DETAILED ACTION
The following claims are pending in this office action: 1-24
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 03/22/2021 are accepted.  
Claim Objections
Claims 1-23 are objected to because of the following informalities:
Claims 1, 12-13, 16-17, 20, and 23 recite the limitation “a normal state and/or nominal state” (claim 1, ln. 13; claim 12, ln. 5; claim 13, ln. 6; claim 16, ln. 2; claim 16, ln. 5; claim 17, ln. 3; claim 20, ln. 4-5; and claim 23, ln. 17-18).  If the limitation is intended to refer to the prior instance of “a normal state and/or nominal state” (claim 1, ln. 9; and claim 19, ln. 7), examiner suggests “the normal state and/or nominal state”.
Claim 16 recites the limitation “a summary statistics of the signal” (claim 16, ln. 2-3).  If the limitation is intended to refer to the prior instance of “a summary statistics of the signal” (claim 1, ln. 6), examiner suggests “the summary statistics of the signal”.
Claim 17 recites the limitation “a result of checking” (claim 17, ln. 2). It is unclear whether applicant intends to refer to “a result of checking” (claim 1, ln. 12).  If the limitation is intended to refer to the corresponding element, examiner suggests “the result of checking”.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

Claims 19-23 invoke 112(f).  The following is a list of non-structural generic placeholders that may invoke 35 U.S.C. 112(f): "mechanism for," "module for," "device for," "unit for," "component for," "element for," "member for," "apparatus for," "machine for," or "system for." See MPEP 2181 Sec. I.  The claim limitations use the generic placeholders "unit" and "module".
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder (unit and module) that is coupled with functional language (for forming, adapted to test, configured to evaluate, and suitable for carrying) without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations include: a compression unit for forming (claim 19); a test unit adapted to test (claim 19); an evaluation unit configured to evaluate (claim 20); and module suitable for carrying (claim 23).
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.  Para. 0067 of the application’s written description clarifies that the module is an FPGA or functional equivalent (i.e. a processor/computer).  However, nowhere does the specification describe the corresponding structure of “a compression unit”, “a test unit”, or “an evaluation unit”.  For “compression unit”, see para. 0042, para. 0069, para. 0071.  For “test unit”, see para. 0042, para. 0045, para. 0070 and para. 0071.  For “evaluation unit”, see para. 0045 and para. 0071.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.


Claims 19-23 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  In particular, the specifications lack written description for the algorithms performed by the computer implemented “compression unit”, “a test unit”, and “an evaluation unit”.  For compression unit, see para. 0042, para. 0069, para. 0071.  For “test unit”, see para. 0042, para. 0045, para. 0070 and para. 0071.  For “evaluation unit”, see para. 0045 and para. 0071.  When a claim containing a computer-implemented 35 U.S.C. 112(f) claim limitation is found to … [fail] to disclose sufficient corresponding structure (e.g., the computer and the algorithm) in the specification that performs the entire claimed function, it will … lack written description under 35 U.S.C. 112(a).  See 2181, Section II.B.  
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-23 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-23 recite the limitation “the operating state” (claim 1, ln. 1; and claim 19, ln. 1).  There is insufficient antecedent basis for this limitation in the claim.  Examiner suggests replacing “the operating state” with “an operating state”.
Claim 14 recites the limitation “the location” (claim 14, ln. 5).  There is insufficient antecedent basis for this limitation in the claim.  Examiner suggests replacing “the location” with “a location”.  
Claim 17 recites the limitation “the system state” (claim 17, ln. 5).  There is insufficient antecedent basis for this limitation in the claim.  Examiner suggests replacing “the system state” with “a system state”.  
With respect to claims 19-23, the claim limitations a compression unit for forming (claim 19); a test unit adapted to test (claim 19); and an evaluation unit configured to evaluate (claim 20) invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is silent as to the corresponding structure of each of the units recited in the claims.  Therefore, claims 19-23 are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.


