Prosecution Insights
Last updated: April 19, 2026
Application No. 17/956,941

COMMUNICATION SYSTEM, METHOD, AND APPARATUS

Final Rejection §102 §103
Filed
Sep 30, 2022
Examiner
SHOLEMAN, ABU S
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Huawei Technologies Co., Ltd.
OA Round
2 (Final)
78%
Grant Probability
Favorable
3-4
OA Rounds
3y 2m
To Grant
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allow Rate
611 granted / 778 resolved
+20.5% vs TC avg
Strong +27% interview lift
+26.8%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
43 currently pending
Career history
821
Total Applications
across all art units

Statute-Specific Performance

§101
15.5%
-24.5% vs TC avg
§103
50.2%
+10.2% vs TC avg
§102
3.9%
-36.1% vs TC avg
§112
18.1%
-21.9% vs TC avg
Based on career data from 778 resolved cases

Office Action

§102 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant’s arguments with respect to claim(s) are rejected under 35 USC 103(a) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant argued in the remark that the Wang network element does not send any “capability information of the application function network device to a terminal device”. Thus, the terminal devices of Wang receive an upgrade of the terminal devices, rather than any "capability information of the application function network device".

Examiner respectfully disagrees. an application function network device (0018 fig.1, site security servers 124a, 124b, and 124n) and a data management network device (0032 controller device (e.g., controller device 326); send first information to the data management network device (0019 provide security services (e.g., authentication, cryptographic capabilities), i.e. first information and capability information of the security services)), wherein the first information comprises capability information of the application function network device (0019 provide security services (e.g., authentication, cryptographic capabilities), i.e. first information and capability information of the security services)), and the capability information of the application function network device indicates a service mode supported by the application function network device ((0019 provide security services (e.g., authentication, cryptographic capabilities), i.e.
indication of capability information of the security services)); and wherein a service mode used by the terminal device (0028 The terminal services 230, for example, can provide a remote interface to devices) and the application function network device is based on the service mode supported by the application function network device comprising an authentication and key management for applications service or a generic bootstrapping architecture service ( 0034 The bootstrapping management component 414, for example, can be used to provide initial configurations for controller devices when the devices boot up. The defense component 416, for example, can be used to provide intrusion detection based on network traffic and [0035] The emulated device 404, for example, can include a device profile 420 and a device security component 422. The device profile 420, for example, can include information related to security capabilities that are provided by its corresponding controller device. The device security component 422, for example, can provide functions related to access control (e.g., providing access to users), authentication (e.g., validating passwords from authorized users, for human-to-device and device-to-device communication), bootstrapping management, host-based intrusion, device-specific content inspection (e.g., for analyzing packet content), software patching, and other aspects of cyber security). Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1,5-6,8,10,15,18, and 25-29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Luo et al US 2016/0087958. 
As per claim 1. Luo discloses a communication system, wherein the system comprises an application function network device (0018 fig.1, site security servers 124a, 124b, and 124n) and a data management network device ( 0032 controller device (e.g., controller device 326); the application function network device comprises at least one first processor and a first memory, and the at least one first processor is configured to execute instructions stored in the first memory to cause the application function network device to: send first information to the data management network device ( 0019 provide security services (e.g., authentication, cryptographic capabilities) , i.e. first information and capability information of the security services)), wherein the first information comprises capability information of the application function network device ( 0019 provide security services (e.g., authentication, cryptographic capabilities) , i.e. first information and capability information of the security services)), and the capability information of the application function network device indicates a service mode supported by the application function network device( ( 0019 provide security services (e.g., authentication, cryptographic capabilities) , i.e. indication of capability information of the security services)); and the data management network device(0032 controller device (e.g., controller device 326) and 0029 controller devices in the control zone 206 that are determined to require such services) comprises at least one second processor and a second memory, and the at least one second processor is configured to execute instructions stored in the second memory to cause the data management network device to: receive the capability information of the application function network device from the application function network device (0026 the site security server 224 may be used to provide cyber security functions, i.e. 
