DETAILED ACTION
This office action is in response to the application filed on 12/10/2025. Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/10/2025 has been entered.
Response to Arguments
1. Applicant's arguments with respect to amended claim(s) 2, 9, and 16 have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4, 7-8, 11, 14-15, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Muddu (US 9,516,053 B1), hereinafter Muddu, in view of Shmidt (US 2023/0236564 A1), hereinafter Shmidt, in further view of Hebert (US 2013/0160079 A1), hereinafter Hebert, in further view of Shubrick (US 11,783,724 B1), hereinafter Shubrick.
Regarding Claim(s) 1, 8, and 15 Muddu teaches:
A computer-implemented method for visualizing unauthorized access or attempted unauthorized access of machines located on an industrial floor, the method comprising: (Muddu Col. 126 Ln. 5-25 teaches, the method being executed via a processor and a computer memory.)
analyzing the log files from the firewall to identify a behavior used in accessing or attempting to access one or more machines of the machines located on the industrial floor; (Muddu Col. 91 Ln. 1-7 teaches, subsequently a decision engine may detect that the particular user in that group has engaged in activity that represents a divergence from the identified cluster, such as a user in the cluster accessing a device that is not among those normally accessed by users in his cluster. In response to detecting this divergence, the decision engine can determine that the user's activity represents an anomaly, or perhaps even a threat.)
Muddu does not appear to explicitly teach but in related art:
capturing log files from a firewall monitoring traffic to and from the machines located on the industrial floor; (Shmidt ¶ 8, 27, and 43 teaches, automation network 100 which may be implemented in an automated building, an industrial plant, (i.e., machines on an industrial floor) a power grid, or other distributed architecture. The servers may perform a number of functions including collecting data logs from devices of the automation network. the active scanners 210 and/or cloud scanners 270 may conduct the active probes to obtain a snapshot of software code being used by devices in the network 300 at a particular point in time (e.g., actively running network devices 240, internal firewalls 280, external firewalls 284, and/or other assets 230). In various embodiments, the snapshot may further include any configurations for the actively running assets (e.g., operating systems that the assets run, whether certain policies are in place), or any other information suitably characterizing the software of assets 230 actively detected in the network 300.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Muddu with Shmidt, to modify the method for network security threat detection with the monitoring of an industrial plant of Shmidt. The motivation to do so, Shmidt ¶ 56, to allow for any errors to be evaluated and displayed to the manager of the network for review and further action.
Muddu in view of Shmidt does not appear to explicitly teach but in related art:
analyzing a knowledge base for unauthorized access tactics; and (Hebert ¶ 38 teaches, the request handler 122A may consult with the knowledge base 106, in order to, e.g., determine that a given access request is unauthorized.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Muddu in view of Shmidt with Hebert, to modify the method for network security threat detection with the monitoring of a network of an industrial plant of Shmidt with the knowledge base of Hebert. The motivation to do so, Hebert ¶ 13, to hinder illegitimate users.
Muddu-Shmidt-Hebert does not appear to explicitly teach but in related art Shubrick teaches:
creating an augmented reality visualization to illustrate an unauthorized access tactic being performed on the one or more machines located on the industrial floor in response to the identified behavior being associated with the unauthorized access tactic (Shubrick Col. 9 Ln. 27-36 teaches the concept, The cybersecurity risk object may be associated with a graphical indicator. The graphical indicator may visually distinguish the cybersecurity risk object from all other items within the image. In one example, the graphical indicator may correspond to a particular color. Accordingly, the cybersecurity risk object may be displayed in a particular color. In another example, the graphical indicator may correspond to a particular type of animation. Accordingly, the cybersecurity risk object may be displayed as the particular type of animation.)
within a threshold degree of similarity based on the analysis of the knowledge base. (Shubrick Col. 8-9 Ln. 65-67, 1-5, 14-20 teaches the concept, Then, the server matches the extracted features with one or more features stored in the local database. When a predetermined number of extracted features for a potential item matches with the features stored in the database, the server identifies an item. Upon successful identification of an item within an image of the workspace, the cybersecurity training application may execute various protocols to associate an item identifier to the identified item. The item identifier may be used for retrieving an associated cybersecurity risk object from a database.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Muddu-Shmidt-Hebert with Shubrick, to modify the method for network security threat detection of Muddu with the monitoring of a network of an industrial plant of Shmidt with the knowledge base of Hebert with the augmented related reporting of Shubrick. The motivation to do so, Shubrick Col. 1 Ln. 54-55, to offer a perceptually-enriched cybersecurity experience to the user.
