Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: Fig. 7 ref. number 306.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-3, 5-9 and 11-13 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. These claims do not fall within at least one of the four categories of patent eligible subject matter because these claims only recite processing data and ascertaining data. Processing data and ascertaining data are mental steps, whereas devices configured to process data and additional recitations of processors or memory are merely generic computer components. In addition, the claims do not integrate the abstract ideas into a practical application. Furthermore, upon further considering additional claim elements, they do not appear to add significantly more to the abstract ideas. For example, claims 2, 3, 5-9, and 11-13 only recite ascertaining metadata through the determination of average frequency, duration, transfers during a time frame, and from a system to a receiver. These claims fail to recite how the ascertained data is being used. These claims amount merely to performing data storage, retrieval, and manipulation. Therefore, claims 1-3, 5-9, and 11-13 are rejected under 35 U.S.C. 101 for reciting abstract ideas.

Claims 1-11 and 14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because they recite features which are directed towards software per se.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claims 1-3, 5, 6, 8, 10, 11, 13, and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 5 recites the limitation "the time period". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is being interpreted as “the predefinable time period”.
Claim 6 recites the limitation "the ascertainment". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is being interpreted as “the ascertaining”.
Claims 1-3, 8, 10, 11, 13, and 14 recite the limitation "the system". There is insufficient antecedent basis for this limitation in the claims. For the purpose of examination, this limitation is being interpreted as “the technical system”.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: 
“device configured to” in claim 11.
Because this/these claim limitation is being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof, see specification [Page 12 lines 7-24] for a device. 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitations to avoid it being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 and 11-13 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by LAN (US-20210303984-A1).
Regarding claim 1, LAN teaches “A computer-implemented method for processing data of a technical system, comprising the following steps: ascertaining first pieces of information, which are associated with a data traffic of the system;” ([LAN, para. 0069] “FIG. 8 is a flow diagram 800 illustrating network traffic classification processing in accordance with an embodiment of the present invention. The processing described with reference to FIG. 8 may be implemented in the form of executable instructions stored on a machine readable medium and executed by a processing resource (e.g., a microcontroller, a microprocessor, central processing unit core(s), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), and the like) and/or in the form of other types of electronic circuitry. For example, this processing may be performed by one or more computer systems of various forms, such as the computer system 900 described with reference to FIG. 9 below.”) ([LAN, para. 0070] “In the context of the present example, at block 810, a stream of packets representing a network flow is received. For example, the stream of packets may be received by a processor of a network security device (e.g., network security device 102).”) “and ascertaining metadata associated with the data traffic of the system based on the first pieces of information.” ([LAN, para. 0071] “At block 820, metadata is determined relating to the stream of packets. For example, metadata may be collected during a TLS handshake stage (e.g., TLS handshake stage 314) and/or an encrypted data exchange stage (e.g., encrypted data exchange 316) and may include one or more of the types of metadata listed in Table 1.”) ([LAN, claim 1] “A method comprising: receiving, by a processor of a network security device, a stream of packets representing a network flow; determining, by the processor, metadata relating to the stream of packets;”).

Regarding claim 11, this claim recites a device configured to perform the steps of claim 1. Therefore, claim 11 is rejected in a similar manner as in the rejection of claim 1. Furthermore, LAN teaches ([LAN, para. 0005] “According to one embodiment, a stream of packets representing a network flow is received by a processor of a network security device. Metadata relating to the stream of packets is determined by the processor.”).

