DETAILED ACTION
The following claims are pending in this office action: 1-16
The following claims are amended: 1-6 and 8-13 
The following claims are new: 15-16
The following claims are cancelled: -
Claims 1-16 are rejected. This rejection is FINAL.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Previous Objections Withdrawn
The objections to claims 1-14 are withdrawn based on the amendments. 
The 35 U.S.C. 112(d) rejection to claim 12 is withdrawn based on the amendments.
RESPONSE TO ARGUMENTS
Applicant’s arguments filed in the amendment filed 09/09/2022 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment. 
Applicant notes: Independent claim 1 is amended to recite “a calculator that calculates an abnormal degree of each of one or more communications which satisfy that the element specified by the specifier is included in the one or more permitted elements indicated by the whitelist, among the plurality of communications.”  This limitation is disclosed by Yunoki et al. (US Pub. 2016/0085237) as explained below and rejected accordingly.  
Examiner notes that Konashi et al.  (US Pub. 2021/0026343) also discloses a whitelist associated with the communications, equipment states, and configurations.  For example, see para. 0002: “This anomaly detection device stores in advance a normal communication pattern (a whitelist)”.  
Independent claim 13 is amended in a similar way to claim 1.  The amended limitations are disclosed by Yunoki et al. (US Pub. 2016/0085237) as explained below and rejected accordingly.  
The additional amended elements of the dependent claims 3-12 and 14, for example, “the whitelist further includes permitted communication information”, “the whitelist further includes an equipment state whitelist indicating one or more permitted equipment states”, “the whitelist further includes a type whitelist indicating one or more permitted types of the plurality of products”, and “the whitelist further includes a configuration whitelist indicating one or more permitted equipment configurations” are disclosed by Yunoki et al. (US Pub. 2016/0085237) and Koniki et al. (US Pub. 2018/0241719) as explained below.
New dependent claims 15 and 16 depend on independent claim 13.  The claims are identical or substantially similar to that of amended claims 2 and 3. Therefore, they are rejected under the same rationale applied to claims 2 and 3 as explained below.
Applicant also argues that the specification discloses the corresponding structure for performing the function of the learner 270.  
The proper test for meeting the definiteness requirement is that the corresponding structure (or material or acts) of a means- (or step-) plus-function limitation must be disclosed in the specification itself in a way that one skilled in the art will understand what structure (or material or acts) will perform the recited function.  If there is no disclosure of structure, material or acts for performing the recited function, the claim fails to satisfy the requirements of 35 U.S.C. 112(b).   See MPEP 2181.II.A.
Here, Applicant mistakes the recited function itself for the structure, material, or acts that will perform the recited function.  Para.  0086-0087 of the specification recites the function intended to be performed by the learner.  The cited paragraphs state “learner 270 creates a normal model” and “performs machine learning”.  It does not explain how the learner is implemented (whether in software or hardware), or if it is computer implemented software, the acts (logic/code) necessary to create such a learner.  Although the Applicant has explained the recited function, the Applicant has not stated what structure, materials, or acts will perform the recited function, and so Applicant’s argument is not persuasive.  
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder (an obtainer, a specifier, a calculator, a determiner, a learner and an information generator) that is coupled with functional language (that obtains, that specifies, that calculates, that determines, that creates, that generates) without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations include: an obtainer that obtains… (claim 1, ln. 4); a specifier that (further) specifies … (claim 1, ln. 7-9; claim 2, ln. 5-6; claim 4, ln. 6-7; claim 5, ln. 7-8; claim 6, ln. 6-7; claim 9, ln. 6-7; claim 10, ln. 7-8; and claim 11, ln. 6-7); a calculator that calculates … (claim 1, ln. 10-12; claim 2, ln. 7-10; claim 4, ln. 8-11; claim 5, ln. 9-11; claim 6, ln. 8-12; claim 7, ln. 3-4; claim 9, ln. 8-10; claim 10, ln. 9-11; and claim 11, ln. 8-11); a determiner that (further) determines … (claim 1, ln. 15-16; and claim 3, ln. 3-6); a learner that creates … (claim 8, ln. 3-4); and an information generator that generates… (claim 8, ln. 5-7).
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.  For example, para. 0123 “each component may be realized by a program executer such as a CPU (Central Processor)”.  Fig. 7 is a flowchart/algorithm for the determination processor for the determiner as to how an unauthorized communication is determined to be normal or unauthorized.  An obtainer, specifier, calculator, and information generator are disclosed by the processor as the functions of obtaining, specifying, calculating, and generating information are ‘coextensive’ with a processor.  See MPEP 2181, Section II.B.   However, the specification is silent as to the corresponding structure of the learner.  The specification is replete with “what” the learner is creating (for example, para. 0086 “learner 270 creates a normal model for creating the abnormal degree by performing machine learning using the operation information obtained in advance”).  However, this simply restates the functions claimed, and is not an algorithm.  For example, it is unclear how the learner performs machine learning (creates a model).  As a comparison, see the algorithm disclosed by the determination process on Fig. 7, which clearly lists the criteria for the determination process.  
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 8 is rejected under 35 U.S.C. 112(b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 8 recites the limitation “a learner that creates the normal model by performing machine learning using operation information obtained in advance” (claim 8, ln. 3-4). This limitation invokes 35 U.S.C. 112(f).  However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is silent as to the corresponding structure of each of the modules recited in the claims.  For example, para. 0086 describes “learner 270 creates a normal model for creating the abnormal degree by performing machine learning using the operation information obtained in advance”.  However, this is a general implementation of the claim that is devoid of any structure that performs the function in the claim.  Therefore, claim 8 is indefinite and is rejected under 35 U.S.C. 112(b).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 9, and 11-16 are rejected under 35 U.S.C. 103 as being unpatentable over Konashi et al. (US Pub. 2021/0026343) (hereinafter “Konashi”) in view of Endoh et al. (US Pub. 2013/0212681) (hereinafter “Endoh”) and in view of Yunoki et al. (US Pub. 2016/0085237) (hereinafter “Yunoki”).

