DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 6/22/2022 has been placed of record in the file.
Claims 11, 13, 16-18, 20, 24-26, 28, 33, and 34 have been amended.
Claims 12, 14, 19, 21, 27, and 29 have been canceled.
Claims 11, 13, 15-18, 20, 22-26, 28, and 30-34 are now pending.
The applicant’s arguments with respect to claims 11, 13, 15-18, 20, 22-26, 28, and 30-34 have been considered but are moot in view of the following new grounds of rejection.

Response to Amendment
Claims have been amended to further define the generation of the state model.  The amendment proves a change in scope to the independent claims as the independent claims now explicitly state the use of corresponding control values by which the monitoring target is controlled as the measurement value is measured, etc.  However, none of the amended claims show a patentable distinction over the prior art as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 11, 13, 15-18, 20, 22-26, 28, and 30-34 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The term “substantially” in claims 11, 16-18, 24-26, 33, and 34 is a relative term which renders the claim indefinite. The term “substantially” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  As such, the limitation “exhibiting substantially linear relationships” is considered indefinite.  Claims 13, 15, 20, 22, 23, 28, and 30-32 are rejected due to their dependence on the independent claims.

Claim Rejections - 35 USC § 103
11.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
12.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

13.	Claims 11, 13, 15-18, 20, and 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Yunoki et al. (U.S. Patent Application Publication Number 2016/0085237), hereinafter referred to as Yunoki, in view of Jallon (U.S. Patent Application Publication Number 2013/0238543), further in view of Khalid (U.S. Patent Application Publication Number 2015/0267619).
Yunoki disclosed techniques for detecting abnormality in a control network based on changes in communication patterns.  In an analogous art, Jallon disclosed techniques for detecting scenarios based on an observed data sequence.  Also in an analogous art, Khalid disclosed techniques for a control system that can be adjusted to real time conditions.  All of these systems deal directly with state modeling in sensor systems.
Regarding claim 11, Yunoki discloses an attack detection apparatus comprising: processing circuitry to: generate, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); generate a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); and determine whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication), wherein the processing circuitry acquires a state from the state model, based on a value of a time when each piece of communication data of the pieces of communication data is obtained, acquires communication information from each piece of communication data, and registers the acquired state and the acquired communication information in the detection rule in association with each other (paragraph 65, creates database using system and communication acquisitions).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the processing circuitry generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the processing circuitry generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
Regarding claim 13, the combination of Yunoki, Jallon, and Khalid discloses generates the detection rule based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of control values and the plurality of measurement values are obtained (Yunoki, paragraphs 41-43, normal patterns for each mode).
Regarding claim 15, the combination of Yunoki, Jallon, and Khalid discloses wherein when same communication information as the acquired communication information exists in a communication information list, the processing circuitry registers the acquired state and the acquired communication information in the detection rule in association with each other (Yunoki, paragraph 50, inputs set of addresses to storage unit).
Regarding claim 16, Yunoki discloses an attack detection method comprising: generating, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); generating a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); and determining whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication), wherein a state is acquired from the state model, based on a value of a time when each piece of communication data of the pieces of communication data is obtained, communication information is acquired from each piece of communication data, and the acquired state and the acquired communication information are registered in the detection rule in association with each other (paragraph 65, creates database using system and communication acquisitions).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the state model is generated by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the state model is generated by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
Regarding claim 17, Yunoki discloses a non-transitory computer readable medium storing an attack detection program for causing a computer to execute: a model generation process to generate, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); a rule generation process to generate a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); and an attack detection process to determine whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication), wherein the rule generation process acquires a state from the state model, based on a value of a time when each piece of communication data of the pieces of communication data is obtained, acquires communication information from each piece of communication data, and registers the acquired state and the acquired communication information in the detection rule in association with each other (paragraph 65, creates database using system and communication acquisitions).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the model generation process generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the model generation process generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
Regarding claim 18, Yunoki discloses an attack detection apparatus comprising: processing circuitry to: generate, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); generate a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); and determine whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication), wherein the processing circuitry selects, from the state model, a state corresponding to a value monitored in a time period during which the new communication data is communicated, selects communication information corresponding to the selected state from the detection rule, compares the selected communication information with communication information of the new communication data, and determines that the new communication data is the attack data when the communication information of the new communication data does not match the selected communication information (paragraph 50, when set of addresses not in normal patterns of communication, determines abnormality).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the processing circuitry generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the processing circuitry generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
Regarding claim 20, the combination of Yunoki, Jallon, and Khalid discloses generates the detection rule based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of control values and the plurality of measurement values are obtained (Yunoki, paragraphs 41-43, normal patterns for each mode).
Regarding claim 22, the combination of Yunoki, Jallon, and Khalid discloses wherein the processing circuitry acquires a state from the state model, based on a measurement value of a time when each piece of communication data of the pieces of communication data is obtained, acquires communication information from each piece of communication data, and registers the acquired state and the acquired communication information in the detection rule in association with each other (Yunoki, paragraph 65, creates database using system and communication acquisitions).
Regarding claim 23, the combination of Yunoki, Jallon, and Khalid discloses wherein when same communication information as the acquired communication information exists in a communication information list, the processing circuitry registers the acquired state and the acquired communication information in the detection rule in association with each other (Yunoki, paragraph 50, inputs set of addresses to storage unit).
Regarding claim 24, Yunoki discloses an attack detection method comprising: generating, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); generating a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); and determining whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication), wherein a state corresponding to a value monitored in a time period during which the new communication data is communicated is selected from the state model, communication information corresponding to the selected state is selected from the detection rule, the selected communication information is compared with communication information of the new communication data, and the new communication data is determined to be the attack data when the communication information of the new communication data does not match the selected communication information (paragraph 50, when set of addresses not in normal patterns of communication, determines abnormality).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the state model is generated by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the state model is generated by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
Regarding claim 25, Yunoki discloses a non-transitory computer readable medium storing an attack detection program for causing a computer to execute: a model generation process to generate, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); a rule generation process to generate a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); and an attack detection process to determine whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication), wherein the attack detection process selects, from the state model, a state corresponding to a value monitored in a time period during which the new communication data is communicated, selects communication information corresponding to the selected state from the detection rule, compares the selected communication information with communication information of the new communication data, and determines that the new communication data is the attack data when the communication information of the new communication data does not match the selected communication information (paragraph 50, when set of addresses not in normal patterns of communication, determines abnormality).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the model generation process generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the model generation process generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).