Regarding Claim(s) 4, 11, and 18 Muddu-Shmidt-Hebert-Shubrick teaches:
The method as recited in claim 1 further comprising: (Muddu-Shmidt-Hebert-Shubrick teaches the parent claim above.)
creating one or more avatars of a security hacker and/or a detected malware; and (Shubrick Claim 4, wherein the graphical indicator is represented as an animated character.)
illustrating the unauthorized access tactic being performed on the one or more machines located on the industrial floor in the augmented reality visualization using the created one or more avatars. (Shubrick Col. 9 Ln. 27-36 teaches the concept, The cybersecurity risk object may be associated with a graphical indicator. The graphical indicator may visually distinguish the cybersecurity risk object from all other items within the image. In one example, the graphical indicator may correspond to a particular color. Accordingly, the cybersecurity risk object may be displayed in a particular color. In another example, the graphical indicator may correspond to a particular type of animation. Accordingly, the cybersecurity risk object may be displayed as the particular type of animation.)
Regarding Claim(s) 7 and 14 Muddu-Shmidt-Hebert-Shubrick teaches:
The method as recited in claim 1, (Muddu-Shmidt-Hebert-Shubrick teaches the parent claim above.) wherein the augmented reality visualization is displayed on augmented reality smart glasses. (Shubrick Col. 7 Ln. 38-45 teaches, the examples of the electronic device may include, but are not limited to, a cellular phone, a tablet computer, a head-mounted display, smart glasses, wearable computer glasses, a personal data assistant, or personal computer. In augmented reality, the electronic device may be used to project or superimpose a computer-generated image (of a paper note) onto the user's view of the real world (such as of the workspace).)
Claim(s) 2-3, 9-10, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu-Shmidt-Hebert-Shubrick as applied to claim(s) 1 above, and further in view of Brunschwiler (US 2009/0234705 A1), hereafter Brunsch.
Regarding Claim(s) 2, 9, and 16 Muddu-Shmidt-Hebert-Shubrick teaches:
The method as recited in claim 1 further comprising: (Muddu-Shmidt-Hebert-Shubrick teaches the parent claim above.) analyzing log files from the one or more machines located on the industrial floor to identify operational parameters. (Shmidt ¶ 8, 27, and 43 teaches, automation network which may be implemented in an automated building, an industrial plant, (i.e., machines on an industrial floor) a power grid, or other distributed architecture. The servers may perform a number of functions including collecting data logs from devices of the automation network. the active scanners and/or cloud scanners may conduct the active probes to obtain a snapshot of software code being used by devices in the network at a particular point in time (e.g., actively running network devices, internal firewalls, external firewalls, and/or other assets). In various embodiments, the snapshot may further include any configurations for the actively running assets (e.g., operating systems that the assets run, whether certain policies are in place), or any other information suitably characterizing the software of assets actively detected in the network.) wherein the augmented reality visualization is configured to dynamically display a deviation of the identified operational parameters from a normal state. (Shubrick Col. 9 Ln. 27-36 teaches the concept, The cybersecurity risk object may be associated with a graphical indicator. The graphical indicator may visually distinguish the cybersecurity risk object from all other items within the image. In one example, the graphical indicator may correspond to a particular color. Accordingly, the cybersecurity risk object may be displayed in a particular color. In another example, the graphical indicator may correspond to a particular type of animation. (i.e., dynamically displaying) Accordingly, the cybersecurity risk object may be displayed as the particular type of animation.)
Muddu-Shmidt-Hebert-Shubrick does not appear to explicitly teach but in related art:
that are being manipulated by the unauthorized access tactic, wherein the operational parameters include at least one of the following in the group consisting of: cutting speed, coolant temperature, and material handling, (Brunsch ¶ 62 teaches the concept, Controller is also given certain instructions from an executable instruction set for the purpose of comparing the data from sensors to predetermined operational parameters such as a desired coolant exit temperature. Controller provides operating signals to operate coolant control devices for example. Controller may also accept data from district heating system, indicating, for example, whether the heat demand from users on the system is increasing or decreasing. The controller compares the operational parameters to predetermined variances (for example, coolant temperature, processor operating state, heat demand) and if the predetermined variance is exceeded, generates a signal that may be used to indicate an alarm or message to an external device.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Muddu-Shmidt-Hebert-Shubrick with Brunsch, to modify the method for network security threat detection of Muddu with the monitoring of a network of an industrial plant of Shmidt with the knowledge base of Hebert with the augmented related reporting of Shubrick with the operational parameters controller of Brunsch. The motivation to do so constitutes applying a known technique of monitoring operational parameters to known devices and/or methods for detecting unauthorized activity of industrial machines ready for improvement to yield predictable results of accurately monitoring the system.
