Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 USC 101 because the claimed invention is directed to a judicial exception (i.e., law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Claims 1-20 recite an abstract idea of predicting the vulnerability of a building management system by analyzing the data and the historical record of data feeds.
With regards to representative Claim 1 (and similarly, Claim 16), the Claim recites:
A system for predicting the vulnerability of a building management system (BMS), the system comprising: 
one or more memory devices configured to store instructions that, when executed on one or more processors, cause the one or more processors to: 
establish a first communication link to a first data source and receive a first data using a communication module communicatively coupled to the processor, wherein the first data includes information related to at least one of a plurality of IoT-enabled devices; 
generate a historical record composed of a plurality of data feeds received from a plurality of data sources at unanticipated time intervals; and 
analyze at least one of the plurality of data feeds with at least one or more of: the first data, the historical record, and another of the plurality of data feeds to predict the vulnerability of the BMS.  
The claim limitations in the abstract idea have been highlighted in bold above; the remaining limitations are “additional elements.”
Under the Step 1 of the eligibility analysis, we determine whether the claims are directed to a statutory category by considering whether the claimed subject matter falls within the four statutory categories of patentable subject matter identified by 35 U.S.C. 101: Process, machine, manufacture, or composition of matter. The above claim is considered to be in a statutory category (machine).
Under the Step 2A, Prong One, we consider whether the claim recites a judicial exception (abstract idea). In the above claim, the underlined portion constitutes an abstract idea because, under a broadest reasonable interpretation, it recites limitations that fall into/recite an abstract idea exception. Specifically, under the 2019 Revised Patent Subject Matter Eligibility Guidance, it falls into the grouping of subject matter that, when recited as such in a claim limitation, covers mental processes – concepts performed in the human mind including an observation, evaluation, judgement, and/or opinion.
For example, the steps of: 
“predicting the vulnerability of a building management system (BMS)”;
“analyze at least one of the plurality of data feeds with at least one or more of: the first data, the historical record, and another of the plurality of data feeds to predict the vulnerability of the BMS”; and
“generate a historical record composed of a plurality of data feeds received from a plurality of data sources at unanticipated time intervals”
are treated as belonging to mental processes – concepts performed in the human mind including an observation, evaluation, judgement, and/or opinion. This mental step represents a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. In the context of this claim, it encompasses the user manually analyzing the data feeds to predict the vulnerability of the BMS.
Additionally, the abstract idea (the limitations highlighted above) is considered as falling into the groupings of organizing human activity – fundamental economic principles or practices (including assessing risk). Such organizing human activity comprises, for example, activity of assessing risk of a vulnerability of the building management system (BMS) due to the IoT-enabled device fault.
Similar limitations comprise the abstract ideas of Claim 16.
Next, under the Step 2A, Prong Two, we consider whether the claim that recites a judicial exception is integrated into a practical application.
In this step, we evaluate whether the claim recites additional elements that integrate the exception into a practical application of that exception.
The additional elements in Claim 1 of “memory device”, “processor”, “communication link”, “data source”, “communication module”, “IoT-enabled device”, and “unanticipated time interval”, and the additional elements in Claim 16 of “location coordinates”, “application software details”, and “remote controller”, do not qualify as meaningful limitations because they only generally link the use of the judicial exception to a particular technological environment or field of use. The additional limitations of “first data”, “historical record”, “data feed”, and “outlier data” represent mere data gathering steps necessary to execute the abstract idea and only add insignificant extra-solution activity to the judicial exception; they are recited in generality and are not meaningful. They represent extra-solution activity to the judicial exception according to MPEP 2106.05(g)(3):
(3) Whether the limitation amounts to necessary data gathering and outputting, (i.e., all uses of the recited judicial exception require such data gathering or data output). See Mayo, 566 U.S. at 79, 101 USPQ2d at 1968; OIP Techs., Inc. v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1092-93 (Fed. Cir. 2015) (presenting offers and gathering statistics amounted to mere data gathering). This is considered in Step 2A Prong Two and Step 2B.
According to the October 2019 update, the above steps are “performed in order to gather data for the mental analysis step, and is a necessary precursor for all uses of the recited exception. It is thus extra-solution activity, and does not integrate the judicial exception into a practical application”.
Therefore, the claims are directed to a judicial exception and require further analysis under the Step 2B.
Step 2B of the 2019 Guidance requires the examiner to determine whether the additional elements cause the claim to amount to significantly more than the abstract idea itself. The considerations for this particular claim are essentially the same as the considerations for Prong 2 of Step 2A, and the same analysis leads to the conclusion that the claim does not amount to significantly more than the abstract idea.
However, the above claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception (Step 2B analysis) because these additional elements are recited in extreme generality.
Therefore, claims 1 and 16 are rejected under 35 U.S.C. 101 as directed to an abstract idea without significantly more.
The independent claims, therefore, are not patent eligible.
With regards to the dependent claims, Claims 2-15 and 17-20 provide additional features/steps which are either part of an expanded abstract idea of the independent claims (additionally comprising mental/organizing human activity process steps (Claims 2-9, 11-14)) or add additional elements/steps that are not meaningful, as they are recited in generality and/or do not qualify as a particular machine and/or an eligible transformation and, therefore, do not reflect a practical application and do not qualify as “significantly more” based on the prior art of record (Claim 10 – remote computer system; Claims 15, 17-20 – notification signal).
In conclusion, dependent claims 2-17 and 19 are not eligible for substantially similar reasons as discussed with regards to Claim 1.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims are rejected under 35 U.S.C. 103 as being unpatentable over US20120259583 to Noboa et al. (hereinafter Noboa) in view of US20180253569 to Swierk et al. (hereinafter Swierk).

