DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments filed with respect to the claims being a literal translation under 35 USC 112 (b) have been fully considered and are persuasive.  The previous grounds of the rejection have been withdrawn. 
Applicant's arguments filed have been fully considered but they are not persuasive.

As per the Applicant’s argument:
“a) In claim 1, the application requirement and object of applying for the present invention is to detect the external devices in the fieldbus network, and US patent 9380070 is to judge the legal identity of the information source device in the fieldbus network, thus, there are essential differences”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  The Applicant is correct that the teachings of Cain et al is to judge information source device, however that source device, is an external device, “according to a detection result of the intrusion signal caused by an external device (col. 3, lines 48-61), effectively determining whether there is an external malicious device in the system, and determining whether the system is subjected to a physical intrusion attack (col. 3, lines 48-61).”  Cain et al further discloses that “an attack may consist of impersonating a particular ECU for sending false messages to another ECU”, col. 3, lines 42-44.  This “particular ECU” shows that an external device is being monitored for an intrusion signal, as is claimed.  The Applicant’s arguments are not persuasive, and the Examiner hereby maintains the current grounds of the rejection.

As per the Applicant’s argument:
“b) Instep S1 of claim 2 and claim 3, the patent application provides a detection method of actively sending signals, the US patent 9380070 is a detection method of passively receiving signals, in contrast, US patent 9380070 cannot detect silent monitoring external devices in the fieldbus network, but the present invention is able to identify the presence of external devices through active detection”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.  The Applicant’s arguments “US patent 9380070 cannot detect silent monitoring external devices in the fieldbus network, but the present invention is able to identify the presence of external devices through active detection” do not match the current claim language, and is unclear how the distinctions exists as alleged.  The Examiner notes that the claim language uses the terms “if” which are conditional, and furthermore, the teachings do disclose of “active detection” since attacks are detected on the bus within certain time frames, see column 5, lines 12-29.  As per the Applicant’s arguments of an “external device”, please refer above to the previous argument addressed by the Examiner. 
The Examiner maintains the position “S1: monitoring a service condition of a serial communication bus in the industrial control system according to a set time period by the bus controller (col. 5, lines 12-29); if the communication bus is in an idle state (bus logic state, col. 2, lines 64-65), sending a detection signal once by the bus controller (col. 5, lines 12-29); if the communication bus is in a data transmission state, continuing to monitor and wait until the communication bus is in an idle state (bus logic state, col. 2, lines 64-65), and sending the detection signal once by the bus controller (col. 5, lines 12-29)” (as per claim 2) and “detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein in the step S1, the detection signal is set according to a protocol specification (col. 3, lines 7-10) of the serial communication bus, and the detection signal is different from all normal communication signals in the digital sequence, and the detection signal is only capable of being identified and analyzed by a corresponding monitoring device in the serial communication bus network, and the other devices are not capable of responding to detection signals (col. 5, lines 12-29)”(as per claim 3). 

As per the Applicant’s argument:
“c) In step S2 of claim 2 and claim 4, the method proposed by the present invention is applicable to most field bus networks and is not constrained by the communication protocol, while the US patent 9380070 can only use the bus network under the CAN protocol”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.  Claim 2 recites “analysis on all communications signals on the serial communication bus”, whereas claim 4 recites “such as Modbus, CANBus, etc…” which is not limiting.  The teachings of Cain et al disclose of the use of a CAN Bus, see column 5, line 13.
The Examiner has shown that “performing sampling (col. 6, lines 43-46), receiving and protocol analysis on all communication signals (col. 3, lines 7-10) on the serial communication bus by the monitoring device deployed in the network (col. 5, lines 12-21)” (as per claim 2) and “performing protocol parsing on corresponding communication signals by adopting one corresponding protocol such as Modbus, CANBus, P-Net, ProfiBus, WorldFIP, ControlNet, FF or HART to obtain a digital signal sequence (col. 3, lines 7-10 and col. 5, lines 12-21)” (as per claim 4).  The Examiner finds the Applicant’s argument to be unpersuasive, and hereby maintains the current grounds of the rejection.

