DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments with regards to the rejection of independent claims 1 and 6 under 35 USC § 103 have been fully considered, but they are not persuasive. 
On page 12, Applicant contends that Oba fails to disclose “tag a first internet protocol (IP) address of the network protocol data with a first action role and tag a second internet protocol (IP) address of the network protocol data with a second action role respectively …”
The examiner respectfully disagrees with the applicant’s argument. 
Oba, in Fig. 6, anomaly detection models 132 (Model IDs 1-6), clearly shows how to tag the first IP address and the second IP address with the first action role and the second action role, respectively. Considering FIG. 6, model ID 6, the device which has an IP address of 192.168.2.10 (first IP address, source IP) will connect with the device which has an IP address of 192.168.2.1 (second IP address, destination IP). The destination port associated with this model (model ID 6) is 502. It is obvious to a person of ordinary skill in the art that the default port number of a Modbus controller (Oba ¶93: “PLC 314”) is 502; thus the action role with destination port 502 is a control center (first action role) (Oba ¶93: “SCADA 313”), which tags the first IP address 192.168.2.10. Because port 502 is the port number of the Modbus controller, the second IP address 192.168.2.1 is the IP address of the Modbus controller (second action role) (Oba ¶93: “PLC 314”), and thus the Modbus controller (second action role) tags IP 192.168.2.1.
Thus, the examiner asserts that Oba fully teaches and suggests “tag a first internet protocol (IP) address of the network protocol data with a first action role and tag a second internet protocol (IP) address of the network protocol data with a second action role respectively …”, and, therefore, the examiner did not find applicant’s argument persuasive and the rejection is maintained.
Further, on page 12, applicant contends that Oba does not disclose “any action role includes a controller, a control center, a database, an office computer, or a server”. 
However, Oba in ¶93 discloses the available industrial devices (action roles) as “Monitoring target 300 is a system subjected to anomaly detection and includes supervisory control and data acquisition (SCADA) 313 (control center), programmable logic controller (PLC) 314 (controller), personal computers (PC) 315, 323, and 324, and router 400.” It is obviously clear to one skilled in the art to either implement two of the three personal computers, one as a server (say PC 323) and the other as a database (say PC 324), or replace two of the personal computers, one with a server and the other with a database.
On pages 13-14, applicant notes that “it is hard for a person of ordinary skilled in the art to reach the technical feature of tagging IP with any action role”; however, this is not accurate due to the disclosure of Oba at Fig. 6, which clearly shows a destination port 502 identifies a first action role (a control center, SCADA 313) which tags the source IP address (the first IP address, 192.168.2.10), and thus the second action role (a controller, PLC 314) tags the destination IP address (the second IP address, 192.168.2.1).
Thus, the examiner asserts that Oba fully teaches the technical feature of tagging IP with any action role, and, therefore, the applicant’s argument is not persuasive.
Furthermore, on page 14 of Remarks, applicant contends that Oba fails to disclose, “… wherein the rule list comprises the first action role, the first IP address, the second IP address, and contents of the related group”. The examiner respectfully disagrees. 
In the Non-Final Rejection, the examiner referred to Fig. 6 and paragraphs 136 and 138 of Oba to disclose this limitation. Specifically, paragraph 136 discloses that the anomaly detection models 131 comprise model ID, destination IP, destination port and data from which N-grams are obtained, and paragraph 138 discloses that the anomaly detection models 132 comprise all the items in anomaly detection models 131 and source IP. Considering Fig. 6 model ID 6, the action role with destination port 502 is a control center (first action role, SCADA 313) with a source IP of 192.168.2.10 (first IP address), and destination IP address 192.168.2.1 (second IP address) is a controller (second action role, PLC 314). Thus, it is obviously clear that Oba discloses “… wherein the rule list comprises the first action role, the first IP address, the second IP address, and contents of the related group” and, therefore, applicant’s argument is not persuasive.
Thus, the examiner asserts that Oba fully teaches and suggests “… wherein the rule list comprises the first action role, the first IP address, the second IP address, and contents of the related group”, and therefore the rejection is maintained.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-7 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. US 2019/0190938 A1 to Oba et al. (hereinafter Oba) and further in view of US-PGPUB No. US 2015/0381642 A1 to Kim et al. (hereinafter Kim).
Regarding claim 1: 
Oba discloses:
An intrusion detection device (¶103: “… anomaly detection device 100 …”), which is suitable for Modbus (¶29: “… the internal network of the control systems now use communications using open protocols such as Modbus …”) comprising: 
a connection interface (see ¶103: “… communication interface (IF) 104 …”); 
a processor (¶103: “… central processing unit (CPU) 101 …”) configured to receive a plurality of first packets through the connection interface (¶196: “Obtaining unit 110 … obtains a plurality of packets which are inspection data 212 (S32)”, ¶116: “Obtaining unit 110 is realized by … CPU 101, main memory 102, storage 103, and communication IF 104.”), 
wherein the processor is configured to: 
obtain a network protocol data (Fig 14, S34: “PROTOCOL IDENTIFYING PROCESSING”) and an industrial operation data (Fig 14, S37: “EXTRACT TARGET DATA PORTION IN PACKET”) of each of the plurality of first packets (¶196: “Obtaining unit 110 … obtains a plurality of packets which are inspection data 212 (S32)”);
tag a first internet protocol (IP) address of the network protocol data (¶136: “Anomaly detection models … include data items of model ID …”, Fig. 6, Model ID 6, source IP: “192.168.2.10”) with a first action role (¶93: “SCADA 313”, Note: Considering FIG. 6, model ID 6, the device which has an IP address of 192.168.2.10 (first IP address, source IP) will connect with the device which has an IP address of 192.168.2.1 (second IP address, destination IP). The destination port associated with this model (model ID 6) is 502. It is obvious to a person of ordinary skill in the art that the default port number of a Modbus controller (Oba ¶93: “PLC 314”) is 502; thus the action role with destination port 502 is a control center (first action role) (Oba ¶93: “SCADA 313”), which tags the first IP address 192.168.2.10. Because port 502 is the port number of the Modbus controller, the second IP address 192.168.2.1 is the IP address of the Modbus controller (second action role) (Oba ¶93: “PLC 314”), and thus the Modbus controller (second action role) tags IP 192.168.2.1) and tag a second internet protocol (IP) address of the network protocol data (Fig. 6, Model ID 6, destination IP: “192.168.2.1”) with a second action role (¶93: “PLC 314”) respectively, wherein each of the first action role and the second action role comprises one of a controller (¶93: “programmable logic controller (PLC) 314”), a control center (¶93: “… (SCADA) 313”), a database, an office computer (¶93: “personal computers (PC) 315, 323, and 324 …”), and a server (¶93: “… Monitoring target 300 … includes … (SCADA) 313, … (PLC) 314, … (PC) 315, 323, and 324, and router 400. …”. Note: It is obviously clear to one skilled in the art to either implement two of the three personal computers, one as a server (say PC 323) and the other as a database (say PC 324), or replace the two personal computers with a server and a database.);
obtain a related group (Fig. 14, S35: “Determine Model for packet”) of the first IP address (¶177: “… source IP …”), wherein the related group comprises a first industrial device information (¶177: “… source IP … protocol …”) and a second industrial device information (¶177: “… destination IP … destination port …”) (¶177: “Detection model learning unit 120 identifies the model which corresponds to at least one of the destination IP, the destination port, the protocol, and the source IP …”);
generate a rule list (¶179: “… a new model …”) (¶05: “… storing the plurality of first probabilities calculated, in the memory as the anomaly detection model …”, note: what is stored is the anomaly detection model, e.g. Fig. 6, model ID 6, and ¶179: “Detection model learning unit 120 adds the identified model as a new model in step S17 …”), wherein the rule list comprises the first action role (¶93: “SCADA 313”), the first IP address (Fig. 6, Model ID 6, source IP: “192.168.2.10”), the second IP address (Fig. 6, Model ID 6, destination IP: “192.168.2.1”), and contents of the related group (Fig. 6: “… destination IP … source IP … destination port …”), and
However, Oba failed to explicitly disclose the following limitation taught by Kim:
wherein the first action role (Kim ¶65: “… the client.”, Fig. 5 “Client-SCADA Server”) on the rule list corresponds to the first industrial device information (¶70: “… client IP …”) and the second industrial device information (¶70: “… server IP …”, ¶65: “…port value … 502…”) (Kim ¶65: “… the communication pattern classifier 110 may classify the device in which the port value is 502 as the server, and as shown in FIG. 4, classify devices as the server and the client.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Oba to incorporate the communication pattern classifier functions of generating an entry of a server table and an entry of a command table separately as disclosed by Kim. Obviously, this functionality can be extended to accommodate other devices of different roles and generate and implement the respective tables, and modify the entries to the tables as required. The availability of such functionality would make the searching and matching of incoming packets faster, thereby providing an efficient intrusion detection system.
Regarding claim 2: 
The combination of Oba and Kim discloses:
The intrusion detection device of claim 1, wherein the processor is further configured to: 
search a communication port of the network protocol data on a look-up table in order to tag the first IP address with the first action role and to tag the second IP address with the second action role (Oba ¶136: “The model ID is an identifier uniquely assigned to each of a plurality of models for identification. The destination IP is information which indicates the destination IP of the packets associated with the model. The destination port is information which indicates the destination port of the packets associated with the model.”, and see Fig. 6 for communication port and Model ID (tag)).  
Regarding claim 4:
The combination of Oba and Kim discloses:
The intrusion detection device of claim 1, wherein the processor is further configured to: 
receive a second packet through the connection interface (Oba ¶05: “obtaining a plurality of packets”,
¶76: “… for each of the plurality of packets obtained, (i) second combinations of N data units, out of a plurality of data units obtained by dividing a data sequence forming a payload included in the packet by A bit unit, are extracted, the second combinations being all possible combinations of the N data units …”);
read the network protocol data and the industrial operation data of the second packet to determine whether the second packet satisfies contents of the rule list (Oba ¶151: “Detector 160 extracts all the possible second combinations of N data units out of a plurality of data units obtained by dividing a data sequence forming the payload included in the packet …”, and 
¶155: “Detector 160 determines whether or not the score calculated for the packet exceeds an alert threshold as a predetermined threshold that is based on the anomaly detection models stored in anomaly detection model DB 130.”); 
generate a warning signal in response to determining that the second packet does not satisfy the contents of the rule list (Oba ¶147: “input receiving unit 140 receives an input of a parameter related to the alert occurrence rate for generating an alert.”, and 
Kim ¶96: “…  when there is not the information identical to the combined SIP/FCode information and there is not the FCode itself in the command table, the abnormal behavior detector 130 may generate a warning of an abnormal command level 3 …”).  
Regarding claim 5:
The combination of Oba and Kim discloses:
The intrusion detection device of claim 4, wherein the processor is further configured to: 
read a third internet protocol (IP) address from the network protocol data of the second packet (Oba ¶76: “… for each of the plurality of packets obtained, (i) second combinations of N data units, out of a plurality of data units obtained by dividing a data sequence forming a payload included in the packet by A bit unit, are extracted …”); 
obtain a third action role of the third IP address according to a communication port of the network protocol data of the second packet (Oba ¶76: “… the second combinations being all possible combinations of the N data units …”, and see Fig. 6 for packets content); 
read at least one operation parameter of the industrial operation data of the second packet (Oba ¶200: “Detector 160 extracts the target data portion in the target packet in step S37.”); 
generate the warning signal in response to determining that the third IP address, the third action role of the third IP address, and the at least one operation parameter have not satisfied the first action role, the first IP address, the second IP address, and the contents of the related group on the rule list (Oba ¶202: “Detector 160 determines whether or not the score calculated for the target packet exceeds the alert threshold associated with the anomaly detection model of the target packet which is stored in anomaly detection model DB 130 (S39). When detector 160 determines that the calculated score exceeds the corresponding alert threshold (Yes in S39), presentation unit 170 presents an alert (S40) …”).
Regarding claims 6-7 and 9-10:
Claims 6-7 and 9-10 recite substantially the same limitations as claims 1-2 and 4-5 respectively. Therefore, claims 6-7 and 9-10 are rejected under the same rationale as claims 1-2 and 4-5 respectively.
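The claim mapping above describes a device that tags the source and destination IP addresses of each packet with action roles by looking up the destination port (port 502 identifying a Modbus controller, so its peer is the control center), records the tagged pair together with the related group (protocol, port, operation data) as a rule list, and raises a warning when a later packet does not satisfy an entry on that list. The following Python is an added illustration of that detection logic; it is not code from Oba, Kim, or the application under examination. The port-to-role look-up table, the packet structure and the sample traffic are constructed for the example; the only value taken from the record is Modbus/TCP port 502.

```python
"""Illustrative role tagging and rule-list checking for Modbus/TCP traffic.

Added example, not code from Oba, Kim or the application under examination.
PORT_ROLE_TABLE, Packet, Rule and the sample traffic are constructed here.
"""
from dataclasses import dataclass

MODBUS_PORT = 502  # registered Modbus/TCP port; the device listening here is the controller

# Look-up table (assumption): a destination port identifies the role of the
# device listening on it and the paired role of the device sending to it.
PORT_ROLE_TABLE = {
    MODBUS_PORT: ("control center", "controller"),  # (source role, destination role)
}


@dataclass(frozen=True)
class Packet:
    """Network protocol data plus one piece of industrial operation data (constructed)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    function_code: int  # Modbus function code carried in the payload


@dataclass(frozen=True)
class Rule:
    """One rule-list entry: tagged roles, both IPs and the related group."""
    first_role: str
    first_ip: str
    second_role: str
    second_ip: str
    protocol: str
    dst_port: int
    function_codes: frozenset  # operation parameters seen for this pair


def tag_roles(pkt):
    """Tag (source role, destination role) from the destination port, or None if unknown."""
    return PORT_ROLE_TABLE.get(pkt.dst_port)


def learn_rule_list(packets):
    """Build the rule list from trusted traffic: one entry per (src, dst, port, protocol)."""
    grouped = {}
    for pkt in packets:
        if tag_roles(pkt) is None:
            continue  # ports with no known role are not learned
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        grouped.setdefault(key, set()).add(pkt.function_code)
    rules = []
    for (src, dst, port, proto), fcodes in grouped.items():
        src_role, dst_role = PORT_ROLE_TABLE[port]
        rules.append(Rule(src_role, src, dst_role, dst, proto, port, frozenset(fcodes)))
    return rules


def check_packet(pkt, rules):
    """Return None when the packet satisfies a rule, otherwise a warning string."""
    roles = tag_roles(pkt)
    if roles is None:
        return f"warning: unknown port {pkt.dst_port} used by {pkt.src_ip}"
    src_role, dst_role = roles
    for r in rules:
        if (r.first_ip, r.second_ip, r.dst_port, r.protocol) == (
            pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.protocol
        ):
            if pkt.function_code in r.function_codes:
                return None
            return (f"warning: {src_role} {pkt.src_ip} sent unexpected function code "
                    f"{pkt.function_code} to {dst_role} {pkt.dst_ip}")
    return f"warning: no rule for {src_role} {pkt.src_ip} to {dst_role} {pkt.dst_ip}:{pkt.dst_port}"


# Constructed sample traffic: a SCADA host reading and writing a PLC over Modbus/TCP.
TRUSTED_TRAFFIC = [
    Packet("192.168.2.10", "192.168.2.1", 502, "modbus", 3),  # read holding registers
    Packet("192.168.2.10", "192.168.2.1", 502, "modbus", 6),  # write single register
]
INSPECTION_TRAFFIC = [
    Packet("192.168.2.10", "192.168.2.1", 502, "modbus", 3),   # known pair, known code
    Packet("192.168.2.10", "192.168.2.1", 502, "modbus", 5),   # known pair, new code
    Packet("192.168.2.50", "192.168.2.1", 502, "modbus", 3),   # unknown source host
    Packet("192.168.2.10", "192.168.2.1", 8080, "http", 0),    # port with no role
]


def run_demo():
    """Learn from trusted traffic, then check each inspection packet; returns the results."""
    rules = learn_rule_list(TRUSTED_TRAFFIC)
    results = [check_packet(pkt, rules) for pkt in INSPECTION_TRAFFIC]
    for pkt, res in zip(INSPECTION_TRAFFIC, results):
        print(f"{pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port} fc={pkt.function_code}: {res or 'ok'}")
    return results


if __name__ == "__main__":
    run_demo()
```

Only the first inspection packet matches a learned entry; the other three each produce a warning for a different reason (an unlearned operation parameter, an unlearned source host, and a port that the look-up table cannot tag), which is the three-way distinction the claim 4 and claim 5 limitations draw between role, address and operation parameter.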
Claims 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Oba, Kim and further in view of US-PGPUB No. 2019/0089742 A1 to Hill.
Regarding claim 3:
The combination of Oba and Kim discloses the intrusion detection device of claim 2, but failed to explicitly disclose the following limitation taught by Hill:
wherein the processor is further configured to:
tag the second IP address (Hill ¶121: “… asset type: basic control (controller), Asset IP address”) with the second action role (Hill ¶121: “… asset type: basic control (controller)”) according to the first action role (Hill ¶121: “… asset type: area supervisory control (control center)”) of the first IP address (Hill ¶121: “… asset type: area supervisory control (control center), Asset IP address”) and a Purdue model (Hill ¶75: “… Purdue Reference Model …: Level 0- physical process, Level 1- basic control, Level 2- area supervisory control, Level 3- site manufacturing operations and control systems, Level 4- site business planning and logistics, Level 5- enterprise.”, and ¶121: “… the following may be identified for an asset: asset type, asset vendor, asset level (e.g., under the Purdue Model), asset IP address, asset MAC address, and protocols/ protocol behaviors. …”. Note: the asset type area supervisory control, which is the first action role (control center), tags the first IP address (Hill ¶121: “… asset type: area supervisory control, Asset IP address”). In the same way, the asset type basic control, which is the second action role (controller), tags the second IP address (Hill ¶121: “asset type: basic control, Asset IP address”)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Oba and Kim to incorporate the control hierarchy model (Purdue) of the industrial control system as disclosed by Hill. The availability of such a model in the industrial control system would provide a helpful, common language for industrial control system owners, operators, and suppliers to use to frame security discussions.
Regarding claim 8:
Claim 8 recites substantially the same limitations as claim 3. Therefore, claim 8 is rejected under the same rationale as claim 3.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
McQuillan et al. (US-PGPUB No. 2016/0094578 A1) - disclosed a SCADA system that includes a network interface configured to communicate data with a plurality of industrial control devices via an industrial control system (ICS) network.
Kang et al. (US-PGPUB No. 2016/60094517 A1) - disclosed an apparatus and method for blocking abnormal communication, which are capable of protecting an industrial control system against cyber threats through the traffic analysis of an industrial firewall.
Shimizu et al. (US-PGPUB No. 2018/0069835 A1) - disclosed a packet filtering apparatus that represents a rule set for packet filtering, being a technique for preventing a cyber-attack.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491