Regarding Claim(s) 3, 10, and 17 Muddu-Shmidt-Hebert-Shubrick-Brunsch teaches:
The method as recited in claim 2 further comprising: (Muddu-Shmidt-Hebert-Shubrick teaches the claimed limitation above.)
creating the augmented reality visualization to illustrate the unauthorized access tactic being performed. (Shubrick Col. 9 Ln. 27-36 teaches the concept, The cybersecurity risk object may be associated with a graphical indicator. The graphical indicator may visually distinguish the cybersecurity risk object from all other items within the image. In one example, the graphical indicator may correspond to a particular color. Accordingly, the cybersecurity risk object may be displayed in a particular color. In another example, the graphical indicator may correspond to a particular type of animation. Accordingly, the cybersecurity risk object may be displayed as the particular type of animation.)
on the one or more machines located on the industrial floor using the identified operational parameters. (Brunsch ¶ 62 teaches the concept, Controller is also given certain instructions from an executable instruction set for the purpose of comparing the data from sensors to predetermined operational parameters such as a desired coolant exit temperature. Controller provides operating signals to operate coolant control devices for example. Controller may also accept data from district heating system, indicating, for example, whether the heat demand from users on the system is increasing or decreasing. The controller compares the operational parameters to predetermined variances (for example, coolant temperature, processor operating state, heat demand) and if the predetermined variance is exceeded, generates a signal that may be used to indicate an alarm or message to an external device.)
Claim(s) 5-6, 12-13, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu-Shmidt-Hebert-Shubrick as applied to claim(s) 1 above, and further in view of Chong (US 2021/0322877 A1), hereafter Chong.
Regarding Claim(s) 5, 12, and 19 Muddu-Shmidt-Hebert-Shubrick teaches:
The method as recited in claim 4 further comprising: (Muddu-Shmidt-Hebert-Shubrick teaches the parent claim above.)
identifying a remedial action to address the unauthorized access tactic being performed on the one or more machines located on the industrial floor using the knowledge base; and (Muddu Col. 9 Ln. 15-22 teaches, the security platform supplies supporting evidence within context of the kill chain to enable targeted remediation of any detected anomaly or threat.)
Muddu-Shmidt-Hebert-Shubrick does not appear to explicitly teach but in related art:
illustrating the identified remedial action to address the unauthorized access tactic being performed on the one or more machines in the augmented reality visualization. (Chong ¶ 153 teaches, an option to attack the virus or risk 910 is presented on the augmented reality display. A user can select YES 912 or NO 914.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Muddu-Shmidt-Hebert-Shubrick with Chong, to modify the method for network security threat detection of Muddu with the monitoring of a network of an industrial plant of Shmidt with the knowledge base of Hebert with the augmented related reporting of Shubrick with the augmented reality interactions of Chong. The motivation to do so, Chong ¶ 153, it turns an intangible risk into a tangible risk that users can comprehend.
Regarding Claim(s) 6, 13, and 20 Muddu-Shmidt-Hebert-Shubrick-Chong teaches:
The method as recited in claim 1 further comprising: (Muddu-Shmidt-Hebert-Shubrick teaches the parent claim above.)
receiving feedback regarding the augmented reality visualization; and (Chong ¶ 113 teaches, the augmented reality display provides an effective manner of communicating information to a user. The augmented reality display is consistently updated.)
updating the knowledge base for unauthorized access tactics based on the feedback. (Chong ¶ 124 teaches, the risk database stores a relationship between an object and its associated risks. The risk database may be constantly updated by updated risk information from the risk practitioner device. The risk database being updated regularly.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2020/0175767 A1 - SYSTEMS AND METHODS FOR DYNAMICALLY IDENTIFYING HAZARDS, ROUTING RESOURCES, AND MONITORING AND TRAINING OF PERSONS
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.B.K./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408