As per claim 1, Konashi teaches an unauthorized communication detection device that detects an unauthorized communication ([Konashi, para. 0031] “the anomaly detection device monitors a communication pattern of one or more communication packets transmitted…” [an unauthorized communication detection device] “and detects anomaly of the communication pattern” [an unauthorized communication]) in a manufacturing system that manufactures products, ([para. 0027; Fig. 1] the anomaly detection device is implemented in a manufacturing system that for example, manufactures chemicals [a product]) the unauthorized communication detection device comprising: an obtainer that obtains operation information of the manufacturing system; ([para. 0047; Fig. 2] “The acquisition unit 201 acquires communication packets transmitted by the control network”; [operating information])
a storage that stores element information indicating one or more permitted elements among a plurality of elements ([Konashi, para. 0047; Fig. 2] “The storage unit 204 stores a model created by the packet learning unit 202 …  or the like”; [para. 0044] “The packet learning unit 202 creates a model in which a system state and a normal [permitted] characteristic of a communication pattern [one or more target elements among a plurality of elements] are associated with each other”; a whitelist indicating one or more permitted elements is taught by Yunoki below) related to manufacturing of the products.  ([Para. 0027; Fig. 2] the anomaly detection device and storage unit are implemented in a manufacturing system that manufactures products, and so is related to manufacturing of the products)
a specifier that specifies, an element ([Konashi, para. 0065] “characteristic extraction unit 401 [specifier] selects [specifies] one type to be focused on (focused pattern type) [an element] from the pattern type list”) corresponding to each of a plurality of communications performed in the manufacturing system, ([para. 0031] “a communication pattern of one or more communication packets transmitted between the engineering station 101, the HIM 102, the DCS  103, the PLC 104 [a plurality of communications performed in the manufacturing system] … Herein, the communication pattern is formed of a single communication packet” [to each of the plurality of communications]) based on the operation information; ([para. 0052] “a characteristic of a communication pattern … may be … based on a command [operation information] included in a communication pattern”)
one or more communications, ([Konashi, para. 0071] “the acquisition unit 201 acquires information on a current communication pattern”) which satisfy that the element specified by the specifier is included in the one or more permitted elements indicated by the element information, among the plurality of communications; ([para. 0072] “the detection unit 205 calculates the… each type of the communication pattern as a characteristic of the communication pattern” [one or more target elements indicated by the element information] … “detection unit 205 determines whether or not the calculated characteristic matches [is included] a normal [permitted] characteristic [element specified by the specifier]”.  [para. 0032] a normal characteristic is associated with an authorized [permitted] communication.  A calculator that calculates an abnormal degree of each of one or more communications is taught by Endoh below.  Permitted elements indicated by the whitelist is taught by Yunoki below)
Konashi does not teach a calculator that calculates an abnormal degree of each of one or more communications; and a determiner that determines that, when the abnormal degree calculated by the calculator is larger than a threshold value, a communication corresponding to the abnormal degree is the unauthorized communication; and a whitelist indicating one or more permitted elements.
However, Endoh teaches a calculator that calculates an abnormal degree of each of one or more communications; and ([Endoh, para. 0059] “the influence degree prediction processing unit 212 [calculator] calculates a degree of similarity [abnormal degree] which indicates how many event patterns are matched with the corresponding communication event information 150 [one or more communications – see para. 0044] among m pieces of the event patterns”)
a determiner that determines that, when the abnormal degree calculated by the calculator is larger than a threshold value, a communication corresponding to the abnormal degree is the unauthorized communication. ([Endoh, para. 0059] a component [determiner] “evaluates [determines] that the communication packets [communication corresponding] are the unauthorized access [unauthorized communication] by the event pattern 200A, when the calculated degree of similarity [the abnormal degree calculated by the calculator] exceeds [is larger than] a predetermined threshold value”; [para. 0125] the operation command apparatus is configured with the function to determine)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi with the teachings of Endoh to include a calculator that calculates an abnormal degree of each of one or more communications; and a determiner that determines that, when the abnormal degree calculated by the calculator is larger than a threshold value, a communication corresponding to the abnormal degree is the unauthorized communication.  One of ordinary skill in the art would have been motivated to make this modification because calculating an abnormal degree, and using a predetermined threshold value allows the normal operation of the control system to be not interrupted by the erroneous detection.  (Endoh, para. 0012)
Konashi in view of Endoh does not clearly teach a whitelist indicating one or more permitted elements.
However, Yunoki teaches a whitelist indicating one or more permitted elements.  ([Yunoki, para. 0050; Fig. 5] “the abnormality determination unit 405 refers to the database 407 to check the list [whitelist] of the normal patterns [permitted elements]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi in view of Endoh with the teachings of Yunoki to include a whitelist indicating one or more permitted elements.  One of ordinary skill in the art would have been motivated to make this modification because with a whitelist, when a communication that is appropriate [whitelisted permitted element] is not performed an abnormality of a system is detected, thereby a control network with high availability and reliability (higher availability and reliability than calculating an abnormal degree or specifying an element without a whitelist) can be provided.  (Yunoki, para. 0061)

