DETAILED ACTION
This office action is in response to the amendment of September 7, 2022. 
Claims 1-20 are pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments, see remarks, filed September 7, 2022, with respect to the rejection(s) of claim(s) 1-20 under §103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of prior art as applied below. 





Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-7,9,10, 12,14 -20 are rejected under 35 U.S.C. 103 as being unpatentable over “Park” (US Patent 10,250,619) in view of “Njemanze” (US Patent 7219239) and further in view of “Chittigala” (US PG Pub 2012/0254607) and further in view of “Khanolkar” (US PG Pub 2007/0234426). 

Regading Claim 1, Park teaches: 
1. An electronic device, comprising: an embedded computer, comprising one or more processors configured to: receive one or more security event messages from a security appliance, the one or more security event messages each indicating a security event associated with a protected component; (See e.g. 210, Fig. 5, monitoring protected system for event messages e.g. Col. 12, Ln 15-47, see further embedded security devices in Col 14 Ln 30-65). 
determine one or more presentation or control actions to be performed based upon the customized severity characterization;(See 230-250 fig. 5, Col. 12, Ln 48 to Col. 13 Ln 47 describing identifying notification and correction steps to take in response to security events detected)
 and perform the one or more presentation or control actions.  (See 230-250 fig. 5, Col. 12, Ln 48 to Col. 13 Ln 47 describing completing notification and correction steps to take in response to security events detected)

Park does not explicitly teach, but Njemanze teaches: 
identify a customized severity characterization of the one or more security event messages; (Col. 15, Ln 26-60 “The translator 216 can also perform other functions, such as value scaling.  For example, if Value 2 represented the seriousness of the security event as determined by the network device, this seriousness may be on a different scale than the one used by the uniform schema 218.  In one embodiment, the uniform schema 218 uses four severity levels: low, medium, 
high, and very high. Thus, if the scale used by the network device has eight levels, one possible severity mapping would map severity level 1 2 to low, 3 4 to medium, and so on.  However, other mappings may be more appropriate depending on the network device.  For example, if a network device overrates the seriousness of events as compared to other heterogeneous network devices, its reported severity may be mapped to lower severity levels to normalize the severities in relation to these other network devices. Furthermore, map 214 can also map one value to any number of fields.  This is demonstrated in FIG. 7 by Value 3 being used to populate both Field 1 and Field 5.  For example, the seriousness of the security event can be mapped through a translator 216 that performs the severity mapping, and can also mapped unaltered, that is as originally reported by the network device, to another field to preserve all the values contained in the security event.”)

In addition, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Park and those of Njemanze as each is directed to cyber security event management and Njemanze recognized that “If intrusions can be detected and the appropriate personnel notified 
in a prompt fashion, measures can be taken to avoid compromises to the 
protected system” and provides methods including severity translation to carryout such notification and correction. (Col. 2, Ln1-13). 

Park et al do not explicitly teach, but Gebhart teaches:
 based at least in part upon an indication of a type of program logging the one or more security event messages;  (See Chittigala ¶21 “…adjusted by setting definitions for critical versus non-critical messages, such as based upon the type of application associated with the message.”) 
In addition, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Park with those of Chittigala as each is directed to networked systems including prioritization methods for methods therein and Chittigala teaches a method including prioritizing based on the associated type of application to allow for differentiating between “critical versus non-critical messages” (¶21) in the application of limited resources, such as those in Park’s system. 
Park et al further do not teach, but Khanolkar teaches: 
identify, from a code in the one or more security event messages, an indication of type of program logging the one or more security event message; (See Khanolkar e.g. ¶¶32-34, 45 describing receiving syslog messages identifying security events including codes identifying the application, and further see e.g. ¶¶67-68 teaching filtering and identifying this information based on application type) 
In addition, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Park with those of Khanolkar as each is directed to security message processing and Khanolkar recognized (¶4) “What is needed is a system to process and organize network intrusion events and log data from a number of network systems and provide them to a user in an interface that summarizes them, yet has links to more detailed information, that provides for real time notice and communications regarding current events, and that allows for the compilation and recalling of past log data and intrusion events for detection of patterns of activity for later use and consultation.” 


Regarding the dependent claims, Park and Njemanze further teach: 

2. The electronic device of claim 1, wherein the customized severity characterization is determined by executing a mapping script that maps one or more characteristics of the one or more security event messages received by the security appliance to a particular customized severity characterization expected by the embedded computer.  (Njemanze Col. 15, Ln 26-60 above).


3. The electronic device of claim 2, wherein the one or more characteristics of the one or more security event messages received by the security appliance comprises a first severity level and the particular customized severity characterization expected by the embedded computer is a second severity level.  (Njemanze Col. 15, Ln 26-60 above).