Claim 23 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 23 refers to “a hardware module according to claim 19 and/or … with an FPGA module … in such a way that it is programmable to become said hardware module, or another module suitable for carrying out the method of claim 1”.  This is not acceptable multiple dependent claim wording.  See MPEP 608.01(n) Section I.B.1, example 5 (“A gadget as in claims 1, 2, 3, 4 and/or 5, in which…” is an improper multiple dependent claim). Applicant may cancel the claim, amend the claim to place the claim in proper dependent form, rewrite the claim in independent form, or present a sufficient showing that the dependent claim complies with the statutory requirements.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 24 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claim 24 does not fall within at least one of the four categories of patent eligible subject matter because, using the broadest reasonable interpretation, the claim is directed to software or signals per se.  Claim 24 recites a computer program, comprising machine-readable instruction.  Although the computer program may be executed on one or more computers, what is claimed is merely the “computer program” and does not include the one or more computers.  The examiner suggests that applicant replace “computer program” in claim 24 with: “a non-transitory computer readable storage medium” or memory and a processor.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claim 19 is rejected under 35 USC § 102(a)(1) as being anticipated by Harris et al. (US Pub. 2018/0332064) (hereinafter “Harris”). 

	As per claim 19, Harris teaches a hardware module for monitoring the operating state of a computer system and/or control system, comprising: ([Harris, para. 0063] “Cybersecurity system 110 monitors activity by the plurality of monitored devices 102”; [para. 0034] “cybersecurity system 110 may be composed of one or more discrete computing devices [a hardware module]”)
	a signal interface for detecting at least one time-variable signal of the computer system and/or control system; ([Harris, para. 0058] “network activity data capture device(s) 104 [a signal interface] may include one or more computing devices that are syslog servers that collect [detecting] any syslog data [at least one time-variable signal] from any of the plurality of monitored devices 102 [computer system and/or control system]”; [para. 0060] the syslog message includes a timestamp, making the data time variable; [para. 0065] the monitored devices messages sent are signals)
	a compression unit for forming summary statistics on the signal, and; ([Harris, para. 0135] “in an operation 822, data [events including syslog data – see para. 0090-0091, and Fig. 8] is summarized over a predefined time period … to create record summary data [summary statistics of the signal]; [Para. 0111] example operations associated with ESP application 508 are described [a compression unit])
a test unit adapted to test the extent to which the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system; ([Harris, para. 0282] “concatenated summary data 536 is computed from … record summary data … to achieve a composite risk score across….data sets”; [para. 0117] “The risk value may be a numeric value used to differentiate the risk of the associated IP address from low (10) to high (100)” [to what extent]; [para. 0278] “The alert threshold may be defined as a percent and may be used to identify when network activity at a source IP address is sufficiently anomalous [in accordance with a normal state]”; [para. 0321] “a determination [checking] is made concerning whether or not the risk score is greater than the alert threshold [in accordance with a normal state]”; [Para. 0262] the determination is associated with analytic computation application 514 [a test unit]) 
	a service interface different from the signal interface, which is designed to transmit the summary statistics, and/or a characteristic variable characterizing these summary statistics, ([Harris, para. 0405] “a GUI 1800 presented under control of web server application 520 [a service interface different from the signal interface] includes… selection of risk analysis tab 1804 provides [transmitting] the user of system user device 300 [an external server: see para. 0070 – “System user device is an … server computer” and para. 0078 – “Fig. 4 shows a representation of cybersystem 110 in a single device” and system user device 300 is external to that device] with detailed data, such as a composite risk score, an organizational context, a behavioral profile, correlations with existing security event logs, and network flow device interactions for investigating a single identified risk event [summary statistics, and/or at least one parameter characterizing said summary statistics]) to an external server; ([Fig. 4, para. 0083] “data and messages yet further may be transferred between cybersecurity system 110 [hardware module] and system user device 300 [to an external server]”)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-7, 11-13, 16, 18, 20-21, and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Harris et al. (US Pub. 2018/0332064) (hereinafter “Harris”) in view of De Knijf et al. (US Pub. 2018/0191746) (hereinafter “Knijf”).