Regarding Claim 1:  Noboa discloses:
“A system for predicting the vulnerability of a building management system (BMS)” (Abstract; para 0060 – “the statistical fault detection module 412 and the automated diagnostics module 414 to identify and diagnose unstable control issues… predictive detection and diagnostics (i.e. predicting the vulnerability, added by examiner) (e.g., to determine rule thresholds, to provide for continuous monitoring and diagnostics of building equipment).”), the system comprising:
“one or more memory devices configured to store instructions that, when executed on one or more processors, cause the one or more processors to:” (para 0034)
“establish a first communication link to a first data source and receive a first data using a communication module communicatively coupled to the processor” (para 0033, para 0035)
“generate a historical record composed of a plurality of data feeds received from a plurality of data sources” (Fig. 4; para 0055 – “The FDD layer 114 may be configured to use statistical analysis of near real-time or historical building subsystem data to rapidly identify faults in equipment operation.”; para 0062 – “The FDD layer 114 may be configured to maintain detailed historical databases (e.g., relational databases, XML databases, etc.) of relevant data and includes computer code modules that continuously, frequently, or infrequently query, aggregate, transform, search, or otherwise process the data maintained in the detailed databases.”) “at unanticipated time intervals” (para 0141 – “the performance values may be collected at equally spaced time intervals (e.g., every fifteen minutes) during a monitored period (e.g., one day). The performance values may also be collected at the same times during every monitored period (i.e. at unanticipated time intervals, added by examiner). For example, performance values for seven days may be collected in fifteen minute intervals—every day at 6:00 AM, 6:15 AM, etc.”; para 0147); and
“analyze at least one of the plurality of data feeds with at least one or more of: the first data, the historical record, and another of the plurality of data feeds to predict the vulnerability of the BMS” (para 0045 – “inputs from a video security subsystem may be analyzed by a control algorithm of the integrated control layer 116 to make a determination regarding occupancy of a building space. Using the determination, the control algorithm may turn off the lights, adjust HVAC set points, power-down ICT devices serving the space, reduce ventilation, and the like, enabling energy savings with an acceptable loss of comfort to occupants of the building space.”; para 0056, 0057).
Noboa is silent on:
“wherein the first data includes information related to at least one of a plurality of IoT-enabled devices”.
However, Swierk discloses:
“wherein the first data includes information related to at least one of a plurality of IoT-enabled devices” (Fig. 1; para 0022; 0030; 0034).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices.

Regarding Claim 2: Noboa/Swierk combination discloses the system of claim 1.
Noboa is silent on:
“wherein the information contained in the first data comprises a layout having at least one or more of location information and application software details corresponding to at least one of the plurality of IoT-enabled devices”.
However, Swierk discloses:
“wherein the information contained in the first data comprises a layout having at least one or more of location information and application software details corresponding to at least one of the plurality of IoT-enabled devices” (para 0035 – “gateway(s) 103 may also be in communication with cloud or remote server(s) 105, which can then provide services such as IT system data integration 106A, big data analytics 106B, and visualization and reporting 106N. For example, cloud or remote server(s) may be provided or operated by a third-party remotely located with respect to the premises where the IoT device(s) 101 and gateway(s) 103 are deployed”; para 0115).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa/Swierk combination, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices.

Regarding Claim 3: Noboa/Swierk combination discloses the system of claim 1.
Noboa is silent on:
“wherein the plurality of data sources comprises at least one or more of: at least one of a plurality of IoT-enabled devices, at least one of a plurality of remote data sources, and at least one of a plurality of remote controllers”.
However, Swierk discloses:
“wherein the plurality of data sources comprises at least one or more of: at least one of a plurality of IoT-enabled devices, at least one of a plurality of remote data sources, and at least one of a plurality of remote controllers” (para 0035).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa/Swierk combination, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices.

