, second information) to an operator in connection with detection of a dangerous condition).

Regarding claim 4,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter further teaches transmitting results of the respective evaluations of the first information by the at least one decentralized monitoring unit and/or of the respective evaluations of the second information by the predetermined monitoring unit for further evaluation, when the communication connection to the central monitoring unit has been restored after the communication connection to the central monitoring unit is interrupted (see para. 49, the SCADA server (i.e. decentralized monitoring unit), for example, may monitor flow rates and other values (i.e. evaluate) obtained from one or more of the different sensors (i.e. first information) and may produce an alert (i.e. alarm, second information) to an operator in connection with detection of a dangerous condition or when an agent is disabled (i.e. communication interrupted)(see also para. 276)).

Regarding claim 5,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter further teaches respectively carrying out the evaluation of the first information and/or the second information in order to detect attacks based on a predefined segment-specific model (see paras. 122 and 227, the RTAP may process (i.e. evaluate) the data (i.e. first information) in accordance with the threshold(s) previously specified (i.e. predefined segment specific model) in order to determine if data triggers an alarm condition (i.e. detect attacks)).

Regarding claim 6,
Ginter in view of Bush teaches the limitations as described in claim 5 above.
Ginter further teaches generating the predefined segment-specific models by collecting data from the at least one component monitoring unit and/or the respective at least one communication monitoring unit (see para. 122, generating using particular values and received RTAP data a threshold that may be stored and used by RTAP to process the data in accordance with the threshold(s) previously specified, wherein customization of security conditions, and definitions used for recording and alarming may be specified by user);
and evaluating the data using statistical analyses, machine learning, and/or a rule-based system (see para. 122, RTAP 212 receives data reported from the different agents, RTAP 212 may process the data in accordance with the threshold(s) previously specified (i.e. rule-based system)).

Regarding claim 7,
Ginter in view of Bush teaches the limitations as described in claim 6 above.
Ginter further teaches generating the predefined segment-specific models after configuring the at least one component monitoring unit and/or the at least one communication monitoring unit (see para. 122, generating using particular values and received RTAP data a threshold that may be stored and used by RTAP to process the data in accordance with the threshold(s) previously specified, wherein customization of security conditions, and definitions used for recording and alarming may be specified by user auto-configuration of the Watch server (see also, para. 157));
and evaluating the data using statistical analyses, machine learning, and/or a rule-based system (see para. 122, RTAP 212 receives data reported from the different agents, RTAP 212 may process the data in accordance with the threshold(s) previously specified (i.e. rule-based system)).

Regarding claim 10,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter further teaches wherein a computer program is configured to prompt the industrial network to perform the method (see para. 46 and 347, The techniques herein may be performed by executing code wherein the application server may execute (i.e. prompt) an application (i.e. computer program) that performs process for agent on the industrial network).

Regarding claim 11,
Ginter in view of Bush teaches the limitations as described in claim 10 above.
Ginter further teaches wherein the computer program is stored on a machine-readable storage medium (see para. 347, The techniques herein may be performed by executing code which is stored on any one or more different forms of computer-readable media).


Claim(s) 8-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ginter in view of Bush and further in view of Trenholm et al. (US 2016/0034809), hereinafter Trenholm.