As per claim 1, Harris teaches a method for monitoring the operational status of a computer system and/or control system comprising the steps: ([Harris, para. 0063] “Cybersecurity system 110 monitors activity by the plurality of monitored devices 102”) detecting at least one time-variable signal in the computer system and/or control system ([para. 0058] “network activity data capture device(s) 104 may include one or more computing devices that are syslog servers that collect [detecting] any syslog data [at least one time-variable signal] from any of the plurality of monitored devices 102 [computer system and/or control system]”; [para. 0060] the syslog message includes a timestamp, making the data time variable; [para. 0065] the monitored devices messages sent are signals) and forward it to a hardware module ([para. 0068] “network activity capture device … may be configured to send [forward]… syslog data received from the plurality of monitored devices 102 to cybersecurity system 110 [hardware module]”) operating independently of the computer system and/or control system; ([Fig. 1] the cybersecurity system is independent from the monitored devices)
forming summary statistics of the signal by the hardware module over a predetermined period of time; ([Harris, para. 0135] “in an operation 822, data [events including syslog data – see para. 0090-0091, and Fig. 8] is summarized over a predefined time period … to create record summary data [summary statistics of the signal]”)
checking to what extent the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system; ([Harris, para. 0282] “concatenated summary data 536 is computed from … record summary data … to achieve a composite risk score across….data sets”; [para. 0117] “The risk value may be a numeric value used to differentiate the risk of the associated IP address from low (10) to high (100)” [to what extent]; [para. 0278] “The alert threshold may be defined as a percent and may be used to identify when network activity at a source IP address is sufficiently anomalous [in accordance with a normal state]”; [para. 0321] “a determination [checking] is made concerning whether or not the risk score is greater than the alert threshold [in accordance with a normal state]”) 
Harris does not clearly teach evaluating an operating state of the computer system and/or control system using at least a result of checking what extent the summary statistics are in accordance with the normal state and/or nominal state of the computer system and/or control system.
However, Knijf teaches evaluating an operating state of the computer system and/or control system using at least a result of checking what extent the summary statistics are in accordance with the normal state and/or nominal state of the computer system and/or control system.   ([Knijf, para. 0044] “if the score is above a certain threshold [at least a result of checking], then at block 218, the device is flagged [evaluating] as malicious [an operating state]“)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris with the teachings of Knijf to include evaluating an operating state of the computer system and/or control system using at least a result of checking what extent the summary statistics are in accordance with the normal state and/or nominal state of the computer system and/or control system.  One of ordinary skill in the art would have been motivated to make this modification because evaluating an operating state as malicious allows the device to shut down or quarantine the device to minimize the impact of the malicious behavior.  (Knijf, para. 0044)

As per claim 2, Harris in view of Knijf teaches claim 1. 
Harris also teaches wherein the at least one-time time-varying signal includes: at least one electrical signal from an electrical circuit of the computer system and/or control system, and or; ([Harris, para. 0065] the “monitored devices… send and receive signals… that may be wired”; [para. 0075] “…carried out by hardware [electrical] circuits”)
at least one measurement signal detected in the computer system and/or control system, and/or; ([Harris, para. 0065] the “monitored devices… send and receive signals”; [para. 0270-0275] “monitored activity such as … DistinctInternalDstIpmeasure … WebProxyDstIpmeasure … InternalBytesSent measure … ExternalBytesSentmeasure …” [etc… at least one measurement signal])
at least one stream of events output by the computer system and/or control system.  ([Harris, para. 0091] “Events 502 [time-varying signals captured by network activity data capture device 104/output by the computer system/control system – see para. 0058]… may be sent… using a streaming protocol [one stream of events])

As per claim 3, Harris in view of Knijf teaches claim 2.  
Harris also teaches wherein detecting the electronic signal on at least one address bus, at least one data bus, at least one control bus, and/or at least one communication link of the computer system and/or control system.  ([Harris, para. 0063] “Cybersecurity system 110 monitors activity by the plurality of monitored devices 102 including the communication links… [at least one communication link]”.  The phrase “and/or” is interpreted as that the terms address bus, data bus, control bus, and communication link are interchangeable terms, all synonyms for communication link)

As per claim 4, Harris in view of Knijf teaches claim 1.   
Harris also teaches wherein forming the summary statistics includes interpreting, by the hardware module, at most one physical layer of a communication protocol.  ([Harris, para. 0090] “Events 502 may be received [interpreted] by ingest application 506 of cybersecurity application 514 [the hardware module]. [Para. 0135] event data is summarized [forming the summary statistics].  [Para. 0091] “event block objects may be sent … using a streaming protocol such as RTSP [an application layer protocol of a communication protocol].  This means the forming the summary statistics does not include transporting a raw bitstream, which equates to “at most one physical layer of a communication protocol” as no physical layer communications are used)

As per claim 6, Harris in view of Knijf teaches claim 1.  
Harris also teaches wherein the summary statistics include a measure of a workload of computer system and/or control system. ([Harris, para. 0265] “a total number of bytes received in packets communicated between a specific source IP address and a specific destination IP address [a network workload of a computer system and/or control system] is accumulated from record summary data 532”)