Regarding claim 12, LAN teaches all limitations of claim 11. LAN further teaches “wherein the device includes: a processing unit, a memory unit associated with the processing unit for at least temporarily storing at least one of the following elements: a) data, b) a computer program configured to carry out the ascertainment of the first pieces of information and the ascertainment of the metadata.” ([LAN, para. 0041] “FIG. 2 is a block diagram illustrating functional components of a network security device 102 in accordance with an embodiment of the present invention. In the context of the present example, network security device 102 can include one or more processing resources (e.g., processor(s) 202). Processor(s) 202 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that manipulate data based on operational instructions. Among other capabilities, processor(s) 202 are configured to fetch and execute computer-readable instructions stored in a memory 204 of the network security device 102. Memory 204 can store one or more computer-readable instructions or routines, which may be fetched and executed to create or share the data units over a network service. Memory 204 can include any non-transitory storage device including, for example, volatile memory such as RAM, or non-volatile memory such as EPROM, flash memory, and the like. In an example embodiment, memory 204 may be a local memory or may be located remotely, such as a server, a file server, a data server, and the Cloud.”) ([LAN, para. 0070] “In the context of the present example, at block 810, a stream of packets representing a network flow is received. For example, the stream of packets may be received by a processor of a network security device (e.g., network security device 102).”) ([LAN, para. 0071] “At block 820, metadata is determined relating to the stream of packets.”) ([LAN, para. 0005] “According to one embodiment, a stream of packets representing a network flow is received by a processor of a network security device. Metadata relating to the stream of packets is determined by the processor.”) [Examiner’s note: LAN teaches “temporarily storing” by reciting memory 204 to be volatile memory stored in RAM].

Regarding claim 13, this claim recites a computer readable medium storing instructions which, once executed, perform the steps of claim 1. Therefore, claim 13 is rejected in a similar manner as in the rejection of claim 1.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-4, 6-10, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over LAN in view of RIEGER (US-20200175171-A1), hereinafter LAN-RIEGER.
Regarding claim 2, LAN teaches all limitations of claim 1. However, LAN does not teach “wherein the ascertaining of the metadata includes at least one of the following steps: a) ascertaining an average frequency at which data transfers of the data traffic are transferred, b) ascertaining an average duration of a data transfer session, c) ascertaining an amount of data which has been transferred in a predefinable time period from the system and/or to the system.”
 In analogous teaching, RIEGER teaches “wherein the ascertaining of the metadata includes at least one of the following steps: a) ascertaining an average frequency at which data transfers of the data traffic are transferred, b) ascertaining an average duration of a data transfer session, c) ascertaining an amount of data which has been transferred in a predefinable time period from the system and/or to the system.” ([RIEGER, para. 0064] “In some embodiments, the cyber state metadata 220 may comprise, define, and/or characterize a cyber state at one or more cyber nodes (cyber nodes 124) of the control system 101. The cyber state metadata 220 may comprise, define, and/or characterize any suitable aspect of cyber communication at a cyber node 124. In some embodiments, the cyber state metadata 220 may comprise statistical characteristics of cyber communication at particular cyber nodes 124, which characteristics may include, but are not limited to: communication speed, mean time delta between messages, mean message latency, number of messages per destination, number of message sources, mean message size, number of zero size messages, mean data length, maximum data length, data speed, and/or the like. Alternatively, or in addition, the cyber state metadata 220 may comprise parameters 222 corresponding to cyber communication between particular cyber nodes 124 (e.g., communication between a controller 132 and one or more sensors 144, actuators 146, automation controllers 134, and/or the like), which may include, but are not limited to: communication speed to/from the nodes 124, mean time delta between messages to/from the nodes 124, latency of messages communicated between the nodes 124, mean size of messages communicated between the nodes 124, and/or the like. 
Although particular examples of cyber state metadata 220 and/or cyber state parameters 222 are described herein, the disclosure is not limited in this regard, and could be adapted to utilize any suitable information pertaining to a cyber state of a cyber-physical system 100, including acquiring, estimating, determining, and/or monitoring any suitable type of cyber state parameter 222 pertaining to any suitable characteristic and/or aspect of the cyber state of the control system 101.”)
Thus, given the teaching of RIEGER, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of ascertaining metadata through data traffic and other means by RIEGER into the teaching of a method to ascertain information and metadata as taught by LAN. One of ordinary skill in the art would have been motivated to do so because RIEGER recognizes the need to have systems that are capable of detecting cyber-attacks. ([RIEGER, para. 0006] “What is needed are systems, methods, apparatus, and/or non-transitory computer-readable storage media for securing cyber-physical systems that impose minimal overhead, are capable of detecting cyber and physical attack and/or failure modes, and are capable of assessing the validity of the acquired cyber and/or physical state of the control system.”)

