DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/30/2022 has been entered.
Claims 1 and 28-30 have been amended. Claims 1-30 have been examined.
Response to Arguments/Amendments
Applicant's arguments on p. 8 filed 9/27/2022 have been fully considered but they are not persuasive. In response to applicant's argument that cited art of record Crabtree is nonanalogous art, it has been held that a prior art reference must either be in the field of applicant’s endeavor or, if not, then be reasonably pertinent to the particular problem with which the applicant was concerned, in order to be relied upon as a basis for rejection of the claimed invention.  See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992).  In this case, Crabtree teaches data collection and analysis techniques which are reasonably pertinent to the field of automation system data collection and analysis as provided by the claims. Both Crabtree and the claimed invention are concerned with computer system data collection and analysis and therefore Crabtree is considered to be at least reasonably pertinent. 
Applicant’s remaining arguments, see pp. 8-9, filed 9/27/2022, with respect to the rejection(s) of claim 1 under 35 USC § 103 have been fully considered and are persuasive.  Claims 27-30 are similar to claim 1, and claims 2-26 are dependent upon claim 1. Therefore, the rejections have been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of art of record U.S. Patent Application Publication 2020/0280565 by Rogynskyy et al.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 10-11, and 27-30 are rejected under 35 U.S.C. 103 as being unpatentable over “Robust classification of salient links in complex networks” by Grady et al. (“Grady”) in view of U.S. Patent Application Publication 2012/0158933 by Shetty et al. (“Shetty”), U.S. Patent Application Publication 2018/0219919 by Crabtree (“Crabtree”), and U.S. Patent Application Publication 2020/0280565 by Rogynskyy et al. (“Rogynskyy”).

In regard to claim 1, Grady discloses:
1. A computer-implemented method comprising: See Grady, p. 7, e.g. “Methods.”
a) detecting activity in a plurality of data sources associated with an … environment; See Grady, at least pp. 7-8 and Table 2, which describes detection of activity in a variety of data networks, e.g. cash flow, air traffic, shipping, etc.
Grady does not expressly disclose automation environment. However, this is taught by Shetty. See Shetty, ¶ 0088, e.g. “Industrial automation.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s activity detection with Shetty’s automation environment in order to collect and analyze network data using sensors as suggested by Shetty.
b) determining correlation in the detected activity between two or more of the data sources; See Grady, p. 2, left column, e.g. “a variety of networks can be understood in terms of their topological connectivity (the set of nodes and links).”
c) storing records of determined correlation in the detected activity over time in a data storage system, See Grady, p. 3, left column, e.g. “Weighted networks like those depicted in Fig. 1 can be represented by a symmetric, weighted N × N matrix W , where N is the number of nodes. Elements wij≥ 0 quantify the coupling strength between nodes i and j. Depending on the context, wij might reflect … the contact rate between individuals in a social network.” Storage of such a matrix is inherent since without storage, computer processing of the matrix could not occur.
Grady does not expressly disclose wherein the records of determined correlation are associated, respectively, with timestamps; However, this is taught by Crabtree. See Crabtree, ¶ 0061, e.g. “Using a hybrid time-series graph, timestamps may be associated with ongoing changes to reveal these updates over time.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s correlation with Crabtree’s timestamps in order to reveal updates over time as suggested by Crabtree.
d) applying a link salience algorithm to the stored records of determined correlation in the detected activity to determine a salience property, and See Grady, p. 3, left column, e.g. “Elements wij≥ 0 quantify the coupling strength between nodes i and j . We define the salience S of a network as
                        
                            S
                             
                            =
                             
                            
                                
                                    T
                                
                            
                             
                            =
                             
                            
                                
                                    1
                                
                                
                                    N
                                
                            
                            
                                
                                    ∑
                                    
                                        k
                                    
                                
                                
                                    T
                                    
                                        
                                            k
                                        
                                    
                                
                            
                        