As per claim 7, Harris in view of Knijf teaches claim 6.  
Harris also teaches determining a change in the workload of the computer system and/or control system at a temporal rate satisfying a predetermined criterion to be indicative of an abnormal operating condition.  ([Harris, para. 0271] “bytes transferred variables …  identifies devices of the plurality of monitored devices 102 with excessive [indicative of an abnormal operating condition] data transfer activity [a temporal rate satisfying a predetermined criterion – see para. 0265: bytes transferred are associated with a time period and para. 0278: a predefined alert value is used]”)

As per claim 11, Harris in view of Knijf teaches claim 1. 
 Harris also teaches wherein the hardware module is further configured to passively read out the time-varying signal from the computer system and/or control system. ([Harris, para. 0126] “the event block object [time-varying signal from the computer system and/or control system– see para. 0090] is automatically received [passively read] … from ingest application 506 [the hardware module/cybersecurity system 110 – see para. 0083]”)

As per claim 12, Harris in view of Knijf teaches claim 1. 
 Harris also teaches further comprising transmitting the summary statistics, and/or at least one parameter characterizing said summary statistics ([Harris, para. 0405] “selection of risk analysis tab 1804 provides [transmitting] the user of system user device 300 [an external server: see para. 0070 – “System user device is an … server computer” and para. 0078 – “Fig. 4 shows a representation of cybersystem 110 in a single device” and system user device 300 is external to that device] with detailed data, such as a composite risk score, an organizational context, a behavioral profile, correlations with existing security event logs, and network flow device interactions for investigating a single identified risk event [summary statistics, and/or at least one parameter characterizing said summary statistics]) from the hardware module to an external server, ([Fig. 4, para. 0083] “data and messages yet further may be transferred between cybersecurity system 110 [hardware module] and system user device 300 [to an external server]”) and wherein checking the extent to which the summary statistics is in accordance with a normal state and/or nominal state of the computer system and/or control system is performed at least in part on the external server.  ([para. 0095] “The plurality of system user devices 108 [external device/system user device 300 – see para. 0070] are devices that access information stored by cybersecurity system 110 [summary statistics] to… investigate [checking performed at least in part] potential cybersecurity issues [in accordance with a normal state]”)

As per claim 13, Harris in view of Knijf teaches claim 12. 
Harris also teaches further comprises merging, on the external server, summary statistics from a plurality of computer system and/or control systems ([Harris, para. 0419; Fig. 26] “selection of high risk selector 2420 may result in presentation of a high risk device data view 2600 in summary pane 1812 as shown in FIG. 26 that includes a listing [merging summary statistics] of devices [a plurality of computer system and/or control systems] associated with high risk scores”) for checking to what extent the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system ([para. 0436] “Cybersecurity system 110 further allows a system user to investigate and track [checking] identified anomalous activity [to what extent the summary statistics are in accordance with a normal state and/or nominal state]”)

	As per claim 16, Harris in view of Knijf teaches claim 1.  
	Harris does not clearly teach wherein in a normal state and/or nominal state of the computer system and/or control system, a summary statistics of the signal, and/or at least one characteristic variable characterizing this summary statistics, is learned and used for subsequent checks as to whether a normal state and/or nominal state is present
However, Knijf teaches wherein in a normal state and/or nominal state of the computer system and/or control system, a summary statistics of the signal, and/or at least one characteristic variable characterizing this summary statistics, ([Knijf, para. 0039] “normal device behavior can include data that describes the usual behavior of devices that belong to that group“; The phrase “and/or” is interpreted as that the terms are interchangeable as a risk value is a summary statistics, indicates whether a computer is normal, and is also a characteristic variable characterizing this summary statistics) learned and used for subsequent checks as to whether a normal state and/or nominal state is present.  ([para. 0040] “the learning process can be a continuous process… in order to update [used for subsequent checks] the estimates for normal behavior [whether a normal and/or nominal state is present]”)
  It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris with the teachings of Knijf to include wherein in a normal state and/or nominal state of the computer system and/or control system, a summary statistics of the signal, and/or at least one characteristic variable characterizing this summary statistics, is learned and used for subsequent checks as to whether a normal state and/or nominal state is present.  One of ordinary skill in the art would have been motivated to make this modification because it is very likely that behavior of devices will change over time making the update desirable.  (Knijf, para. 0040)