As per Applicant’s argument:
“d) Instep S3 of claim 2 and claim 5, US patent 9380070 fails to disclose that it is necessary to ensure the idle state of the bus network when performing the detection, so as to avoid interference and influence on normal communication, which is disclosed in the present invention”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., ensure the idle state of the bus network when performing the detection, so as to avoid interference and influence on normal communication) are not recited in the rejected claims 2 and 5.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
The Examiner has shown that Cain et al discloses “1S3: analyzing signals after parsing and determine whether to start detecting physical intrusion attack in the industrial control system (col. 5, lines 12-29)” (as per claim 2) and “S301: performing consistency detection on the digital signal sequence parsed in the step S2 and the digital sequence of the detection signal, if the signal received is the detection signal, starting detecting the physical intrusion attack in the industrial control system, and performing a step S302; if the signal received is not a detection signal, then making no response (ignoring), and continuing monitoring the bus to receive the next communication signal (col. 3, lines 25-39); S302: according to a consistency detection result between the signal received and the detection signal, continuing to determine whether the monitoring device receives the detection signal for a first time; if the signal database of the monitoring device is empty, storing the received signal data in the local database, and considering the signal is a standard signal under normal conditions of the system; if the signal data is already stored in the signal database of the monitoring device, continuing performing the step S4 (col. 3, lines 1-24).” (as per claim 5), and hereby maintains the current grounds of the rejection.

As per the Applicant’s argument:
“e) In step S4 of claim 2 and claim 6, the present invention requires a pre-standard signal during the implementation process, which is used to record the physical characteristics of the initial state of the system, so as to detect the access of external devices, which is not disclosed by the US patent 9380070, and US 9380070 needs to be pre-recorded, and there is a big difference between the arbitration ID of the information sent by the device to detect the source of the information”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., a pre-standard signal during the implementation process, which is used to record the physical characteristics of the initial state of the system) are not recited in the rejected claim 2.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Cain et al has been shown to disclose “S4: comparing signal data received with standard signal data in the database of monitoring device to obtain a difference signal therebetween (col. 5, lines 21-29)” (as per claim 2) and “the intrusion signal is a definite signal added to an original detection signal sent by the bus controller caused by the physical intrusion attack, and the intrusion signal has the same period with the detection signal (col. 3, lines 51-61 and col. 5, lines 21-29)” (as per claim 6), and the Examiner hereby maintains the current grounds of the rejection.

As per the Applicant’s argument:
“f) In step S5 of claim 2 and claim 7, the present invention uses weak signal processing technology to detect intrusion signals, specifically using time domain averaging technology to reduce noise interference, signal cross-correlation technology to extract correlation features, these technical method is the core algorithm of the patented data processing, which is not used in the patent US 9380070”
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., weak signal processing technology to detect intrusion signals, specifically using time domain averaging technology to reduce noise interference, signal cross-correlation technology to extract correlation features) are not recited in the rejected claims 2 and 7.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Cain et al is relied upon for disclosing of “S5: detecting the intrusion signal on the difference signal (col. 5, lines 21-29); if the intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is subjected to the physical intrusion attack and continuing to execute S6 (col. 5, lines 21-29); if no intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is not subjected to the physical intrusion attack and continuing to monitor the bus to receive a next communication signal (col. 5, lines 12-29)” (as per claim 2), and “comprises steps of: S501: performing noise reduction processing on the difference signal data obtained in step S4; S502: by a weak signal detection technology, detecting and determining whether the intrusion signal exists in the difference signal according to a result of the weak signal detection (col. 2, lines 59-67 and col. 3, lines 51-61)” (as per claim 7), and the Examiner hereby maintains the current grounds of the rejection.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-8 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Cain et al, U.S. Patent 9,380,070.