                                                      (1)
so that S is a linear superposition of all SPTs. S can be calculated efficiently using a variant of a standard algorithm (see Supplementary Methods ).”
	Grady does not expressly disclose wherein the stored records of determined correlation comprise one or more data changes associated with the records of determined correlations over time; However, this is taught by Crabtree. See Crabtree, ¶ 0061, e.g. “Using a hybrid time-series graph, timestamps may be associated with ongoing changes to reveal these updates over time.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s correlation with Crabtree’s changes in order to reveal updates over time as suggested by Crabtree.
e) analyzing the salience property to determine a correlation … See Grady, p. 6, bottom right column, e.g. “link salience is highly correlated with the frequency of a link’ s appearance in infection hierarchies.”
Grady and Crabtree do not expressly teach a correlation count during a pre-determined time period based at least in part on the timestamps associated with the records of determined correlation, wherein the correlation count is indicative of the degree of correlation between two or more of the data sources; and However, this is taught by Rogynskyy. See Rogynskyy, ¶ 0116, e.g. “The node pairing engine 322 can compute a connection strength between nodes based on one or more electronic activities associated with both of the nodes.” Also see ¶ 0198 and 0228-0229, e.g. “Responsive to the data processing system determining that the incremented counter or increased score satisfies the threshold, the data processing system may transmit instructions to the system of record of the data source provider to generate a record object for John Smith. … The counters may indicate a number of electronic activities that were transmitted between the first entities and one or more entities of the data source providers within a time period (e.g., a rolling window time period of the previous day, week, month, year, or five years). … If the data processing system determines a timestamp is within the time period, the data processing system may increment the counter associated with the first entity that sent or received the electronic activity that is associated with the timestamp.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s records of determined correlation and Crabtree’s timestamps with Rogynskyy’s correlation count and timestamps in order to determine whether a condition of the communication policy is satisfied as suggested by Rogynskyy (see ¶ 0228).
f) identifying one or more subsystems in the automation environment based on the salience property and the correlation count. See Grady, p. 3, right column, e.g. “Salience thus successfully classifies network links into two groups: salient ( s≈ 1) or non-salient ( s≈ 0), and the large majority of nodes agree on the importance of a given link.” Also see Rogynskyy, ¶ 0229 as cited above.

In regard to claim 2, Grady and Shetty also teach: 
2. The method of claim 1, wherein the automation environment comprises at least one networked industrial or commercial automation system. See Shetty, ¶ 0088, e.g. “industrial automation.”

In regard to claim 3, Grady and Shetty also teach:
3. The method of claim 1, wherein the plurality of data sources comprises at least one sensor, at least one actuator, at least one effector, at least one programmable logic controller (PLC), at least one automation controller, at least one data file, at least one cloud service, or a combination thereof. See Shetty, ¶ 0088, e.g. “sensors.”

In regard to claim 4, Grady and Shetty also teach:
4. The method of claim 1, further comprising identifying a plurality of data sources associated with an automation environment. See Grady, at least pp. 7-8 and Table 2, which describes detection of activity in a variety of data networks, e.g. cash flow, air traffic, shipping, etc. Also see Shetty, ¶ 0088, e.g. “industrial automation.”
	
In regard to claim 5, Grady does not expressly disclose:
5. The method of claim 4, wherein the identifying the plurality of data sources is performed by passive discovery, active discovery, target interrogation, or a combination thereof. However, Shetty teaches a form of passive discovery. See Shetty, ¶ 0029, e.g. “That is, for source routing, other devices in the network can tell the less capable devices exactly where to send the packets.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s data sources with Shetty’s discover in order to discover nodes on a network as essentially suggested by Shetty.

In regard to claim 6, Grady and Shetty also teach:
6. The method of claim 5, wherein the passive discovery comprises observing traffic on a network or a serial bus. See Shetty, ¶ 0027, e.g. “network.” 

In regard to claim 7, Grady and Shetty also teach:
7. The method of claim 6, wherein the passive discovery comprises identifying an origin or a destination for the traffic. See Shetty, ¶ 0029, e.g. “where to send the packets.”

In regard to claim 10, Grady discloses:
10. The method of claim 1, wherein the activity comprises one or more events or one or more state changes in at least one data source. See Grady, p. 7, bottom right, e.g. “the links measure the number of bills passing between pairs of counties per time.”

In regard to claim 11, Grady discloses:
11. The method of claim 1, wherein determining activity correlation comprises statistical analysis of counts of the stored records of determined correlation in the detected activity over time. See Grady, p. 5, Table 1, depicting statistical analysis. Also see p. 7, bottom right, e.g. “the links measure the number of bills passing between pairs of counties per time.”

In regard to claim 27, Grady and Shetty also teach:
27. The method of claim 1, wherein the detecting activity in a plurality of data sources is performed by a gateway, slave controller, or computer in communication with the automation environment directly, indirectly, via a cloud service, or any combination thereof. See Shetty, ¶ 0029, e.g. “Routing process (services) 244 contains computer executable instructions executed by the processor 220 to perform functions provided by one or more routing protocols, such as proactive or reactive routing protocols as will be understood by those skilled in the art. These functions may, on capable devices, be configured to manage a routing/forwarding table 245 containing, e.g., data used to make routing/forwarding decisions.” Also see ¶ 0041, e.g. “gateway.”