	As per claim 18, Harris in view of Knijf teaches claim 1.  
	Harris also teaches wherein the computer system and/or control system includes at least one of a camera module, a sensor module, and/or an actuator module.  ([Harris, para. 0065] “the plurality of monitored devices 102 may include computers of any form factor such as a smart phone [a sensor module  - i.e. the accelerometer of a smartphone and/or an actuator i.e. the vibration module of a smartphone] … a camera”)
	
As per claim 20, Harris teaches claim 19.
Harris does not clearly teach an evaluation unit configured to evaluate the operating state of the computer system and/or control system from an analysis result obtained from the test unit, and/or from the external server, to what extent the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system.
	However, Knijf teaches an evaluation unit configured to evaluate the operating state of the computer system and/or control system ([Knijf, para. 0043-0044] “Data stream monitor 106 [evaluation unit] determines if the … device behavior is within a threshold… if the score is above a certain threshold [at least a result of checking], then at block 218, the device is flagged [evaluating] as malicious [an operating state]”) from an analysis result obtained from the test unit, and/or from the external server, ([Fig. 2, para. 0041] the normal behavior data used to evaluate the operating state of the computer system is deployed [an analysis result] to the data stream monitor 106 from the behavior analyzer that is not on a local network [a test unit and/or from the external server]) to what extent the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system. ([Para. 0043] “data monitor 106 can calculate a score that reflects how likely it is that the current behavior of an IoT device [the summary statistics] is in accordance with the normal behavior [a normal state]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris with the teachings of Knijf to include an evaluation unit configured to evaluate the operating state of the computer system and/or control system from an analysis result obtained from the test unit, and/or from the external server, to what extent the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system.  One of ordinary skill in the art would have been motivated to make this modification because evaluating an operating state as malicious allows the device to shut down or quarantine the device to minimize the impact of the malicious behavior.  (Knijf, para. 0044)

	As per claim 21, Harris in view of Knijf teaches claim 20.  
Harris also teaches a system interface different from the signal interface and the service interface for acting on the computer system and/or control system based on the evaluated operational state.  
However, Knijf teaches further comprising a system interface different from the signal interface and the service interface for acting on the computer system and/or control system based on the evaluated operational state.  ([Knijf, Para. 0044] “the device behavior is flagged as malicious. A user or administrator of local network 102 can be alerted to the malicious IoT device”; [Claim 1] “a monitor node on the one or more local networks [a system interface] is configured to indicate malicious behavior”.  The monitor node is different from the signal interface [network interface device – see para. 0049 and claim 8] and the service interface [user interface/behavior database – see para. 0049 and claim 19])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Harris in view of Knijf for the same reasons as disclosed above. 

	As per claim 23, Harris in view of Knijf teaches claim 19.  
Harris also teaches a camera module, sensor module, and/or actuator module with the hardware module according to claim 19, and/or with an FPGA module which is integrated in the camera module, sensor module and/or actuator module in terms of circuitry in such a way that it is programmable to become said hardware module or another module suitable for carrying out the method of claim 1.  ([Harris, para. 0065] “the plurality of monitored devices 102 may include computers of any form factor such as a smart phone [a sensor module  - i.e. the accelerometer of a smartphone and/or an actuator i.e. the vibration module of a smartphone] … a camera”. The phrase “and/or” is interpreted to mean that the FPGA is synonymous with hardware/a processor suitable for carrying out the method of claim 1.  [Para. 0034] “Cybersecurity system 110 may be composed of one or more discrete computing devices” [hardware module suitable for carrying out the method of claim 1 – see claim 1 above].   “Each of the plurality of monitored devices 102 … cybersecurity system 110 … through a direct connection [integrated in]”)

As per claim 24, Harris teaches a computer program comprising machine-readable instructions that, when executed on one or more computer, cause the one or more computers to execute a method.  
The computer program executes the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus the computer-readable medium claim is rejected with the same rationale applied against claim 1.  

