Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This communication is in response to the Amendment filed on 05/09/2022.
Claims 1-20 are pending.
Claims 1-6, 7, and 14 have been amended.

Response to Arguments
The applicant's arguments/remarks filed on 05/09/2022 regarding claims 1-20 have been fully considered but are moot in view of the new ground(s) of rejection. The arguments/remarks are essentially directed towards the newly introduced limitations and they are addressed in this Office Action, below.

REJECTIONS UNDER 35 U.S.C. 103
Applicant Arguments
As to claim 1, applicant argues that the device described in Amin is not a “building device” including “a sensor configured to detect a physical condition of a space of a building or an actuator configured to adjust an environmental condition of a space of a building”. Neither the traffic analysis controller, nor the threat detection and prevention logic in Amin are configured to perform functions comprising one or more of receiving data from sensor or controlling actuator wherein the sensor or actuator positioned in or coupled to the housing of the device. The building device of claim 1 is not a generic network security device as described in Amin, but is a building device including “at least one of a sensor configured to detect a physical condition of a space of a building or an actuator configured to adjust an environmental condition of a space of a building.”
Applicant argues that Engler relates to a physical intrusion detection system, and does not describe these communication paths as potentially being compromised due to a cyberattack.
A combination of Engler and Amin teaches network monitoring devices configured to detect a physical intrusion into a secure computer room and connected to a network security device configured to analyze network traffic. However, they do not teach “a second processing circuit configured to determine whether the building device is in a compromised state due to a cyberattack” in a building device that includes a “sensor or actuator positioned in or coupled to the housing of the building device” and “a first processing circuit configured to perform functions comprising one or more of receiving data from the sensor or controlling the actuator.”
Examiner’s Response
The applicant's arguments/remarks filed on 05/09/2022 regarding claims 1-20 have been fully considered and are not persuasive. The elements of applicant’s claimed invention are properly taught or suggested by previously cited arts, and newly recited arts, Cella et al. (hereinafter referred to as Cella) (U. S. Pub. No. 2020/0225655 A1).
As to claim 1, as the title shows, Cella teaches methods, systems, kits and apparatuses for monitoring and managing industrial settings in an industrial internet of things data collection environment.
Cella teaches wherein a sensor configured to detect a physical condition of a space of a building or an actuator configured to adjust an environmental condition of a space of a building (See at least ¶ [0356], “the platform 100 may include the local data collection system 102 deployed in the environment 104 to monitor signals from additional large machines…the platform 100 may include the local data collection system 102 deployed in the environment 104 to monitor signals from individual elements such as …actuators”).
Cella teaches wherein a second processing circuit configured to determine whether the building device is in a compromised state due to a cyberattack (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 7, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cella et al. (hereinafter referred to as Cella) (U. S. Pub. No. 2020/0225655 A1) in view of Israel et al. (hereinafter referred to as Israel) (U. S. Pub. No. 2018/0096157 A1).
As to claim 1, Cella teaches a building device with embedded intrusion detection, the building device comprising: a housing; at least one of a sensor configured to detect a physical condition of a space of a building or an actuator configured to adjust an environment condition of a space of a building, the sensor or actuator positioned in or coupled to the housing (See at least ¶ [1056], “Data collection bands, or smart bands, may be of or may be configured to encompass one or more sensors or sensor data (including groups of sensors and combined signals from one or more pieces of equipment/components, areas of an installation, disparate but interconnected areas of an installation, or locations (e.g., a building in Cambridge and a building in Boston)”; and ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”); a first processing circuit configured to perform functions comprising one or more of receiving data from the sensor or controlling the actuator (See at least ¶ [1039], “at least one processor to perform actions may comprise: providing a data collector communicatively coupled to a plurality of input channels; proving a data acquisition circuit structured to interpret a plurality of detection values”; and ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”); a communication path configured to communicate data between the first processing circuit and one or more other components (See at least ¶ [1895], “certain conventional communication architectures make use of proxy servers on the communication path between a client node 125 and a server node 111”); and a second processing circuit, the first processing circuit and the second processing circuit contained within the housing (See at least ¶ [2170], “an intelligent cooking system 900 may be a participant in or may be a gateway to a home appliance network that may include other kitchen appliances, sensors, monitors, user interface devices, processing devices, and the like. The home appliance network, and/or the devices configured in the home network, may be connected to each other and to other participants of the ecosystem through the platform 800”), the second processing circuit configured to: monitor the data transmitted on the communication path (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”; and ¶ [1895], “certain conventional communication architectures make use of proxy servers on the communication path between a client node 125 and a server node 111”); analyze the monitored data to detect malicious or anomalous activity (See at least ¶ [1577], “An example transmission condition 12254 includes a node in a mesh or hierarchical network detected as malicious (e.g., from another supervisory process, heuristically, or as indicated to the system 12200”); determine whether the building device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”).