In regard to claim 28, Grady discloses:
28. A system comprising at least one computing device comprising at least one processor, a memory, and instructions executable by the at least one processor to create an application comprising: See Grady, at least p. 2, left column, e.g. “computer networks.” Grady’s computer networks are systems that are inherently comprised of computing devices which require processors, memory, and programmed instructions for execution. Even if Grady’s computers did not contain such elements, it is taught by Shetty. See Shetty, ¶ 0026, e.g. “processor … memory.” Also see ¶ 0091, e.g. “For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium (e.g., disks/CDs/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s computers with Shetty’s computer components in order to provide programmed computers for execution as essentially suggested by Shetty.
All further limitations of claim 28 have been addressed in the above rejection of claim 1.

In regard to claim 29, Grady discloses:
29. A computer-implemented method comprising: See Grady, at least p. 7, right column, e.g. “Methods.”
…
d) applying a statistical or machine learning algorithm to the stored records of determined correlation in the detected activity to determine a property. See Grady, p. 3, left column, e.g. “Elements wij≥ 0 quantify the coupling strength between nodes i and j . We define the salience S of a network as
                        
                            S
                             
                            =
                             
                            
                                
                                    T
                                
                            
                             
                            =
                             
                            
                                
                                    1
                                
                                
                                    N
                                
                            
                            
                                
                                    ∑
                                    
                                        k
                                    
                                
                                
                                    T
                                    
                                        
                                            k
                                        
                                    
                                
                            
                        
                                                      (1)
so that S is a linear superposition of all SPTs. S can be calculated efficiently using a variant of a standard algorithm (see Supplementary Methods ).” Also see Grady, p. 3, right column, e.g. “Salience thus successfully classifies network links into two groups: salient ( s≈ 1) or non-salient ( s≈ 0), and the large majority of nodes agree on the importance of a given link.”
All further limitations of claim 29 have been addressed in the above rejection of claim 1.

In regard to claim 30, Grady discloses:
30. A system comprising at least one computing device comprising at least one processor, a memory, and instructions executable by the at least one processor to create an application comprising: See Grady, at least p. 2, left column, e.g. “computer networks.” Grady’s computer networks are systems that are inherently comprised of computing devices which require processors, memory, and programmed instructions for execution. Even if Grady’s computers did not contain such elements, it is taught by Shetty. See Shetty, ¶ 0026, e.g. “processor … memory.” Also see ¶ 0091, e.g. “For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software being stored on a tangible (non-transitory) computer-readable medium (e.g., disks/CDs/etc.) having program instructions executing on a computer, hardware, firmware, or a combination thereof.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s computers with Shetty’s computer components in order to provide programmed computers for execution as essentially suggested by Shetty.
	All further limitations of claim 30 have been addressed in the above rejection of claim 29.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2011/0087522 by Beaty et al. (“Beaty”).

In regard to claim 8, Grady does not expressly disclose:
8. The method of claim 5, wherein the active discovery comprises IP subnet scanning on a network, port scanning on a network, protocol specific ID enumeration on a control bus, issuing protocol specific discovery commands on a network, or a combination thereof. However, Beaty teaches scanning. See Beaty, ¶ 0051, e.g. “scan the network and look for packets that include information about protocols, well-known ports, and frequency of communication.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s data sources with Beaty’s discovery in order to identify and characterize network communications as suggested by Beaty.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2016/0373481 by Sultan et al. (“Sultan”).

In regard to claim 9, Grady does not expressly disclose:
9. The method of claim 5, wherein the target interrogation comprises introspecting at least one device on a network. However, this is taught by Sultan. See Sultan, ¶ 0027, e.g. “Information collected at the introspection points may serve to identify what application programming interfaces are being used in the environment 100 and to what extent, which credentials or cryptographic keys are being used, information about network traffic flow, hostnames, domain names, running system processes, or user IDs.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s data sources with Sultan’s interrogation in order to collect and track information in a network as suggested by Sultan.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2004/0210654 by Hrastar (“Hrastar”).