As per claim 2, Konashi in view of Endoh and in view of Yunoki teaches claim 1.  
Konashi also teaches wherein the element information includes permitted communication information indicating one or more permitted communications ([Konashi, para. 0032] communications with abnormal communication packets are unauthorized, and communications with normal characteristics are permitted communication; normal characteristics are element information – see para. 0044; wherein the whitelist includes permitted communication information is taught by Yunoki below) as the one or more target elements, ([para. 0063] The characteristic extraction unit 401 calculates a normal characteristic of a focused pattern type) 
the element specified by the specifier is a communication itself ([para. 0064] “as the pattern type, a type of a command such as “read”, “write”, [read and write commands are, itself, communication packets] or the like is acquired”) of each of the plurality of communications, ([para. 0031] “a communication pattern of one or more communication packets transmitted”) based on the operation information, and ([para. 0052] “a characteristic of a communication pattern … may be  … based on a command [operation information] included in a communication pattern”)
satisfy that the communication specified by the specifier is included in the one or more permitted communications indicated by the permitted communication information, among the plurality of communications. ([Konashi, para. 0072] “the detection unit 205 calculates the… each type of the communication pattern as a characteristic of the communication pattern” [a normal characteristic that is a permitted communication – see para. 0063] … “detection unit 205 determines whether or not the calculated characteristic matches [is included] a normal characteristic [indicated by the permitted communicated]”. The calculator calculates the abnormal degree of each of one or more communications is taught by Endoh below)
Konashi does not teach the calculator calculates the abnormal degree of each of the one or more communications; and wherein the whitelist includes permitted communication information.  
However, Endoh teaches the calculator calculates the abnormal degree of each of the one or more communications. ([Endoh, para. 0059] “the influence degree prediction processing unit 212 [calculator] calculates a degree of similarity [abnormal degree] which indicates how many event patterns are matched with the corresponding communication event information 150 [one or more communications – see para. 0044] among m pieces of the event patterns”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Konashi and Endoh for the same reasons as disclosed above.  
Konashi in view of Endoh does not clearly teach wherein the whitelist includes permitted communication information.
However, Yunoki teaches wherein the whitelist includes permitted communication information.  ([Yunoki, para. 0043; Fig. 5] “the abnormality determination unit 405 refers to the database 407 to check the list [whitelist] of the normal patterns of communication [permitted communication information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi in view of Endoh with the teachings of Yunoki to include a whitelist indicating one or more permitted elements.  One of ordinary skill in the art would have been motivated to make this modification because with a whitelist, when a communication that is appropriate [whitelisted permitted communication information] is not performed an abnormality of a system is detected, thereby a control network with high availability and reliability (higher availability and reliability than calculating an abnormal degree or specifying an element without a whitelist) can be provided.  (Yunoki, para. 0061)

