Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the amendment filed April 4, 2022, for application 16/655,071.
Claims 1-20 have been examined and are pending.  Claims 1-3, 7, 9, 10, 12, 13, 17, 19, and 20 have been amended.  Claims 1, 10, and 20 are independent claims.

Response to Arguments
Applicants’ arguments, see Applicant Arguments/Remarks Made in an Amendment, filed 4/4/2022, with respect to the rejections of claims 1-20 have been fully considered but are not persuasive.
Applicant argues as follows:  Even if arguendo the "functional, physical, or simulation model" used by a command monitor in Cunningham is an example of a "command validation model" in claims 1, 10, and 20, respectively, Cunningham fails to teach or suggest "updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command" (as recited in claims 1 and 10) or "updating the command validation model based on new results data of the command validation for the new command, the new results data including the new command and a validity determination for the new command".
Examiner respectfully disagrees.  Regarding claim 1, Cunningham discloses, in paragraph 0100, a method, implemented by one or more computing devices comprising at least one hardware processor and one or more tangible memories coupled to the at least one hardware processor, of protecting a set of controlled infrastructure assets in an infrastructure system, the method comprising: in paragraph 0030, receiving a command for one of the set of controlled infrastructure assets; in paragraphs 0006, 0044, 0080, validating the received command, wherein the command is validated according to a command validation model, the command validation model having been generated based on data representing at least part of the infrastructure system; in paragraph 0005, responsive to a successful validation, providing the received command to the one of the set of controlled infrastructure assets.
Applicant argues as follows:  Even if arguendo Stevens describes updating a flow model for a transportation network, the flow model of Stevens is not a command validation model for one or more infrastructure assets. Stevens does not address how to update such a command validation model. By itself or in combination with Cunningham, Stevens fails to teach or suggest "updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command" (as recited in claims 1 and 10) or "updating the command validation model based on new results data of the command validation for the new command, the new results data including the new command and a validity determination for the new command" (as recited in claim 20).
KBR:iar 04/04/22 31449-E Attorney Reference Number 23-102922-01 Application Number 16/655,071
Examiner respectfully disagrees.  Stevens discloses, in paragraph 0044, updating the command validation model based on results data of the command validation.
Applicant argues as follows:  Each of claims 9 and 19 depends from, and includes the above-cited language of, claim 1 or 10. As explained above, Cunningham fails to teach or suggest the above-cited language of claims 1 and 10, respectively. Sekiya fails to remedy the deficiencies of the rejections. Sekiya describes a portable electronic device (such as an "IC card") that determines whether or not to execute processes affecting contents according to a received command. Sekiya, Abstract; 4, 49-50. In general, Sekiya is not directed to controlling infrastructure asset(s) in an infrastructure system, nor does Sekiya teach or suggest a command validation model for one or more infrastructure assets. By itself or in combination with Cunningham, Sekiya is even further from teaching or suggesting "updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command" (as recited in claims 1 and 10) or "updating the command validation model based on new results data of the command validation for the new command, the new results data including the new command and a validity determination for the new command" (as recited in claim 20).
Examiner respectfully disagrees. Sekiya discloses, in paragraph 0305, the results data including the received command and a validity determination for the received command.
The Examiner respectfully suggests that the claims be further amended and details in the specification be incorporated to distinguish the claimed invention over prior art of record.  Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272 5368 to schedule an interview.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cunningham (US20210318670), filed July 3, 2018, in view of Stevens (US20130066610), filed September 7, 2012, and Sekiya (US20090132852), filed December 11, 2008.
Regarding claim 1, Cunningham discloses a method, implemented by one or more computing devices comprising at least one hardware processor and one or more tangible memories coupled to the at least one hardware processor, of protecting a set of controlled infrastructure assets in an infrastructure system, the method comprising: (Cunningham, paragraph 0100, “Systems that implement the techniques described above can be implemented in software, in firmware, in digital electronic circuitry, or in computer hardware, or in combinations of them. The system can include a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor, and method steps can be performed by a programmable processor executing a program of instructions to perform functions by operating on input data and generating output. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, a computer will include one or more mass storage devices for storing data recordings; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks.”); 
receiving a command for one of the set of controlled infrastructure assets (Cunningham, paragraph 0030, “A command monitor (CM) 106 is located at some point along the one or more communication paths 108, such that any command issued by a control station 104 is received (e.g., received, intercepted, or proxied) and mediated by the command monitor 106 before being issued and executed at one or more remote cyber-physical systems 102.”);
validating the received command, wherein the command is validated according to a command validation model, the command validation model having been generated based on data representing at least part of the infrastructure system (Cunningham, paragraph 0006, “ In some examples, validation of the remote commands includes simulation of the effect of the commands using a model of the cyber-physical system.”; paragraph 0044, “In some examples, the command policy is expressed using an access control model (e.g., the Attribute-Based Access Control (ABAC) model). The access control model (i.e., command validation model) includes access control rules that can be applied to state data (including system attributes) associated with one or both of the first remote cyber-physical system, R.sub.A 102A and the first control station, C.sub.A 104A. In some examples, the access control rules are also applied to attribute data associated with one or more human operators (e.g., an authentication status of an operator, system permissions, and other identity information).”; paragraph 0080, “In some examples, a single command monitor is used to receive and filter commands for multiple remote systems (e.g., a swarm of drones or a swarm of satellites). For example, as satellite deployment models switch from monolithic to constellation-based, unifying command interfaces with validation and security protections will be necessary. This is true for other types of remote cyber-physical systems (e.g., UAVs and other autonomous vehicles and remote sensors such as underwater monitors) as well, which are increasingly being deployed as swarms rather than individual units.”);
responsive to a successful validation, providing the received command to the one of the set of controlled infrastructure assets (Cunningham, paragraph 0005, “Aspects described herein address the above-described problem by including a command monitor on a communication path between a control station and a cyber-physical system. Among other features, the command monitor includes a mechanism for validating that remote commands to such systems obey an explicit command policy. By forcing commands to obey the explicit command policy, execution of malicious, inadvertently dangerous, or otherwise undesirable commands is prevented.”).
Cunningham does not explicitly disclose updating the command validation model based on results data of the command validation.
However, in an analogous art, Stevens discloses updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command (Stevens, paragraph 0044, “In general, as will be described in further detail below, the input module 400 is configured to (i) receive, store, manage, and provide a variety of existing data associated with a shipping network and used to generate a flow model thereof; and (ii) receive, store, and provide a variety of update data likewise associated with the shipping network and used to revise a flow model thereof. The validation module 500 is configured to activate a model validation tool, which calculates whether the input (e.g., updated) data results in any impacts to one or more parameters of the flow model. Any identified impacted model data is presented to a user of the tool and associated system 20. The optimization module 600 is then configured to activate a model optimization tool, which applies one or more algorithms to generate one or more optimized models based upon the existing data, the input data, and the identified impacted data.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Stevens with the system/method of Cunningham to include updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command.
One would have been motivated to provide users with the benefits of simulating an integrated flow model for a plurality of transportation networks (Stevens: paragraph 0003).
Cunningham and Stevens do not explicitly disclose the results data including the received command and a validity determination for the received command.
However, in an analogous art, Sekiya discloses the results data including the received command and a validity determination for the received command (Sekiya, paragraph 0305, “When the verify process with the key K1 is completed, the control element 11 of the IC card 1 stores the information indicating the process result of the second received command (verify command C2) in the data memory 14 as the log data L0 of transaction process, and transmits the response (response indicating the process result of the verify command C2) indicating the successful verification with the key information K1 to the IC card processing device 2.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sekiya with the system/method/one or more non-transitory computer-readable storage media of Cunningham and Stevens to include the results data including the received command and a validity determination for the received command.
One would have been motivated to provide users with the benefits of a portable electronic device having a high level of security (Sekiya: paragraph 0013).
Regarding claim 2, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Cunningham discloses further comprising: making available state data of the set of controlled infrastructure assets and/or the results data of the command validation (Cunningham, paragraph 0030, “The command monitor 106 receives information related to a state of the remote cyber-physical systems 102 (e.g., a position, orientation, or resource levels associated with the system) as well as information related to a state of the control stations 104 (e.g., an authentication state of a control station).”; paragraph 0032, “In some examples, the command monitor 106 provides feedback to the control stations 104 including information related to an updated state of the remote cyber-physical systems 102.”; paragraph 0040, “The controller 220 provides state feedback to the command monitor 106 over the state feedback link 110A to inform the command monitor 106 of the current state of the first remote cyber-physical system, R.sub.A 102A, including a current state of the physical subsystems 222 of the first remote cyber-physical system, R.sub.A 102A.”; paragraph 0066, “But, one difference in the communication and control system 300 is that, by co-locating the command monitor 306 with the remote cyber-physical system, R.sub.Y 102Y, state information for the remote cyber-physical system, R.sub.Y 102Y is always available to the command monitor 306.  Having the command monitor co-located on the remote cyber-physical system obviates the need to send state information over a communication link (e.g., a radio link) to a remote command station.”).
Regarding claim 3, Cunningham, Stevens, and Sekiya disclose the method of claim 2.  Stevens discloses wherein the updating the command validation model is also based on the state data (Stevens, paragraph 0044, “In general, as will be described in further detail below, the input module 400 is configured to (i) receive, store, manage, and provide a variety of existing data associated with a shipping network and used to generate a flow model thereof; and (ii) receive, store, and provide a variety of update data likewise associated with the shipping network and used to revise a flow model thereof. The validation module 500 is configured to activate a model validation tool, which calculates whether the input (e.g., updated) data results in any impacts to one or more parameters of the flow model. Any identified impacted model data is presented to a user of the tool and associated system 20. The optimization module 600 is then configured to activate a model optimization tool, which applies one or more algorithms to generate one or more optimized models based upon the existing data, the input data, and the identified impacted data.”). The motivation is the same as that of the claim from which this claim depends.
Regarding claim 4, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Cunningham discloses wherein the command validation model implements a machine-learning algorithm (Cunningham, paragraph 0092, “In some examples, a digital and physical state of the remote cyber-physical system is modeled using an appropriate modeling technique. For examples, a model of the remote cyber-physical system can be encoded using a state-machine with a finite number of well-defined states, or a neural network or another suitable machine learning technique where weights are used to encode a condition or state of the system.”).
Regarding claim 5, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Cunningham discloses wherein the command validation model is a trained neural network (Cunningham, paragraph 0092, “In some examples, a digital and physical state of the remote cyber-physical system is modeled using an appropriate modeling technique. For examples, a model of the remote cyber-physical system can be encoded using a state-machine with a finite number of well-defined states, or a neural network or another suitable machine learning technique where weights are used to encode a condition or state of the system.”).
Regarding claim 6, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Cunningham discloses wherein the data representing the at least part of the infrastructure system comprises behavioral data for the infrastructure system (Cunningham, paragraph 0009, “Receiving the state information from the remote system may include receiving one or more state variables from the remote system, and updating the data characterizing the operation of the remote system includes updating the state information of the data characterizing an operation of the remote system using the received state information.”).
Regarding claim 7, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Cunningham discloses wherein the data representing the at least part of the infrastructure system comprises results data of previous command validation within the infrastructure system (Cunningham, paragraph 0044, “In some examples, the command policy is expressed using an access control model (e.g., the Attribute-Based Access Control (ABAC) model). The access control model includes access control rules that can be applied to state data (including system attributes) associated with one or both of the first remote cyber-physical system, R.sub.A 102A and the first control station, C.sub.A 104A. In some examples, the access control rules are also applied to attribute data associated with one or more human operators (e.g., an authentication status of an operator, system permissions, and other identity information).”).
Regarding claim 8, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Cunningham discloses wherein the command is a first command, the method further comprising: receiving a second command for another one of the set of controlled infrastructure assets; and (Cunningham, paragraph 0041, “In some examples, the command monitor 106 includes a separate command sub-monitor 106A-C for each of the remote cyber-physical systems 102 that it monitors. For example, the command monitor 106 in FIG. 2 includes a first command sub-monitor 106A associated with the first remote cyber-physical system, R.sub.A 102A, a second command sub-monitor 106B associated with the second remote cyber-physical system, R.sub.B 102B, and a third command sub-monitor 106C associated with the third remote cyber-physical system, R.sub.C 102C. In other examples, a single command monitor 106 (with a single command sub-monitor) is used to monitor commands for multiple or all of the remote cyber-physical systems 102.”) responsive to an unsuccessful validation of the received second command, rejecting the received second command and preventing the received second command from being executed by the other one of the set of controlled infrastructure assets, wherein the received second command is malformed or the received second command is determined to result in incorrect behavior of the other one of the set of controlled infrastructure assets (Cunningham, paragraph 0046, “The state predictor 218 processes the command according to the state information from the first remote cyber-physical system, R.sub.A 102A to determine a predicted state of the first remote cyber-physical system, R.sub.A 102A that would result from execution of the command by the first remote cyber-physical system, R.sub.A 102A. The predicted state is provided to the command filter 216 which evaluates the predicted state according to one or more control rules to determine whether the predicted state is prohibited, undesirable, and/or faulty. In this successful example, the command filter 216 determines that the predicted state is not prohibited, undesirable, and/or faulty and therefore forwards the command to the first remote cyber-physical system, R.sub.A 102A via the first communication link 108A.”; paragraph 0041, “In some examples, the command monitor 106 includes a separate command sub-monitor 106A-C for each of the remote cyber-physical systems 102 that it monitors. For example, the command monitor 106 in FIG. 2 includes a first command sub-monitor 106A associated with the first remote cyber-physical system, R.sub.A 102A, a second command sub-monitor 106B associated with the second remote cyber-physical system, R.sub.B 102B, and a third command sub-monitor 106C associated with the third remote cyber-physical system, R.sub.C 102C. In other examples, a single command monitor 106 (with a single command sub-monitor) is used to monitor commands for multiple or all of the remote cyber-physical systems 102.” (i.e., second command encompasses second remote cyber-physical system)).
Regarding claim 9, Cunningham, Stevens, and Sekiya disclose the method of claim 1.  Sekiya discloses further comprising: storing the results data of the command validation (Sekiya, paragraph 0305, “When the verify process with the key K1 is completed, the control element 11 of the IC card 1 stores the information indicating the process result of the second received command (verify command C2) in the data memory 14 as the log data L0 of transaction process, and transmits the response (response indicating the process result of the verify command C2) indicating the successful verification with the key information K1 to the IC card processing device 2.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 10, Cunningham discloses one or more non-transitory computer-readable storage media storing computer-executable instructions for causing a computing system to perform operations for infrastructure system protection, the operations comprising (Cunningham, paragraph 0100, “Systems that implement the techniques described above can be implemented in software, in firmware, in digital electronic circuitry, or in computer hardware, or in combinations of them. The system can include a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor, and method steps can be performed by a programmable processor executing a program of instructions to perform functions by operating on input data and generating output. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, a computer will include one or more mass storage devices for storing data recordings; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks.”);
receiving a command for a target infrastructure asset of a plurality of infrastructure assets, wherein the plurality of infrastructure assets are integrated into an infrastructure system  (Cunningham, paragraph 0030, “A command monitor (CM) 106 is located at some point along the one or more communication paths 108, such that any command issued by a control station 104 is received (e.g., received, intercepted, or proxied) and mediated by the command monitor 106 before being issued and executed at one or more remote cyber-physical systems 102.”);
validating the received command, wherein the command is validated according to a command validation model, the command validation model having been generated based on the plurality of infrastructure assets  (Cunningham, paragraph 0006, “ In some examples, validation of the remote commands includes simulation of the effect of the commands using a model of the cyber-physical system.”; paragraph 0044, “In some examples, the command policy is expressed using an access control model (e.g., the Attribute-Based Access Control (ABAC) model). The access control model includes access control rules that can be applied to state data (including system attributes) associated with one or both of the first remote cyber-physical system, R.sub.A 102A and the first control station, C.sub.A 104A. In some examples, the access control rules are also applied to attribute data associated with one or more human operators (e.g., an authentication status of an operator, system permissions, and other identity information).”; paragraph 0080, “In some examples, a single command monitor is used to receive and filter commands for multiple remote systems (e.g., a swarm of drones or a swarm of satellites). For example, as satellite deployment models switch from monolithic to constellation-based, unifying command interfaces with validation and security protections will be necessary. This is true for other types of remote cyber-physical systems (e.g., UAVs and other autonomous vehicles and remote sensors such as underwater monitors) as well, which are increasingly being deployed as swarms rather than individual units.”);
responsive to a successful validation, providing the received command to the target infrastructure asset (Cunningham, paragraph 0005, “Aspects described herein address the above-described problem by including a command monitor on a communication path between a control station and a cyber-physical system. Among other features, the command monitor includes a mechanism for validating that remote commands to such systems obey an explicit command policy. By forcing commands to obey the explicit command policy, execution of malicious, inadvertently dangerous, or otherwise undesirable commands is prevented.”).
Cunningham does not explicitly disclose updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command.
However, in an analogous art, Stevens discloses updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command (Stevens, paragraph 0044, “In general, as will be described in further detail below, the input module 400 is configured to (i) receive, store, manage, and provide a variety of existing data associated with a shipping network and used to generate a flow model thereof; and (ii) receive, store, and provide a variety of update data likewise associated with the shipping network and used to revise a flow model thereof. The validation module 500 is configured to activate a model validation tool, which calculates whether the input (e.g., updated) data results in any impacts to one or more parameters of the flow model. Any identified impacted model data is presented to a user of the tool and associated system 20. The optimization module 600 is then configured to activate a model optimization tool, which applies one or more algorithms to generate one or more optimized models based upon the existing data, the input data, and the identified impacted data.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Stevens with the system/method of Cunningham to include updating the command validation model based on results data of the command validation, the results data including the received command and a validity determination for the received command.
One would have been motivated to provide users with the benefits of simulating an integrated flow model for a plurality of transportation networks (Stevens: paragraph 0003).
Cunningham and Stevens do not explicitly disclose the results data including the received command and a validity determination for the received command.
However, in an analogous art, Sekiya discloses the results data including the received command and a validity determination for the received command (Sekiya, paragraph 0305, “When the verify process with the key K1 is completed, the control element 11 of the IC card 1 stores the information indicating the process result of the second received command (verify command C2) in the data memory 14 as the log data L0 of transaction process, and transmits the response (response indicating the process result of the verify command C2) indicating the successful verification with the key information K1 to the IC card processing device 2.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sekiya with the system/method/one or more non-transitory computer-readable storage media of Cunningham and Stevens to include the results data including the received command and a validity determination for the received command.
One would have been motivated to provide users with the benefits of a portable electronic device having a high level of security (Sekiya: paragraph 0013).
Regarding claim 11, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the command validation model is configured to identify commands resulting in normal asset behavior when executed and/or commands resulting in abnormal asset behavior when executed (Cunningham, paragraph 0054, “The fifth control station, C.sub.E 104E has a malicious operator 224E who has somehow managed to establish a trusted connection with the command monitor 106. The malicious operator 224E may attempt to issue commands to place the first remote cyber-physical system into a prohibited, undesirable, and/or faulty state. But, the commands issued by malicious operator 224E will only be forwarded to the first remote cyber-physical system, R.sub.A 102A by the command monitor 106 if the command monitor 106 determines that they will not place the system into a prohibited, undesirable, and/or faulty state. So, the malicious operator 224E will fail to place the first remote cyber-physical system, R.sub.A 102A into a prohibited, undesirable, and/or faulty state.”). 
Regarding claim 12, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the operations further comprise: making available state data of the target infrastructure asset and/or results data of the command validation (Cunningham, paragraph 0030, “The command monitor 106 receives information related to a state of the remote cyber-physical systems 102 (e.g., a position, orientation, or resource levels associated with the system) as well as information related to a state of the control stations 104 (e.g., an authentication state of a control station).”; paragraph 0032, “In some examples, the command monitor 106 provides feedback to the control stations 104 including information related to an updated state of the remote cyber-physical systems 102.”; paragraph 0040, “The controller 220 provides state feedback to the command monitor 106 over the state feedback link 110A to inform the command monitor 106 of the current state of the first remote cyber-physical system, R.sub.A 102A, including a current state of the physical subsystems 222 of the first remote cyber-physical system, R.sub.A 102A.”; paragraph 0066, “But, one difference in the communication and control system 300 is that, by co-locating the command monitor 306 with the remote cyber-physical system, R.sub.Y 102Y, state information for the remote cyber-physical system, R.sub.Y 102Y is always available to the command monitor 306.  Having the command monitor co-located on the remote cyber-physical system obviates the need to send state information over a communication link (e.g., a radio link) to a remote command station.”).
Regarding claim 13, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 12.  Stevens discloses wherein the updating the command validation model is also based on the state data (Stevens, paragraph 0044, “In general, as will be described in further detail below, the input module 400 is configured to (i) receive, store, manage, and provide a variety of existing data associated with a shipping network and used to generate a flow model thereof; and (ii) receive, store, and provide a variety of update data likewise associated with the shipping network and used to revise a flow model thereof. The validation module 500 is configured to activate a model validation tool, which calculates whether the input (e.g., updated) data results in any impacts to one or more parameters of the flow model. Any identified impacted model data is presented to a user of the tool and associated system 20. The optimization module 600 is then configured to activate a model optimization tool, which applies one or more algorithms to generate one or more optimized models based upon the existing data, the input data, and the identified impacted data.”).  The motivation is the same as that of the claim from which this claim depends.
Regarding claim 14, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the command validation model implements a machine-learning algorithm (Cunningham, paragraph 0092, “In some examples, a digital and physical state of the remote cyber-physical system is modeled using an appropriate modeling technique. For examples, a model of the remote cyber-physical system can be encoded using a state-machine with a finite number of well-defined states, or a neural network or another suitable machine learning technique where weights are used to encode a condition or state of the system.”).
Regarding claim 15, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the command validation model is a trained neural network (Cunningham, paragraph 0092, “In some examples, a digital and physical state of the remote cyber-physical system is modeled using an appropriate modeling technique. For examples, a model of the remote cyber-physical system can be encoded using a state-machine with a finite number of well-defined states, or a neural network or another suitable machine learning technique where weights are used to encode a condition or state of the system.”).
Regarding claim 16, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the command validation model is based on behavioral data for at least one of the plurality of infrastructure assets in the infrastructure system (Cunningham, paragraph 0009, “Receiving the state information from the remote system may include receiving one or more state variables from the remote system, and updating the data characterizing the operation of the remote system includes updating the state information of the data characterizing an operation of the remote system using the received state information.”).
Regarding claim 17, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the command validation model is based on results data of previous command validation for at least one of the plurality of infrastructure assets in the infrastructure system (Cunningham, paragraph 0044, “In some examples, the command policy is expressed using an access control model (e.g., the Attribute-Based Access Control (ABAC) model). The access control model includes access control rules that can be applied to state data (including system attributes) associated with one or both of the first remote cyber-physical system, R.sub.A 102A and the first control station, C.sub.A 104A. In some examples, the access control rules are also applied to attribute data associated with one or more human operators (e.g., an authentication status of an operator, system permissions, and other identity information).”).
Regarding claim 18, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Cunningham discloses wherein the command is a first command, and wherein the operations further comprise: receiving a second command for another infrastructure asset of the plurality of infrastructure assets (Cunningham, paragraph 0041, “In some examples, the command monitor 106 includes a separate command sub-monitor 106A-C for each of the remote cyber-physical systems 102 that it monitors. For example, the command monitor 106 in FIG. 2 includes a first command sub-monitor 106A associated with the first remote cyber-physical system, R.sub.A 102A, a second command sub-monitor 106B associated with the second remote cyber-physical system, R.sub.B 102B, and a third command sub-monitor 106C associated with the third remote cyber-physical system, R.sub.C 102C. In other examples, a single command monitor 106 (with a single command sub-monitor) is used to monitor commands for multiple or all of the remote cyber-physical systems 102.”) and responsive to an unsuccessful validation of the received second command, rejecting the received second command and preventing the received second command from being executed by the other infrastructure asset, wherein the received second command is malformed or the received second command is determined to result in incorrect behavior of the other infrastructure asset (Cunningham, paragraph 0046, “The state predictor 218 processes the command according to the state information from the first remote cyber-physical system, R.sub.A 102A to determine a predicted state of the first remote cyber-physical system, R.sub.A 102A that would result from execution of the command by the first remote cyber-physical system, R.sub.A 102A. The predicted state is provided to the command filter 216 which evaluates the predicted state according to one or more control rules to determine whether the predicted state is prohibited, undesirable, and/or faulty. In this successful example, the command filter 216 determines that the predicted state is not prohibited, undesirable, and/or faulty and therefore forwards the command to the first remote cyber-physical system, R.sub.A 102A via the first communication link 108A.”; paragraph 0041, “In some examples, the command monitor 106 includes a separate command sub-monitor 106A-C for each of the remote cyber-physical systems 102 that it monitors. For example, the command monitor 106 in FIG. 2 includes a first command sub-monitor 106A associated with the first remote cyber-physical system, R.sub.A 102A, a second command sub-monitor 106B associated with the second remote cyber-physical system, R.sub.B 102B, and a third command sub-monitor 106C associated with the third remote cyber-physical system, R.sub.C 102C. In other examples, a single command monitor 106 (with a single command sub-monitor) is used to monitor commands for multiple or all of the remote cyber-physical systems 102.” (i.e., second command encompasses second remote cyber-physical system)).
Regarding claim 19, Cunningham, Stevens, and Sekiya disclose the one or more non-transitory computer-readable storage media of claim 10.  Sekiya discloses wherein the operations further comprise: storing the results data of the command validation (Sekiya, paragraph 0305, “When the verify process with the key K1 is completed, the control element 11 of the IC card 1 stores the information indicating the process result of the second received command (verify command C2) in the data memory 14 as the log data L0 of transaction process, and transmits the response (response indicating the process result of the verify command C2) indicating the successful verification with the key information K1 to the IC card processing device 2.”).  The motivation is the same as that of the claim from which this claim depends.

Regarding claim 20, Cunningham discloses a system for infrastructure asset security, the system comprising: one or more memories; one or more processing units coupled to the one or more memories; and one or more computer-readable storage media storing instructions that, when loaded into the one or more memories, cause the one or more processing units to perform asset command validation operations comprising (Cunningham, paragraph 0100, “Systems that implement the techniques described above can be implemented in software, in firmware, in digital electronic circuitry, or in computer hardware, or in combinations of them. The system can include a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor, and method steps can be performed by a programmable processor executing a program of instructions to perform functions by operating on input data and generating output. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, a computer will include one or more mass storage devices for storing data recordings; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks.”);
collecting state data of an infrastructure asset (Cunningham, paragraph 0009, “Receiving the state information from the remote system may include receiving one or more state variables from the remote system, and updating the data characterizing the operation of the remote system includes updating the state information of the data characterizing an operation of the remote system using the received state information.”);
collecting validation results data of the infrastructure asset, wherein the validation results data comprises command validation results of one or more previously processed commands for the infrastructure asset (Cunningham, paragraph 0098, “In some examples, information about authenticated users and/or components can be included as input to the command monitor, where the input is taken into consideration when determining if it is permissible to cause a predicted set of one or more outcomes that would result from execution of the one or more commands at the remote system.”);
configuring a command validation model, wherein the command validation model is based, at least in part, on the collected state data and the collected validation results data (Cunningham, paragraph 0042, “Each command sub-monitor 106 includes a state predictor 218 (e.g., a state machine and/or a functional, physical, or simulation model of the remote cyber-physical system, sometimes referred to as a ground-side model) and a command filter 216. Focusing on the first command sub-monitor 106A, the state predictor 218 receives and maintains the updated state of the first remote cyber-physical system, R.sub.A 102A from the controller 220 of the first remote cyber-physical system, R.sub.A 102A. With the updated state reflected in the state predictor 218, the state predictor 218 is configured to predict a state of the first remote cyber-physical system, R.sub.A 102A that would result from executing one or more commands at the first remote cyber-physical system, R.sub.A 102A.”);
intercepting a new command for the infrastructure asset, wherein intercepting the new command prevents or delays the new command from being received by the infrastructure asset (Cunningham, paragraph 0018, “Among other advantages, command monitor authenticates command and prevents commands that would put the system in a faulty state from executing”);
analyzing the new command according to the command validation model, wherein the analyzing comprises determining if the new command is improperly formed or if the new command meets a threshold for causing the infrastructure asset to enter a detrimental state when executed by the infrastructure asset (Cunningham, paragraph 0010, “Determining the predicted set of one or more outcomes may include simulating operation of the remote system executing the one or more commands using the operational model of the remote system and the state information for the remote system. Preventing issuance of the at least one command of the one or more commands may include determining that at least some of the predicted set of one or more outcomes violates a permitted operating state of the remote system. The command monitor”; paragraph 0021, “The command monitor facilitates fault detection and recovery.  For example, some conventional techniques use watchdog timers to prevent execution of commands that would result in a system being configured into a faulty state. The command monitor, on the other hand catches commands that would put the system in a bad state before they are ever sent to the system.”; paragraph 0062, “The command monitor 306 includes a state predictor 318 (e.g., a state machine or a functional/simulation model of the remote cyber-physical system, sometimes referred to as a ground-side model) and a command filter 316. With the updated state reflected in the state predictor 318, the state predictor 318 is configured to predict a state of the remote cyber-physical system, R.sub.Y 102Y that would result from executing one or more commands at the remote cyber-physical system, R.sub.Y 102Y.”);
responsive to the analyzing, providing the new command to the infrastructure asset or updating a log of the analyzing without providing the new command to the infrastructure asset (Cunningham, paragraph 0005, “Aspects described herein address the above-described problem by including a command monitor on a communication path between a control station and a cyber-physical system. Among other features, the command monitor includes a mechanism for validating that remote commands to such systems obey an explicit command policy. By forcing commands to obey the explicit command policy, execution of malicious, inadvertently dangerous, or otherwise undesirable commands is prevented.”).
Cunningham does not explicitly disclose updating the command validation model based on new results data of the command validation for the new command.
However, in an analogous art, Stevens discloses updating the command validation model based on new results data of the command validation for the new command (Stevens, paragraph 0044, “In general, as will be described in further detail below, the input module 400 is configured to (i) receive, store, manage, and provide a variety of existing data associated with a shipping network and used to generate a flow model thereof; and (ii) receive, store, and provide a variety of update data likewise associated with the shipping network and used to revise a flow model thereof. The validation module 500 is configured to activate a model validation tool, which calculates whether the input (e.g., updated) data results in any impacts to one or more parameters of the flow model. Any identified impacted model data is presented to a user of the tool and associated system 20. The optimization module 600 is then configured to activate a model optimization tool, which applies one or more algorithms to generate one or more optimized models based upon the existing data, the input data, and the identified impacted data.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Stevens with the system/method of Cunningham to include updating the command validation model based on new results data of the command validation for the new command.
One would have been motivated to provide users with the benefits of simulating an integrated flow model for a plurality of transportation networks (Stevens: paragraph 0003).
Cunningham and Stevens do not explicitly disclose the new results data including the new command and a validity determination for the new command.
However, in an analogous art, Sekiya discloses the new results data including the new command and a validity determination for the new command (Sekiya, paragraph 0305, “When the verify process with the key K1 is completed, the control element 11 of the IC card 1 stores the information indicating the process result of the second received command (verify command C2) in the data memory 14 as the log data L0 of transaction process, and transmits the response (response indicating the process result of the verify command C2) indicating the successful verification with the key information K1 to the IC card processing device 2.”).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Sekiya with the system/method/one or more non-transitory computer-readable storage media of Cunningham and Stevens to include the new results data including the new command and a validity determination for the new command.
One would have been motivated to provide users with the benefits of a portable electronic device having a high level of security (Sekiya: paragraph 0013).
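The quoted Cunningham passages describe a command monitor built from a state predictor and a command filter, and the quoted Sekiya passage describes storing each command's process result as log data. The Python sketch below is an added illustration of that arrangement, not part of this Office Action or of any cited reference; the tank model, limits, opcode names, station names and the quarantine threshold (one simple way to feed logged results back into later decisions) are all assumptions.

```python
# Constructed asset model (a tank); every name and limit here is hypothetical.
LIMITS = {"level_pct": (5.0, 95.0), "pressure_kpa": (0.0, 800.0)}
DELTAS = {  # opcode -> (state variable, change per unit of argument)
    "FILL": ("level_pct", 1.0), "DRAIN": ("level_pct", -1.0),
    "PRESSURIZE": ("pressure_kpa", 10.0), "VENT": ("pressure_kpa", -10.0),
}
MAX_REJECTS = 3  # assumed: rejections after which a source is quarantined


class CommandMonitor:
    def __init__(self, state):
        self.state = dict(state)  # last state reported by the asset
        self.log = []             # results data: command + validity determination
        self.rejects = {}         # per-source rejection counts derived from results
        self.forwarded = []       # stands in for the link to the asset

    @staticmethod
    def well_formed(cmd):
        if not isinstance(cmd, dict):
            return False
        op, arg = cmd.get("op"), cmd.get("arg")
        return (isinstance(op, str) and op in DELTAS
                and isinstance(cmd.get("source"), str)
                and isinstance(arg, (int, float)) and not isinstance(arg, bool)
                and 0 < arg <= 100)  # also rejects NaN and infinity

    def predict(self, cmd):
        """State predictor: the state that would result from executing cmd."""
        var, step = DELTAS[cmd["op"]]
        nxt = dict(self.state)
        nxt[var] += step * cmd["arg"]
        return nxt

    @staticmethod
    def violations(predicted):
        """Command filter: control rules evaluated on the predicted state."""
        return [f"{k}={predicted[k]} outside [{lo}, {hi}]"
                for k, (lo, hi) in LIMITS.items() if not lo <= predicted[k] <= hi]

    def submit(self, cmd):
        src = cmd.get("source") if isinstance(cmd, dict) else None
        src = src if isinstance(src, str) else "unknown"
        if not self.well_formed(cmd):
            valid, reason = False, "malformed"
        elif self.rejects.get(src, 0) >= MAX_REJECTS:
            valid, reason = False, "source quarantined"
        else:
            bad = self.violations(self.predict(cmd))
            valid, reason = not bad, "; ".join(bad) or "ok"
        self.log.append({"command": cmd, "valid": valid, "reason": reason})
        if valid:
            self.forwarded.append(cmd)  # only validated commands reach the asset
        else:
            self.rejects[src] = self.rejects.get(src, 0) + 1
        return valid

    def state_feedback(self, reported):
        self.state.update(reported)


def demo():
    mon = CommandMonitor({"level_pct": 50.0, "pressure_kpa": 400.0})
    constructed = [  # constructed sample commands
        {"source": "station-A", "op": "FILL", "arg": 20},
        {"source": "station-E", "op": "FILL", "arg": 40},
        {"source": "station-E", "op": "OPEN_ALL", "arg": 1},
        {"source": "station-E", "op": "PRESSURIZE", "arg": 50},
        {"source": "station-E", "op": "VENT", "arg": 1},
        {"source": "station-A", "op": "DRAIN", "arg": 10},
    ]
    for cmd in constructed:
        if mon.submit(cmd):
            mon.state_feedback(mon.predict(cmd))  # asset executes, reports state
    return mon
```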
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368. The examiner can normally be reached 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM, can be reached on 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/W.J.M/Examiner, Art Unit 2439  



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439