In regard to claim 12, Grady does not expressly disclose:
12. The method of claim 11, wherein the statistical analysis comprises autocorrelation/serial correlation, partial autocorrelation, cross-correlation, or a combination thereof. However, this is taught by Hrastar. See Hrastar, ¶ 0179, e.g. “autocorrelation.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s analysis with Hrastar’s autocorrelation in order to detect anomalies in a signal as suggested by Hrastar.

Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2015/0281105 by Vaderna et al. (“Vaderna”).

In regard to claim 13, Grady discloses:
13. The method of claim 1, wherein determining correlation in the detected activity between two or more of the data sources comprises: 
a) identifying combinatorial pairs of data sources having activity …; See Grady, p. 8, top right, showing pairwise measurements per unit time. Grady does not expressly disclose within a predetermined time window. However, this is taught by Vaderna. See Vaderna, ¶ 0040, e.g. “traffic volume information may be, for example, either the number of bytes or the number of packets received within certain reporting periods (ROP).” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s data with Vaderna’s time window in order to utilize limited data for determining traffic paths as suggested by Vaderna.
b) conducting pairwise testing for each identified combinatorial pair of data sources … to the stored records of correlation in the detected activity over time; and See Grady, Fig. 3A, depicting a graph of data sources with colored edges which show the results of pairwise comparison of data sources. Also p. 8, top right, showing pairwise measurements per unit time.
Grady does not expressly disclose by applying a correlation algorithm. However, this is taught by Vaderna. See Vaderna, ¶ 0050, e.g. “In order to find the nodes that are along the path of a given subscriber's traffic, the Pearson product-moment correlation coefficient is calculated pairwise between the traffic volume of the subscriber attachment node (i.e., source node) and the traffic volume of all the other nodes in the access network.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s data sources with Vaderna’s algorithm in order to find nodes along a traffic path as suggested by Vaderna.
c) determining one or more relationships for at least one identified combinatorial pair of data sources. See Grady, p. 7, bottom right, e.g. “Link weights measures the total number of passengers traveling between a pair of networks by direct flights per year.”

In regard to claim 14, Grady and Vaderna also teach:
14. The method of claim 13, wherein the correlation algorithm comprises one or more of the following: Pearson correlation, Time Lagged Cross Correlation (TLCC), Windowed TLCC, Dynamic Time Warping (DTW), and Instantaneous Phase Synchrony. See Grady,  Table 3 on p. 9, e.g. “Pearson correlation.” Also see Vaderna, ¶ 0050, e.g. “Pearson product-moment correlation coefficient.”

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, Rogynskyy, and Vaderna as applied above, and further in view of U.S. Patent Application Publication 2010/0014432 by Durfee et al. (“Durfee”).

In regard to claim 15, Grady does not expressly disclose:
15. The method of claim 13, wherein the correlation algorithm comprises a machine learning model. However, this is taught by Durfee. See Durfee, ¶ 0045, e.g. “The system can use various other correlation methods depending on the type of anomaly and the configuration of the network of nodes, including machine learning.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Durfee’s machine learning with Grady’s correlation in order to utilize a basis for control as suggested by Durfee (see ¶ 0054).

In regard to claim 16, Grady and Durfee also teach: 
16. The method of claim 15, wherein the machine learning model comprises one or more of the following: one or more neural networks, one or more deep neural networks, one or more support vector machines (SVM), one or more Bayesian models, linear regression, logistic regression, or k-means clustering. See Durfee, ¶ 0054, e.g. “neural networks.”

Claims 17-22 are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2011/0179027 by Das et al. (“Das”).

In regard to claim 17, Grady discloses:
17. The method of claim 1, wherein the data storage system comprises a graph [storage]. See Grady, Fig. 2(a), depicting graphical images of a computed graph data structure, which must inherently be stored in the process of computation. While implicitly suggesting the use of some form of a database, Grady does not expressly disclose a graph database. See Das, ¶ 0010, e.g. “The computer system 10 determines the relationships between the POIs with respect to their locations in the environment and outputs a representation of the POIs and their relationships that is stored in a database 14. By way of example, the representation of the POIs and their relationships may be output as a graph structure.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s graph with Das’ graph database in order to utilize storage for convenient search and retrieval as known in the art and as essentially suggested by Das (see ¶ 0010).

In regard to claim 18, Grady, Shetty, and Das also teach: 
18. The method of claim 17, wherein the graph database comprises a representation of the automation environment. See Grady, Fig. 2(a), depicting graphical images of a stored graph data structure. Also see p. 6, bottom left, e.g. “individuals in a population are represented by nodes and interaction propensities between pairs of nodes by a weighted network.” Also see Shetty, ¶ 0043, e.g. “a logical representation of the network.” Also see Das, ¶ 0010, e.g. “A digital representation of the environment.”

