DETAILED ACTION
This Office Action is a first Office Action on the merits of the application. Claims 1 - 11 are presented for examination. Claims 1 - 11 are rejected.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings Objection
The drawings are objected to because the elements in FIG. 2 are blurry and difficult to read. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Objections
Claim 5 is objected to because of the following informalities: Claim 5 recites “a P&ID file”, but it is recommended that the phrase recite “a P&ID (process and instrumentation diagram) file”, to correspond to the recitation indicated in the specification. Appropriate correction is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1 - 3 and 6 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Feng et al (“A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems”), hereinafter “Feng”.
As per claim 1, Feng discloses:
a computerized method for automatically generating an anomaly detection system for a cyber-physical system comprising a set of computer devices communicative with a set of control components for controlling a set of physical processes (Feng, page 2, right column, lines 3 - 10 discloses an industrial control system (ICS) to obtain invariant rules to detect anomalies, including systematically generating invariant rules from data logs using machine learning and data mining from the process performed by the ICS.)
the method comprising obtaining a directed graph based on a system design of the cyber-physical system, the directed graph comprising a set of nodes representing the control components and a set of edges representing component connections between the control components (Feng, page 3, right column, lines 40 - 43 discloses a design graph for a water distribution system, with nodes indicating components, including a tank, pump, level indicator transmitter, and lines connecting the nodes, providing a connection for each component.)
traversing the directed graph to determine one or more sets of associated control components from the nodes and edges based on predefined parameters of the cyber-physical system (Feng, page 3, right column, lines 48 - 53 discloses flow of the labeled connections between the components, for instance, the flow of water from the pump to the valve and the flow from the pump to the tank, and page 3, right column, lines 57 - 58, through page 4, left column, lines 1 - 3 provide conditions regarding the invariant rules (page 3, rt col, ln 33 - 37) for the water levels measured by the sensors being high or low.)
deriving a set of invariants for each set of associated control components based on a set of physical and/or chemical properties governing the respective associated control components (Feng, page 3, right column, lines 40 - 42 discloses deriving invariant rules according to the industrial control systems (ICS) design shown in FIG. 2, and page 3, right column, lines 57 - 58 through page 4, left column, lines 1 - 7 adds invariant rules derived from the design graph, in which the flow rate of water in the tank from the pump and valve is based on the sensors indicating water level, and the position of the pump (ON, OFF) and valve (OPEN, CLOSED), with the flow rate of water interpreted as a form of physical properties.)
configuring the invariants as an invariant computer program executable on the computer devices as the anomaly detection system (Feng, page 6, right column, lines 35 - 41 discloses obtaining sets of data from sensor readings and actuator states of the ICS, converting the data into an itemset, and determining the invariant rules from the itemset for detecting anomalies in the system.)
the invariants defining a set of conditions for detecting anomalies of the physical processes being controlled by the control components (Feng, page 3, right column, lines 33 - 39 discloses conditions defining the invariant rules, including pressure, temperature readings, PH levels, and liquid levels, with the rules used to detect differences from normal operations of a system, and page 3, right column, lines 53 - 58 through page 4, left column, lines 1 - 3 adds water levels controlled by sensor measurements, level indicator transmitters, pumps and valves.)
wherein upon execution of the invariant computer program, the anomalies are detectable in response to determining that measurements from the control components have violated the invariant conditions (Feng, page 11, right column, lines 22 - 31 discloses a water treatment plant testbed, with sensors and actuators used to control the process, with measurements of conditions, including pH, conductivity, obtained to ensure the quality of water is acceptable, page 12, right column, lines 34 - 37 discloses capturing the invariant rules using a data-driven approach to detect anomalies, and page 12, right column, lines 52 - 55 adds using an invariant rule-based model to detect attacks due to deviation of collected sensor data indicating a violation of the invariant rules.)
For claim 2: The prior art of Feng discloses claim 2: The method according to claim 1, wherein the control components comprise
at least one sensor and/or at least one actuator (Feng, page 2, right column, lines 3 - 4 discloses using an industrial control system and invariant rules for detecting anomalies, and page 2, right column, lines 51 - 55 adds subsystems and devices for the ICS, including sensors and actuators, also shown in FIG. 1.)