As per claim 3, Konashi in view of Endoh and in view of Yunoki teaches claim 2.  
Konashi also teaches wherein the determiner further determines that one or more non-white communications, ([Konashi, para. 0002] “stores in advance a normal communication pattern [a white list] and detects, as an anomaly, a communication that does not match the normal communication pattern” [non-white communication]) which do not satisfy that the communication specified by the specifier ([para. 0072] “The detection unit 205 [determiner] determines whether or not [do not] the calculated characteristic [one or more communications] matches [satisfy] a normal characteristic [communication specified by the specifier]”) is included in the one or more permitted communications indicated by the permitted communication information, ([para. 0004] in an industrial control system … there may be [is included] a wide variety of normal communication patterns [one or more permitted communications indicated by the permitted communication pattern]) among the plurality of communications, are the unauthorized communications.  ([para. 0073] “if it is determined that there is no matching to the normal characteristic … the detection unit 205 detects that one or more communication packets [among the plurality of communications] of an abnormal communication pattern [are the unauthorized communications]”) without calculating the abnormal degree for the one or more non-white communications.  ([para. 0002] Patent Literature 1 discloses storing in advance a normal communication, and then comparing the normal communication, which would find an anomaly without calculating the abnormal degree for the anomaly)

As per claim 4, Konashi in view of Endoh and in view of Yunoki teaches claim 2.  
Konashi also teaches wherein the element information further includes an equipment state ([Konashi, para. 0044] a system state of a communication [equipment state information] is element information; whitelist further includes an equipment state whitelist is taught by Yunoki below) indicating one or more permitted equipment states among a plurality of equipment states that the manufacturing system ([para. 0040] “sensor data and actuator data indicate states of measurement … in a plurality of field apparatuses 109 [a plurality of equipment states] installed [permitted] in a plant system [the manufacturing system]… the anomaly detection device 105 analyzes the state of the field apparatuses 109 [plurality of equipment states] and thereby can recognize a detailed system state of a plant system”) is capable of taking as the one or more permitted elements, ([para. 0075] “If it is determined that the process data corresponds to the classified class [a normal system state – see para. 0050], the state determination unit 302 outputs a system state corresponding [capable of taking as the one or more permitted elements/normal system states]”)
the specifier further specifies, as the element, an equipment state ([para. 0066] “the characteristic extraction unit 401 [specifier] selects [specifies] one state [an equipment state] to be focused on”) at a time when each of the plurality of communications is performed, ([para. 0064] “the characteristic extraction unit 401 acquires all the pattern types included in a communication pattern” [communication pattern is a sequence of communication packets of the manufacturing system – see para. 0044]) based on the operation information, and ([para. 0052] “based on a command included in a communication pattern”)
further satisfy that the equipment state ([Konashi, para. 0073] “it is determined that there is no [or that there is a] corresponding system state [satisfy the system state] in the state determination process”) specified by the specifier is included in the one or more permitted states indicated by the equipment state information, ([para. 0066] “the characteristic extraction unit 401 [specifier] selects [specifies] one state [one or more permitted equipment states – see para. 0040] to be focused on from the system state list” [indicated by the equipment state information]; one or more permitted states indicated by the equipment state is taught by Yunoki below) is among the plurality of communications. ([Para. 0071] the determination unit 203 determines a system state of a plant system from the acquired process data [the plurality of communications]. The calculator calculates the abnormal degree of each of one or more communications is taught by Endoh below)
Konashi does not teach the calculator calculates the abnormal degree of each of one or more communications; and wherein the whitelist further includes an equipment state whitelist, and one or more permitted states indicated by the equipment state whitelist.  
However, Endoh teaches the calculator calculates the abnormal degree of each of one or more communications. ([Endoh, para. 0059] “the influence degree prediction processing unit 212 [calculator] calculates a degree of similarity [abnormal degree] which indicates how many event patterns are matched with the corresponding communication event information 150 [one or more communications – see para. 0044] among m pieces of the event patterns”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Konashi and Endoh for the same reasons as disclosed above.  
Konashi in view of Endoh does not clearly teach wherein the whitelist further includes an equipment state whitelist, and one or more permitted states indicated by the equipment state whitelist.  
However, Yunoki teaches wherein the whitelist further includes an equipment state whitelist, and ([Yunoki, para. 0050; Fig. 5] “the abnormal determination unit 405 refers to the database 407 to check the list [whitelist] of the normal patterns of communication 502 corresponding to the current system state 50”; [para. 0041] “the system state defines a state of a group of devices [equipment state] forming the control system as a whole”)
one or more permitted states indicated by the equipment state whitelist.  ([Yunoki, para. 0040; Fig. 5] “The database 407 [equipment whitelist, as the database stores the list] shows correspondences [indicates] between system states and normal patterns [permitted states]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi in view of Endoh with the teachings of Yunoki to include wherein the whitelist further includes an equipment state whitelist, and one or more permitted states indicated by the equipment state whitelist.    One of ordinary skill in the art would have been motivated to make this modification because with a whitelist, when a communication appropriate for a current system state [whitelisted permitted system state] is not performed an abnormality of a system is detected, thereby a control network with high availability and reliability (higher availability and reliability than calculating an abnormal degree or specifying an element without a whitelist) can be provided.  (Yunoki, para. 0061)