Although Cella teaches the substantial features of applicant’s claimed invention, Cella fails to expressly teach wherein initiate a corrective action responsive to a determination that the building device is in the compromised state.
In analogous teaching Israel exemplifies this wherein Israel teaches wherein initiate a corrective action responsive to a determination that the building device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 2, Cella and Israel teach the building device of claim 1. Israel further teaches wherein the corrective action comprises: generating a notification comprising information associated with the determination that the device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”); and transmitting, to a user device via a network connection, the notification (See at least Fig. 7B, “initiating the security alert action includes providing an alert message to a legitimate user of the device”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 7, Cella teaches a circuit for detecting whether a building device is in a compromised state due to a cyberattack, the circuit structured to be mounted within a housing of the building device (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”; and ¶ [1895], “certain conventional communication architectures make use of proxy servers on the communication path between a client node 125 and a server node 111”), the building device comprising a processor, a communication path configured to communicate data between the processor and the one or more other components of the building device, and at least one of a sensor configured to detect a physical condition of a space of a building or an actuator configured to adjust an environment condition of a space of a building, the sensor or actuator positioned in or coupled to the housing (See at least ¶ [1056], “Data collection bands, or smart bands, may be of or may be configured to encompass one or more sensors or sensor data (including groups of sensors and combined signals from one or more pieces of equipment/components, areas of an installation, disparate but interconnected areas of an installation, or locations (e.g., a building in Cambridge and a building in Boston)”; and ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”); the processor configured to receive data from the sensor and/or controlling the actuator (See at least ¶ [1039], “at least one processor to perform actions may comprise: providing a data collector communicatively coupled to a plurality of input channels; proving a data acquisition circuit structured to interpret a plurality of detection values”; and ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”), the circuit comprising: an interface configured to receive data transmitted on the communication path (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”; and ¶ [1895], “certain conventional communication architectures make use of proxy servers on the communication path between a client node 125 and a server node 111”); and processing circuitry configured to: analyze the received data to detect malicious or anomalous activity (See at least ¶ [1577], “An example transmission condition 12254 includes a node in a mesh or hierarchical network detected as malicious (e.g., from another supervisory process, heuristically, or as indicated to the system 12200”); determine whether the building device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”).
Although Cella teaches the substantial features of applicant’s claimed invention, Cella fails to expressly teach wherein initiate a corrective action responsive to a determination that the building device is in the compromised state.
In analogous teaching Israel exemplifies this wherein Israel teaches wherein initiate a corrective action responsive to a determination that the building device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 13, Cella and Israel teach the circuit of claim 7. Israel teaches the processing circuitry further configured to: generate, based on a determination that the building device is in the compromised state, at least one of an alert or a report, the report comprising information associated with the determination that the building device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”); and transmit, to a user device via a network connection, at least one of the alert notification (See at least Fig. 7B, “initiating the security alert action includes providing an alert message to a legitimate user of the device”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Amin, system and method for packet processing and analysis, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 19, Cella teaches the system of claim 14. Israel further teaches the processing circuitry further configured to: generate, based on a determination that the building device is in the compromised state, at least one of an alert or a report, the report comprising information associated with the determination that the building device is in the compromised state (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”); and transmit, to a user device via a network connection, at least one of the alert notification (See at least Fig. 7B, “initiating the security alert action includes providing an alert message to a legitimate user of the device”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