Regarding claim 3, LAN-RIEGER teaches all limitations of claim 2. LAN further teaches “wherein the data transfers of the data traffic are from the system to a receiver.” ([LAN, para. 0045] “According to an embodiment, packets stream receiving engine 212 can receive a stream of packets that represent a network flow.”) ([LAN, para. 0074] “stream of packets is classified as being associated with a particular network service of multiple network services (e.g., a movie streaming service (e.g., Netflix, HBO GO, HBO NOW, Disney Plus, Hulu, Amazon Prime Video, Sling TV, Fubo TV, YouTube, etc.), a music streaming service (e.g., Amazon Music, Apple Music, Spotify, Google Play, etc.), or the like)”).

Regarding claim 4, LAN-RIEGER teaches all limitations of claim 2. LAN further teaches “wherein the data transfer session is a transport layer security session.” ([LAN, para. 0049] “FIG. 3 is a high-level flow diagram 300 illustrating traffic classification processing in accordance with an embodiment of the present invention. In the context of the present example, a network flow is generally represented in two stages, a TLS handshake stage 314 and an encrypted data exchange stage 316. During the TLS handshake stage 314, at block 302, responsive to receipt of a stream of data packets, the network security device collects metadata and copies unencrypted payload data to local memory.”) ([LAN, para. 0067] “In an embodiment, when selected features from a network traffic flow are extracted at TLS handshake stage 720”) ([LAN, para. 0027] “Non-limiting examples of security functions include authentication, next-generation firewall protection, antivirus scanning, content filtering, data privacy protection, web filtering, network traffic inspection (e.g., secure sockets layer (SSL) or Transport Layer Security (TLS) inspection), intrusion prevention, intrusion detection”).

Regarding claim 6, LAN teaches all limitations of claim 1. LAN further teaches “wherein the ascertainment of the metadata includes: recording and/or determining the metadata.” ([LAN, para. 0045] “According to an embodiment, packets stream receiving engine 212 can receive a stream of packets that represent a network flow. Metadata determination engine 214 can determine metadata that is related to the received stream of packets. The metadata can include any or a combination of a packet size sequence, an arrival interval sequence, an Internet Protocol (IP) family, and a layer four protocol associated with the network flow. In addition, the metadata can include any or a combination of a destination port specified by the layer four protocol, Transport Layer Security (TLS) records, and TLS hello message lengths. The packet size sequence can include sizes of an application layer payload for a predetermined number of initial packets of the network flow.”). 

Regarding claim 7, LAN teaches all limitations of claim 1. However, LAN does not teach “ascertaining estimated metadata based on data transfers of the system.”
In analogous teaching, RIEGER teaches “ascertaining estimated metadata based on data transfers of the system.” ([RIEGER, para. 0281] “In the FIG. 13A embodiment, the state engine 1290 may be further configured to determine estimated cyber-physical state metadata 1311 for the control system 101 (and/or respective regions thereof), which may comprise determining an estimated cyber-physical state 1301 of the control system 101 based on, inter alia, existing cyber-physical state metadata 111 maintained by the RS agent 110 (and/or an existing cyber-physical state 1201).”) ([RIEGER, para. 0063] “In the FIG. 2 embodiment, the cyber-physical state metadata 111 may comprise, inter alia, cyber state metadata 220. The cyber state metadata 220”) ([RIEGER, para. 0064] “The cyber state metadata 220 may comprise, define, and/or characterize any suitable aspect of cyber communication at a cyber node 124. In some embodiments, the cyber state metadata 220 may comprise statistical characteristics of cyber communication at particular cyber nodes 124, which characteristics may include, but are not limited to: communication speed, mean time delta between messages, mean message latency, number of messages per destination, number of message sources, mean message size, number of zero size messages, mean data length, maximum data length, data speed, and/or the like.”).
The same motivation to modify RIEGER with LAN as in the rejection of claim 2 applies.

