Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
2. Claims 1-5 and 8-12 are pending in Instant Application.
Response to Arguments
3. Applicant’s arguments with respect to claims 1-12 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4. Claims 1-5 and 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over US 2019/0018388 issued to Gendelman (Applicant IDS) and further in view of WO 2020/106470 A1 issued to Wei et al. (Wei) (Applicant IDS).
As per claim 1, Gendelman teaches a method of detecting an anomaly in operation of an industrial control system (ICS) (Gendelman: ¶ 0032 - components of an abnormal activity monitoring system comprising hardware data collectors and a monitoring server for an industrial control system), the method comprising: a) by a signal monitoring device operably connected to an input/output (I/O) line carrying signaling between a logic controller (LC) and a sensor or actuator, measuring one or more of: a. voltage on the I/O line, b. current on the I/O line (Gendelman: Fig. 1B, ¶ 0060 - the hardware component 131 may collect 158 all the hardware signals, such as electric voltages and currents, between the PLC I/O modules 154, 155, and/or 156 and the I/O lines 140, and may pass the data to a monitoring server 101, optionally in real time. For example, the I/O lines connected to the PLC I/O modules are non-intrusively monitored using a voltage sensor and/or a current sensor), thereby giving rise to data indicative of a voltage-to-time and/or current-to-time measurement of: a signal of a sensor or actuator to an LC, and/or a signal of an LC to a sensor or actuator (Gendelman: ¶ 0060 - the hardware component 131 may collect 158 all the hardware signals, such as electric voltages and currents, between the PLC I/O modules 154, 155, and/or 156 and the I/O lines 140 while the I/O lines connected to the PLC I/O modules are non-intrusively monitored using a voltage sensor and/or a current sensor (signal of a sensor to LC)); b) receiving, by a processing circuitry, first data, the first data being derivative of the voltage-to-time and/or current-to-time measurement (Gendelman: ¶ 0059 - teaches the collected hardware data may be received through a monitoring network while the hardware data collectors 131, 132, and/or 133 may measure voltages and currents of the I/O lines of the PLC system (data being derivative of the voltage or current related to real time);
Gendelman however does not explicitly teach c) receiving, by the processing circuitry, second data derivative of at least one of: i) one or more ICS network control packets, ii) one or more statuses logged by an ICS application, and iii) one or more commands entered to an ICS application; and d) determining, by the processing circuitry, whether there is inconsistency between the first data and the second data.
Wei however explicitly teaches c) receiving, by the processing circuitry, second data derivative of at least one of: i) one or more ICS network control packets, ii) one or more statuses logged by an ICS application, and iii) one or more commands entered to an ICS application (Wei: ¶ 0026 – teaches regarding the comparison might also happen simultaneously across more than 2 levels, e.g., sensor measurement on field bus, value extracted from the PLC memory, value extracted from the ethernet communication, value extracted from HMI memory); and d) determining, by the processing circuitry, whether there is inconsistency between the first data and the second data (Wei: ¶ 0031 – teaches regarding that the Intrusion Detection System Application 135 comprises a consistency check module 167 configured to compare measurement values 122 on different automation devices 125 at different control levels 110 of the automation and control system 105 to detect the anomaly 142).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach c) receiving, by the processing circuitry, second data derivative of at least one of: i) one or more ICS network control packets, ii) one or more statuses logged by an ICS application, and iii) one or more commands entered to an ICS application; and d) determining, by the processing circuitry, whether there is inconsistency between the first data and the second data. One would be motivated to do so as comparison might also happen simultaneously across more than 2 levels, e.g., sensor measurement on field bus, value extracted from the PLC memory, value extracted from the ethernet communication, value extracted from HMI memory and regarding that the Intrusion Detection System Application comprises a consistency check module configured to compare measurement values on different automation devices at different control levels of the automation and control system 105 to detect the anomaly (Wei: ¶ 0026, ¶ 0031).
As per claim 2, the modified teaching of Gendelman teaches the method of claim 1, additionally comprising: e) responsive to whether the processing circuitry determined inconsistency, performing, by the processing circuitry, an alert action (Wei: ¶ 0031 – teaches regarding that the Intrusion Detection System Application further comprises an alert module 170 configured to trigger an alert 172 in response to one or more anomalies 142 being detected that surpass at least one threshold 175).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach additionally comprising: e) responsive to whether the processing circuitry determined inconsistency, performing, by the processing circuitry, an alert action. One would be motivated to do so because the Intrusion Detection System Application further comprises an alert module configured to trigger an alert in response to one or more anomalies being detected that surpass at least one threshold (Wei: ¶ 0031).
As per claim 3, the modified teaching of Gendelman teaches the method of claim 1, additionally comprising: f) responsive to whether the processing circuitry determined inconsistency, determining, by the processing circuitry, whether the inconsistency is indicative of a cyber attack; and g) responsive to whether the processing circuitry determined that the inconsistency is indicative of a cyber attack, performing, by the processing circuitry, an alert action (Wei: Abstract – teaches multilevel consistency check for a cyber attack detection in an automation and control system and alarm is set when detecting a first value inconsistent from a second value).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach additionally comprising: f) responsive to whether the processing circuitry determined inconsistency, determining, by the processing circuitry, whether the inconsistency is indicative of a cyber attack; and g) responsive to whether the processing circuitry determined that the inconsistency is indicative of a cyber attack, performing, by the processing circuitry, an alert action. One would be motivated to do so because a multilevel consistency check is used for cyber attack detection in an automation and control system and an alarm is set when a first value is detected to be inconsistent with a second value (Wei: Abstract).
As per claim 4, the modified teaching of Gendelman teaches the method of claim 1, wherein the determining whether there is inconsistency between the first data and the second data comprises: decoding at least part of first data, thereby giving rise to, at least, data indicative of a first sensing/actuating event; determining one or more correlated ICS network events from the second data; and determining whether the one or more correlated ICS network events are inconsistent with the first sensing/actuating event (Wei: ¶ 0009 – a computer-based method for multilevel consistency check (decoding) is provided for a cyber attack detection in an automation and control system while checking measurement consistency in an Intrusion Detection System (IDS) Application (APP) by comparing a first measurement value associated with a field device of the automation and control system at a first automation device of the first control level with a second measurement value associated with the field device of the automation and control system at a second automation device of the second control level. The method further comprises setting a first alarm when detecting the first measurement value is inconsistent from the second measurement value).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach wherein the determining whether there is inconsistency between the first data and the second data comprises: decoding at least part of first data, thereby giving rise to, at least, data indicative of a first sensing/actuating event; determining one or more correlated ICS network events from the second data; and determining whether the one or more correlated ICS network events are inconsistent with the first sensing/actuating event. One would be motivated to do so as a computer-based method for multilevel consistency check (decoding) is provided for a cyber attack detection in an automation and control system while checking measurement consistency in an Intrusion Detection System (IDS) Application (APP) by comparing a first measurement value associated with a field device of the automation and control system at a first automation device of the first control level with a second measurement value associated with the field device of the automation and control system at a second automation device of the second control level. The method further comprises setting a first alarm when detecting the first measurement value is inconsistent from the second measurement value (Wei: ¶ 0009).
As per claim 5, the modified teaching of Gendelman teaches the method of claim 1, wherein the determining whether there is inconsistency between the first data and the second data comprises: determining a first ICS event from the second data; determining one or more correlated sensing/actuating events from the first data; and determining whether the one or more correlated sensing/actuating events are inconsistent with the first ICS event (Wei: ¶ 0009 – comparing a first commands and settings value associated with the field device of the automation and control system at the first automation device of the first control level with a second commands and settings value associated with the field device of the automation and control system at the second automation device of the second control level. The method further comprises setting a second alarm when detecting the first commands and settings value is inconsistent from the second commands and settings value).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach wherein the determining whether there is inconsistency between the first data and the second data comprises: determining a first ICS event from the second data; determining one or more correlated sensing/actuating events from the first data; and determining whether the one or more correlated sensing/actuating events are inconsistent with the first ICS event. One would be motivated to do so as comparing a first commands and settings value associated with the field device of the automation and control system at the first automation device of the first control level with a second commands and settings value associated with the field device of the automation and control system at the second automation device of the second control level. The method further comprises setting a second alarm when detecting the first commands and settings value is inconsistent from the second commands and settings value (Wei: ¶ 0009).
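The consistency checks the rejection maps onto Wei for claims 1, 4 and 5 (decoding I/O-line voltage into sensing/actuating events, then comparing them with time-correlated network values and HMI commands in both directions) can be sketched as detection logic. This is an added illustration, not code from Gendelman, Wei or the instant application; the signal scalings, time windows, tolerance and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    """One voltage-to-time point captured on an I/O line (first data)."""
    t: float      # seconds since capture start
    volts: float

# Constructed first data: a 0-10 V analog input (tank level) and a 24 V discrete
# output driving a valve, as captured by a signal monitoring device on the I/O lines.
LEVEL_LINE = [Sample(0.0, 5.0), Sample(1.0, 5.1), Sample(2.0, 5.0), Sample(3.0, 5.0)]
VALVE_LINE = [Sample(0.6, 24.0), Sample(1.6, 24.0), Sample(2.6, 24.0), Sample(3.6, 24.0)]

# Constructed second data: level values seen in ICS network packets (PLC -> HMI)
# and commands entered at the HMI, each with its own timestamp (assumed synchronised).
NET_LEVELS = [(0.1, 50.0), (1.1, 51.0), (2.1, 50.0), (3.1, 80.0)]
HMI_COMMANDS = [(0.5, "VALVE_OPEN"), (2.5, "VALVE_CLOSE")]
EXPECTED_STATE = {"VALVE_OPEN": "OPEN", "VALVE_CLOSE": "CLOSED"}

def decode_level(samples, span_volts=10.0, span_pct=100.0):
    """Claim 4, first step: decode voltage-to-time data into sensing events (level in %)."""
    return [(s.t, round(s.volts / span_volts * span_pct, 1)) for s in samples]

def decode_valve(samples, threshold_volts=12.0):
    """Decode a discrete actuator line into actuating events (OPEN / CLOSED)."""
    return [(s.t, "OPEN" if s.volts > threshold_volts else "CLOSED") for s in samples]

def correlated(events, t, window):
    """Events whose timestamp lies within +/- window seconds of t."""
    return [e for e in events if abs(e[0] - t) <= window]

def sensor_vs_network(io_events, net_events, window=0.5, tol_pct=2.0):
    """Claim 4: correlated network values must agree with the line measurement."""
    return [("level_mismatch", t, level, nv)
            for t, level in io_events
            for _, nv in correlated(net_events, t, window)
            if abs(nv - level) > tol_pct]

def command_vs_actuator(commands, act_events, window=0.5):
    """Claim 5: each HMI command must be followed by a matching actuating event."""
    findings = []
    for t, cmd in commands:
        seen = [state for ct, state in correlated(act_events, t, window) if ct >= t]
        if EXPECTED_STATE[cmd] not in seen:
            findings.append(("command_not_actuated", t, cmd, seen))
    return findings

def run_checks():
    """Both directions of the check; each finding is a candidate for an alert action."""
    findings = sensor_vs_network(decode_level(LEVEL_LINE), NET_LEVELS)
    findings += command_vs_actuator(HMI_COMMANDS, decode_valve(VALVE_LINE))
    return findings

if __name__ == "__main__":
    for finding in run_checks():
        print("ALERT", finding)
```

On the constructed data the network reports 80% at t=3.1 s while the line still measures 50%, and the VALVE_CLOSE command at t=2.5 s is never reflected on the actuator line; both surface as findings.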
As per claim 8, the modified teaching of Gendelman teaches the method of claim 1, wherein the second data comprises data derivative of one or more ICS control packets which comprise supervisory control and data acquisition (SCADA) data (Wei: ¶ 0002 – industrial control system (ICS) networks are often directly or indirectly connected to IT networks (office network) and the Internet, hence offering an opportunity for cyber attackers to penetrate such environments and exploit any existing vulnerabilities by using OT (Operations Technology) such as Supervisory Control and Data Acquisition (SCADA) servers).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach wherein the second data comprises data derivative of one or more ICS control packets which comprise supervisory control and data acquisition (SCADA) data. One would be motivated to do so as industrial control system (ICS) networks are often directly or indirectly connected to IT networks (office network) and the Internet, hence offering an opportunity for cyber attackers to penetrate such environments and exploit any existing vulnerabilities by using OT (Operations Technology) such as Supervisory Control and Data Acquisition (SCADA) servers (Wei: ¶ 0002).
As per claim 9, the modified teaching of Gendelman teaches the method of claim 1, wherein the second data comprises data derivative of status information logged by a SCADA human-machine interface (HMI) system (Wei: ¶ 0037 – the control level of the OT (Operations Technology) network 200, which may perform a supervisory function, may include one or more SCADA servers and an HMI unit).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach wherein the second data comprises data derivative of status information logged by a SCADA human-machine interface (HMI) system. One would be motivated to do so because the control level of the OT (Operations Technology) network 200, which may perform a supervisory function, may include one or more SCADA servers and an HMI unit (Wei: ¶ 0037).
As per claim 10, the modified teaching of Gendelman teaches the method of claim 1, wherein the second data comprises data derivative of commands entered to a SCADA human-machine interface (HMI) system (Wei: ¶ 0043 – in order to check consistency of commands and settings, the IPFNS (Intelligent Plant Floor Network Sensor) is configured to work as follows: reads commands/settings displayed on the HMIs).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Gendelman in view of Wei to teach wherein the second data comprises data derivative of commands entered to a SCADA human-machine interface (HMI) system. One would be motivated to do so because, in order to check consistency of commands and settings, the IPFNS (Intelligent Plant Floor Network Sensor) is configured to work as follows: reads commands/settings displayed on the HMIs (Wei: ¶ 0043).
As per claim 11, the claim resembles claim 1 and is rejected under the same rationale.
As per claim 12, the claim resembles claim 1 and is rejected under the same rationale while Gendelman also teaches a computer readable non-transitory storage medium containing program instructions, which program instructions when read by a processing circuitry, cause the processing circuitry to perform a method (Gendelman: claim 14 – A non-transitory computer readable medium comprising computer executable instructions).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SM AZIZUR RAHMAN whose telephone number is (571)270-7360. The examiner can normally be reached M-F (Telework).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached on 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SM A RAHMAN/Primary Examiner, Art Unit 2434