Claims 3-6 and 9-12 are rejected under 35 U.S.C. 103 as being unpatentable over Cella in view of Israel, and in view of Engler et al. (hereinafter referred to as Engler) (U. S. Pub. No. 2019/0371139 A1).
As to claim 3, Cella and Israel teach the building device of claim 1. However, Cella and Israel fail to expressly teach wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the first processing circuit; or transmitting, via the communication path, random data to the first processing circuit.
In analogous teaching, Engler further teaches wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the first processing circuit; or transmitting, via the communication path, random data to the first processing circuit (See at least FIG. 5, “Determine first level corrective actions…issue alerts through primary (or Secondary) communication paths…destroy local data and components”; and ¶ [0027], “Output 375 may transmit security event to an internal CPU”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, and Israel, detection of compromised devices via user states, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 4, Cella and Israel teach the building device of claim 1. However, Cella and Israel fail to expressly teach wherein the second processing circuit configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern.
In analogous teaching, Engler exemplifies this wherein Engler teaches wherein the second processing circuit configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern (See at least ¶ [0021], “A standard communication path 142 communicatively couples CPU 140 to intrusion monitor 145 and a backup communication path is illustrated”; and ¶ [0036], “Block 555 indicates that data and components may be destroyed, in response to a detected intrusion event”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, and Israel, detection of compromised devices via user states, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 5, Cella, Israel and Engler teach the building device of claim 4. Israel further teaches wherein the second processing circuit configured to receive a second traffic profile based on previously identified patterns of data associated with known malicious data (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 6, Cella, Israel and Engler teach the building device of claim 5. Israel further teaches wherein the second processing circuit configured to determine that the building device is in the compromised state by: determining that the monitored data does not match the first traffic profile for the building device (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”), or determining that the monitored data is outside of a threshold of the second traffic profile (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles. If the probability is low enough (e.g., lower than a predetermined threshold value, by comparing the probability against the threshold…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 9, Cella and Israel teach the circuit of claim 7. However, Cella and Israel fail to teach wherein the processing circuit further configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern.
In analogous teaching, Engler exemplifies this wherein Engler teaches wherein the processing circuit further configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern (See at least ¶ [0021], “A standard communication path 142 communicatively couples CPU 140 to intrusion monitor 145 and a backup communication path is illustrated”; and ¶ [0036], “Block 555 indicates that data and components may be destroyed, in response to a detected intrusion event”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, and Israel, detection of compromised devices via user states, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 10, Cella, Israel and Engler teach the circuit of claim 9. Israel further teaches wherein the processing circuitry further configured to receive, from a user device, a second traffic profile based on previously identified patterns of data associated with known malicious data (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 11, Cella, Israel and Engler teach the circuit of claim 10. Israel further teaches wherein a determination that the building device is in the compromised state is based on: an indication that the received data does not match the first traffic profile for the building device (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”), or an indication that the received data is outside of a threshold of the second traffic profile (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles. If the probability is low enough (e.g., lower than a predetermined threshold value, by comparing the probability against the threshold…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 12, Cella and Israel teach the circuit of claim 7. However, Cella and Israel fail to expressly teach wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the processor of the building device; or transmitting, via the communication path, random data to the processor of the building device.