capability information, for an operational technology network, and for controller devices included in the operational technology network, wherein the controller device is receiving the capability information from the , site security servers 124a, 124b, and 124n), and send the capability information of the application function network device to a terminal device( 0026 site security server 224 can perform group-level and device-level security functions. To interact with the site security server 224 and/or other devices included in the DMZ 204, par 0028 discloses devices included in the DMZ 204, the terminal services 230, wherein the devices that include the terminal services/DMZ, i.e. terminal device. The DMZ/terminal service received the device level security functions by the interaction of the site security server 224). wherein a service mode used by the terminal device (0028 The terminal services 230, for example, can provide a remote interface to devices) and the application function network device is based on the service mode supported by the application function network device comprising an authentication and key management for applications service or a generic bootstrapping architecture service ( 0034 The bootstrapping management component 414, for example, can be used to provide initial configurations for controller devices when the devices boot up. The defense component 416, for example, can be used to provide intrusion detection based on network traffic and [0035] The emulated device 404, for example, can include a device profile 420 and a device security component 422. The device profile 420, for example, can include information related to security capabilities that are provided by its corresponding controller device. 
The device security component 422, for example, can provide functions related to access control (e.g., providing access to users), authentication (e.g., validating passwords from authorized users, for human-to-device and device-to-device communication), bootstrapping management, host-based intrusion, device-specific content inspection (e.g., for analyzing packet content), software patching, and other aspects of cyber security). As per claim 5. Luo discloses the system according to claim 1, wherein the data management network device is further configured to: obtain capability information of the terminal device, wherein the capability information of the terminal device to indicates a service mode supported by the terminal device; and in response to the service mode supported by the terminal device matching the service mode supported by the application function network device, determine that the capability information of the application function network device needs to be sent to the terminal device ( 0018] The enterprise network 102 can include a management server 114 and one or more associated input/output devices (e.g., an interface device 112). The management server 114, for example, can include one or more processors configured to execute instructions stored by computer-readable media for performing various operations, such as input/output, communication, data processing and/or data maintenance. For example, the management server 114 can perform tasks such as inventory and status monitoring for various site security servers (e.g., site security servers 124a, 124b, and 124n), where each site security server is configured to provide security services (e.g., authentication, cryptographic capabilities) for a respective operational technology network (e.g., networks 104a, 104b, and 104n). 
Each of the site security servers 124a, 124b, and 124n, for example, can provide configuration data to controller devices included in each of the operational technology networks 104a, 104b, and 104n, and can implement an aggregate view of information from the networks. To interact with the management server 114, for example, a user can employ the interface device 112 and [0026] In general, the site security server 224 may be used to provide cyber security functions for an operational technology network, and for controller devices included in the operational technology network. Cyber security functions, for example, may include functions such as operational technology network security functions (e.g., group membership management, key and password management and distribution, group bootstrapping management, and network-level intrusion detection and prevention), device-level security functions (e.g., authentication, access control, secure communication, bootstrapping management, device-level patching, and device-level intrusion detection and prevention), and device security capability profiling. The site security server 224, for example, can handle secure communications between the management server 214 and an operational technology network in the control zone 206. When handling such communications, for example, the site security server 224 can perform group-level and device-level security functions. To interact with the site security server 224 and/or other devices included in the DMZ 204). As per claim 6. Luo discloses the system according to claim 1, wherein the first information further comprises a target object identifier, wherein the target object identifier indicates the terminal device ( 0035 can include a device profile 420 and a device security component 422. The device profile 420, for example, can include information related to security capabilities that are provided by its corresponding controller device. 
The device security component 422, for example, can provide functions related to access control (e.g., providing access to users), authentication (e.g., validating passwords from authorized users, for human-to-device and device-to-device communication), bootstrapping management, host-based intrusion, device-specific content inspection (e.g., for analyzing packet content), software patching, and other aspects of cyber security.); and the data management network device is further configured to determine, based on the target object identifier, that the capability information of the application function network device needs to be sent to the terminal device (0046, the security relay 528 (e.g., similar to the security relay 328) can reference a device profile (e.g., device profile 520) for each of the query's intended recipients (e.g., the devices 250a and 252b, shown in FIG. 2), and can determine whether or not the recipient requires security services. In the present example, the security relay 528 may determine that the device 250a requires security services, whereas the device 252a is security capable. Thus, in the present example, the security relay 528 can use the decryption component 542 to decrypt the query for the device 250a).