For claim 3: The prior art of Feng discloses claim 3: The method according to claim 1, further comprising
generating the directed graph based on the system design (Feng, page 3, right column, lines 40 - 43 discloses using the industrial control system to obtain a design graph, depicting a water distribution system, shown in FIG. 2.)
For claim 6: The prior art of Feng discloses claim 6: The method according to claim 1, further comprising
classifying each control component represented in the directed graph by operational type, wherein the control components are associated by their operational type (Feng, page 3, right column, lines 42 - 45 discloses the design graph representing the industrial control system for a water distribution system, with elements in the graph representing sensors, a water tank, valve actuators, and a pump actuator.)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Feng et al (“A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems”), and further in view of Umer et al. (WO 2019083444 A1), hereinafter “Umer”.
As per claim 4, the prior art of Feng discloses the method of claim 3.
The prior art of Feng does not expressly disclose:
further comprising retrieving an electronic file representing the system design.
Umer however discloses:
further comprising retrieving an electronic file representing the system design (Umer, page 6, lines 18 - 23 discloses designing a SWaT (secure water treatment) system to derive design invariants, in the form of a P&ID (Process and Instrumentation Diagram).)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the invariant rules and anomaly detection of an industrial control system (ICS) teaching of Feng with the invariants derived from physical specification of plant components or physics of water flow and detecting anomalies during a cyber-attack teaching of Umer. The motivation to do so would have been because Umer discloses the benefit of generating operational invariants, in which large datasets can be reduced to remove features of lower significance, with most relevant invariants from the remaining, limited features considered (Umer, page 12, lines 15 - 18).
For claim 5: The combination of Feng and Umer discloses claim 5: The method according to claim 4, wherein
the electronic file is a CAD file or a P&ID file (Umer, page 6, lines 19 - 23 discloses the SWaT (secure water treatment) system designed and a P&ID (Process and Instrumentation Diagram) version of the design used as input.)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the invariant rules and anomaly detection of an industrial control system (ICS) teaching of Feng with the invariants derived from physical specification of plant components or physics of water flow and detecting anomalies during a cyber-attack teaching of Umer, and the additional teaching of the Process and Instrumentation Diagram version of a design, also found in Umer. The motivation to do so would have been because Umer discloses the benefit of generating operational invariants, in which large datasets can be reduced to remove features of lower significance, with most relevant invariants from the remaining, limited features considered (Umer, page 12, lines 15 - 18).
Claims 7 - 9 are rejected under 35 U.S.C. 103 as being unpatentable over Feng et al (“A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems”), and further in view of Lin et al (“Tabor: A Graphical Model-Based Approach for Anomaly Detection in Industrial Control Systems”), hereinafter “Lin”.
As per claim 7, the prior art of Feng discloses the method of claim 1.
The prior art of Feng does not expressly disclose:
further comprising configuring the invariant computer program with a redundancy protocol to identify true and false positives from the detected anomalies.
Lin however discloses:
further comprising configuring the invariant computer program with a redundancy protocol to identify true and false positives from the detected anomalies (Lin, page 532, left column, lines 1 - 12 discloses anomaly detection including detecting false positives and true positives and evaluating the detection coverage, and page 533, left column, lines 6 - 14 adds a strategy of more true positives and false positives, with deviations and anomaly detection being checked.)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the invariant rules and anomaly detection of an industrial control system (ICS) teaching of Feng with the false positive and true positive checked regarding anomalies teaching of Lin. The motivation to do so would have been because Lin discloses the benefit of a technique that provides an inexpensive and automated learning approach for specification mining from an industrial control system without the need of expert knowledge, while also providing a resulting specification-like model that is highly interpretable and useful for validating and localizing of abnormal sensors or actuators in a system (Lin, page 534, right column, lines 6 - 11).