In analogous teaching, Engler further teaches wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the processor of the building device; or transmitting, via the communication path, random data to the processor of the building device (See at least FIG. 5, “Determine first level corrective actions…issue alerts through primary (or Secondary) communication paths…destroy local data and components”; and ¶ [0027], “Output 375 may transmit security event to an internal CPU”). Israel teaches wherein initiating the corrective action (See at least ABSTRACT, “A security alert action may be initiated, based on a result of the determination of the statistical fit indicating a compromised state of the device”; Fig. 7B, “initiating the security alert action includes initiating a remedial action on the device”; and ¶ [0015], “Security alerts may be provided for determinations of compromised devices (e.g., as well as remedial actions)”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, and Israel, detection of compromised devices via user states, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim 14 is rejected under 35 U.S.C. 102 (a) (2) as being anticipated by Cella.
As to claim 14, Cella teaches a system comprising: a building device comprising: a housing: at least one of a sensor configured to detect a physical condition of a space of a building or an actuator configured to adjust an environment condition of a space of a building, the sensor or actuator positioned in or coupled to the housing (See at least ¶ [1056], “Data collection bands, or smart bands, may be of or may be configured to encompass one or more sensors or sensor data (including groups of sensors and combined signals from one or more pieces of equipment/components, areas of an installation, disparate but interconnected areas of an installation, or locations (e.g., a building in Cambridge and a building in Boston)”; and ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”); a processor configured to perform functions comprising one or more of receiving data from the sensor or controlling the actuator (See at least ¶ [1039], “at least one processor to perform actions may comprise: providing a data collector communicatively coupled to a plurality of input channels; proving a data acquisition circuit structured to interpret a plurality of detection values”; and ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”); and a communication path configured to communicate data between the processor and one or more other components of a building (See at least ¶ [1895], “certain conventional communication architectures make use of proxy servers on the communication path between a client node 125 and a server node 111”); wherein the processor and the communication path are contained within the housing (See at least ¶ [2170], “an intelligent cooking system 900 may be a participant in or may be a gateway to a home appliance network that may include other kitchen appliances, sensors, monitors, user interface devices, processing devices, and the like. The home appliance network, and/or the devices configured in the home network, may be connected to each other and to other participants of the ecosystem through the platform 800”); and a circuit comprising: an interface configured to receive data transmitted on the communication path (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”; and ¶ [1895], “certain conventional communication architectures make use of proxy servers on the communication path between a client node 125 and a server node 111”); and processing circuitry configured to: analyze the received data to detect malicious or anomalous activity without the use of an additional monitoring device (See at least ¶ [1577], “An example transmission condition 12254 includes a node in a mesh or hierarchical network detected as malicious (e.g., from another supervisory process, heuristically, or as indicated to the system 12200”); determine whether the building device is in a compromised state due to a cyberattack based on a detection of malicious or anomalous activity in the analyzed data (See at least ¶ [1757], “approaches respond to instantaneous network behavior and learn the network’s data handling policy and state by probing for changes. In an industrial environment (building devices), this may include learning policies relating to authorization to use aspects of a network; for example, a SCADA system may allow a data path to be used only by a limited set of authorized users, services, or applications, because of the sensitivity of underlying machines or processes that are under control (including remote control) via the SCADA system and concern over potential for cyberattacks”).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Cella in view of Engler.
As to claim 15, Cella teaches the system of claim 14. However, Cella fails to expressly teach wherein the processing circuit further configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern.
In analogous teaching, Engler further teaches wherein the processing circuit further configured to: identify a traffic pattern for the communication path, wherein the traffic pattern is a pattern of the data transmitted on the communication path; and generate a first traffic profile for the device based on the traffic pattern (See at least ¶ [0021], “A standard communication path 142 communicatively couples CPU 140 to intrusion monitor 145 and a backup communication path is illustrated”; and ¶ [0036], “Block 555 indicates that data and components may be destroyed, in response to a detected intrusion event”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).