As per claim 8, this claim is rejected based on the same rationale set forth in the claim 1.

As per claim 10. Luo discloses the method according to claim 8, wherein the sending comprises: sending, by the data management network device, the capability information of the application function network device to the terminal device by using a policy control function network device (0035 can include a device profile 420 and a device security component 422. The device profile 420, for example, can include information related to security capabilities that are provided by its corresponding controller device.
The device security component 422, for example, can provide functions related to access control (e.g., providing access to users), authentication (e.g., validating passwords from authorized users, for human-to-device and device-to-device communication), bootstrapping management, host-based intrusion, device-specific content inspection (e.g., for analyzing packet content), software patching, and other aspects of cyber security.).

As per claim 15, this claim is rejected based on the same rationale set forth in the claim 1.

As per claim 18, this claim is rejected based on the same rationale set forth in the claim 1.

As per claim 25. Luo discloses the method according to claim 8, wherein the method further comprises: sending, by the application function network device, the first information to the data management network device (0040 the site security server 524 and the security relay 528 can each maintain lists of controller devices which require security services (e.g., encryption/decryption services). The site security server 524 and the security relay 528, for example, can use a shared cryptographic key, and can use key negotiation protocols to periodically change the shared key. When either the site security server 524 or the security relay 528 sends a message to the other on behalf of a controller device that requires security services (e.g., a device that is incapable of encryption/decryption), for example, the message may be encrypted using the shared key, whereas the message may not be encrypted when it is to be sent to a controller device that does not require security services (e.g., a device that is capable of encryption/decryption). After receiving a cleartext message from a controller device that is incapable of encryption/decryption, for example, the security relay 528 can encrypt the message with the shared key and send the encrypted message to the site security server 524.
After receiving an encrypted message from the site security server 524 for a controller device that is incapable of encryption/decryption, for example, the security relay 528 can decrypt the message and send the cleartext message to the controller device). As per claim 26. Luo discloses the method according to claim 15, wherein the determining comprises: initiating, by the apparatus based on the service mode supported by the application function network device comprising an authentication and key management for applications service or a generic bootstrapping architecture service, a connection establishment procedure to the application function network device(0041 The process 600, for example, can be performed by systems such as one or more of the example systems described above (such as the site security server 224). Briefly, the example process 600 includes authenticating a user, receiving a request for information from the user, creating a query, encrypting the query, decrypting the query, providing the query to a controller device, receiving information from the controller device, aggregating and normalizing the information, and providing the information to the user). As per claim 27. Luo discloses the method according to claim 15, wherein the method further comprises: establishing, by the apparatus based on that the service mode supported by the application function network device does not comprise an authentication and key management for applications service, a communication connection to the application function network device by using an HTTP procedure (([0016] /0035/0039 An industrial security agent platform may be provided for protecting assets in an industrial control system in a connected networking environment. To protect assets in an operational technology network, for example, a virtual security entity (e.g., an emulated device) may be created and maintained for each controller device. 
Device emulators, for example, may handle network communications to and from their associated controller devices, and may provide a secure representation of the controller devices to a network. In general, the industrial security agent platform can implement cyber security controls, such as authentication and encryption, on a device emulator. Communications between a controller device and a network may be handled by the device emulator, for example, subject to implemented security controls (e.g. access, encryption, and/or decryption) for the particular device). As per claim 28. Luo discloses the apparatus according to claim 18, wherein the instructions, when executed, cause the apparatus to: initiate, based on the service mode supported by the application function network device comprising an authentication and key management for applications service or a generic bootstrapping architecture service, a connection establishment procedure to the application function network device(0026 the site security server 224 may be used to provide cyber security functions for an operational technology network, and for controller devices included in the operational technology network. Cyber security functions, for example, may include functions such as operational technology network security functions (e.g., group membership management, key and password management and distribution, group bootstrapping management, and network-level intrusion detection and prevention), device-level security functions (e.g., authentication, access control, secure communication, bootstrapping management, device-level patching, and device-level intrusion detection and prevention), and device security capability profiling. The site security server 224, for example, can handle secure communications between the management server 214 and an operational technology network in the control zone 206. 
When handling such communications, for example, the site security server 224 can perform group-level and device-level security functions. To interact with the site security server 224 and/or other devices included in the DMZ 204, for example, a user can employ an interface device 222 (e.g., including one or more presentation components such as a display, and one or more input components such as a keyboard, mouse, and or touchpad)). As per claim 29. Luo discloses the apparatus according to claim 18, wherein the instructions, when executed, cause the apparatus to: establish, based on that the service mode supported by the application function network device does not comprise an authentication and key management for applications service, a communication connection to the application function network device by using an HTTP procedure ([0016] /0035/0039 An industrial security agent platform may be provided for protecting assets in an industrial control system in a connected networking environment. To protect assets in an operational technology network, for example, a virtual security entity (e.g., an emulated device) may be created and maintained for each controller device. Device emulators, for example, may handle network communications to and from their associated controller devices, and may provide a secure representation of the controller devices to a network. In general, the industrial security agent platform can implement cyber security controls, such as authentication and encryption, on a device emulator. Communications between a controller device and a network may be handled by the device emulator, for example, subject to implemented security controls (e.g. access, encryption, and/or decryption) for the particular device). 
Allowable Subject Matter

Claims 2-3, 9, 12, 17, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims into all the independent claims respectively.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ABU S SHOLEMAN/
Primary Examiner, Art Unit 2496

Prosecution Timeline

Sep 30, 2022
Application Filed
Nov 11, 2022
Response after Non-Final Action
Aug 19, 2025
Non-Final Rejection — §102, §103
Nov 20, 2025
Response Filed
Mar 10, 2026
Final Rejection — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591713
AUTOMATIC GENERATING ANALYTICS FROM BLOCKCHAIN DATA
2y 5m to grant Granted Mar 31, 2026
Patent 12574359
Reoccuring Keying System
2y 5m to grant Granted Mar 10, 2026
Patent 12561478
OBFUSCATED STORAGE AND TRANSMISSION OF PERSONAL IDENTIFIABLE INFORMATION
2y 5m to grant Granted Feb 24, 2026
Patent 12549361
CLOUD BASED WIFI NETWORK SETUP FOR MULTIPLE ACCESS POINTS
2y 5m to grant Granted Feb 10, 2026
Patent 12542656
AUTHENTICATION APPARATUS AND IMAGE-FORMING APPARATUS
2y 5m to grant Granted Feb 03, 2026
Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+26.8%)
3y 2m
Median Time to Grant
Moderate
PTA Risk
Based on 778 resolved cases by this examiner. Grant probability derived from career allow rate.