Regarding claim 8,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter teaches a central monitoring unit, decentralized monitoring unit, and assigning configuration data to the unit.  Ginter fails to teach the units are configuring the industrial network by: introducing the central monitoring unit and decentralized monitoring unit into the industrial network, authenticating the at least one decentralized monitoring unit with the central monitoring unit, receiving with the at least one decentralized monitoring unit from the central monitoring unit configuration data relating to the assigned at least one component monitoring unit, introducing the at least one component monitoring unit and authenticating the at least one component monitoring unit and/or the at least one communication monitoring unit for each segment with the assigned decentralized monitoring unit and configuring the assigned at least one component monitoring unit and evaluating the data using statistical analyses, machine learning, and/or a rule-based system.
However, in analogous art Trenholm teaches configuring the industrial network by: introducing the central monitoring unit into the industrial network, introducing the at least one decentralized monitoring unit into the industrial network (Applicant's specification provides for the central monitoring unit, the decentralized monitoring units and the component and communication monitoring being incorporated in the industrial network as executed software (p. 11). Here, see para. 72, sensor and system interfaces (i.e. central monitoring and decentralized monitoring units) provide software interfaces facilitating data transfer to the engine, optionally providing data encryption, data compression, data anonymization, auditing and logging of information, and jurisdictional certificate stamping, wherein the interfaces provisioned (i.e. included) may exist locally or cloud-based/remote (i.e. decentralized)),
authenticating the at least one decentralized monitoring unit with the central monitoring unit, receiving with the at least one decentralized monitoring unit from the central monitoring unit configuration data relating to the assigned at least one component monitoring unit and/or the assigned at least one communication monitoring unit (see para. 58, the nodes communicate securely, with encryption, and authenticate a new sensor-node request to join the group and aggregate data (i.e. authenticating decentralized monitoring unit), wherein  configuration file (i.e. configuration data) may be read at execution time that loads a saved classifier model and assigns it to a node (i.e. central monitoring unit) (see also, para. 95)), 
introducing the at least one component monitoring unit and/or the at least one communication monitoring unit for each segment (see para. 72, sensor and system interfaces (i.e. central monitoring and decentralized monitoring units) may be provisioned (i.e. introduced) for the particular station (i.e. segment)),
and authenticating the at least one component monitoring unit and/or the at least one communication monitoring unit for each segment with the assigned decentralized monitoring unit (see para. 58, the nodes communicate securely, with encryption, and authenticate a new sensor-node request to join the group and aggregate data (i.e. authenticating decentralized monitoring unit), wherein  configuration file (i.e. configuration data) may be read at execution time that loads a saved classifier model and assigns it to a node (i.e. central monitoring unit) (see also, para. 95)), 
and configuring the assigned at least one component monitoring unit and/or the assigned at least one communication monitoring unit according to the configuration data using the at least one decentralized monitoring unit (see para. 95, reading the configuration file (i.e. configuring) at execution time to assign it to a node (i.e. assigned component monitoring unit));
and evaluating the data using statistical analyses, machine learning, and/or a rule-based system (see para. 107-109, using machine learning abstraction for processing data).
The claimed subject matter as a whole would have been obvious, before the effective filing date of the claimed invention, to one of ordinary skill in the art.  It would have been obvious to one of ordinary skill in the art to include a central monitoring unit, decentralized monitoring unit, and assigning configuration data to the unit.  Ginter fails to teach the units are configuring the industrial network by: introducing the central monitoring unit and decentralized monitoring unit into the industrial network, authenticating the at least one decentralized monitoring unit with the central monitoring unit, receiving with the at least one decentralized monitoring unit from the central monitoring unit configuration data relating to the assigned at least one component monitoring unit, introducing the at least one component monitoring unit and authenticating the at least one component monitoring unit and/or the at least one communication monitoring unit for each segment with the assigned decentralized monitoring unit and configuring the assigned at least one component monitoring unit and evaluating the data using statistical analyses, machine learning, and/or a rule-based system as taught in Trenholm.  One would do so for the benefit of provisioning interfaces (see para. 72).

Regarding claim 9,
Ginter in view of Bush teaches the limitations as described in claim 1 above.
Ginter fails to teach wherein the decentralized monitoring unit is replaced by virtue of removing the decentralized monitoring unit to be replaced from the industrial network introducing a new decentralized monitoring unit into the industrial network and the new decentralized monitoring unit authenticated by the central monitoring unit the new decentralized monitoring unit receiving, from the central monitoring unit, the configuration data relating to the assigned at least one component monitoring unit and/or the assigned at least one communication monitoring unit. 
However, in analogous art Trenholm teaches wherein the decentralized monitoring unit is replaced by virtue of removing the decentralized monitoring unit to be replaced from the industrial network (see para. 313, specification of the agent configuration data setting to disable the configuration agent 1202 when agent configuration operates in accordance with the static mode causes the foregoing to disable agent configuration only when an action is taken to update the current agent configurations in accordance with the changed agent configuration data), 
introducing a new decentralized monitoring unit into the industrial network and the new decentralized monitoring unit authenticated by the central monitoring unit (see para. 58, the nodes communicate securely, with encryption, and authenticate a new sensor-node request to join the group and aggregate data (i.e. authenticating decentralized monitoring unit), wherein configuration file (i.e. configuration data) may be read at execution time that loads a saved classifier model and assigns it to a node (i.e. central monitoring unit) (see also, para. 95)),
the new decentralized monitoring unit receiving, from the central monitoring unit, the configuration data relating to the assigned at least one component monitoring unit and/or the assigned at least one communication monitoring unit (see para. 95, reading the configuration file (i.e. configuring) at execution time to assign it to a node (i.e. assigned component monitoring unit)).
The claimed subject matter as a whole would have been obvious, before the effective filing date of the claimed invention, to one of ordinary skill in the art.  It would have been obvious to one of ordinary skill in the art to include wherein the decentralized monitoring unit is replaced by virtue of removing the decentralized monitoring unit to be replaced from the industrial network introducing a new decentralized monitoring unit into the industrial network and the new decentralized monitoring unit authenticated by the central monitoring unit the new decentralized monitoring unit receiving, from the central monitoring unit, the configuration data relating to the assigned at least one component monitoring unit and/or the assigned at least one communication monitoring unit as taught in Trenholm.  One would do so for the benefit of provisioning interfaces (see para. 72).   

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EMAD H SIDDIQI whose telephone number is (469)295-9126. The examiner can normally be reached M-F 9 am-5 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kevin Bates can be reached on 571-272-3980. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KEVIN T BATES/Supervisory Patent Examiner, Art Unit 2458
/Emad Siddiqi/Examiner, Art Unit 2458