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Harris in view of Knijf as applied to claim 2 above, and further in view of Configuring Temperature and Voltage Monitoring (TVM) on the CGR 2010 Router; Software Configuration Guide [online]; Cisco Systems Inc.; July 22, 2011; Retrieved from the internet: <https://www.cisco.com/c/en/us/td/docs/routers/connectedgrid/cgr2010/software/15_2_1_t/swcg/cgr2010_15_2_1_t_swcg.html> (hereinafter “CGR”)

As per claim 5, Harris in view of Knijf teaches claim 2.  
Harris in view of Knijf does not clearly teach wherein the measurement signal comprises a supply voltage of the computer system and/or control system, and/or a temperature measured in the computer system and/or control system.
However, CGR teaches wherein the measurement signal comprises a supply voltage of the computer system and/or control system, ([CGR, Pg. 6, Configure Power Supply Monitoring] “syslog-Generates an SNMP trap when the power supply voltage [measured signal] is out of range of the configured threshold”) and/or a temperature measured in the computer system and/or control system. ([Pg. 5, Configure Operating Temperature Monitoring] “syslog-Generates a SYSLOG message when the router operating temperature [measured signal] is out of range of the configured threshold values”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris in view of Knijf with the teachings of CGR to include wherein the measurement signal comprises a supply voltage of the computer system and/or control system, and/or a temperature measured in the computer system and/or control system.  One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of allowing notifications when the temperature or the voltage of the device is out of the desired range.  (CGR, pg. 5-6)

Claims 8, 14, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Harris in view of Knijf as applied to claim 12 above, and further in view of Zotto et al. (US Pub. 2021/0232474) (hereinafter “Zotto”)

As per claim 8, Harris in view of Knijf teaches claim 1.  
Harris in view of Knijf does not clearly teach further comprising modifying the computer system and/or control system to change the time-varying signal upon specified events and/or system states.  
However, Zotto teaches further comprising modifying the computer system and/or control system to change the time-varying signal upon specified events and/or system states.  ([Zotto, para. 0027] “The server may send messages… based on the statistical analysis [upon specific events and/or system states] … the message may include instructions to modify … system configuration [see para. 0016 where changing the configuration changes the measured temperature, para. 0026: where the configuration file specifies the time to collect the data: both changing a time-varying signal] … changing the time of a regularly scheduled system scan” [changing the time-varying signal])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris in view of Knijf with the teachings of Zotto to include further comprising modifying the computer system and/or control system to change the time-varying signal upon specified events and/or system states.  One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of allowing the system to provide higher performance when the system is unstable and in danger of crashing or losing data.  (Zotto, para. 0027)

As per claim 14, Harris in view of Knijf teaches claim 12.  
Harris in view of Knijf does not clearly teach wherein the external server, in response to determining that the computer system and/or control system is not in the normal state and/or nominal state, initiates a logistical action including at least one of a service call and/or equipment replacement at the location of the computer system and/or control system.  
However, Zotto teaches wherein the external server, in response to determining that the computer system and/or control system is not in the normal state and/or nominal state, initiates a logistical action including at least one of a service call and/or equipment replacement at the location of the computer system and/or control system. ([Zotto, para. 0027] “the server may additionally make suggestions to system administrators to initiate a repair or service call on the computer system corresponding to the processor”) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Harris in view of Knijf and Zotto for the same reasons as disclosed above. 

As per claim 17, Harris in view of Knijf teaches claim 1. 
Harris also teaches further comprising indicating a result of checking to what extent the summary statistics are in accordance with a normal state and/or nominal state of the computer system and/or control system ([Harris, para. 0419] “For illustration, selection of high risk selection 2420 [checking] may result in presentation of a high risk device data view 2600 in summary pane 1812 as shown in Fig. 26 that includes a listing of devices associated with high risk scores” [extent the summary statistics are in accordance with a normal state – see para. 0321 and para. 0278: the risk score determines what extent the monitored device is abnormal/normal]) to an operator. ([para. 0405] the GUI is provided to an administrator [operator]) 
Harris in view of Knijf does not clearly teach requesting from the operator an input of the system state, and/or an action to be taken on the computer system and/or control system. 
However, Zotto teaches requesting from the operator an input of the system state, and/or an action to be taken on the computer system and/or control system.  ([Zotto, para. 0027] “the server may additionally make suggestions to system administrators [the operator] to initiate a repair [input of the system state, and/or an action to be taken] on the computer system corresponding to the processor”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Harris in view of Knijf and Zotto for the same reasons as disclosed above. 

