DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


1. The following is a non-Final Office Action in response to applicant’s arguments/filing filed on March 25, 2022.

Claims 1-8 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/25/2022 was filed prior to the mailing date of the first office action on 7/5/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
Acknowledgment is made of applicant’s drawings submitted on 3/25/2022.

Oath/Declaration
Acknowledgment is made of applicant’s oath submitted on 3/25/2022.

Application Data Sheet
Acknowledgment is made of applicant’s application data sheet submitted on 3/25/2022.




Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 1 is rejected under 35 U.S.C. 112(b) as being indefinite in that it fails to point out what is included or excluded by the claim language.  The claim language recites “…a detection module configured to:…” and invokes 35 U.S.C. 112(f). However, the written description fails to disclose sufficient corresponding structure, material, or acts for the claimed function. For a computer-implemented means-plus-function element, the corresponding structure must include the algorithm as well as the general purpose computer or microprocessor. Therefore, claims 2-4 are similarly rejected due to their dependence on the rejected independent claim.


The following is a quotation of 35 U.S.C. 112(f): 
(f) ELEMENT IN CLAIM FOR A COMBINATION.—An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph: 
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: …a detection module in claim 1 configured to: receive tag-related ..attribute vectors, compare…extracted TAVs, … issue a new tag-related…alert. A review of the specification does not appear to show the module recites sufficient structure to implement the claimed functions.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

1.) Claims 1 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100031340, Batke in view of US 20200404010, Costante

In regards to claim 1, Batke teaches an abnormal human-machine interface (HMI) behavior (AHB) detection module of an HMI server in an industrial control system (ICS) network, the AHB detection module configured to:
i. obtain data packets communicated between the HMI server and assets in the ICS network (see US 20100031340, Batke, para. 0039 and 0041, where an industrial control system may communicate[i.e. via packets] with a human machine interface via an ethernet network), wherein the assets comprise one or more PLCs (see US 20100031340, Batke, para. 0039, where the industrial control system may control a controller that executes a stored program for controlling an industrial process), and wherein the HMI server comprises communication privileges while communicating with the assets (see US 20100031340, Batke, para. 0028 and 0041, where a control device may access computational resources, wherein a control device may be an HMI); and
ii. extract attributes of the obtained data packets (see US 20100031340, Batke, para. 0059, where fingerprint information[i.e. attribute information] may be extracted from a packet);
b. compare said extracted TAVs with whitelisted tag-related operations attributes in a tag-related operations whitelist (TWL) file in said database (see US 20100031340, Batke, para. 0049, where a match is determined between an allow list[i.e. whitelist] and one or more fields of a packet, wherein the fields may include address information[i.e. tag attribute]);

Batke does not teach a. receive tag-related operation attribute vectors (TAVs) extracted by a packet sniffing and analysis module (PSA) module from each data packet communicated between said HMI server and one or more programmable logic controllers (PLCs), wherein the PSA module is configured to:
c. if the packet was sent from the HMI server to a PLC and extracted TAVs are not in the TWL and is not preceded by activity of input devices of the HMI server within a maximum interval before said tag-related operation, then issue a new tag-related operation (NT) alert; and
d. If the packet is packet that sent from a PLC to the HMI server and said extracted TAVs are not in said TWL, then issue a new tag-related operation (NT) alert;

However, Costante teaches a. receive tag-related operation attribute vectors (TAVs) extracted by a packet sniffing and analysis module (PSA) module from each data packet communicated between said HMI server and one or more programmable logic controllers (PLCs) (see US 20200404010, Costante, para. 0014 and 0133, where communication may occur between hosts, wherein the hosts may be HMI and PLC, may passively, extract attributes by sniffing network traffic), wherein the PSA module is configured to:
c. if the packet was sent from the HMI server to a PLC and extracted TAVs are not in the TWL and is not preceded by activity of input devices of the HMI server within a maximum interval before said tag-related operation, then issue a new tag-related operation (NT) alert (see US 20200404010, Costante, para. 0122, 0198 and 0270, where a lack of activity on a network for a period of time[i.e. max time period] enables extraction of protocol fields for derivation of attribute information, wherein if the attribute information matches a blacklist[i.e. not in a TWL] an alert is raised and a new blacklist policy is extracted[i.e. new tag-related operation]); and
d. If the packet is packet that sent from a PLC to the HMI server and said extracted TAVs are not in said TWL, then issue a new tag-related operation (NT) alert (see US 20200404010, Costante, para. 0270, if a host/link associated with data traffic is determined to be on a blacklist[i.e. not in TWL], an alert is asserted and an operation to extract new blacklist policies[new tag-related operation] is performed).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Batke with the teaching of Costante because a user would have been motivated to enhance the system security, taught by Batke, by providing a means to detect both anomalous data traffic and intrusion detection in order to provide a system with overall security protection from external threats (see Costante, para. 0002).

 	In regards to claim 5, Batke teaches a method of detecting abnormal human-machine interface (HMI) behavior of an HMI server in an industrial control system (ICS) network, the method comprising: 
monitoring activity of input devices of the HMI server (see US 20100031340, Batke, para. 0041 and 0055, where a system may communicate with an HMI, wherein a software security component may monitor received packets and compare it to a sequence of previous received packets);
obtaining data packets communicated between the HMI server and assets in the ICS network (see US 20100031340, Batke, para. 0039 and 0041, where an industrial control system may communicate[i.e. via packets] with a human machine interface via an ethernet network), wherein the assets comprise one or more PLCs (see US 20100031340, Batke, para. 0039, where the industrial control system may control a controller that executes a stored program for controlling an industrial process), and wherein the HMI server comprises communication privileges while communicating with the assets (see US 20100031340, Batke, para. 0028 and 0041, where a control device may access computational resources, wherein a control device may be an HMI);
extracting attributes of the obtained data packets (see US 20100031340, Batke, para. 0059, where fingerprint information[i.e. attribute information] may be extracted from a packet);
comparing the extracted TAVs with whitelisted tag-related operations attributes in a tag-related operations whitelist (TWL) (see US 20100031340, Batke, para. 0049, where a match is determined between an allow list[i.e. whitelist] and one or more fields of a packet, wherein the fields may include address information[i.e. tag attribute]);

Batke does not teach receiving tag-related operation attribute vectors (TAVs), extracted by a packet sniffing and analysis module (PSA) module, from each data packet communicated between the HMI server and one or more programmable logic controllers (PLCs);
if the data packet was sent from the HMI server to a PLC and the extracted TAVs is not in the TWL, and is not preceded by activity of the input devices within a maximum interval before the tag-related operation, issuing a tag-related operation alert; and
if the packet is sent from the PLC to the HMI server and the extracted TAVs is not in the TWL, issuing a tag-related operation alert

However, Costante teaches receiving tag-related operation attribute vectors (TAVs), extracted by a packet sniffing and analysis module (PSA) module, from each data packet communicated between the HMI server and one or more programmable logic controllers (PLCs) (see US 20200404010, Costante, para. 0014 and 0133, where communication may occur between hosts, wherein the hosts may be HMI and PLC, may passively, extract attributes by sniffing network traffic);
if the data packet was sent from the HMI server to a PLC and the extracted TAVs is not in the TWL, and is not preceded by activity of the input devices within a maximum interval before the tag-related operation, issuing a tag-related operation alert (see US 20200404010, Costante, para. 0122, 0198 and 0270, where a lack of activity on a network for a period of time[i.e. max time period] enables extraction of protocol fields for derivation of attribute information, wherein if the attribute information matches a blacklist[i.e. not in a TWL] an alert is raised and a new blacklist policy is extracted[i.e. new tag-related operation]); and
if the packet is sent from the PLC to the HMI server and the extracted TAVs is not in the TWL, issuing a tag-related operation alert (see US 20200404010, Costante, para. 0270, if a host/link associated with data traffic is determined to be on a blacklist[i.e. not in TWL], an alert is asserted and an operation to extract new blacklist policies[new tag-related operation] is performed).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Batke with the teaching of Costante because a user would have been motivated to enhance the system security, taught by Batke, by providing a means to detect both anomalous data traffic and intrusion detection in order to provide a system with overall security protection from external threats (see Costante, para. 0002).


2.) Claims 2 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100031340, Batke in view of US 20200404010, Costante and further in view of US 20210194850, Johnson

 	In regards to claim 2, the combination of Batke and Costante teach the AHB detection module of claim 1, configured to: 
b. compare the monitored activity to data packets communicated between the HMI server and assets in the ICS network (see US 20100031340, Batke, para. 0041 and 0055, where a system may communicate with an HMI, wherein a software security component may monitor received packets and compare it to a sequence of previous received packets); and

The combination of Batke and Costante do not teach a. monitor activity of input devices of the HMI server, wherein the input devices comprise a keyboard and a mouse

However, Johnson teaches a. monitor activity of input devices of the HMI server, wherein the input devices comprise a keyboard and a mouse (see US 20210194850, Johnson, para. 0041, where a monitoring system may include a mouse and keyboard).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Batke and Costante with the teaching of Johnson because a user would have been motivated to enhance network systems security, taught by the combination Batke and Costante, by using smart networking switches to monitor and control network traffic in real-time in order to offer protection from cyber attacks and unauthorized commands (see Johnson, para. 0016).

In regards to claim 6, the combination of Batke and Costante teach the method of claim 5, comprising: comparing the monitored activity to data packets communicated between the HMI server and assets in the ICS network (see US 20100031340, Batke, para. 0041 and 0055, where a system may communicate with an HMI, wherein a software security component may monitor received packets and compare it to a sequence of previous received packets); and

The combination of Batke and Costante do not teach monitoring activity of input devices of the HMI server, wherein the input devices comprise a keyboard and a mouse

However, Johnson teaches monitoring activity of input devices of the HMI server, wherein the input devices comprise a keyboard and a mouse (see US 20210194850, Johnson, para. 0041, where a monitoring system may include a mouse and keyboard).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Batke and Costante with the teaching of Johnson because a user would have been motivated to enhance network systems security, taught by the combination Batke and Costante, by using smart networking switches to monitor and control network traffic in real-time in order to offer protection from cyber attacks and unauthorized commands (see Johnson, para. 0016).

3.) Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over US 20100031340, Batke in view of US 20200404010, Costante and further in view of US 20210194850, Johnson and further in view of US 20070036075, Rothman

In regards to claim 3, the combination of Batke, Costante, and Johnson teach the AHB detection module of claim 2. The combination of Batke, Costante, and Johnson do not teach wherein said maximum interval between said input device activity and said tag-related operation is 0.5 seconds

However, Rothman teaches wherein said maximum interval between said input device activity and said tag-related operation is 0.5 seconds (see US 20070036075, Rothman, para. 0030, where a maximum time interval delay between an input activity and outgoing packet[e.g. for tag-related operation] may be specified, wherein the max interval may be customized to be 0.5 seconds).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Batke, Costante, and Johnson with the teaching of Rothman because a user would have been motivated to enhance the security features taught by the combination of Batke, Costante, and Johnson, by monitoring the input from conventional devices in order to determine if the device outputs were generated in response to the inputs in order to decide if the outputs should be propagated over the network (see Rothman, para. 0018).

4.) Claims 4, 7, and 8 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100031340, Batke in view of US 20200404010, Costante and further in view of US 20070036075, Rothman
  
In regards to claim 4, the combination of Batke and Costante teach the AHB detection module of claim 1. The combination of Batke and Costante do not teach wherein the TAVs are received during a learning period

However, Rothman teaches wherein the TAVs are received during a learning period (see US 20070036075, Rothman, para. 0024 and 0025, where attribute information is identified for the input, wherein the filter driver learns whether the input information was entered into one of the programs that the filter driver has been configured to monitor).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Batke and Costante with the teaching of Rothman because a user would have been motivated to enhance the security features taught by the combination of Batke and Costante by monitoring the input from conventional devices in order to determine if the device outputs were generated in response to the inputs in order to decide if the outputs should be propagated over the network (see Rothman, para. 0018).
  
In regards to claim 7, the combination of Batke and Costante teach the method of claim 5. The combination of Batke and Costante do not teach wherein the maximum interval between the input device activity and the tag-related operation is 0.5 seconds

However, Rothman teaches wherein the maximum interval between the input device activity and the tag-related operation is 0.5 seconds (see US 20070036075, Rothman, para. 0030, where a maximum time interval delay between an input activity and outgoing packet[e.g. for tag-related operation] may be specified, wherein the max interval may be customized to be 0.5 seconds).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Batke and Costante with the teaching of Rothman because a user would have been motivated to enhance the security features taught by the combination of Batke and Costante by monitoring the input from conventional devices in order to determine if the device outputs were generated in response to the inputs in order to decide if the outputs should be propagated over the network (see Rothman, para. 0018).

In regards to claim 8, the combination of Batke and Costante teach the method of claim 5, wherein the TAVs are received during a learning period

The combination of Batke and Costante do not teach wherein the TAVs are received during a learning period

However, Rothman teaches wherein the TAVs are received during a learning period (see US 20070036075, Rothman, para. 0024 and 0025, where attribute information is identified for the input, wherein the filter driver learns whether the input information was entered into one of the programs that the filter driver has been configured to monitor).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of the combination of Batke and Costante with the teaching of Rothman because a user would have been motivated to enhance the security features taught by the combination of Batke and Costante by monitoring the input from conventional devices in order to determine if the device outputs were generated in response to the inputs in order to decide if the outputs should be propagated over the network (see Rothman, para. 0018).
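
The decision logic recited in claims 1 and 5, with the 0.5-second interval of claims 3 and 7 and the learning period of claims 4 and 8, written out as an added Python example; it is not code from the application, the cited references or the Office. The TAV field set, the verdict names and the rule that learning-period TAVs populate the TWL are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Union

MAX_INTERVAL_S = 0.5  # maximum interval recited in claims 3 and 7

@dataclass(frozen=True)
class TAV:
    """Tag-related operation attribute vector; this field set is an assumption."""
    src: str
    dst: str
    operation: str
    tag: str

@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    from_hmi: bool   # True: HMI server -> PLC, False: PLC -> HMI server
    tav: TAV

@dataclass(frozen=True)
class InputEvent:
    ts: float
    device: str      # "keyboard" or "mouse" (claims 2 and 6)

class AHBDetector:
    def __init__(self, max_interval: float = MAX_INTERVAL_S) -> None:
        self.twl: Set[TAV] = set()   # tag-related operations whitelist (TWL)
        self.learning = True
        self.max_interval = max_interval
        self.last_input_ts: Optional[float] = None

    def on_input(self, ev: InputEvent) -> None:
        self.last_input_ts = ev.ts

    def _preceded_by_input(self, ts: float) -> bool:
        # Input must come before the packet and no more than max_interval earlier.
        if self.last_input_ts is None:
            return False
        return 0.0 <= ts - self.last_input_ts <= self.max_interval

    def on_packet(self, pkt: Packet) -> str:
        if self.learning:
            self.twl.add(pkt.tav)    # assumption: learning-period TAVs fill the TWL
            return "learned"
        if pkt.tav in self.twl:
            return "whitelisted"
        # Only HMI -> PLC traffic can be excused by recent operator input (step c);
        # an unlisted PLC -> HMI operation always alerts (step d).
        if pkt.from_hmi and self._preceded_by_input(pkt.ts):
            return "operator_initiated"
        return "NT_ALERT"

def replay(learning: List[Packet], live: List[Union[Packet, InputEvent]]) -> List[str]:
    # Learn the TWL from `learning`, then judge `live` events in time order.
    det = AHBDetector()
    verdicts = [det.on_packet(p) for p in learning]
    det.learning = False
    for ev in sorted(live, key=lambda e: e.ts):
        if isinstance(ev, InputEvent):
            det.on_input(ev)
        else:
            verdicts.append(det.on_packet(ev))
    return verdicts

# Constructed sample data (addresses and tag names are made up).
HMI, PLC = "10.0.0.5", "10.0.0.20"
READ_LEVEL = TAV(HMI, PLC, "read", "Tank1.Level")
LEVEL_REPLY = TAV(PLC, HMI, "read_response", "Tank1.Level")
LEARNING = [Packet(0.0, True, READ_LEVEL), Packet(0.1, False, LEVEL_REPLY)]
LIVE = [
    Packet(10.0, True, READ_LEVEL),                               # in TWL
    InputEvent(20.0, "mouse"),
    Packet(20.3, True, TAV(HMI, PLC, "write", "Pump1.Start")),    # input 0.3 s before
    InputEvent(30.0, "keyboard"),
    Packet(30.9, True, TAV(HMI, PLC, "write", "Valve2.Open")),    # input 0.9 s before
    InputEvent(39.9, "mouse"),
    Packet(40.0, False, TAV(PLC, HMI, "write", "Alarm.Ack")),     # PLC -> HMI, unlisted
]
```

Calling `replay(LEARNING, LIVE)` returns one verdict per packet; the last packet alerts even though input occurred 0.1 s earlier, because the input-activity exception applies only to HMI-to-PLC traffic.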

CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY LANE whose telephone number is (571)270-7469.  The examiner can normally be reached on 571 270 7469 from 8:00 AM to 6:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi Arani, can be reached on 571 272 3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/GREGORY A LANE/Examiner, Art Unit 2438



/David J Pearson/Primary Examiner, Art Unit 2438