14.	Claims 26, 28, and 30-34 are rejected under 35 U.S.C. 103 as being unpatentable over Yunoki in view of Jallon, in view of Khalid, further in view of Bellingan et al. (U.S. Patent Number 10,324,779), hereinafter referred to as Bellingan.
The combination of Yunoki, Jallon, and Khalid disclosed techniques for detecting abnormality in a control network based on changes in communication patterns.  In an analogous art, Bellingan disclosed techniques for determining whether a computing node is in a normal or an abnormal condition.  Both systems deal directly with state modeling for networked computer devices.
Regarding claim 26, Yunoki discloses an attack detection apparatus comprising: processing circuitry to: generate, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); generate a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); determine whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the processing circuitry generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the processing circuitry generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
The combination of Yunoki, Jallon, and Khalid does not explicitly state when there are multiple states in the state model having matching communication information with respect to each other in the detection rule, integrate the multiple states into one state in each of the state model and the detection rule, wherein when the multiple states are integrated into the one state, the processing circuitry determines whether the new communication data is attack data, using the state model after integration and the detection rule after integration.  However, managing the states of a state model in such a fashion was well known in the art as evidenced by Bellingan.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki, Jallon, and Khalid by adding the ability for when there are multiple states in the state model having matching communication information with respect to each other in the detection rule, integrate the multiple states into one state in each of the state model and the detection rule, wherein when the multiple states are integrated into the one state, the processing circuitry determines whether the new communication data is attack data, using the state model after integration and the detection rule after integration as provided by Bellingan (see column 11, lines 26-36, multiple similar states aggregated into one state model).  One of ordinary skill in the art would have recognized the benefit that using state models and clustering in such a way would assist in more efficiently determining when computing nodes are in an abnormal condition (see Bellingan, column 1, lines 57-66).
Regarding claim 28, the combination of Yunoki, Jallon, Khalid, and Bellingan discloses generates the detection rule based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of control values and the plurality of measurement values are obtained (Yunoki, paragraphs 41-43, normal patterns for each mode).
Regarding claim 30, the combination of Yunoki, Jallon, Khalid, and Bellingan discloses wherein the processing circuitry acquires a state from the state model, based on a measurement value of a time when each piece of communication data of the pieces of communication data is obtained, acquires communication information from each piece of communication data, and registers the acquired state and the acquired communication information in the detection rule in association with each other (Yunoki, paragraph 65, creates database using system and communication acquisitions).
Regarding claim 31, the combination of Yunoki, Jallon, Khalid, and Bellingan discloses wherein when same communication information as the acquired communication information exists in a communication information list, the processing circuitry registers the acquired state and the acquired communication information in the detection rule in association with each other (Yunoki, paragraph 50, inputs set of addresses to storage unit).
Regarding claim 32, the combination of Yunoki, Jallon, Khalid, and Bellingan discloses wherein the processing circuitry selects, from the state model, a state corresponding to a measurement value measured in a time period during which the new communication data is communicated, selects communication information corresponding to the selected state from the detection rule, compares the selected communication information with communication information of the new communication data, and determines that the new communication data is the attack data when the communication information of the new communication data does not match the selected communication information (Yunoki, paragraph 50, when set of addresses not in normal patterns of communication, determines abnormality).
Regarding claim 33, Yunoki discloses an attack detection method comprising: generating, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); generating a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); determining whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the state model is generated by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the state model is generated by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
The combination of Yunoki, Jallon, and Khalid does not explicitly state integrating, when there are multiple states in the state model having matching communication information with respect to each other in the detection rule, the multiple states into one state in each of the state model and the detection rule, wherein when the multiple states are integrated into the one state, a determination is made as to whether the new communication data is attack data, using the state model after integration and the detection rule after integration.  However, managing the states of a state model in such a fashion was well known in the art as evidenced by Bellingan.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki, Jallon, and Khalid by adding the ability for integrating, when there are multiple states in the state model having matching communication information with respect to each other in the detection rule, the multiple states into one state in each of the state model and the detection rule, wherein when the multiple states are integrated into the one state, a determination is made as to whether the new communication data is attack data, using the state model after integration and the detection rule after integration as provided by Bellingan (see column 11, lines 26-36, multiple similar states aggregated into one state model).  One of ordinary skill in the art would have recognized the benefit that using state models and clustering in such a way would assist in more efficiently determining when computing nodes are in an abnormal condition (see Bellingan, column 1, lines 57-66).