As per claim 6, Konashi in view of Endoh and in view of Yunoki teaches claim 2.  
Konashi also teaches wherein the element information further includes a configuration information indicating one or more permitted equipment configurations among a plurality of equipment configurations of the manufacturing system as ([Konashi, para. 0082] “a command for changing a setting value [one or more equipment configurations] is supplied from an attacker”; [para. 0040] “sensor data and actuator data indicate … settings [a plurality of equipment configurations] in a plurality of field apparatuses 109 installed in a plant system”; “sensor data and actuator data being collectively referred to as ‘process data’”; [para. 0083] sets of process data [settings/equipment configurations] are collected from an apparatus installed and so are permitted equipment configurations; wherein the whitelist further includes a configuration whitelist indicating one or more permitted equipment configurations is taught by Yunoki below) the one or more permitted elements, ([para. 0075] “If it is determined that the process data [equipment configuration] corresponds to the classified class [a normal setting of the field apparatus – see para. 0045], the state determination unit 302 outputs a system state corresponding [the one or more permitted elements/normal setting]”)
 the specifier further specifies, as the element, an equipment configuration ([para. 0066] “the characteristic extraction unit 401 [specifier] selects [specifies] one state [setting value/equipment configuration] to be focused on”) at a time when each of the plurality of communications is performed, ([para. 0064] “the characteristic extraction unit 401 acquires all the pattern types included in a communication pattern” [communication pattern is a sequence of communication packets of the manufacturing system – see para. 0044]) based on the operation information, and ([para. 0052] “based on a command included in a communication pattern”)
further satisfy that the equipment configuration ([Konashi, para. 0073] “On the other hand, if it is determined that there is a matching [is capable of taking] to the normal characteristic [satisfy]”) specified by the specifier is included in the one or more permitted equipment configurations indicated by the configuration information, ([para. 0066] “the characteristic extraction unit 401 [specifier] selects [specifies] one state [one or more permitted/installed equipment configurations/setting values] to be focused on from the system state list” [indicated by the configuration/setting information]; one or more permitted equipment configurations indicated by the configuration whitelist is taught by Yunoki below) among the plurality of communications.  ([para. 0045] “The determination unit 203 may be configured to acquire process data [system state] from a payload of a communication packet” [a plurality of communications as per para. 0044])
Konashi does not teach the calculator calculates the abnormal degree of each of one or more communications; and wherein the whitelist further includes a configuration whitelist indicating one or more permitted equipment configurations.  
However, Endoh teaches the calculator calculates the abnormal degree of each of one or more communications. ([Endoh, para. 0059] “the influence degree prediction processing unit 212 [calculator] calculates a degree of similarity [abnormal degree] which indicates how many event patterns are matched with the corresponding communication event information 150 [one or more communications – see para. 0044] among m pieces of the event patterns”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Konashi and Endoh for the same reasons as disclosed above.  
Konashi in view of Endoh does not clearly teach wherein the whitelist further includes a configuration whitelist indicating one or more permitted equipment configurations.  
However, Yunoki teaches wherein the whitelist further includes a configuration whitelist ([Yunoki, para. 0050; Fig. 5] “the abnormal determination unit 405 refers to the database 407 to check the list [whitelist] of the normal patterns of communication 502 corresponding to the current system state 50”; [para. 0041] “examples of the system state 501 include … setting mode 504 … indicates a state in which a target of power generation [a setting] is set … from the MES [manufacturing execution system]”) indicating one or more permitted equipment configurations.  ([para. 0040; Fig. 5] “The database 407 [setting whitelist, as the database stores the list that includes the configuration] shows correspondences [indicates] between system states and normal patterns [permitted configurations]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Konashi, Endoh and Yunoki for the same reasons as disclosed above.  