Regarding claim 8, LAN-RIEGER teaches all limitations of claim 7. Furthermore, this claim recites features similar to those recited in claim 7. Therefore, claim 8 is rejected in a similar manner as in the rejection of claim 7. RIEGER further teaches “…. using at least one model, which is configured to ascertain the estimated metadata ….” ([RIEGER, para. 0285] “Determining the estimated cyber-physical state metadata 1311 may comprise using the process model(s) 1315 to determine estimated cyber state metadata 1320 from existing cyber state metadata 220, determine estimated physical state metadata 1340 from existing physical state metadata 240, and/or the like.”).
The same motivation to modify RIEGER with LAN as in the rejection of claim 2 applies.

Regarding claim 9, LAN-RIEGER teaches all limitations of claim 7. RIEGER further teaches “further comprising: comparing the estimated metadata to the metadata.” ([RIEGER, para. 0282] “The state estimator 1290 may be further configured to determine state estimation metrics 1375 for the acquired cyber-physical state metadata 1211 by, inter alia, comparing the acquired cyber-physical state metadata 1211 to the estimated cyber-physical state metadata 1311. The state estimation metrics 1375 may comprise cyber state estimation metrics 1376, which may be configured to quantify error, differences, and/or distances between acquired cyber state metadata 1220 and estimated cyber state metadata 1320. The state estimation metrics 1375 may further comprise physical state estimation metrics 1378, which be configured to quantify error, differences, and/or distances between acquired physical state metadata 1240 and estimated physical state metadata 1340.”).
The same motivation to modify RIEGER with LAN as in the rejection of claim 2 applies.

Regarding claim 10, LAN-RIEGER teaches all limitations of claim 9. RIEGER further teaches “furthermore comprising: a) influencing an operation of the system based on the comparison, and/or b) initiating an error reaction based on the comparison.” ([RIEGER, para. 0288] “The security engine 1210 may be configured to implement mitigation operations in accordance with the determined cyber and/or physical health metrics 282/284. The security engine 1210 may be configured to implement mitigation operations in response to error metrics 175 that exceed one or more error thresholds, CPSC metrics 575 that fail to satisfy one or more confidence thresholds, and so on, as disclosed herein. The security engine 1210 may be configured to detect high cyber and/or physical estimation metrics 1376/1378 (by use of one or more cyber and/or physical estimation thresholds, or the like). The security engine 1210 may be configured to implement mitigation operations in response to high cyber estimation metrics 1376, which may indicate differences between acquired cyber-state metadata 1211 and corresponding estimated cyber-physical state metadata 1376, which may be due to cyber-attack, and/or compromise of one or more cyber components 120, the CS network 122, cyber nodes 124, and/or the like. In response to detecting high cyber estimation metrics 1376, the security engine 1210 may be configured to adapt communication of subsequent state keys 160 to, inter alia, determine a source of the high cyber estimation metrics 1376, as disclosed herein (e.g., adapt communication of the subsequent state keys 160 in accordance with a cyber isolation scheme).
The security engine 1210 may be further configured to implement mitigation operations in response to cyber estimation metrics 1376, which may include, but are not limited to: generating notifications pertaining to cyber estimation metrics 1376 (e.g., the notifications identifying potential causes of the high cyber estimation metrics 1376), deactivating, isolating, and/or resetting cyber-physical components 102 associated with the high cyber estimation metrics 1376 (e.g., cyber components 120, cyber nodes 124, cyber paths 126, and/or the like), and so on.”).
The same motivation to modify RIEGER with LAN as in the rejection of claim 2 applies.