As per claim 1, it is taught of a method for detecting physical intrusion attack in industrial control system (a vehicle system, col. 2, lines 2-9) based on analysis of signals on serial communication (CAN) bus (col. 2, lines 41-49 and col. 3, lines 51-53), comprising steps of:
actively sending signals for detecting to a communication (CAN) bus via a bus (CAN) controller in a serial communication (CAN) bus network (col. 2, lines 41-55), sampling (col. 6, lines 43-46) and analyzing the signals on the communication bus by a monitoring device (col. 2, lines 59-67 and col. 3, lines 51-61), performing differential comparison with a standard signal stored in the monitoring device database, detecting an intrusion signal in a difference signal by noise reduction and weak signal detection (col. 2, lines 59-67 and col. 3, lines 51-61), and according to a detection result of the intrusion signal caused by an external device (col. 3, lines 48-61), effectively determining whether there is an external malicious device in the system, and determining whether the system is subjected to a physical intrusion attack (col. 3, lines 48-61).
As per claim 2, it is disclosed of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, specifically comprising steps of:
S1: monitoring a service condition of a serial communication bus in the industrial control system according to a set time period by the bus controller (col. 5, lines 12-29); if the communication bus is in an idle state (bus logic state, col. 2, lines 64-65), sending a detection signal once by the bus controller (col. 5, lines 12-29); if the communication bus is in a data transmission state, continuing to monitor and wait until the communication bus is in an idle state (bus logic state, col. 2, lines 64-65), and sending the detection signal once by the bus controller (col. 5, lines 12-29);
S2: performing sampling (col. 6, lines 43-46), receiving and protocol analysis on all communication signals (col. 3, lines 7-10) on the serial communication bus by the monitoring device deployed in the network (col. 5, lines 12-21);
1S3: analyzing signals after parsing and determine whether to start detecting physical intrusion attack in the industrial control system (col. 5, lines 12-29);
S4: comparing signal data received with standard signal data in the database of monitoring device to obtain a difference signal therebetween (col. 5, lines 21-29);
S5: detecting the intrusion signal on the difference signal (col. 5, lines 21-29); if the intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is subjected to the physical intrusion attack and continuing to execute S6 (col. 5, lines 21-29); if no intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is not subjected to the physical intrusion attack and continuing to monitor the bus to receive a next communication signal (col. 5, lines 12-29);
S6: according to a detection result of the intrusion signal, if the serial communication bus network of the industrial communication system is subjected to physical intrusion attack, reporting the detection result to the bus controller in the serial communication bus network, and making a quick judgment and an emergency response on the physical intrusion attack by the bus controller (col. 4, lines 6-11 and col. 5, lines 32-34).
As per claim 3, it is taught of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein in the step S1, the detection signal is set according to a protocol specification (col. 3, lines 7-10) of the serial communication bus, and the detection signal is different from all normal communication signals in the digital sequence, and the detection signal is only capable of being identified and analyzed by a corresponding monitoring device in the serial communication bus network, and the other devices are not capable of responding to detection signals (col. 5, lines 12-29).
As per claim 4, it is disclosed of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein the step S2 specifically comprises steps of: according to types of the serial 2communication bus in the industrial control system, performing protocol parsing on corresponding communication signals by adopting one corresponding protocol such as Modbus, CANBus, P-Net, ProfiBus, WorldFIP, ControlNet, FF or HART to obtain a digital signal sequence (col. 3, lines 7-10 and col. 5, lines 12-21).
As per claim 5, it is taught of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein the step S3 specifically comprises steps of:
S301: performing consistency detection on the digital signal sequence parsed in the step S2 and the digital sequence of the detection signal, if the signal received is the detection signal, starting detecting the physical intrusion attack in the industrial control system, and performing a step S302; if the signal received is not a detection signal, then making no response (ignoring), and continuing monitoring the bus to receive the next communication signal (col. 3, lines 25-39);
S302: according to a consistency detection result between the signal received and the detection signal, continuing to determine whether the monitoring device receives the detection signal for a first time; if the signal database of the monitoring device is empty, storing the received signal data in the local database, and considering the signal is a standard signal under normal conditions of the system; if the signal data is already stored in the signal database of the monitoring device, continuing performing the step S4 (col. 3, lines 1-24).
As per claim 6, it is disclosed of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein in the step S5, the intrusion signal is a definite signal added to an original detection signal sent by the bus controller caused by the physical intrusion attack, and the intrusion signal has the same period with the detection signal (col. 3, lines 51-61 and col. 5, lines 21-29).
As per claim 7, it is taught of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein the step S5 specifically comprises steps of: S501: performing noise reduction processing on the difference signal data obtained in step S4; S502: by a weak signal detection technology, detecting and determining whether the intrusion signal exists in the difference signal according to a result of the weak signal detection (col. 2, lines 59-67 and col. 3, lines 51-61).
As per claim 8, it is disclosed of a method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, further comprising a step of: alerting a master station after receiving the detection signal of the physical intrusion attack by the bus controller (col. 4, lines 6-11).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431