As per claim 9, Harris in view of Knijf teaches claim 1.  
Harris does not clearly teach further comprising, in response to the evaluating of the operating condition indicating that the summary statistics are in accordance with the normal state and/or nominal state of the computer system and/or control system, determining at least one anomaly and further comprising performing at least one of the following actions: issuing an alarm; switching off or restarting the computer system and/or control system, or resetting the computer system and/or computer system to factory settings; installing a software update on the computer system or control system; causing the computer system and/or control system to output operational data, log data, and/or diagnostic information; causing the computer system and/or control system to send important data over a communication interface to protect the important data from being lost; causing the computer system and/or control system to delete confidential data to protect the confidential data from disclosure; causing the computer system and/or control system to enter into an emergency operation mode; initiating a self-test of the computer system and/or control system; and or initiating a self-test of the hardware module.  
However, Knijf teaches further comprising, in response to the evaluating of the operating condition indicating that the summary statistics are in accordance with the normal state and/or nominal state of the computer system and/or control system, determining at least one anomaly and ([Knijf, para. 0044] “If the score is above a certain threshold, then at block 218, the device behavior is flagged as malicious”)
further comprising performing at least one of the following actions: issuing an alarm; ([Knijf, para. 0044] “A user or administrator of local network 102 can be alerted to the malicious IoT device.”)
switching off or restarting the computer system and/or control system, or resetting the computer system and/or computer system to factory settings.  ([Knijf, para. 0044] “the malicious IoT device can be automatically shut down”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris with the teachings of Knijf to include further comprising, in response to the evaluating of the operating condition indicating that the summary statistics are in accordance with the normal state and/or nominal state of the computer system and/or control system, determining at least one anomaly and further comprising performing at least one of the following actions: issuing an alarm; switching off or restarting the computer system and/or control system, or resetting the computer system and/or computer system to factory settings.  One of ordinary skill in the art would have been motivated to make this modification because evaluating an operating state as malicious allows for minimizing the impact of the malicious behavior.  (Knijf, para. 0035)
Harris in view of Knijf does not clearly teach installing a software update on the computer system or control system; causing the computer system and/or control system to output operational data, log data, and/or diagnostic information; causing the computer system and/or control system to send important data over a communication interface to protect the important data from being lost; causing the computer system and/or control system to delete confidential data to protect the confidential data from disclosure; causing the computer system and/or control system to enter into an emergency operation mode; initiating a self-test of the computer system and/or control system; and or initiating a self-test of the hardware module.  
However, Zotto teaches installing a software update on the computer system or control system; ([Zotto, para. 0027] “the message from the server may include an instruction to install, update… an application”)
causing the computer system and/or control system to output operational data, log data, and/or diagnostic information. ([Zotto, para. 0027] “the message from the server may request additional data collection, which may be specified by a configuration file” [operational data, log data, and/or diagnostic information])
causing the computer system and/or control system to send important data over a communication interface to protect the important data from being lost; ([Zotto, para. 0027] “the message may include instructions to perform a system backup” [send important data via a bus to a local drive to protect the system data from being lost])
causing the computer system and/or control system to delete confidential data to protect the confidential data from disclosure; ([Zotto, para. 0027] “the message may include an instruction to … delete an application… emptying a deleted or temporary files fold… uninstall an application” [deleting data; the data is confidential data as it is data on a local system.  Protecting the data from disclosure is the intended result of a process step positively recited, and thus is not limiting.  See MPEP 2111.04])
causing the computer system and/or control system to enter into an emergency operation mode; ([Zotto, para. 0027] “the server determines the computer system … is unstable and in danger of crashing or losing data [system emergency] … instructions to modify a system configuration” [a configuration modifying the system emergency, and so an emergency mode])
initiating a self-test of the computer system and/or control system ([Zotto, para. 0027] “the server may request a system scan [self-test] be performed. The system scan may include a virus scan, malware scan, or a diagnostic scan, such as on memory or storage coupled to the processor”)
initiating a self-test of the hardware module ([Zotto, para. 0027] “the server may request a system scan [self-test] be performed. The system scan may include a virus scan, malware scan, or a diagnostic scan, such as on memory or storage coupled to the processor”; [para. 0015] “the processor … may comprise… a field programmable gate array [a hardware module]”; thus initiating a self-test of the hardware module)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris in view of Knijf with the teachings of Zotto to include installing a software update on the computer system or control system; causing the computer system and/or control system to output operational data, log data, and/or diagnostic information; causing the computer system and/or control system to send important data over a communication interface to protect the important data from being lost; causing the computer system and/or control system to delete confidential data to protect the confidential data from disclosure; causing the computer system and/or control system to enter into an emergency operation mode; initiating a self-test of the computer system and/or control system; and or initiating a self-test of the hardware module.   One of ordinary skill in the art would have been motivated to make this modification because for example, such suggestions allow system administrators to initiate a repair or service on the computer system.  (Zotto, para. 0027)