For claim 8: The combination of Feng and Lin discloses claim 8: The method of claim 7, wherein
a true positive is identified if the anomalies have been detected successively for more than a predefined duration (Lin, page 532, left column, lines 1 - 12 and FIG 12 discloses how the false positive and true positive are defined, with the true positive defined as the ground truth scenario and detection overlapping over a period of time in an anomaly detection.)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the invariant rules and anomaly detection of an industrial control system (ICS) teaching of Feng with the false positive and true positive checked regarding anomalies teaching of Lin, and the additional teaching of the overlap between a ground truth and detection overlapping over a period of time in anomaly detection, also found in Lin. The motivation to do so would have been because Lin discloses the benefit of a technique that provides an inexpensive and automated learning approach for specification mining from an industrial control system without the need of expert knowledge, while also providing a resulting specification-like model that is highly interpretable and useful for validating and localizing of abnormal sensors or actuators in a system (Lin, page 534, right column, lines 6 - 11).
For claim 9: The combination of Feng and Lin discloses claim 9: The method of claim 7, wherein
a true positive is identified if a predefined number of anomalies have been detected successively (Feng, page 11, left column, lines 4 - 15 discloses metrics for detecting anomalies, including a true positive rate, calculated to reflect the number of anomalies successfully identified.)
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Feng et al (“A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems”), in view of Lin et al (“Tabor: A Graphical Model-Based Approach for Anomaly Detection in Industrial Control Systems”), and further in view of Bushey et al. (U.S. PG Pub 2018/0157838 A1), hereinafter “Bushey”.
As per claim 10, the combination of Feng and Lin discloses the method of claim 7.
The combination of Feng and Lin does not expressly disclose:
further comprising configuring the invariant computer program to trigger an alert in response to identifying the true positive.
Bushey however discloses:
further comprising configuring the invariant computer program to trigger an alert in response to identifying the true positive (Bushey, par [0056] discloses an evaluation on a decision boundary according to a performance metric, par [0059] discloses a performance metric for a threat detection system regarding a decision boundary that includes a ROC (receiver operator curve) with results indicated including true positives and false positives, and par [0052] indicates an anomaly detection engine compares a result with a decision boundary and provides a threat signal.)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the invariant rules and anomaly detection of an industrial control system (ICS) teaching of Feng with the false positive and true positive checked regarding anomalies teaching of Lin and the true positive in a metric for a decision boundary compared to indicate a threat in anomaly detection teaching of Bushey. The motivation to do so would have been because Bushey discloses the benefit of ROC (receiver operator curve) measures that can be used in connection with an optimization and tuning of a cyber-threat detection algorithm to obtain low false positives (Bushey, par [0060]).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Feng et al (“A Systematic Framework to Generate Invariants for Anomaly Detection in Industrial Control Systems”), and further in view of Bushey et al. (U.S. PG Pub 2018/0157838 A1).
As per claim 11, the prior art of Feng discloses the method of claim 7.
The prior art of Feng does not expressly disclose:
a non-transitory computer-readable storage medium storing computer-readable instructions that, when executed, cause a computer system to perform the method according to claim 1.
Bushey however discloses:
a non-transitory computer-readable storage medium storing computer-readable instructions that, when executed, cause a computer system to perform the method according to claim 1 (Bushey, par [0026] discloses a computer-readable medium storing instructions for execution by a machine with regards to threat detection (par [0024]).)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the invariant rules and anomaly detection of an industrial control system (ICS) teaching of Feng with the true positive in a metric for a decision boundary compared to indicate a threat in anomaly detection teaching of Bushey. The motivation to do so would have been because Bushey discloses the benefit of ROC (receiver operator curve) measures that can be used in connection with an optimization and tuning of a cyber-threat detection algorithm to obtain low false positives (Bushey, par [0060]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CEDRIC D JOHNSON whose telephone number is (571)270-7089. The examiner can normally be reached M-Th 4:30am - 2:00pm, F 4:30am - 11:30am.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Renee Chavez can be reached at 571-270-1104. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Cedric Johnson/ Primary Examiner, Art Unit 2186
January 10, 2026