Regarding claim 34, Yunoki discloses a non-transitory computer readable medium storing an attack detection program for causing a computer to execute: a model generation process to generate, based on a plurality of values obtained by monitoring a monitoring target, a state model that indicates a value in each of a plurality of states of operation of the monitoring target (paragraph 41, system state represented by different modes); a rule generation process to generate a detection rule that indicates communication information in each of the states of operation of the monitoring target, based on pieces of communication data communicated by the monitoring target in a time period during which the plurality of values are obtained (paragraph 40, correspondences between system states and normal patterns of communication); an attack detection process to determine whether new communication data is attack data, using the state model and the detection rule (paragraph 50, checks normal patterns of communication).
Yunoki does not explicitly state that the values are measurement values obtained by measuring a monitoring target, wherein the model generation process generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states.  However, determining particular states of a state model in such a fashion was well known in the art as evidenced by Jallon.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Yunoki by adding the ability that the values are measurement values obtained by measuring a monitoring target, wherein the model generation process generates the state model by measuring the plurality of measurement values during a general state of operation of the monitoring target, dividing the plurality of measurement values into groups exhibiting substantially similar relationships, and defining the plurality of states of operation of the monitoring target by assigning each of the groups to one of the states as provided by Jallon (see paragraphs 21-23, determines standardised measurement values of particular states based on values received, and paragraph 26, statistical models defined to determine states).  One of ordinary skill in the art would have recognized the benefit that using measurements in such a way would assist in defining sets of statistical models in sensor systems (see Jallon, paragraph 161).
The combination of Yunoki and Jallon does not explicitly state each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values.  However, generating state models in such a fashion was well known in the art as evidenced by Khalid.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki and Jallon by adding the ability for each of the measurement values being paired with a corresponding control value by which the monitoring target is controlled as the measurement value is measured, the substantially similar relationships being substantially linear relationships with the corresponding control values as provided by Khalid (see paragraph 32, determines different linear models at separate operational conditions using control vector and output vector).  One of ordinary skill in the art would have recognized the benefit that using a control signal would assist in improving system operation (see Khalid, paragraph 19).
The combination of Yunoki, Jallon, and Khalid does not explicitly state an integration process to, when there are multiple states in the state model having matching communication information with respect to each other in the detection rule, integrate the multiple states into one state in each of the state model and the detection rule, wherein when the multiple states are integrated into the one state, the attack detection process determines whether the new communication data is attack data, using the state model after integration and the detection rule after integration.  However, managing the states of a state model in such a fashion was well known in the art as evidenced by Bellingan.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yunoki, Jallon, and Khalid by adding the ability for an integration process to, when there are multiple states in the state model having matching communication information with respect to each other in the detection rule, integrate the multiple states into one state in each of the state model and the detection rule, wherein when the multiple states are integrated into the one state, the attack detection process determines whether the new communication data is attack data, using the state model after integration and the detection rule after integration as provided by Bellingan (see column 11, lines 26-36, multiple similar states aggregated into one state model).  One of ordinary skill in the art would have recognized the benefit that using state models and clustering in such a way would assist in more efficiently determining when computing nodes are in an abnormal condition (see Bellingan, column 1, lines 57-66).

Response to Arguments
15.	The applicant’s argument concerning the claimed “states of operation” may still be relevant and is thus addressed herein.  In the remarks, the applicant argues that Yunoki does not teach the state model having a plurality of states of operation.  However, Yunoki is seen to meet this limitation.  Yunoki clearly states multiple different system states, which are seen as different modes of operation.  The applicant is directed to Yunoki, paragraph 41.

Conclusion
16.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
17.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493