Regarding claim 14, LAN teaches all limitations of claim 1. However, LAN does not teach “further comprising at least one of the following steps: a) evaluating data of the technical system based on the ascertained metadata, b) recognizing attempted attacks or detecting an intrusion based on the ascertained metadata, c) carrying out a cloud-based intrusion detection method for the system based on the ascertained metadata, the system including at least one sensor or at least one sensor unit.”
In analogous teaching, RIEGER teaches “further comprising at least one of the following steps: a) evaluating data of the technical system based on the ascertained metadata, b) recognizing attempted attacks or detecting an intrusion based on the ascertained metadata, c) carrying out a cloud-based intrusion detection method for the system based on the ascertained metadata, the system including at least one sensor or at least one sensor unit.” ([RIEGER, para. 0288] “The security engine 1210 may be configured to implement mitigation operations in accordance with the determined cyber and/or physical health metrics 282/284. The security engine 1210 may be configured to implement mitigation operations in response to error metrics 175 that exceed one or more error thresholds, CPSC metrics 575 that fail to satisfy one or more confidence thresholds, and so on, as disclosed herein. The security engine 1210 may be configured to detect high cyber and/or physical estimation metrics 1376/1378 (by use of one or more cyber and/or physical estimation thresholds, or the like). The security engine 1210 may be configured to implement mitigation operations in response to high cyber estimation metrics 1376, which may indicate differences between acquired cyber-state metadata 1211 and corresponding estimated cyber-physical state metadata 1376, which may be due to cyber-attack, and/or compromise of one or more cyber components 120, the CS network 122, cyber nodes 124, and/or the like. In response to detecting high cyber estimation metrics 1376, the security engine 1210 may be configured to adapt communication of subsequent state keys 160 to, inter alia, determine a source of the high cyber estimation metrics 1376, as disclosed herein (e.g., adapt communication of the subsequent state keys 160 in accordance with a cyber isolation scheme).
The security engine 1210 may be further configured to implement mitigation operations in response to cyber estimation metrics 1376, which may include, but are not limited to: generating notifications pertaining to cyber estimation metrics 1376 (e.g., the notifications identifying potential causes of the high cyber estimation metrics 1376), deactivating, isolating, and/or resetting cyber-physical components 102 associated with the high cyber estimation metrics 1376 (e.g., cyber components 120, cyber nodes 124, cyber paths 126, and/or the like), and so on.”).
The same motivation to modify RIEGER with LAN as in the rejection of claim 2 applies.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over LAN-RIEGER, in view of BRANDT (US-20150067844-A1).
Regarding claim 5, LAN-RIEGER teaches all limitations of claim 2. However, LAN-RIEGER does not teach “wherein the time period is an hour or a day.”
In analogous teaching, BRANDT teaches “wherein the time period is an hour or a day.” ([BRANDT, para. 0059] “For example, if the number of network requests to the asset 720 has been monitored and learned to be about 1000 requests per hour during the past month, then a threshold can be set via the user interface that triggers an alarm or causes an automated event to occur if a deviation is detected outside of the threshold (e.g., automatically disable all network requests from the other networks 730 if the number of network requests to the asset 720 exceeds a set or determined percentage of the average daily network requests detected during the training period).”) ([BRANDT, claim 6] “The system of claim 1, wherein the first pattern of data communication comprises an average number of data packet transfers between the industrial controller and the industrial asset device during a daily range of time.”).
Thus, given the teaching of BRANDT, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a time period consisting of an hour or a day by BRANDT into the teaching of a method to ascertain information and metadata as taught by LAN-RIEGER. One of ordinary skill in the art would have been motivated to do so because BRANDT recognizes the need to improve security of network environments. ([BRANDT, para. 0007] “Even if a somewhat higher level of security is provided, parties employing sophisticated hacking techniques can often penetrate sensitive control systems, whereby access should be limited to authorized users and/or systems in order to mitigate potentially harmful consequences”) ([BRANDT, para. 0009] “Various systems and methodologies are provided to promote security across and/or within networks and in accordance with different automation device capabilities.”)


The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
BHANDARI (US-20200322353-A1): This prior art teaches analyzing packets which have traversed through compromised nodes. The method includes receiving a packet including one or more metadata elements generated based on security measurements from a plurality of nodes along a path of the packet; determining a validity of the one or more metadata elements based on a comparison of one or more values in the one or more metadata elements with one or more expected values calculated for the one or more metadata elements, one or more signatures in the one or more metadata elements, and/or timing information associated with the one or more metadata elements; and based on the one or more metadata elements, determining whether the packet traversed any compromised nodes along the path of the packet.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/AFAQ ALI/ Examiner, Art Unit 2434

/NOURA ZOUBAIR/ Primary Examiner, Art Unit 2434