Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 5/9/2022. Claims 1-20 are pending. This Office Action is Final.

Response to Arguments
	A) Applicant’s arguments with regard to claim interpretation under 35 USC 112(f) have been considered and deemed not persuasive. In claim 1, the claim is an “appliance,” which is synonymous with a system/device. The claim recites no explicit hardware embodiments, such as hardware processors, a combination of processors or memories, etc., which implement the limitations recited. What the claim does recite that could possibly be construed as a hardware component is a “module.” To determine whether a claim should be interpreted under 112(f), the claim has to pass a 3-prong test.
1) “the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;” Claim 1 does not use the term “means” or “step,” but does use the term “module,” which is a generic placeholder. This prong is explicitly met.
2) “the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”;” All 3 “modules” in claim 1 are modified by the phrase “configured to.” This prong is explicitly met.
3) “the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.” Similar to what Examiner touched on above about hardware components, none of the 3 modules of claim 1 is modified/implemented by sufficient structure, material or acts. This prong is explicitly met as well.
	Applicant’s argument that the modules work with “nodes” does not affect the fact that the modules are merely generic placeholders. Working with “nodes” does not make the modules some form of hardware. While there are modules known to be hardware, there are plenty of modules which are implemented in software. For example, Paraskevas et al. (US 2021/0075800), Paragraph 0038, recites “Aspects of this disclosure may be implemented, in some embodiments, through a computer-executable program of instructions, such as program modules, generally referred to as software applications or application programs executed by an onboard vehicle computer.” Emphasis added. This is one of many examples of where modules can be software. As a result, claim 1 stands as being interpreted under 35 USC 112(f).
Examiner note: Paraskevas et al. (US 2021/0075800) is not relied upon for any art rejections in this case; it is merely used as a reference showing that modules can be software.

	B) Applicant argues that Ge fails to disclose, teach or even suggest “an operational technology module configured to receive data on an operational technology network from i) a set of probes, ii) by passive traffic ingestion through a location within the network, and iii) any combination of both,” with regard to claim 1. Examiner respectfully disagrees.
	Examiner submits that Ge teaches “an operational technology module configured to receive data on an operational technology network from i) a set of probes, ii) by passive traffic ingestion through a location within the network, and iii) any combination of both.” Ge, Paragraph 0120 recites “Described above is a passive and comprehensive performance anomaly detection system, which helps ISPs monitor the quality of services. In contrast to the current active probing based systems, the present system needs only a few monitoring points to monitor the service quality comprehensively. In contrast to the current active probing based systems, the present system detects anomalies based purely on passive monitored traffic without the injection of probe packets into the network. Further in contrast to current active probing based systems, the presently described system detects anomalies that affect real users other than the probing agents. Finally, in contrast to the current active probing based systems, which typically detect problems for end-to-end paths, the presently described system detects anomalies at different locations in a spatial hierarchy that comprises a relatively large collection of users. That locational detection can directly guide the operators' troubleshooting.”
	Applicant argues that Ge doesn’t recite any “security,” but while Ge may not teach security in those exact terms, it does teach anomaly detection in a network. Anomalies, even performance-based ones, can be signs of malicious behavior and would need to be rectified to ensure a safe network. Ge’s anomaly detection can be applied to numerous systems, such as James’ systems and methods for network monitoring, which does explicitly teach computer security.
	Applicant further argues that there is no teaching with respect to “operational technology” being industrial types of environments. However, there is no explicit recitation in claim 1 that this has to be so. In fact, the first mention of industrial environments is recited in claim 4, where Examiner relies on James to teach this limitation.
	Lastly, Applicant argues that Ge fails to disclose, teach or suggest “autonomous response module configured to respond to counter the cyber threat, and a user interface to program the autonomous response module.” Applicant appears to be arguing that the system is not autonomous when an anomaly is detected. Ge explicitly teaches that it is capable of detecting an anomaly, localizing the anomaly path and then reporting the anomaly. Examiner has interpreted this to be an autonomous response: an anomaly is detected and, in response, the system localizes the anomaly and reports the anomaly. As a result, Ge teaches the limitations argued above.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “module” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 2, 4-12 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ge et al. (US 2013/0054783) in view of James et al. (US 2018/0234302).
	As per claim 1, Ge teaches a cyber security appliance, comprising: an operational technology module configured to receive data on an operational technology network from i) a set of probes, ii) by passive traffic ingestion through a location within the network, and iii) any combination of both (Ge, Paragraph 0120 recites “Described above is a passive and comprehensive performance anomaly detection system, which helps ISPs monitor the quality of services. In contrast to the current active probing based systems, the present system needs only a few monitoring points to monitor the service quality comprehensively. In contrast to the current active probing based systems, the present system detects anomalies based purely on passive monitored traffic without the injection of probe packets into the network. Further in contrast to current active probing based systems, the presently described system detects anomalies that affect real users other than the probing agents. Finally, in contrast to the current active probing based systems, which typically detect problems for end-to-end paths, the presently described system detects anomalies at different locations in a spatial hierarchy that comprises a relatively large collection of users. That locational detection can directly guide the operators' troubleshooting.”); and
	an autonomous response module configured to respond to counter the cyber threat, and a user interface to program the autonomous response module (Ge, Paragraph 0095 recites “The detected anomaly events 1135 are localized by an event localization stage 1140 using a greedy heuristic. In the example system 1100, a single underlying network event such as a link failure may manifest itself at different hierarchy levels. For example, if an underlying network event has caused an increase of RTT for all user requests associated with a common BGP prefix, the example system by design should detect the RTT anomaly for the BGP prefix involved. Due to the nature of BGP routing, those requests should share the same origin AS and AS path, and if the user requests from the BGP prefix dominate other requests of the same origin AS or AS path, the example system would also detect RTT anomalies for the corresponding origin AS and the AS path. In that case, it is desirable for the example system to localize the anomaly to the BGP prefix and report a single anomaly event. In another example, if a network event has impacted an entire AS path and created a service anomaly, all its associated children at the lower hierarchy level locations, such as the associated BGP prefixes, would experience service anomalies as well. In that case, it is desirable for the example system to localize the anomaly to the AS path and report only that anomaly.” One of ordinary skill in the art would see that this is an autonomous process since there is no interaction with an entity to perform any actions post detection).
	But Ge fails to teach where the operational technology module is also configured to reference i) one or more machine-learning models, using machine-learning and artificial intelligence (AI) algorithms, that are trained on a normal pattern of life of users of the operational technology network, ii) one or more machine-learning models, using machine-learning and AI algorithms, that are trained on a normal pattern of life of devices in the operational technology network, and iii) one or more machine-learning models, using machine-learning and AI algorithms, that are trained on a normal pattern of life of controllers in the operational technology network; and a comparator module configured to cooperate with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat.
	However, in an analogous art, James teaches where the operational technology module is also configured to reference i) one or more machine-learning models, using machine-learning and artificial intelligence (AI) algorithms, that are trained on a normal pattern of life of users of the operational technology network, ii) one or more machine-learning models, using machine-learning and AI algorithms, that are trained on a normal pattern of life of devices in the operational technology network, and iii) one or more machine-learning models, using machine-learning and AI algorithms, that are trained on a normal pattern of life of controllers in the operational technology network; and a comparator module configured to cooperate with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat (James, Paragraph 0115 recites “The traffic monitor 414 may monitor 512 the observed events 224 based on the event monitoring model 412. Machine learning features may be extracted from the raw network traffic feed 444 as indicated by the event monitoring model 412. The traffic monitor 414 may then apply the event monitoring model 412 to classify network behavior as normal, rogue or suspicious. For example, the traffic monitor 414 may apply decision trees and/or anomaly detection tests (e.g., Grubb test, 3-sigma test, MAD tests) to the extracted features.” And Paragraph 0052 recites “The described systems and methods provide a data-driven behavior-based machine learning (ML) solution that observes behavior of network devices 220 (e.g., IoT devices) and classifies them as normal or rogue devices. This network monitoring includes feature extraction. Some key feature extraction steps may include extracting behavior of network devices 220 in the network 106 by surveilling network activity. Event flow of the network 106 may be observed at the gateways 104 or back-end server 102. For example, the event flow may include packets communicated between the nodes 108 and gateways 104. Behavior of the network may also be extracted by observing the actions taken by nodes 108 in response to communications with users, gateways 104 and other network devices (e.g., other nodes 108, routers, etc.). Additional device actions may be observed (if available).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method because the use of machine learning is an easy and efficient way to identify trends and patterns in a network. 

	As per claim 2, Ge in combination with James teaches the apparatus of claim 1, Ge further teaches where the autonomous response module is configured to i) to merely make a suggested response to take to counter the cyber threat that will be presented for explicit authorization when the cyber threat is detected or ii) to autonomously take a response to counter the cyber threat without a need for a human to approve the response when the cyber threat is detected (Ge, Paragraph 0095 recites “The detected anomaly events 1135 are localized by an event localization stage 1140 using a greedy heuristic. In the example system 1100, a single underlying network event such as a link failure may manifest itself at different hierarchy levels. For example, if an underlying network event has caused an increase of RTT for all user requests associated with a common BGP prefix, the example system by design should detect the RTT anomaly for the BGP prefix involved. Due to the nature of BGP routing, those requests should share the same origin AS and AS path, and if the user requests from the BGP prefix dominate other requests of the same origin AS or AS path, the example system would also detect RTT anomalies for the corresponding origin AS and the AS path. In that case, it is desirable for the example system to localize the anomaly to the BGP prefix and report a single anomaly event. In another example, if a network event has impacted an entire AS path and created a service anomaly, all its associated children at the lower hierarchy level locations, such as the associated BGP prefixes, would experience service anomalies as well. In that case, it is desirable for the example system to localize the anomaly to the AS path and report only that anomaly.” One of ordinary skill in the art would see that this is an autonomous process since there is no interaction with an entity to perform any actions post detection).
	As per claim 4, Ge in combination with James teaches the apparatus of claim 2, James further teaches where the cyber security appliance containing the autonomous response module, the operational technology module, and the comparator module can be constructed for installation in an industrial environment with a protective housing and cooling components to allow the cyber security appliance to be installed in more hazardous locations where dust, moisture, temperature and vibration require ruggedization (James, Paragraph 0079 recites “It should also be noted that the event monitoring models 212 may not be limited to nodes 108 in a mesh network 106. Instead, the event monitoring models 212 may be applied to gateways 104. For example, in an industrial situation where there are multiple gateways 104, the learning process may be applied to a machine learning engine 210 to detect the behavior of the multiple gateways 104. The machine learning engine 210 may look at all the network traffic 222 from the nodes 108 and the gateways 104 to learn the behavior of a whole network 106. Therefore, the event monitoring models 212 may be used for the whole network 106.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method because the use of machine learning is an easy and efficient way to identify trends and patterns in a network. 

	As per claim 5, Ge in combination with James teaches the apparatus of claim 1, James further teaches an informational technology module configured to monitor data from an informational technology network in order to analyze and integrate both activities occurring in the operational technology network as well as activities occurring in the informational technology network at the same time when analyzing the detected anomalies in the normal pattern of life in order to detect the cyber threat (James, Paragraph 0115 recites “The traffic monitor 414 may monitor 512 the observed events 224 based on the event monitoring model 412. Machine learning features may be extracted from the raw network traffic feed 444 as indicated by the event monitoring model 412. The traffic monitor 414 may then apply the event monitoring model 412 to classify network behavior as normal, rogue or suspicious. For example, the traffic monitor 414 may apply decision trees and/or anomaly detection tests (e.g., Grubb test, 3-sigma test, MAD tests) to the extracted features.” And Paragraph 0052 recites “The described systems and methods provide a data-driven behavior-based machine learning (ML) solution that observes behavior of network devices 220 (e.g., IoT devices) and classifies them as normal or rogue devices. This network monitoring includes feature extraction. Some key feature extraction steps may include extracting behavior of network devices 220 in the network 106 by surveilling network activity. Event flow of the network 106 may be observed at the gateways 104 or back-end server 102. For example, the event flow may include packets communicated between the nodes 108 and gateways 104. Behavior of the network may also be extracted by observing the actions taken by nodes 108 in response to communications with users, gateways 104 and other network devices (e.g., other nodes 108, routers, etc.). Additional device actions may be observed (if available).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method because the use of machine learning is an easy and efficient way to identify trends and patterns in a network. 

	As per claim 6, Ge in combination with James teaches the apparatus of claim 5, James further teaches a graphical user interface is configured to display metrics, alerts, and events of both the operational technology network in light of activities occurring in the information technology network on a common display screen to allow a viewer i) to visually contextualize the metrics, alerts, and/or events occurring in the operational technology network in light of the activities occurring in the information technology network on the common display screen, and then ii) to confirm the detected cyber threat (James, Paragraph 0075 recites “A device manager 228 may respond to the classification of the event monitor 218. For example, if the event monitor 218 detects rogue or suspicious behavior, the event monitor 218 may issue an alert. The device manager 228 may limit behavior of rogue or suspicious network devices 220. For example, the device manager 228 may remove a rogue network device 220 from the network 106 or disable a rogue network device 220 in some capacity. The device manager 228 may also send a text message (e.g., SMS) or email alert to an administrator.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method because the use of machine learning is an easy and efficient way to identify trends and patterns in a network. 

	As per claim 7, Ge in combination with James teaches the apparatus of claim 1, James further teaches a communications messaging detector configured to analyze and understand at least content and fields in two or more of i) a data link, ii) a network protocol, iii) a transport protocol, iv) a session protocol, and v) application layers of networking protocols used in operational technology networks as well as vi) those protocols shared by and used by information technology networks (James, Paragraph 0033 recites “Some of the benefits of the described systems and methods include network monitoring that is data-driven. Hence, this fits the custom nature of various IoT network use cases. The described systems and methods also provide continuous security through surveillance. This does not require any change in the underlying IoT device or the network protocol. These solutions are very scalable with respect to the size of the IoT network and application layer models. Furthermore, these systems and methods are applicable to a variety of networks, including IoT and automotive.” And Paragraph 0036 recites “The nodes 108 may be wired or wireless communication devices. A wireless communication device may utilize one or more communication technologies or protocols. For example, one communication technology may be utilized for mobile wireless system (MWS) (e.g., cellular) communications, while another communication technology may be utilized for wireless connectivity (WCN) communications. MWS may refer to larger wireless networks (e.g., wireless wide area networks (WWANs), cellular phone networks, Long Term Evolution (LTE) networks, Global System for Mobile Communications (GSM) networks, code division multiple access (CDMA) networks, CDMA2000 networks, wideband CDMA (W-CDMA) networks, Universal mobile Telecommunications System (UMTS) networks, Worldwide Interoperability for Microwave Access (WiMAX) networks, etc.). WCN may refer to relatively smaller wireless networks (e.g., wireless local area networks (WLANs), wireless personal area networks (WPANs), IEEE 802.11 (Wi-Fi) networks, Bluetooth (BT) networks, IEEE 802.15.4 (e.g., ZigBee) networks, wireless Universal Serial Bus (USB) networks, etc.). In one approach, a mesh network 106 may use Bluetooth as the underlying radio technology to communicate between devices.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method because the use of machine learning is an easy and efficient way to identify trends and patterns in a network. 
	
	As per claim 8, Ge in combination with James teaches the apparatus of claim 7, James further teaches a graphical user interface is configured to cooperate with the communications messaging detector to examine various fields and other header information in the communications to determine whether that communication is headed to a specific operational technology component that exists beyond an endpoint gateway to operational technology components beyond that Internet Protocol address of the endpoint gateway, where the operational technology components do not have an IP address, and then display both components of the information technology network with IP addresses and identifiable operational technology network without IP addresses on a common display screen to allow a viewer to see both the components of the information technology network and components of the operational technology network on the common display screen (James, Paragraph 0036 recites “The nodes 108 may be wired or wireless communication devices. A wireless communication device may utilize one or more communication technologies or protocols. For example, one communication technology may be utilized for mobile wireless system (MWS) (e.g., cellular) communications, while another communication technology may be utilized for wireless connectivity (WCN) communications. MWS may refer to larger wireless networks (e.g., wireless wide area networks (WWANs), cellular phone networks, Long Term Evolution (LTE) networks, Global System for Mobile Communications (GSM) networks, code division multiple access (CDMA) networks, CDMA2000 networks, wideband CDMA (W-CDMA) networks, Universal mobile Telecommunications System (UMTS) networks, Worldwide Interoperability for Microwave Access (WiMAX) networks, etc.). WCN may refer to relatively smaller wireless networks (e.g., wireless local area networks (WLANs), wireless personal area networks (WPANs), IEEE 802.11 (Wi-Fi) networks, Bluetooth (BT) networks, IEEE 802.15.4 (e.g., ZigBee) networks, wireless Universal Serial Bus (USB) networks, etc.). In one approach, a mesh network 106 may use Bluetooth as the underlying radio technology to communicate between devices.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method because the use of machine learning is an easy and efficient way to identify trends and patterns in a network. 

	As per claim 9, Ge in combination with James teaches the apparatus of claim 1, and Ge further teaches a graphical user interface configured to show i) components of the operational technology network and components of an information technology network and ii) detailed data flows and commands that those network components are receiving in real time and when an abnormal behavior is detected (Ge, Paragraph 0029 recites “ANOMALY DETECTION: To detect anomalies from the time series at different locations, a new enhanced Holt-Winters algorithm is adopted, which is specially designed for real-time online anomaly detection of network performance issues. Compared to the traditional Holt-Winters algorithm, the enhanced Holt-Winters algorithm has the following features:”).

	As per claim 10, Ge in combination with James teaches the apparatus of claim 1, and James further teaches a cyber threat module configured to compare a chain of one or more of the detected anomalies by referencing one or more machine-learning models trained on, at least, the cyber threat, and where once the normal pattern of life has been learned by the models, then the operational technology module can readily identify the anomalies in the normal pattern of life; and thus, unusual behaviors from the devices, users, or controllers of the operational technology network (James, Paragraph 0115 recites “The traffic monitor 414 may monitor 512 the observed events 224 based on the event monitoring model 412. Machine learning features may be extracted from the raw network traffic feed 444 as indicated by the event monitoring model 412. The traffic monitor 414 may then apply the event monitoring model 412 to classify network behavior as normal, rogue or suspicious. For example, the traffic monitor 414 may apply decision trees and/or anomaly detection tests (e.g., Grubb test, 3-sigma test, MAD tests) to the extracted features.” And Paragraph 0052 recites “The described systems and methods provide a data-driven behavior-based machine learning (ML) solution that observes behavior of network devices 220 (e.g., IoT devices) and classifies them as normal or rogue devices. This network monitoring includes feature extraction. Some key feature extraction steps may include extracting behavior of network devices 220 in the network 106 by surveilling network activity. Event flow of the network 106 may be observed at the gateways 104 or back-end server 102. For example, the event flow may include packets communicated between the nodes 108 and gateways 104. Behavior of the network may also be extracted by observing the actions taken by nodes 108 in response to communications with users, gateways 104 and other network devices (e.g., other nodes 108, routers, etc.). Additional device actions may be observed (if available).”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 

	As per claim 11, Ge teaches a method for cyber security appliance defending an operational technology network, comprising: receiving data on the operational technology network from i) a set of probes, ii) by passive traffic ingestion through a location within the network, and iii) any combination of both (Ge, Paragraph 0120 recites “Described above is a passive and comprehensive performance anomaly detection system, which helps ISPs monitor the quality of services. In contrast to the current active probing based systems, the present system needs only a few monitoring points to monitor the service quality comprehensively. In contrast to the current active probing based systems, the present system detects anomalies based purely on passive monitored traffic without the injection of probe packets into the network. Further in contrast to current active probing based systems, the presently described system detects anomalies that affect real users other than the probing agents. Finally, in contrast to the current active probing based systems, which typically detect problems for end-to-end paths, the presently described system detects anomalies at different locations in a spatial hierarchy that comprises a relatively large collection of users. That locational detection can directly guide the operators' troubleshooting.”); and
	taking a response to counter the cyber threat based on the comparison with an autonomous response module (Ge, Paragraph 0095 recites “The detected anomaly events 1135 are localized by an event localization stage 1140 using a greedy heuristic. In the example system 1100, a single underlying network event such as a link failure may manifest itself at different hierarchy levels. For example, if an underlying network event has caused an increase of RTT for all user requests associated with a common BGP prefix, the example system by design should detect the RTT anomaly for the BGP prefix involved. Due to the nature of BGP routing, those requests should share the same origin AS and AS path, and if the user requests from the BGP prefix dominate other requests of the same origin AS or AS path, the example system would also detect RTT anomalies for the corresponding origin AS and the AS path. In that case, it is desirable for the example system to localize the anomaly to the BGP prefix and report a single anomaly event. In another example, if a network event has impacted an entire AS path and created a service anomaly, all its associated children at the lower hierarchy level locations, such as the associated BGP prefixes, would experience service anomalies as well. In that case, it is desirable for the example system to localize the anomaly to the AS path and report only that anomaly.” One of ordinary skill in the art would see that this is an autonomous process since there is no interaction with an entity to perform any actions post detection).
	But fails to teach and referencing i) one or more machine-learning models, that are trained on a normal pattern of life of users of the operational technology network, ii) one or more machine-learning models that are trained on a normal pattern of life of devices in the operational technology network, and iii) one or more machine-learning models that are trained on a normal pattern of life of controllers in the operational technology network; and comparing the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat.
	However, in an analogous art James teaches and referencing i) one or more machine-learning models, that are trained on a normal pattern of life of users of the operational technology network, ii) one or more machine-learning models that are trained on a normal pattern of life of devices in the operational technology network, and iii) one or more machine-learning models that are trained on a normal pattern of life of controllers in the operational technology network; and comparing the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat (James, Paragraph 0115 recites “The traffic monitor 414 may monitor 512 the observed events 224 based on the event monitoring model 412. Machine learning features may be extracted from the raw network traffic feed 444 as indicated by the event monitoring model 412. The traffic monitor 414 may then apply the event monitoring model 412 to classify network behavior as normal, rogue or suspicious. For example, the traffic monitor 414 may apply decision trees and/or anomaly detection tests (e.g., Grubb test, 3-sigma test, MAD tests) to the extracted features.” And Paragraph 0052 recites “The described systems and methods provide a data-driven behavior-based machine learning (ML) solution that observes behavior of network devices 220 (e.g., IoT devices) and classifies them as normal or rogue devices. This network monitoring includes feature extraction. Some key feature extraction steps may include extracting behavior of network devices 220 in the network 106 by surveilling network activity. Event flow of the network 106 may be observed at the gateways 104 or back-end server 102. For example, the event flow may include packets communicated between the nodes 108 and gateways 104. Behavior of the network may also be extracted by observing the actions taken by nodes 108 in response to communications with users, gateways 104 and other network devices (e.g., other nodes 108, routers, etc.). Additional device actions may be observed (if available).”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 

	As per claim 12, Ge in combination with James teaches the method of claim 11, Ge further teaches allowing an autonomous response module to respond to counter the cyber threat; and programming the autonomous response module i) to merely make a suggested response to take to counter the cyber threat that will be presented for explicit authorization when the cyber threat is detected or ii) to autonomously take a response to counter the cyber threat without a need for a human to approve the response when the cyber threat is detected (Ge, Paragraph 0095 recites “The detected anomaly events 1135 are localized by an event localization stage 1140 using a greedy heuristic. In the example system 1100, a single underlying network event such as a link failure may manifest itself at different hierarchy levels. For example, if an underlying network event has caused an increase of RTT for all user requests associated with a common BGP prefix, the example system by design should detect the RTT anomaly for the BGP prefix involved. Due to the nature of BGP routing, those requests should share the same origin AS and AS path, and if the user requests from the BGP prefix dominate other requests of the same origin AS or AS path, the example system would also detect RTT anomalies for the corresponding origin AS and the AS path. In that case, it is desirable for the example system to localize the anomaly to the BGP prefix and report a single anomaly event. In another example, if a network event has impacted an entire AS path and created a service anomaly, all its associated children at the lower hierarchy level locations, such as the associated BGP prefixes, would experience service anomalies as well. In that case, it is desirable for the example system to localize the anomaly to the AS path and report only that anomaly.” One of ordinary skill in the art would see that this is an autonomous process since there is no interaction with an entity to perform any actions post detection).
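	The following is an added illustration of the claim 11 and claim 12 steps as the rejection paraphrases them; it is not code from the application, from Ge, or from James. It keeps a separate learned baseline (the "normal pattern of life") for each user, device and controller, applies the 3-sigma and MAD anomaly tests that James’ paragraph 0115 names to newly received data, and hands each anomaly to an autonomous response module that either queues a suggested response for explicit authorization or takes the response without human approval. The telemetry records, the entity names, the messages-per-minute metric and the response action names are constructed assumptions for the example; an entity with no baseline at all is reported as an anomaly rather than silently accepted.

```python
from dataclasses import dataclass, field
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

Record = Tuple[str, str, float]   # (entity type, entity id, messages per minute)

# Constructed telemetry (an assumption, not captured traffic). Each tuple is one
# observation of an entity of a type the claim distinguishes.
TRAINING: List[Record] = [
    *[("user", "operator-7", v) for v in (4, 5, 4, 6, 5, 4, 5, 5)],
    *[("device", "plc-01", v) for v in (100, 102, 98, 101, 99, 100, 103, 97, 100, 101)],
    *[("controller", "hmi-02", v) for v in (20, 22, 21, 20, 23, 21, 20, 22)],
]
LIVE: List[Record] = [
    ("user", "operator-7", 5), ("user", "operator-7", 40),
    ("device", "plc-01", 100), ("device", "plc-01", 5000),
    ("controller", "hmi-02", 21), ("controller", "hmi-02", 60),
    ("device", "plc-99", 1),          # never seen during training
]


@dataclass
class Baseline:
    """Learned normal pattern of life for one entity: its history of observations."""
    values: List[float] = field(default_factory=list)

    def three_sigma(self, x: float, k: float = 3.0) -> bool:
        """Parametric test: anomalous if x lies more than k standard deviations from the mean."""
        return abs(x - mean(self.values)) > k * pstdev(self.values)

    def mad(self, x: float, k: float = 3.5) -> bool:
        """Robust test on the median absolute deviation; a few outliers in the history do not move it."""
        med = median(self.values)
        mad = median(abs(v - med) for v in self.values)
        if mad == 0:                      # constant history: any change is anomalous
            return x != med
        return abs(x - med) / (1.4826 * mad) > k


@dataclass
class Anomaly:
    entity_type: str
    entity_id: str
    value: float
    tests: List[str]                      # which tests fired


class PatternOfLifeDetector:
    """One model per entity type (users, devices, controllers), one baseline per entity."""
    ENTITY_TYPES = ("user", "device", "controller")

    def __init__(self) -> None:
        self.models: Dict[str, Dict[str, Baseline]] = {t: {} for t in self.ENTITY_TYPES}

    def train(self, records: List[Record]) -> None:
        for etype, eid, value in records:
            self.models[etype].setdefault(eid, Baseline()).values.append(value)

    def detect(self, records: List[Record]) -> List[Anomaly]:
        found: List[Anomaly] = []
        for etype, eid, value in records:
            base = self.models[etype].get(eid)
            if base is None:              # an entity with no pattern of life is itself unusual
                found.append(Anomaly(etype, eid, value, ["no-baseline"]))
                continue
            fired = [name for name, test in (("3-sigma", base.three_sigma), ("MAD", base.mad)) if test(value)]
            if fired:
                found.append(Anomaly(etype, eid, value, fired))
        return found


class AutonomousResponseModule:
    """'suggest' queues a response for explicit authorization; 'autonomous' takes it
    without human approval. The action names are assumptions for the example."""
    ACTIONS = {"user": "suspend-session", "device": "isolate-from-network", "controller": "block-write-commands"}

    def __init__(self, mode: str) -> None:
        if mode not in ("suggest", "autonomous"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.taken: List[dict] = []       # responses executed without approval
        self.pending: List[dict] = []     # suggested responses awaiting authorization

    def respond(self, anomaly: Anomaly) -> dict:
        decision = {
            "target": anomaly.entity_id,
            "action": self.ACTIONS[anomaly.entity_type],
            "requires_authorization": self.mode == "suggest",
        }
        (self.pending if self.mode == "suggest" else self.taken).append(decision)
        return decision


def run(mode: str = "suggest") -> Tuple[List[dict], AutonomousResponseModule]:
    """Train on the constructed history, detect on the live records, respond in the given mode."""
    detector = PatternOfLifeDetector()
    detector.train(TRAINING)
    module = AutonomousResponseModule(mode)
    return [module.respond(a) for a in detector.detect(LIVE)], module


if __name__ == "__main__":
    for decision in run("suggest")[0]:
        print(decision)
```

	Running it in "suggest" mode leaves four pending decisions (the operator at 40 messages per minute, the PLC at 5000, the HMI at 60, and the unknown device plc-99) and executes nothing; the same run in "autonomous" mode executes all four without a pending queue. Using two tests side by side is deliberate: the 3-sigma test is cheap but its mean and standard deviation can be dragged by a poisoned training history, whereas the MAD test is not.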

	Regarding claim 14, claim 14 is directed to a non-transitory computer readable medium associated with the method of claim 11. Claim 14 is similar in scope to claim 11 and is therefore rejected under the same rationale. 

	As per claim 15, Ge in combination with James teaches the method of claim 11, and James further teaches monitoring data from an informational technology network in order to analyze and integrate both activities occurring in the operational technology network as well as activities occurring in the informational technology network at the same time when analyzing the detected anomalies in the normal pattern of life in order to detect the cyber threat (James, Paragraph 0115 recites “The traffic monitor 414 may monitor 512 the observed events 224 based on the event monitoring model 412. Machine learning features may be extracted from the raw network traffic feed 444 as indicated by the event monitoring model 412. The traffic monitor 414 may then apply the event monitoring model 412 to classify network behavior as normal, rogue or suspicious. For example, the traffic monitor 414 may apply decision trees and/or anomaly detection tests (e.g., Grubb test, 3-sigma test, MAD tests) to the extracted features.” And Paragraph 0052 recites “The described systems and methods provide a data-driven behavior-based machine learning (ML) solution that observes behavior of network devices 220 (e.g., IoT devices) and classifies them as normal or rogue devices. This network monitoring includes feature extraction. Some key feature extraction steps may include extracting behavior of network devices 220 in the network 106 by surveilling network activity. Event flow of the network 106 may be observed at the gateways 104 or back-end server 102. For example, the event flow may include packets communicated between the nodes 108 and gateways 104. Behavior of the network may also be extracted by observing the actions taken by nodes 108 in response to communications with users, gateways 104 and other network devices (e.g., other nodes 108, routers, etc.). Additional device actions may be observed (if available).”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 

	As per claim 16, Ge in combination with James teaches the method of claim 15, James further teaches displaying metrics, alerts, and events of both the operational technology network in light of activities occurring in information technology network on a common display screen to allow a viewer i) to visually contextualize the metrics, alerts, and/or events occurring in the operational technology network in light of the activities occurring in the information technology network on the common display screen, and then ii) to confirm the detected cyber threat (James, Paragraph 0075 recites “A device manager 228 may respond to the classification of the event monitor 218. For example, if the event monitor 218 detects rogue or suspicious behavior, the event monitor 218 may issue an alert. The device manager 228 may limit behavior of rogue or suspicious network devices 220. For example, the device manager 228 may remove a rogue network device 220 from the network 106 or disable a rogue network device 220 in some capacity. The device manager 228 may also send a text message (e.g., SMS) or email alert to an administrator.”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 


	As per claim 17, Ge in combination with James teaches the method of claim 11, and James further teaches analyzing and understanding content and fields in two or more of i) a data link protocol, ii) a network protocol, iii) a transport protocol, iv) a session protocol, and v) application layers of networking protocols used in operational technology networks as well as vi) those protocols shared by and used by information technology networks (James, Paragraph 0033 recites “Some of the benefits of the described systems and methods include network monitoring that is data-driven. Hence, this fits the custom nature of various IoT network use cases. The described systems and methods also provide continuous security through surveillance. This does not require any change in the underlying IoT device or the network protocol. These solutions are very scalable with respect to the size of the IoT network and application layer models. Furthermore, these systems and methods are applicable to a variety of networks, including IoT and automotive.” And Paragraph 0036 recites “The nodes 108 may be wired or wireless communication devices. A wireless communication device may utilize one or more communication technologies or protocols. For example, one communication technology may be utilized for mobile wireless system (MWS) (e.g., cellular) communications, while another communication technology may be utilized for wireless connectivity (WCN) communications. MWS may refer to larger wireless networks (e.g., wireless wide area networks (WWANs), cellular phone networks, Long Term Evolution (LTE) networks, Global System for Mobile Communications (GSM) networks, code division multiple access (CDMA) networks, CDMA2000 networks, wideband CDMA (W-CDMA) networks, Universal mobile Telecommunications System (UMTS) networks, Worldwide Interoperability for Microwave Access (WiMAX) networks, etc.). WCN may refer to relatively smaller wireless networks (e.g., wireless local area networks (WLANs), wireless personal area networks (WPANs), IEEE 802.11 (Wi-Fi) networks, Bluetooth (BT) networks, IEEE 802.15.4 (e.g., ZigBee) networks, wireless Universal Serial Bus (USB) networks, etc.). In one approach, a mesh network 106 may use Bluetooth as the underlying radio technology to communicate between devices.”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 


	As per claim 18, Ge in combination with James teaches the method of claim 17, and James further teaches examining various fields and other header information in the communications to determine whether that communication is headed to a specific operational technology component that exists beyond an endpoint gateway to operational technology components beyond that Internet Protocol address of the endpoint gateway, where the operational technology components do not have an IP address, and then display both components of the information technology network with IP addresses and identifiable operational technology network without IP addresses on a common display screen to allow a viewer to see both the components of the information technology network and components of the operational technology network on the common display screen (James, Paragraph 0036 recites “The nodes 108 may be wired or wireless communication devices. A wireless communication device may utilize one or more communication technologies or protocols. For example, one communication technology may be utilized for mobile wireless system (MWS) (e.g., cellular) communications, while another communication technology may be utilized for wireless connectivity (WCN) communications. MWS may refer to larger wireless networks (e.g., wireless wide area networks (WWANs), cellular phone networks, Long Term Evolution (LTE) networks, Global System for Mobile Communications (GSM) networks, code division multiple access (CDMA) networks, CDMA2000 networks, wideband CDMA (W-CDMA) networks, Universal mobile Telecommunications System (UMTS) networks, Worldwide Interoperability for Microwave Access (WiMAX) networks, etc.). WCN may refer to relatively smaller wireless networks (e.g., wireless local area networks (WLANs), wireless personal area networks (WPANs), IEEE 802.11 (Wi-Fi) networks, Bluetooth (BT) networks, IEEE 802.15.4 (e.g., ZigBee) networks, wireless Universal Serial Bus (USB) networks, etc.). In one approach, a mesh network 106 may use Bluetooth as the underlying radio technology to communicate between devices.”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 
	As per claim 19, Ge in combination with James teaches the method of claim 11, and Ge further teaches using a graphical user interface to show, in real time, i) components of the operational technology network and components of an information technology network and ii) detailed data flows and commands that those network components are receiving when an abnormal behavior is detected (Ge, Paragraph 0029 recites “ANOMALY DETECTION: To detect anomalies from the time series at different locations, a new enhanced Holt-Winters algorithm is adopted, which is specially designed for real-time online anomaly detection of network performance issues. Compared to the traditional Holt-Winters algorithm, the enhanced Holt-Winters algorithm has the following features:”).

	As per claim 20, Ge in combination with James teaches the method of claim 11, and James further teaches comparing a chain of one or more of the detected anomalies by referencing one or more machine-learning models trained on, at least, the cyber threat, and where once the normal pattern of life has been learned by the models, then the operational technology module can readily identify the anomalies in the normal pattern of life; and thus, unusual behaviors from the devices, users, or controllers of the operational technology network (James, Paragraph 0115 recites “The traffic monitor 414 may monitor 512 the observed events 224 based on the event monitoring model 412. Machine learning features may be extracted from the raw network traffic feed 444 as indicated by the event monitoring model 412. The traffic monitor 414 may then apply the event monitoring model 412 to classify network behavior as normal, rogue or suspicious. For example, the traffic monitor 414 may apply decision trees and/or anomaly detection tests (e.g., Grubb test, 3-sigma test, MAD tests) to the extracted features.” And Paragraph 0052 recites “The described systems and methods provide a data-driven behavior-based machine learning (ML) solution that observes behavior of network devices 220 (e.g., IoT devices) and classifies them as normal or rogue devices. This network monitoring includes feature extraction. Some key feature extraction steps may include extracting behavior of network devices 220 in the network 106 by surveilling network activity. Event flow of the network 106 may be observed at the gateways 104 or back-end server 102. For example, the event flow may include packets communicated between the nodes 108 and gateways 104. Behavior of the network may also be extracted by observing the actions taken by nodes 108 in response to communications with users, gateways 104 and other network devices (e.g., other nodes 108, routers, etc.). Additional device actions may be observed (if available).”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine James’ systems and methods for network monitoring with Ge’s passive and comprehensive hierarchical anomaly detection system and method, because the data-driven machine learning that James describes is an easy and efficient way to identify trends and patterns in network traffic. 
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ge et al. (US 2013/0054783) in view of James et al. (US 2018/0234302) and further in view of Jain et al. (US 2019/0236177).

	As per claim 3, Ge in combination with James teaches the apparatus of claim 2, but fails to teach where the user interface is further configured to program in different configurations for subsets of, or zones, within the operational technology network, where in these different subsets and zones, permissions for the autonomous response module to autonomously take the response to counter the cyber threat without the need for a human to approve the response i) when the cyber threat is detected, can differ in each different zone and ii) a range of allowed responses can also differ in each different zone, iii) and a set of allowed responses can also differ in each different zone, and iv) any combination of these.
	However, in an analogous art Jain teaches where the user interface is further configured to program in different configurations for subsets of, or zones, within the operational technology network, where in these different subsets and zones, permissions for the autonomous response module to autonomously take the response to counter the cyber threat without the need for a human to approve the response i) when the cyber threat is detected, can differ in each different zone and ii) a range of allowed responses can also differ in each different zone, iii) and a set of allowed responses can also differ in each different zone, and iv) any combination of these (Jain, Paragraph 0053 recites “In step 304, the selected detection technique is applied to the time-series data set for a first set of dimensions to detect an anomaly. For example, and with continued reference to FIGS. 1 and 2, anomaly detector 206 of anomaly detection system 104 applies selected detection technique 202 to time-series data 118 for a first set of dimensions to detect an anomaly. For instance, selected detection technique 202 may be applied to a current portion of current time-series data. The first set of dimensions of time-series data 118 to which selected detection technique 202 is applied may be automatically selected by anomaly detector 206, or manually selected by a user, such as by interaction with anomaly detection system interface 110. For instance, as shown in FIG. 2, configuration data 212 may be provided from interface 110 to anomaly detector 206. Configuration data 212 includes configuration information for executing anomaly detection by anomaly detector 206, such as the first set of dimensions.”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine Jain’s combination of techniques to detect anomalies in multi-dimensional time series with Ge’s passive and comprehensive hierarchical anomaly detection system and method as modified by James, because programming different configurations for different parts of the network offers the advantage of flexibility in the system.  


	As per claim 13, Ge in combination with James teaches the method of claim 12, but fails to teach programming in different subsets or zones within the operational technology network, where in these different subsets and zones, permissions for the autonomous response module to autonomously take the response to counter the cyber threat without the need for a human to approve the response when the cyber threat is detected can differ.
	However, in an analogous art Jain teaches programming in different subsets or zones within the operational technology network, where in these different subsets and zones, permissions for the autonomous response module to autonomously take the response to counter the cyber threat without the need for a human to approve the response when the cyber threat is detected can differ (Jain, Paragraph 0053 recites “In step 304, the selected detection technique is applied to the time-series data set for a first set of dimensions to detect an anomaly. For example, and with continued reference to FIGS. 1 and 2, anomaly detector 206 of anomaly detection system 104 applies selected detection technique 202 to time-series data 118 for a first set of dimensions to detect an anomaly. For instance, selected detection technique 202 may be applied to a current portion of current time-series data. The first set of dimensions of time-series data 118 to which selected detection technique 202 is applied may be automatically selected by anomaly detector 206, or manually selected by a user, such as by interaction with anomaly detection system interface 110. For instance, as shown in FIG. 2, configuration data 212 may be provided from interface 110 to anomaly detector 206. Configuration data 212 includes configuration information for executing anomaly detection by anomaly detector 206, such as the first set of dimensions.”).
	It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine Jain’s combination of techniques to detect anomalies in multi-dimensional time series with Ge’s passive and comprehensive hierarchical anomaly detection system and method as modified by James, because programming different configurations for different parts of the network offers the advantage of flexibility in the system.  
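	As an added illustration of the zone-scoped permissions that claims 3 and 13 recite, the following is example code and not code from the application, from Jain, or from the other cited references. Each zone of the operational technology network carries its own setting for whether the autonomous response module may act without human approval, its own set of allowed responses, and its own upper bound on how disruptive a response may be (the "range" of responses); a requested response that falls outside a zone's permissions is downgraded to the strongest response that zone still permits instead of being executed. The zone names, the device placement, the response actions and the severity scale are assumptions, and a device that is not assigned to any zone falls back to the most restrictive policy so that the module fails closed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Response actions ordered by how disruptive they are to the process (an assumed scale).
SEVERITY: Dict[str, int] = {
    "log-only": 0,
    "alert-operator": 1,
    "rate-limit": 2,
    "block-command": 3,
    "isolate-device": 4,
}


@dataclass(frozen=True)
class ZonePolicy:
    """What the user interface programs for one zone: whether the autonomous response
    module may act without human approval, which responses it may use, and the most
    disruptive response it may take inside this zone."""
    autonomous: bool
    allowed: FrozenSet[str]
    max_severity: int


# Most restrictive policy; applied whenever a device's zone is unknown (fail closed).
DEFAULT_POLICY = ZonePolicy(False, frozenset({"log-only", "alert-operator"}), 1)

# Constructed zone table and device placement (assumptions, not from the references).
ZONES: Dict[str, ZonePolicy] = {
    "enterprise-it": ZonePolicy(True, frozenset(SEVERITY), 4),
    "supervisory": ZonePolicy(True, frozenset({"log-only", "alert-operator", "rate-limit", "block-command"}), 3),
    "safety-instrumented": DEFAULT_POLICY,
}
DEVICE_ZONE: Dict[str, str] = {
    "hist-01": "enterprise-it",
    "plc-01": "supervisory",
    "sis-01": "safety-instrumented",
}


@dataclass(frozen=True)
class Decision:
    device: str
    zone: str
    action: str          # the response actually selected
    mode: str            # "taken" (no approval needed) or "suggested" (awaits authorization)
    downgraded: bool     # True when the requested response was outside the zone's permissions


def validate_zones(zones: Dict[str, ZonePolicy]) -> List[str]:
    """Report configuration mistakes: unknown actions, or allowed actions above the zone's range."""
    problems: List[str] = []
    for name, policy in zones.items():
        for action in sorted(policy.allowed):
            if action not in SEVERITY:
                problems.append(f"{name}: unknown action {action!r}")
            elif SEVERITY[action] > policy.max_severity:
                problems.append(f"{name}: {action!r} exceeds max_severity {policy.max_severity}")
    return problems


def decide(device: str, requested: str,
           zones: Dict[str, ZonePolicy] = ZONES,
           placement: Dict[str, str] = DEVICE_ZONE) -> Decision:
    """Apply the device's zone policy to a response the detector wants to take."""
    zone = placement.get(device, "unassigned")
    policy = zones.get(zone, DEFAULT_POLICY)
    in_range = {a for a in policy.allowed if a in SEVERITY and SEVERITY[a] <= policy.max_severity}
    in_range = in_range or {"log-only"}   # never leave a zone with no permitted response at all
    if requested in in_range:
        action, downgraded = requested, False
    else:
        # Fall back to the most disruptive response this zone still permits.
        action, downgraded = max(in_range, key=SEVERITY.__getitem__), True
    mode = "taken" if policy.autonomous else "suggested"
    return Decision(device, zone, action, mode, downgraded)


if __name__ == "__main__":
    for dev, req in (("hist-01", "isolate-device"), ("plc-01", "isolate-device"),
                     ("sis-01", "block-command"), ("unknown-9", "isolate-device")):
        print(decide(dev, req))
```

	With this table the same detector verdict produces four different outcomes: the historian in the IT zone is isolated immediately, the PLC in the supervisory zone gets only a block on the offending command (isolation is outside that zone's set), the safety-instrumented device gets an operator alert that still needs authorization, and an unplaced device is treated like the safety zone. Running validate_zones at configuration time catches a zone whose allowed set contradicts its severity bound before the policy is ever consulted.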
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439