DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/06/2022 has been entered.
Response to Arguments
Applicant’s arguments, see Remarks, filed 10/06/2022, with respect to the rejection(s) of independent claims 1 and 6 under 35 USC § 103 have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-7 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. US 2019/0190938 A1 to Oba et al. (hereinafter “Oba”), US-PGPUB No. US 2019/0370681 A1 to Oba (hereinafter “Oba II”), and further in view of US-PGPUB No. US 2015/0381642 A1 to Kim et al. (hereinafter “Kim”).
Regarding claim 1: 
Oba discloses:
An intrusion detection device (¶103: “… anomaly detection device 100 …”), which is suitable for Modbus (¶29: “… the internal network of the control systems now use communications using open protocols such as Modbus …”) comprising: 
a connection interface (see ¶103: “… communication interface (IF) 104 …”); 
a processor (¶103: “… central processing unit (CPU) 101 …”) configured to receive a plurality of first packets through the connection interface (¶196: “Obtaining unit 110 … obtains a plurality of packets which are inspection data 212 (S32)”, ¶116: “Obtaining unit 110 is realized by … CPU 101, main memory 102, storage 103, and communication IF 104.”), 
wherein the processor is configured to: 
obtain a network protocol data (Fig 14, S34: “PROTOCOL IDENTIFYING PROCESSING”) and an industrial operation data (Fig 14, S37: “EXTRACT TARGET DATA PORTION IN PACKET”) of each of the plurality of first packets (¶196: “Obtaining unit 110 … obtains a plurality of packets which are inspection data 212 (S32)”);
tag a first internet protocol (IP) address of the network protocol data (¶136: “Anomaly detection models … include data items of model ID …”, Fig. 6, Model ID 6, source IP: “192.168.2.10”) with a first action role (¶93: “SCADA 313”, Note: Considering FIG. 6, model ID 6, the device which has IP address of 192.168.2.10 (first IP address, source IP) will connect with the device which has an IP address of 192.168.2.1 (second IP address, destination IP). The destination port associated with this model (model ID 6) is 502. It is obvious to a person of ordinary skill in the art that the default port number of a Modbus controller (Oba ¶93: “PLC 314”) is 502, thus the action role with destination port 502 is a control center (first action role) (Oba ¶93: “SCADA 313”) which tags first IP address 192.168.2.10. Because port 502 is the port number of the Modbus controller, the second IP address 192.168.2.1 is the IP address of the Modbus controller (second action role) (Oba ¶93: “PLC 314”), and thus the Modbus controller (second action role) tags IP 192.168.2.1) and tag a second internet protocol (IP) address of the network protocol data (Fig. 6, Model ID 6, destination IP: “192.168.2.1”) with a second action role (¶93: “PLC 314”) respectively, wherein each of the first action role and the second action role comprises one of a controller (¶93: “programmable logic controller (PLC) 314”), a control center (¶93: “… (SCADA) 313”), a database, an office computer (¶93: “personal computers (PC) 315, 323, and 324 …”), and a server (¶93: “… Monitoring target 300 … includes … (SCADA) 313, … (PLC) 314, … (PC) 315, 323, and 324, and router 400. …”. Note: It is obviously clear to one skilled in the art to either implement two of the three personal computers, one as a server (say PC 323) and the other as a database (say PC 324), or replace the two personal computers with a server and a database.);
generate a rule list (¶179: “… a new model …”) (¶05: “… storing the plurality of first probabilities calculated, in the memory as the anomaly detection model …”, note: what is stored is the anomaly detection model, e.g. Fig. 6, model ID 6, and ¶179: “Detection model learning unit 120 adds the identified model as a new model in step S17 …”), wherein the rule list comprises the first action role (¶93: “SCADA 313”), the first IP address (Fig. 6, Model ID 6, source IP: “192.168.2.10”), the second IP address (Fig. 6, Model ID 6, destination IP: “192.168.2.1”), and contents of the related group (Fig. 6: “… destination IP … source IP … destination port …”);
However, Oba does not explicitly disclose the following limitations taught by Oba II:
analyze a discrete degree (Oba II, ¶74-75: “… Levenshtein distances … The Levenshtein distance is a distance which can be defined between two-character strings or byte strings.”) of a first industrial device information (Oba II, see Fig 3, Profile ID 2, Clustering Target Data: UDP Payload, ¶60: “…  profile determiner 110 stores the profile information illustrated in FIG. 3 …”) and a second industrial device information (Oba II, see Fig. 3, Profile ID 3, Clustering Target Data: UDP Payload) (Oba II, ¶120: “… calculator 140 calculates the similarities between pieces of packet data having the same profile (step S45). At this time, calculator 140 calculates the Levenshtein distances between pieces of packet data as the similarities.”);
group the first industrial device information and the second industrial device information into a related group of the first IP address (Oba II, Fig. 3, source IP: 192.168.0.5) when the discrete degree is low (Oba II, ¶75: “The Levenshtein distance is defined as a minimum number of times of insertion, deletion, and/or substitution of one character or byte needed to convert one character or byte string to the other character or byte string.”) (Oba II, see Fig. 3 for industrial devices with profile IDs 2 and 3 are clustered (grouped) as UDP payloads associated with source IP address 192.168.0.5, ¶121: “… Clusterer 150 then generates packet cluster information 20 to each packet data, packet cluster information 20 indicating the packet data in association with the cluster ID for specifying the cluster into which the data packet is clustered (step S60).”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Oba to incorporate the functionality of the method to calculate similarities between packets by a calculator, wherein the calculator calculates the Levenshtein distances between pieces of packet data to determine the similarities, and clustering the packets using the calculated similarities, as disclosed by Oba II. Such a modification would allow the system to determine the source IP address of the packets, and thus determine whether the packet is anomalous or not based on its similarity with other packets having a similar source IP address.
The combination of Oba and Oba II fails to explicitly disclose the following limitation taught by Kim:
wherein the first action role (Kim ¶65: “… the client.”, Fig. 5 “Client-SCADA Server”) on the rule list corresponds to the first industrial device information (¶70: “… client IP …”) and the second industrial device information (¶70: “… server IP …”, ¶65: “…port value … 502…”) (Kim ¶65: “… the communication pattern classifier 110 may classify the device in which the port value is 502 as the server, and as shown in FIG. 4, classify devices as the server and the client.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Oba and Oba II to incorporate the communication pattern classifier functions of generating an entry of a server table and an entry of a command table separately as disclosed by Kim. Obviously, this functionality can be extended to accommodate other devices of different roles, generate and implement the respective tables, and modify the entries of the tables as required. The availability of such functionality would make the searching and matching of incoming packets faster, thereby providing an efficient intrusion detection system.
Regarding claim 2: 
The combination of Oba, Oba II and Kim discloses:
The intrusion detection device of claim 1, wherein the processor is further configured to: 
search a communication port of the network protocol data on a look-up table in order to tag the first IP address with the first action role and to tag the second IP address with the second action role (Oba ¶136: “The model ID is an identifier uniquely assigned to each of a plurality of models for identification. The destination IP is information which indicates the destination IP of the packets associated with the model. The destination port is information which indicates the destination port of the packets associated with the model.”, and see Fig. 6 for communication port and Model ID (tag)).  
Regarding claim 4:
The combination of Oba, Oba II and Kim discloses:
The intrusion detection device of claim 1, wherein the processor is further configured to: 
receive a second packet through the connection interface (Oba ¶05: “obtaining a plurality of packets”, ¶76: “… for each of the plurality of packets obtained, (i) second combinations of N data units, out of a plurality of data units obtained by dividing a data sequence forming a payload included in the packet by A bit unit, are extracted, the second combinations being all possible combinations of the N data units …”);
read the network protocol data and the industrial operation data of the second packet to determine whether the second packet satisfies contents of the rule list (Oba ¶151: “Detector 160 extracts all the possible second combinations of N data units out of a plurality of data units obtained by dividing a data sequence forming the payload included in the packet …”, and ¶155: “Detector 160 determines whether or not the score calculated for the packet exceeds an alert threshold as a predetermined threshold that is based on the anomaly detection models stored in anomaly detection model DB 130.”);
generate a warning signal in response to determining that the second packet does not satisfy the contents of the rule list (Oba ¶147: “input receiving unit 140 receives an input of a parameter related to the alert occurrence rate for generating an alert.”, and Kim ¶96: “… when there is not the information identical to the combined SIP/FCode information and there is not the FCode itself in the command table, the abnormal behavior detector 130 may generate a warning of an abnormal command level 3 …”).
Regarding claim 5:
The combination of Oba, Oba II and Kim discloses:
The intrusion detection device of claim 4, wherein the processor is further configured to: 
read a third internet protocol (IP) address from the network protocol data of the second packet (Oba ¶76: “… for each of the plurality of packets obtained, (i) second combinations of N data units, out of a plurality of data units obtained by dividing a data sequence forming a payload included in the packet by A bit unit, are extracted …”); 
obtain a third action role of the third IP address according to a communication port of the network protocol data of the second packet (Oba ¶76: “… the second combinations being all possible combinations of the N data units …”, and see Fig. 6 for packets content); 
read at least one operation parameter of the industrial operation data of the second packet (Oba ¶200: “Detector 160 extracts the target data portion in the target packet in step S37.”); 
generate the warning signal in response to determining that the third IP address, the third action role of the third IP address, and the at least one operation parameter have not satisfied the first action role, the first IP address, the second IP address, and the contents of the related group on the rule list (Oba ¶202: “Detector 160 determines whether or not the score calculated for the target packet exceeds the alert threshold associated with the anomaly detection model of the target packet which is stored in anomaly detection model DB 130 (S39). When detector 160 determines that the calculated score exceeds the corresponding alert threshold (Yes in S39), presentation unit 170 presents an alert (S40) …”).
Regarding claims 6-7 and 9-10:
Claims 6-7 and 9-10 recite substantially the same limitations as claims 1-2 and 4-5 respectively. Therefore, claims 6-7 and 9-10 are rejected under the same rationale as claims 1-2 and 4-5 respectively.
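As an added illustration of the processing recited in claims 1, 4 and 5 (this is constructed example code, not code from the application or from Oba, Oba II or Kim), the following Python tags the two IP addresses of a packet with action roles by looking up the destination port (502 for the Modbus controller), groups payloads into a related group when their Levenshtein distance is low, stores the result as a rule list, and raises a warning when a later packet does not satisfy that list. The IP addresses, the distance threshold and the Modbus/TCP payloads are constructed sample values.

```python
from dataclasses import dataclass

MODBUS_PORT = 502  # default Modbus/TCP port; the listener on it is taken to be the controller

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes  # Modbus/TCP ADU (MBAP header + PDU): the "industrial operation data"

def levenshtein(a: bytes, b: bytes) -> int:
    """Minimum insertions/deletions/substitutions turning a into b (the 'discrete degree')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def tag_roles(pkt: Packet) -> tuple:
    """Port look-up: a destination on 502 is tagged controller and its peer control center."""
    return ("control center", "controller") if pkt.dst_port == MODBUS_PORT else ("unknown", "unknown")

def build_rule_list(packets, max_distance: int = 4) -> dict:
    """Rule list keyed by (first role, first IP, second IP); value = related group (payload clusters)."""
    rules = {}
    for p in packets:
        first_role, _ = tag_roles(p)
        groups = rules.setdefault((first_role, p.src_ip, p.dst_ip), [])
        for g in groups:  # join the first cluster whose seed payload is within max_distance
            if levenshtein(g[0], p.payload) <= max_distance:
                g.append(p.payload)
                break
        else:
            groups.append([p.payload])  # otherwise start a new cluster
    return rules

def check_packet(rules: dict, pkt: Packet, max_distance: int = 4):
    """Return a warning string when a later packet does not satisfy the rule list, else None."""
    third_role, _ = tag_roles(pkt)
    groups = rules.get((third_role, pkt.src_ip, pkt.dst_ip))
    if groups is None:
        return f"warning: {pkt.src_ip} as {third_role} -> {pkt.dst_ip} is not on the rule list"
    if all(levenshtein(g[0], pkt.payload) > max_distance for g in groups):
        return f"warning: operation parameters from {pkt.src_ip} match no related group"
    return None

# Constructed learning traffic: the SCADA host reads holding registers (FC 03) on the PLC.
READ_A = bytes.fromhex("000100000006010300000010")  # start register 0, count 16
READ_B = bytes.fromhex("000200000006010300100010")  # start register 16, count 16
LEARN = [Packet("192.168.2.10", "192.168.2.1", 502, p) for p in (READ_A, READ_B)]
RULES = build_rule_list(LEARN)
WRITE = bytes.fromhex("0003000000170110000000080010" + "ff" * 16)  # constructed FC 16 request
```

`check_packet(RULES, Packet("192.168.2.10", "192.168.2.1", 502, WRITE))` returns a warning because the write request is far from every learned read request, while a repeat of `READ_B` returns `None`.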
Claims 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Oba, Oba II, Kim and further in view of US-PGPUB No. 2019/0089742 A1 to Hill.
Regarding claim 3:
The combination of Oba, Oba II and Kim discloses the intrusion detection device of claim 2, but fails to explicitly disclose the following limitation taught by Hill:
wherein the processor is further configured to:
tag the second IP address (Hill ¶121: “… asset type: basic control (controller), Asset IP address”) with the second action role (Hill ¶121: “… asset type: basic control (controller)”) according to the first action role (Hill ¶121: “… asset type: area supervisory control (control center)”) of the first IP address (Hill ¶121: “… asset type: area supervisory control (control center), Asset IP address”) and a Purdue model (Hill ¶75: “… Purdue Reference Model …: Level 0- physical process, Level 1- basic control, Level 2- area supervisory control, Level 3- site manufacturing operations and control systems, Level 4- site business planning and logistics, Level 5- enterprise.”, and ¶121: “… the following may be identified for an asset: asset type, asset vendor, asset level (e.g., under the Purdue Model), asset IP address, asset MAC address, and protocols/protocol behaviors. …”. Note: the asset type area supervisory control, which is the first action role (control center), tags the first IP address (Hill ¶121: “… asset type: area supervisory control, Asset IP address”). In the same way, the asset type basic control, which is the second action role (controller), tags the second IP address (Hill ¶121: “asset type: basic control, Asset IP address”)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Oba, Oba II and Kim to incorporate the control hierarchy model (Purdue) of the industrial control system as disclosed by Hill. The availability of such model in the industrial control system would provide a helpful, common language for industrial control systems owners, operators, and suppliers to use to frame security discussions.
Regarding claim 8:
Claim 8 recites substantially the same limitations as claim 3. Therefore, claim 8 is rejected under the same rationale as claim 3.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
McQuillan et al. (US-PGPUB No. 2016/0094578 A1) discloses a SCADA system that includes a network interface configured to communicate data with a plurality of industrial control devices via an industrial control system (ICS) network.
Strohmenger et al. (US-PGPUB No. 2016/0274978 A1) discloses a cloud-based backup component comprising a modeler component that can generate a model of industrial assets of Industrial Automation Systems (IAS(s)) and relationships between industrial assets based on information obtained from the industrial assets via cloud gateways, a communication device associated with the IAS(s), or another source.
Kang et al. (US-PGPUB No. 2016/60094517 A1) discloses an apparatus and method for blocking abnormal communication, which are capable of protecting an industrial control system against cyber threats through the traffic analysis of an industrial firewall.
Shimizu et al. (US-PGPUB No. 2018/0069835 A1) discloses a packet filtering apparatus that represents a rule set for packet filtering, a technique for preventing a cyber-attack.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491