Regarding Claim 4: Noboa/Swierk combination discloses the system of claim 1.
Noboa is silent on:
“wherein the plurality of data feeds comprises: a second data received from at least one of the IoT-enabled devices comprising at least one or more of: current software version information, open port information, anomalous behavior information, health information, and information pertaining to one or more control signals generated by at least one of the IoT-enabled devices”.
However, Swierk discloses:
“wherein the plurality of data feeds comprises: a second data received from at least one of the IoT-enabled devices comprising at least one or more of: current software version information, open port information, anomalous behavior information, health information, and information pertaining to one or more control signals generated by at least one of the IoT-enabled devices” (para 0095 (anomalous behavior information), 0104, 0061 (control signal)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa/Swierk combination, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices.

Regarding Claim 5: Noboa/Swierk combination discloses the system of claim 1.
Noboa is silent on:
“wherein the plurality of data feeds comprises: a third data received from at least one of a plurality of remote data sources comprising at least one or more of: information corresponding to one or more parameters populated with the second data, and threat information pertaining to one or more of the IoT-enabled devices”.
However, Swierk discloses:
“wherein the plurality of data feeds comprises: a third data received from at least one of a plurality of remote data sources comprising at least one or more of: information corresponding to one or more parameters populated with the second data, and threat information pertaining to one or more of the IoT-enabled devices” (para 0115 – “IoT gateway manufacturers may provide a rugged enclosure chassis for installing gateways in harsher or environments needing more security and protection. Moreover, support may be built-in for intrusion detection (i.e. threat information, added by examiner) which can be reported/alerted to the gateway's management system.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa/Swierk combination, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices.

Regarding Claim 6: Noboa/Swierk combination discloses the system of claim 1.
Noboa is silent on:
“wherein the plurality of data feeds comprises: an outlier data received from at least one of the plurality of remote controllers wherein the outlier data is data signifying an unexpected outcome based on the data being beyond a desirable range for a given IoT-enabled device”
However, Swierk discloses:
“wherein the plurality of data feeds comprises: an outlier data received from at least one of the plurality of remote controllers wherein the outlier data is data signifying an unexpected outcome based on the data being beyond a desirable range for a given IoT-enabled device” (Fig. 5, steps 503 – 507; para 0095 – anomalous behavior, i.e. outlier data with unexpected outcome; para 0128).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa/Swierk combination, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices.

Regarding Claim 7: Noboa/Swierk combination discloses the system of claim 1.
Noboa further discloses:
“wherein at least one of the plurality of unanticipated time intervals periodically change” (Fig. 18; para 0172 – greater or fewer monitoring periods, i.e. unanticipated time intervals; para 0187).

Regarding Claim 8: Noboa/Swierk combination discloses the system of claim 1.
Noboa further discloses:
“wherein the plurality of unanticipated time intervals are the same” (para 0141 – “the performance values may be collected at equally spaced time intervals (e.g., every fifteen minutes) during a monitored period (e.g., one day). The performance values may also be collected at the same times during every monitored period (i.e. at unanticipated time intervals, added by examiner). For example, performance values for seven days may be collected in fifteen minute intervals—every day at 6:00 AM, 6:15 AM, etc.”).

Regarding Claim 9: Noboa/Swierk combination discloses the system of claim 1.
Noboa is silent on:
“wherein at least one of the data feeds is analyzed using artificial intelligence”.
However, Swierk discloses:
“wherein at least one of the data feeds is analyzed using artificial intelligence” (para 0043 – “one or more of CPU(s) 201 may include a Graphics Processing Unit (GPU), field programmable gate array (FPGA), or other suitable integrated component that is specifically used to perform analytics (e.g., machine learning (i.e. artificial intelligence, added by examiner))”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system for predicting the vulnerability of a building management system, disclosed by Noboa/Swierk combination, as taught by Swierk, in order to ensure the timely reaction to the detection of the vulnerability utilizing the Internet connection of IoT devices and artificial intelligence, which improves the analysis and makes the system vulnerability detection more reliable.

Regarding Claim 10: Noboa/Swierk combination discloses the system of claim 1.
Regarding the limitation “wherein to predict the vulnerability of BMS the system is further configured to: send the first data and at least one of the plurality of data feeds to a remote computing system; and receive a vulnerability determination from the remote computing system”: it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use a remote system to obtain the independent confirmation of the reliability determination.

Regarding Claim 11: Noboa/Swierk combination discloses the system of claim 10.
Noboa further discloses:
“wherein the vulnerability determination includes a vulnerability prediction” (para 0060 – “The FDD layer 114 may also or alternatively be configured for rule-based predictive detection and diagnostics (e.g., to determine rule thresholds, to provide for continuous monitoring and diagnostics of building equipment).”).