As per claim 9, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 11, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

As per claim 12, Konashi in view of Endoh and in view of Yunoki teaches claim 1. 
Konashi also teaches a manufacturing system that manufactures products, the manufacturing system comprising: manufacturing equipment; and ([Konashi, para. 0027; Fig. 1] the system includes engineering station 101)
the unauthorized communication detection device. ([Konashi, para. 0027; Fig. 1] the anomaly detection device is implemented in a manufacturing system that for example, manufactures chemicals [a product])

As per claim 13, Konashi teaches an unauthorized communication detection method ([Konashi, para. 0086] embodiments include a method that causes the configuration of each of the example embodiments) in which unauthorized communication in a manufacturing system that manufactures products is detected, ([para. 0031] “detects anomaly of the communication pattern” [an unauthorized communication is detected]; [para. 0027; Fig. 1] the method is implemented in a manufacturing system that for example, manufactures chemicals [a product]) the unauthorized communication detection method comprising: obtaining operation information of the manufacturing system; ([para. 0047; Fig. 2] “The acquisition unit 201 acquires communication packets transmitted by the control network”; [operating information])
reading element information indicating one or more permitted elements among a plurality of elements ([Konashi, para. 0047; Fig. 2] “The storage unit 204 stores [and the determination unit reads/uses – see para. 0072: “the determination unit… uses a model stored in storage unit 204”] a model created by the packet learning unit 202 …  or the like”; [para. 0044] “The packet learning unit 202 creates a model in which a system state and a normal [permitted] characteristic of a communication pattern [one or more target elements among a plurality of elements] are associated with each other”; a whitelist indicating one or more permitted elements is taught by Yunoki below) related to manufacturing of the products out of a storage; ([Para. 0027; Fig. 2] the anomaly detection device and storage unit are implemented in a manufacturing system that manufactures products, and so is related to manufacturing of the products)
specifying, ([Konashi, para. 0065] “characteristic extraction unit 401 selects [specifies] one type to be focused on from the pattern type list”) for each of a plurality of communications performed in the manufacturing system, ([para. 0064] “the characteristic extraction unit 401 acquires all the pattern types included in a communication pattern” [communication pattern is a sequence of communication packets of the manufacturing system – see para. 0044]) an element corresponding to the communication, ([para. 0052] “a characteristic of a communication pattern”) based on the operation information; and ([para. 0052] “based on a command included in a communication pattern”)
one or more communications, ([Konashi, para. 0071] “the acquisition unit 201 acquires information on a current communication pattern”) which satisfy that the element specified is included in one or more target elements indicated by the element information, among the plurality of communications; and ([para. 0072] “the detection unit 205 calculates the… each type of the communication pattern as a characteristic of the communication pattern” [one or more target elements indicated by the element information] … “detection unit 205 determines whether or not the calculated characteristic matches [is included] a normal characteristic [element specified by the specifier]”.  Calculating an abnormal degree of each of one or more communications is taught by Endoh below)
Konashi does not teach calculating an abnormal degree of each of one or more communications; and determining that a communication corresponding to the abnormal degree is the unauthorized communication when the abnormal degree calculated exceeds a threshold value; and a whitelist indicating one or more permitted elements.
However, Endoh teaches calculating an abnormal degree of each of one or more communications; and ([Endoh, para. 0059] “the influence degree prediction processing unit 212 calculates a degree of similarity [abnormal degree] which indicates how many event patterns are matched with the corresponding communication event information 150 [one or more communications – see para. 0044] among m pieces of the event patterns”)
determining that a communication corresponding to the abnormal degree is the unauthorized communication when the abnormal degree calculated exceeds a threshold value.  ([Endoh, para. 0059] a component “evaluates [determines] that the communication packets [communication corresponding] are the unauthorized access [unauthorized communication] by the event pattern 200A, when the calculated degree of similarity [the abnormal degree calculated by the calculator] exceeds [is larger than] a predetermined threshold value”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi with the teachings of Endoh to include calculating an abnormal degree of each of one or more communications; and determining that a communication corresponding to the abnormal degree is the unauthorized communication when the abnormal degree calculated exceeds a threshold value.  One of ordinary skill in the art would have been motivated to make this modification because calculating an abnormal degree, and using a predetermined threshold value allows the normal operation of the control system to be not interrupted by the erroneous detection.  (Endoh, para. 0012)
Konashi in view of Endoh does not clearly teach a whitelist indicating one or more permitted elements.
However, Yunoki teaches a whitelist indicating one or more permitted elements.  ([Yunoki, para. 0050; Fig. 5] “the abnormality determination unit 405 refers to the database 407 to check the list [whitelist] of the normal patterns [permitted elements]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi in view of Endoh with the teachings of Yunoki to include a whitelist indicating one or more permitted elements.  One of ordinary skill in the art would have been motivated to make this modification because with a whitelist, when a communication that is appropriate [whitelisted permitted element] is not performed an abnormality of a system is detected, thereby a control network with high availability and reliability (higher availability and reliability than calculating an abnormal degree or specifying an element without a whitelist) can be provided.  (Yunoki, para. 0061)