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Harris in view of Knijf and further in view of Zotto as applied to claim 9 above, and further in view of Choi (US Pub. 2019/0050578) (hereinafter “Choi”)

As per claim 10, Harris in view of Knijf, and further in view of Zotto teaches claim 9.  
Harris in view of Knijf and further in view of Zotto does not clearly teach further comprising causing the hardware module to act upon the computer system and/or control system via a unidirectional communication interface.
However, Choi teaches further comprising causing the hardware module to act upon the computer system and/or control system via a unidirectional communication interface. ([Choi, para. 0044; Fig. 2] “a control system 2a [hardware module] transfers a control command to a Programmable Logic Controller (PLC) device … [computer system] through a control network unidirectional gateway 2b for supporting only unidirectional communication”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris in view of Knijf and further in view of Zotto with the teachings of Choi to include causing the hardware module to act upon the computer system and/or control system via a unidirectional communication interface.  One of ordinary skill in the art would have been motivated to make this modification because applying a unidirectional gateway guarantees the security of a specific system.  (Choi, para. 0004)

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Harris in view of Knijf as applied to claim 12 above, and further in view of Ranum et al. (US Pub. 2014/013434) (hereinafter “Ranum”).  

As per claim 15, Harris in view of Knijf teaches claim 12.  
Harris in view of Knijf does not clearly teach further comprising evaluating, from the summary statistics a behavior, and/or an operational state of software updates installed on the computer system and/or control system.
However, Ranum teaches further comprising evaluating, from the summary statistics a behavior, and/or an operational state of software updates installed on the computer system and/or control system. ([Ranum, para. 0067] “in response to having suitably assessed [evaluating summary statistics – see para. 0015: log aggregator may analyze and correlate events to detect statistical anomalies] whether the network has been compromised in relation to any viruses or other malware [a behavior] … examining any anti-virus software deployed in the network to detect vulnerabilities associated therewith, including missing or outdated signatures associated with various anti-virus vendor technologies.”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris in view of Knijf with the teachings of Ranum to include further comprising evaluating, from the summary statistics a behavior, and/or an operational state of software updates installed on the computer system and/or control system.  One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide an additional protection level against malware infections.  (Ranum, para. 0067)

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Harris in view of Knijf as applied to claim 21 above, further in view of Choi.  

As per claim 22, Harris in view of Knijf teaches claim 21.  
Harris in view of Knijf does not clearly teach wherein the system interface is configured for unidirectional communication from the hardware module to the computer system and/or control system. 
However, Choi teaches wherein the system interface is configured for unidirectional communication from the hardware module to the computer system and/or control system.  ([Choi, para. 0044; Fig. 2] “a control system 2a [hardware module] transfers a control command to a Programmable Logic Controller (PLC) device … [computer system] through a control network unidirectional gateway 2b [system interface] for supporting only unidirectional communication”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Harris in view of Knijf with the teachings of Choi to include wherein the system interface is configured for unidirectional communication from the hardware module to the computer system and/or control system.  One of ordinary skill in the art would have been motivated to make this modification because applying a unidirectional gateway guarantees the security of a specific system.  (Choi, para. 0035)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Zhang et al. (US Pub. 2020/0287924) discloses an aggregation device that takes log information to determine whether behaviors of an entity are determined to be abnormal.  
Jondu et al. (US Pub. 2020/0264685) discloses self-test devices of a security system where based on a signal, the security system executes a self-test.
Hart (US Pub. 2010/0071054) discloses malware control systems which use summarized statistics from management systems in order to perform coordinated defensive and offensive actions.
Sugio et al. (US Pub. 2007/0254697) discloses sending important data by a transmission unit into a predetermined server, deleting data stored to protect it, and initiating an emergency mode.
Focada et al. (US Pub. 11,256,802) discloses a computer device performing a malware scan on itself in response to detecting abnormal computer behavior.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493