4. The electronic device of claim 2, wherein the one or more processors of the embedded computer are configured to execute the mapping script.  (Njemanze Col. 15, Ln 26-60 above).

5. The electronic device of claim 2, wherein the customized severity characterization is received from the security appliance.  (Njemanze Col. 15, Ln 26-60 above).

6. The electronic device of claim 1, comprising a display, wherein the one or more presentation or control actions comprises:  21UNIV:0283 311993-2 presenting, via a graphical user interface (GUI) on the display, one or more alarm banners associated with the one or more security event messages, the one or more alarm banners displayed based upon the customized severity characterization; or presenting, via a stack light, one or more visual alarm indications associated with the one or more security event messages, the one or more visual alarm indications based upon the customized severity characterization; or both.  (See visual display of alerts ot the user in Col. 13, Ln4-17 of Park).

7. The electronic device of claim 1, wherein the one or more presentation or control actions comprises modifying an operational status of the protected component.  (See Park Col. 19, Ln17-38 describing reseting the system device in a corrective action in response to a security event). 


9. The electronic device of claim 1, wherein the one or more security event messages comprise a message generated in accordance with a Syslog standard for message logging.  (See Park Col. 20, Ln 27-29 syslog formatted event messages). 

10. The electronic device of claim 1, comprising: one or more input/output (I/O) devices configured to receive one or more I/O commands from an operator of the electronic device, or provide one or more output indications to the operator, or both; and a programmable logic controller (PLC) configured to: receive I/O data indicative of the one or more I/O commands, and implement the one or more I/O commands; or receive the one or more output indications, and present the one or more output indications via the one or more I/O devices; or both.  (See use of PLC in e.g. Park Col. 6, Ln 55-60, including processing I/O of commands in the security system). 



12. The electronic device of claim 10, wherein the embedded computer is configured to: determine when a continuously changing state of a variable of the PLC is not detected at the embedded computer within a threshold amount of time; (See Park Col. 47 Ln 26-53 checking periodic heartbeat signals as an indication of cybersecurity state) and providing a fault in response to not detecting the continuously changing variable state within the threshold amount of time, the fault indicating a malfunction of the embedded computer.  (See Park Col. 47 Ln 26-53 checking periodic heartbeat signals as an indication of cybersecurity state – used to detect failure state when not detected within a set period of time)

14. The electronic device of claim 10, wherein the one or more I/O devices comprise a reset switch that, when set to a reset mode, causes the embedded computer to power down, or reboot, or both.(See e.g. Park Col. 19, Ln 35-40 corrective actions include reseting the system state, further Col. 29, Ln34-48 discussing corrective actions like restarting the system, reloading the security device etc; and e.g. Col. 42, 16-30 describing resetting a valve switch in the system in response to fault)


Claims 15-18 are rejected on the same basis as claims 1, 2, 6, and 12 respectively above. 
Claims 19 and 20 are rejected on the same basis as claims 1 and 6 respectively above. 








Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over “Park” (US Patent 10,250,619) , “Njemanze” (US Patent 7219239), “Chittigala” (US PG Pub 2012/0254607) and “Khanolkar” (US PG Pub 2007/0234426) as applied above and further in view of “Harhi” (US PG Publication 2015/0039758).

Regarding Claim 8, Park et al taught the limtiations of claim 7 above but does not further teach, while Harthi teaches: 
8. The electronic device of claim 7, wherein the protected component comprises an amusement attraction.  (See Harhi e.g. ¶10 “Aspects relate to an adverse event reporting system.  In one embodiment, the system may comprise a server or other processing device with a memory and a processor.  The server or other processing device may be configured to receive an indication that a user experienced an adverse event with respect to one of several of remote devices.  At least some of the devices may be amusement devices, such as arcade games.  In another embodiment, the devices may comprise reservations kiosks, portable devices, mechanical entertainment devices, or a combination thereof.  As used herein, "an adverse event" refers to the reduced enjoyment of an intended user due to a malfunction that diminishes the intended functionality of the device.  In one embodiment, visual indicia may be placed directly one or in close proximity to a remote device, such that a consumer may view the indicia when in proximity of device.  The indicia may provide a unique identifier that is unique with respect to a first device among a plurality of other remote devices.  The unique identification may be unique for reporting an adverse event of the device.  In yet another embodiment, the unique identification is specific to a type of adverse event.”) 
In addition it would have been obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Park and Harhi as each is directed to reporting of adverse events and Harhi recognized “there exists a need for improved systems and methods for reporting and addressing adverse events experienced at remote devices.” (¶8). 




Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over “Park” (US Patent 10,250,619) in view of “Njemanze” (US Patent 7219239) and “Chittigala” (US PG Pub 2012/0254607) as applied above and further in view of “Miller” (US PG Pub 2010/0128432)
Regarding Claim 11, Park et al taught the limtiations of claim  10 above but does not further teach, while Miller teaches: 
11. The electronic device of claim 10, wherein the one or more I/O devices comprise a set of one or more lights that provide an indication of the customized severity characterization; wherein the set of one or more lights comprises a fault light-emitting diode (LED) that selectively indicates a critical severity security event when in a first state and a medium severity security event when in a second state; (See Miller ¶128 “FIG. 29c depicts an exemplary information indicator display format.  
Information indicators may be utilized to display alerts.  Different patterns 
or formats of alerts may be utilized to indicate different classes or levels of 
alerts.  For example, a first color may indicate an error condition, a second 
color may indicate a warning and a third color may indicate a notice.  A user 
may utilize a monitor associated with the computing platform for more detail.  
A user may also be able to address a condition by taking one or more actions 
such as rebooting.  Referring again to FIG. 28, a virtualization management 
system may monitor one or more virtualization platform statuses and may utilize 
proxy 2730 to manipulate one or more of RGB LEDs 2860 to provide status 
indicators, warnings, errors, notices, alerts, and/or options.  In some 
embodiments, a brightness or a speed of flashing or scrolling may indicate a 
level of severity of an alert, error, and/or warning.  Other patterns may be 
utilized.”) 
and wherein the set of one or more lights comprises a health light-emitting diode (LED) that indicates whether all expected interfaces are communicatively coupled to the electronic device.  (Miller see ¶128 above and further ¶131 “FIG. 32 depicts exemplary information indicators associated with network 
ports.  In some embodiments, one or more information indicators, such as RGB 
LEDs, may be associated with a network port.  Information indicators may enable 
a clear indication of a VLAN a port is associated with, a subnet a port is 
associated with or other attributes.”)

In addition it would have been obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Park and Miller  recognized use of  Miller’s LEDs provide notification to users that, for example, “…may also occur based on events such as a hung virtual machine and/or a security violation (e.g., a user attempts to gain root access to a console).” (¶62). 


Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over “Park” (US Patent 10,250,619) in view of “Njemanze” (US Patent 7219239) and “Chittigala” (US PG Pub 2012/0254607) as applied above and further in view of Chauvet (US PG Publication 2018/0316729). 

Regarding Claim 13, Park further teaches: 
13. The electronic device of claim 10, wherein the one or more I/O devices comprise a run/bypass switch that: when in a run mode, causes logging and presentation of one or more alarm banners associated with the one or more security event messages and causes presentation of one or more alarms associated with the one or more security event messages, as they are received; (See e.g. 210-250, Fig. 5, monitoring protected system for event messages e.g. Col. 12, Ln 15-47 including configurable notifications 240, and logging in e.g. See Park Col. 20, Ln 27-29 syslog formatted event messages). 

causes logging and presentation of the one or more alarm banners associated with the one or more security event messages, and causes refrain from presentation of the one or more alarms associated with the one or more security event messages, as they are received.  (See e.g. 210-250, Fig. 5, monitoring protected system for event messages e.g. Col. 12, Ln 15-47 including configurable notifications 240, and logging in e.g. See Park Col. 20, Ln 27-29 syslog formatted event messages). 



Park et al taught the limitations of claim 10 above but does not further teach, while
and when in a bypass mode, (Chauvet ¶189 “Similarly, the network orchestration component can cause the network controller to switch off the impacted router and/or switch ports so that traffic can bypass the impacted router and/or switch ports when flowing through the network.  In alternative embodiments, a cyber security event response 1928B including the device and/or network response can be provided to the SDA orchestration component 1916.  The SDA orchestration component 1916 can then parse the cyber security response 1928B and provide the cyber security device response 1932B to the fog orchestration component 1924 and/or the cyber security network response 1930 to the network orchestration component 1922.”)

In addition it would have been obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Park and Chauvet as each is directed to cybersecurity event logging and response and Chauvet teaches a system that “can determine the response measures (or cyber security event response 1928B) needed to mitigate the cyber security event and provide relevant network response measures.” (¶189). 



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The Prior art cited in the attached PTO-892 form includes additional prior art relevant to the logging and response to cybersecurity events. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW J BROPHY whose telephone number is (571)270-1642. The examiner can normally be reached Monday-Friday, 9am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Zhen can be reached on 571-272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



MJB
9/22/2022

/MATTHEW J BROPHY/Primary Examiner, Art Unit 2191