As for claim 14, Konashi in view of Endoh and in view of Yunoki teaches claim 13.  
Konashi also teaches a non-transitory computer-readable recording medium having recorded thereon a program for causing a computer to execute the unauthorized communication detection method.  ([Konashi, para. 0086] “example embodiments includes a processing method that stores, in a storage medium, a program … and executes the program”)

As per claim 15, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 16, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

Claims 5 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Konashi in view of Endoh and in view of Yunoki as applied to claim 2 above, and further in view of Yamada et al. (US Pub. 2016/0011589) (hereinafter “Yamada”) and further in view of Koniki et al. (US Pub. 2018/0241719) (hereinafter “Koniki”)

Konashi in view of Endoh and in view of Yunoki teaches claim 5.  
Konashi also teaches the specifier further specifies, at a time when each of the plurality of communications is performed, ([Konashi, para. 0064] “the characteristic extraction unit 401 acquires all the pattern types included in a communication pattern” [communication pattern is a sequence of communication packets of the manufacturing system – see para. 0044]) based on the operation information.  ([Para. 0052] “based on a command included in a communication pattern”)
Konashi does not teach wherein the manufacturing system manufactures a plurality of the products which are of different types, the element information further includes type information indicating one or more types of the plurality of products as the one or more target elements, the specifier further specifies, as the element, a type of products manufactured; and the calculator calculates the abnormal degree of each of one or more communications, among the plurality of communications one or more communications which further satisfy that the type specified by the specifier is included in the one or more types indicated by the type information; and the whitelist further includes a type information indicating one or more permitted types of the plurality of products as the one or more permitted elements.  
However, Endoh teaches the calculator calculates the abnormal degree of each of one or more communications, among the plurality of communications.  ([Endoh, para. 0059] “the influence degree prediction processing unit 212 [calculator] calculates a degree of similarity [abnormal degree] which indicates how many event patterns are matched with the corresponding communication event information 150 [one or more communications – see para. 0044] among m pieces of the event patterns”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Konashi and Endoh for the same reasons as disclosed above.  
Konashi in view of Endoh does not teach wherein the manufacturing system manufactures a plurality of the products which are of different types, the element information further includes type information indicating one or more types of the plurality of products as the one or more target elements, the specifier further specifies, as the element, a type of products manufactured; and one or more communications which further satisfy that the type specified by the specifier is included in the one or more types indicated by the type information; and the whitelist further includes a type information indicating one or more permitted types of the plurality of products as the one or more permitted elements.  
However, Yamada teaches wherein the manufacturing system manufactures a plurality of the products which are of different types, ([Yamada, para. 0027; Fig. 1] the manufacturing support system 10 … supports… a manufacturing process for an electronic device such as a semiconductor device [a product]; [para. 0051] a plurality of production plan data are stored … concerning a type [different types as there are a plurality of production plans] of a semiconductor device [a plurality of semiconductor devices as there are a plurality of production plans]) 
the specifier further specifies, as the element, a type of products manufactured; and ([Yamada, para. 0028] specific information [the element] for specifying a target semiconductor device [a type of products] to the manufacturing supporting apparatus 20 via the client terminal 30 [the specifier])
one or more communications which further satisfy that the type specified by the specifier ([Yamada, para. 0081] acquiring unit 53 reads out, from the knowledge DB 43, improvement history data [one or more communications] corresponding [satisfy] to a target semiconductor device [type specified by the specifier]) is included in the one or more types indicated by the type information.  ([para. 0028] the target semiconductor device included in the improvement history data [one or more types] is as indicated by the type information)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi and Endoh with the teachings of Yamada to include wherein the manufacturing system manufactures a plurality of the products which are of different types, the element information further includes type information indicating one or more types of the plurality of products as the one or more target elements, the specifier further specifies, as the element, a type of products manufactured; and one or more communications which further satisfy that the type specified by the specifier is included in the one or more types indicated by the type information.  One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of suppressing occurrence of calculation mistakes and the like (i.e. related to manufacturing of different types of semiconductor products).  (Yamada, para. 0159)
Konashi in view of Endoh and Yamada does not clearly teach the whitelist further includes a type information indicating one or more permitted types of the plurality of products as the one or more permitted elements.  
However, Koniki teaches the whitelist further includes a type information indicating one or more permitted types of the plurality of products as the one or more permitted elements.  ([Koniki, para. 0022] “a whitelist configuration/rules module 200b implements whitelisting, which as described above means accepting [permitted] only known device types [a type information as the one or more permitted elements]”; [para. 0019] “The field device firewall has a stored list of known device types … e.g. device manufacturer id …” [type of the plurality of products, as the manufacturer produces the device/product])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi, Endoh and Yamada with the teachings of Koniki to include the whitelist further includes a type information indicating one or more permitted types of the plurality of products as the one or more permitted elements.  One of ordinary skill in the art would have been motivated to make this modification because security is not built into communications in industrial plant protocols, and the vulnerabilities may be based on vendor specific information (the type whitelist), where the whitelist can prevent misuse of the product.  (Yamada, para. 0016; para. 0019)