Regarding Claim 12: Noboa/Swierk combination discloses the system of claim 1.
Regarding the limitation “wherein to predict the vulnerability of BMS the system is further configured to determine the vulnerability of at least one IoT-enabled device and generate a vulnerability detection signal wherein the vulnerability detection signal comprises location information of the vulnerable IoT-enabled device”: it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to communicate the vulnerability existence by sending a signal about it and specifying the location of the vulnerable IoT device, so it can be easily identified.

Regarding Claim 13: Noboa/Swierk combination discloses the system of claim 1.
Regarding the limitation “wherein to predict the vulnerability of BMS the system is further configured to predict the vulnerability of at least one IoT-enabled device and generate a prediction signal wherein the prediction signal comprises location information of the vulnerable IoT-enabled device”: it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to communicate the vulnerability prediction based on the vulnerability existence by sending a signal about it and specifying the location of the vulnerable IoT device, so it can be easily identified.

Regarding Claim 14: Noboa/Swierk combination discloses the system of claim 1.
Regarding the limitation “wherein to predict the vulnerability of BMS the system is further configured to: determine the vulnerability of at least one IoT-enabled device and generate a vulnerability detection signal wherein the vulnerability detection signal comprises location information of the vulnerable IoT-enabled device; and predict the vulnerability of at least one IoT-enabled device and generate a prediction signal wherein the prediction signal comprises location information of the vulnerable IoT-enabled device” – see the rejection for Claims 12 and 13.

Regarding Claim 15: Noboa/Swierk combination discloses the system of claim 1.
Regarding the limitation “wherein the one or more memory devices are further configured to store instructions that, when executed on one or more processors, cause the one or more processors to: generate a vulnerability detection signal in response to determining the vulnerability of the BMS; initiate a vulnerability response unit communicatively coupled with one or more of the processors, the vulnerability response unit configured to: generate a first notification signal after receiving the vulnerability detection signal, wherein the first notification signal provides at least one or more of: an audio, visual, and textual based alert to an operator indicating the location coordinates of the IoT-enabled device that is vulnerable; and generate a second notification signal after receiving the prediction signal, wherein the second notification signal is configured to provide at least one or more of: an audio, visual, or textual alert to an operator indicating the location coordinates of the IoT-enabled device that is predicted to be vulnerable”: see the rejections for Claims 1, 12, and 13.

With regards to Claims 16, 19, and 20, Noboa/Swierk combination discloses the claimed limitations as disclosed with regards to Claim 1.

Regarding Claim 17: Noboa/Swierk combination discloses the method of claim 16.
Regarding the limitation: “generating a first notification signal after receiving the vulnerability detection signal, wherein the first notification signal provides at least one or more of: audio, visual, and textual based alerts to an operator indicating the location of the IoT-enabled device that is vulnerable; and generating a second notification signal after receiving the prediction signal, wherein the second notification signal is enabled to provide at least one or more of: audio, visual, and textual based alerts to the operator indicating the location of the IoT-enabled device predicted to be vulnerable”: it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to issue a notification signal in the form of an audio, visual, or textual alert to get the operator’s attention quickly and efficiently and be notified about the vulnerability of the particular IoT object specifically and in time.

Regarding Claim 18: Noboa/Swierk combination discloses the method of claim 16.
Regarding the limitation: “wherein establishing the second, third, and fourth communication links comprises: generating an output signal having a constant frequency and a constant duty cycle; randomly selecting a duty cycle of the output signal to generate a trigger signal, and establishing at least one or more of: the first, second, third, and fourth communication links using the communication module after generation of the trigger signal”: it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to generate an output signal having a constant frequency and a constant duty cycle to ensure the stability of the signal, which will ensure that the signal reaches the operator in time and the system will be notified about the vulnerability appropriately.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US-20180102958-A1 to Guthrie et al. (hereinafter Guthrie) discloses a performance assessment device for evaluating a building management system.
US-20180102954-A1 to Schubert et al. (hereinafter Schubert) discloses a performance assessment device for evaluating a performance of a building management system.
US-20190238584-A1 to Somasundaram et al. (hereinafter Somasundaram) discloses system, method and apparatus for vulnerability management for connected devices on a network.
US-20200081870-A1 to McCoy et al. (hereinafter McCoy) discloses method and system for managing distributed ledgers in a system of interconnected devices.
US-20200396244-A1 to Paturi et al. (hereinafter Paturi) discloses an apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Lyudmila Zaykova-Feldman whose telephone number is (469)295-9269. The examiner can normally be reached 8:30am - 5:30pm, Monday through Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arleen M. Vazquez can be reached on 571-272-2619. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LYUDMILA ZAYKOVA-FELDMAN/ Examiner, Art Unit 2865
/ALEXANDER SATANOVSKY/ Primary Examiner, Art Unit 2863