In regard to claim 19, Grady, Shetty, and Das also teach:
19. The method of claim 17, wherein the graph database comprises a digital twin of the automation environment. See Grady, Fig. 2(a), depicting graphical images of a stored graph data structure. Also see p. 6, bottom left, e.g. “individuals in a population are represented by nodes and interaction propensities between pairs of nodes by a weighted network.” Also see Shetty, ¶ 0043, e.g. “a logical representation of the network.” Also see Das, ¶ 0010, e.g. “A digital representation of the environment.”

In regard to claim 20, Grady, Shetty, and Das also teach:
20. The method of claim 17, wherein individual data sources are represented as vertices in the graph database and relationships between the individual data sources are represented as edges in the graph database. See Grady, Fig. 2(a), depicting graphical images of a stored graph data structure having nodes and edges. Also see p. 6, bottom left, e.g. “individuals in a population are represented by nodes and interaction propensities between pairs of nodes by a weighted network.” Also see Shetty, ¶ 0039, e.g. “edges.”

In regard to claim 21, Grady discloses:
21. The method of claim 20, wherein each edge comprises counts of determined correlation in the detected activity over time. See Grady, p. 2, bottom left – top right column, e.g. “a number of systems are better captured by weighted networks in which links carry weights w that quantify their strengths.” Also see p. 7, bottom right, e.g. “the links measure the number of bills passing between pairs of counties per time.”

In regard to claim 22, Grady discloses:
22. The method of claim 21, wherein the counts of determined correlation in the detected activity over time are stored as a property or metadata associated with the edge. See Grady, p. 2, bottom left – top right column, e.g. “links carry weights w that quantify their strengths.” Also see Das, ¶ 003, e.g. “the edges between nodes is labeled with the determined relationships.”

Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, Rogynskyy, and Das as applied above, and further in view of U.S. Patent 8,773,437 to Goldman et al. (“Goldman”).

In regard to claim 23, Grady as modified does not expressly disclose:
23. The method of claim 17, further comprising contributing the identified subsystems back to the graph database as data enrichments. However, Goldman teaches this. See Goldman, col. 11, lines 41-42, e.g. “Also, information that was not previously in a graph can be added.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the database taught by Grady and Das with Goldman’s information enrichment in order to reflect changes in an environment as suggested by Goldman (see col. 11, lines 35-39).

In regard to claim 24, Grady, Das, and Goldman also teach:
24. The method of claim 23, wherein contributing the identified subsystems back to the graph database as data enrichments comprises creating, updating, or deleting vertices in the graph, edges in the graph, vertex properties in the graph, or edge properties in the graph. See Goldman, col. 11, lines 26-28, e.g. “The graph manager module manages the social graph of the system, adding, modifying, updating, or deleting information, nodes, and edges of the system.”

Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2004/0049699 by Griffith et al. (“Griffith”).

In regard to claim 25, Grady does not expressly disclose 
25. The method of claim 1, wherein detecting activity in a plurality of data sources comprises passive inspection of packets or payloads on an automation control network associated with the automation environment. However, Shetty teaches an automation control network associated with the automation environment. See Shetty, Figs. 1 and 2, depicting control networks associated with an automation environment. Also, Griffith teaches passive inspection of packets or payloads on an automation control network. See Griffith, ¶ 0038, e.g. “packet sniffing.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s activity detection with Griffith’s packet sniffing in order to determine relevant or interesting packets as suggested by Griffith (see ¶ 0038).

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Grady in view of Shetty, Crabtree, and Rogynskyy as applied above, and further in view of U.S. Patent Application Publication 2014/0122806 by Lin et al. (“Lin”).

In regard to claim 26, Grady does not expressly disclose: 
26. The method of claim 1, wherein the detecting activity in a plurality of data sources comprises inspection of communications in accordance with a communication protocol, wherein the communication protocol comprises S7, BACnet, KNX, or a combination thereof. However, Lin teaches this. See Lin, ¶ 0056, e.g. “the communication protocols can include … KNX, BACnet.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Grady’s data sources with Lin’s communication protocols in order to utilize a popular communication protocol as suggested by Lin.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to James D Rutten whose telephone number is (571)272-3703. The examiner can normally be reached M-F 9:00-5:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li B Zhen can be reached on (571)272-3768. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/James D. Rutten/Primary Examiner, Art Unit 2121