As to claim 18, Cella teaches the system of claim 14. However, Cella fails to expressly teach wherein the processing circuitry further configured to initiate a corrective action, wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the first processing circuit; or transmitting, via the communication path, random data to the first processing circuit.
In analogous teaching, Engler further teaches wherein the processing circuitry further configured to initiate a corrective action, wherein the corrective action comprises at least one of: transmitting, via the communication path, a reset signal to the first processing circuit; or transmitting, via the communication path, random data to the first processing circuit (See at least FIG. 5, “Determine first level corrective actions…issue alerts through primary (or Secondary) communication paths…destroy local data and components”; and ¶ [0027], “Output 375 may transmit security event to an internal CPU”).
Thus, given the teaching of Engler, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Engler, Intrusion detection and notification device, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to detect intrusion. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to protect data and detect intrusion (See Engler: ABSTRACT).


Claims 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Cella in view of Engler, and in view of Israel.
As to claim 16, Cella and Engler teach the system of claim 15. Israel further teaches wherein the processing circuit further configured to receive, from a user device, a second traffic profile based on previously identified patterns of data associated with known malicious data (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

As to claim 17, Cella, Engler and Israel teach the system of claim 16. Israel further teaches wherein a determination that the building device is in the compromised state is based on: an indication that the received data does not match the first traffic profile for the building device (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”), or an indication that the received data matches the second traffic profile (See at least ¶ [0057], “An example engine may run every hours and may compare the new activities’ occurrences to the devices’ profiles. If the probability is low enough (e.g., lower than a predetermined threshold value, by comparing the probability against the threshold…Further, one or more protective/remedial actions may be initiated. Then the profiles may be updated with the new data”).
Thus, given the teaching of Israel, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Israel, detection of compromised devices via user states, into Engler, Intrusion detection and notification device, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to initiate a corrective action based on monitored compromised state. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to control device security based on obtaining activity data indicating current device activity (See Israel: ABSTRACT).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Cella, in view of Israel, and further in view of Jenkins et al. (hereinafter referred to as Jenkins) (U. S. Patent No. 10410002 B1).
As to claim 8, Cella and Israel teach the circuit of claim 1. However, Cella and Israel fail to expressly teach wherein the communication path is at least one of an address bus, a data bus, or a control bus.
In analogous teaching, Jenkins exemplifies this wherein Jenkins teaches wherein the communication path is at least one of an address bus, a data bus, or a control bus (See at least Abstract “An intrusion detection device is incorporated between a bus controller and a bus of multiplex data bus. The intrusion detection device receives message that are communicated among the bus controller and a plurality of remote terminals (by way of the bus)”).
Thus, given the teaching of Jenkins, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Jenkins, Intrusion detection apparatus, system and methods, into Israel, detection of compromised devices via user states, and Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to implement intrusion detection on the communication paths. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to detect and mitigate terminal attacks on multiplex data buses (See Jenkins: ABSTRACT).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Cella in view of Jenkins.
As to claim 20, Cella teaches the system of claim 14. However, Cella fails to expressly teach wherein the communication path is at least one of an address bus, a data bus, or a control bus.
In analogous teaching, Jenkins exemplifies this wherein Jenkins teaches wherein the communication path is at least one of an address bus, a data bus, or a control bus (See at least Abstract “An intrusion detection device is incorporated between a bus controller and a bus of multiplex data bus. The intrusion detection device receives message that are communicated among the bus controller and a plurality of remote terminals (by way of the bus)”).
Thus, given the teaching of Jenkins, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to combine the teaching of Jenkins, Intrusion detection apparatus, system and methods, into Cella, method and system for monitoring and managing industrial settings in an industrial internet of things data collection environment, for a method and system to implement intrusion detection on the communication paths. One of ordinary skill in the art would have been motivated because it would have been advantageous to have the system or method to detect and mitigate terminal attacks on multiplex data buses (See Jenkins: ABSTRACT).

Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN FAN whose telephone number is (571)272-3345. The examiner can normally be reached on Monday-Friday, 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on (571)270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

John Fan
/J. F. /
Examiner, Art Unit 2456
07/24/2022


/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2456