As per claim 10, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Konashi in view of Endoh and in view of Yunoki as applied to claim 2 above, and further in view of Nakae et al. (US Pub. 2004/0172557) (hereinafter “Nakae”).

As per claim 7, Konashi in view of Endoh and in view of Yunoki teaches claim 2.  
Konashi teaches a normal model of communication performed by the manufacturing system.  ([Konashi, para. 0002] “in an industrial control system… an anomaly detection device stores in advance a normal communication pattern [a normal model of communication] between apparatuses [performed by the manufacturing system]”)
Konashi in view of Endoh does not teach wherein the calculator calculates an outlier from a normal model of communication performed as the abnormal degree.
However, Nakae teaches wherein the calculator ([Nakae, para. 0185] “an outlier degree calculator”) calculates an outlier ([para. 0185] “calculates a ‘score value’… represents the possibility of being irregular [an outlier]”) from a normal model of communication ([para. 0185] the inverse number of a score value is considered to be the confidence level [normal model] for the input IP packet [communication]) as the abnormal degree.  ([para. 0185] “calculates a ‘score value’” [the abnormal degree])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi in view of Endoh and Yunoki  with the teachings of Nakae to include wherein the calculator calculates an outlier from a normal model of communication performed by the manufacturing system as the abnormal degree.  One of ordinary skill in the art would have been motivated to make this modification because the outlier degree calculation allows detection of attacks “in terms of probability”, which cannot be detected or predicted by the “crisp” evaluation method of confidence.  Therefore, the effective defense against unknown attacks that may occur in the future is possible.  (Nakae, para. 0186)

As per claim 8, Konashi in view of Endoh and in view of Yunoki and further in view of Nakae teaches claim 7.  
Konashi also teaches a learner that creates the normal model ([Konashi, para. 0068] “the model creation unit [a learner] creates a model by associated a normal characteristic [a normal model]”) by performing machine learning using operation information obtained in advance; and ([para. 0042] “the anomaly detection device performs learning [machine learning] in advance [obtained in advance] based on a communication packet and process data [operation information]”)
an information generator that generates information ([Konashi, para. 0049] “the state learning unit [information generator] extracts [generates] a feature amount [information]”) indicating one or more elements corresponding to each of a plurality of communications included in operation information ([para. 0049] the state learning unit 301 then classifies the process data [each of a plurality of communications included in operation information – see para. 0043: “the acquisition unit 201 may acquire process data from a payload of the communication packet”] into a plurality of classes of system states [indicating one or more elements corresponding to communications – see para. 0044]) targeted for the machine learning ([para. 0049] the state learning machine generates the feature amount during machine learning) as the one or more target elements as the element information. ([para. 0063; para. 0066] system states classified [element information] by the state learning machine are used in the characteristic extraction unit to create a list of system states used to select a focused system state [one or more target elements])
Konashi in view of Endoh and further in view of Nakae does not clearly teach operation information targeted for the machine learning as the one or more target elements as the whitelist.  
However, Yunoki teaches operation information targeted for the machine learning as the one or more target elements as the whitelist.  ([Yunoki, Fig. 14] a pattern of communication [operation data from operation logs see para. 0043] is targeted for machine learning as the one or more target elements to create the database [whitelist]) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Konashi in view of Endoh and further in view of Nakae with the teachings of Yunoki to include information targeted for the machine learning as the one or more target elements as the whitelist.  One of ordinary skill in the art would have been motivated to make this modification because by this way the database [whitelist] is created automatically, thereby eliminating the necessity of manual creation of the database.  (Yunoki, para. 0068)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Bush et al. (US Pub. 2017/0214717) discloses a model-based industrial security policy and a whitelist on a firewall to permit secure communication between the devices, where the whitelists explicitly define which devices are permitted to exchange data with a given asset.  
Simkin et al. (US Pub. 2019/0318029) discloses adding a category of products to a whitelist.  
Eager et al. (US Pub. 2017/0011409) discloses a whitelist for a category of products where if a communication protection system determines that the type of product is not on a whitelist, a notification is sent to the manufacturer of the monitored product.   
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/Z.L./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493