Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is prepared in response to a Request for Continued Examination (RCE) filed on February 17, 2026.
Claims 1-19 are pending.
Claims 1-19 are rejected.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on February 17, 2026 has been entered.
Response to Amendments
The claim amendments and Applicant’s arguments filed on February 17, 2026 have been carefully considered. However, the amendments and arguments fail to place the application in condition for allowance for the following reasons.
Regarding the pending claim 1, Applicant argued in the Remarks that the primary reference Costante did not disclose the “baseline traffic property” in the “comparing” clause. (Remarks, pages 7-8).
Examiner’s response is that Costante in fact disclosed subject matter that anticipates the “baseline traffic property” and “a comparison to the baseline traffic property.” Costante’s invention centers on a method of detecting anomalous behavior in data traffic on a data communication network using attribute based policies (Costante, Abstract and paragraphs [0008-0013, 0025-0029, 0124, 0250]), wherein an attribute based policy comprises declarative policies that define the condition and what has to be done in a protocol generic way, and a whitelist policy describes acceptable data traffic and the associated action (e.g. permit) to take when incoming data traffic is deemed acceptable. Costante additionally disclosed in [0005] that “whitelisting systems maintain a model of the normal behavior of a system and compare the current activities with it: in case a mismatch occurs, an alert is raised.” In other words, traffic that matches the whitelist policies is considered traffic of normal behavior, and the set of whitelist policies is the model of normal behavior against which current traffic is compared. Therefore, Examiner considers Costante’s act of determining whether network activities/traffic match whitelist policies (Costante, Fig. 4, step G) as being equivalent to comparing network activities/traffic to normal/baseline traffic behavior/property to determine whether they match.
Therefore, Costante disclosed each and every element in the “comparing …” clause of claim 1.
Applicant further argued that Costante did not disclose “restricting incoming external electronic communications initiated by a software application”.
Examiner’s position is that Costante indeed disclosed each and every limitation in the “restricting” clause of claim 1, for reasons set forth below.
Costante disclosed in paragraph [0048] that “The detecting of anomalous behavior may include one or more of: intrusion detection, discovering of network assets, characterizing network assets, identifying malicious activities by users, identifying malicious activities by network assets, etc. In an embodiment, the detecting of anomalous behavior provides for intrusion detection.”
Costante then disclosed in Fig. 7 and paragraph [0388] some examples of inconsistency detection, where network activities/traffic are matched against attribute-based consistency rules defined in the table in Fig. 7. In particular, Costante disclosed in [0388] that “if the protocols associated to a host contain values Domain Name System (DNS) and File Transfer Protocol (FTP) client while the role for the same host is PLC, there is a violation of consistency rule number 1, also suggesting a corruption of the PLC.” Examiner would like to note that in Costante, the “protos” attribute refers to layer 7 software applications such as Modbus, DNS and FTP; therefore the attribute-based policies in Costante can permit or deny/restrict network activities/traffic initiated by a software application such as an FTP or DNS client.
Applicant further argued that Costante did not disclose “using a virtual private network to communicate within the network.”
Examiner’s rationale, in addition to that presented in the Final Rejection dated November 14, 2025, is that Costante disclosed in Fig. 5 examples of host and link attributes contained in a host DB and a link DB, and the host DB shows that hosts A, B, and C use addresses in the 10.10.x.x range, which is private (RFC 1918) address space reserved for use within a private network rather than on the public Internet. Examiner takes this disclosure as evidence that hosts A, B and C communicate within a virtual private network.
For the reasons above, Examiner concludes that Applicant’s rebuttal arguments are unpersuasive and therefore fail to overcome the prior art reference Costante.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Costante (U.S. 2020/0404010).
Regarding claim 1, Costante disclosed a method of providing reactive network security for a building automation system, the building automation system including a controller and a network of electronic devices connected in electronic communication (Costante, [0002-0003, 0014]), the method comprising:
monitoring, by the controller, external electronic communications received by the network (Costante, [0076], “Network traffic on a data network is monitored”; [0216], “The data traffic is monitored and attributes are extracted from the data traffic”), which includes:
comparing, by the controller, at least one traffic property of the external electronic communications to a corresponding baseline traffic property (Costante disclosed in the Abstract and paragraphs [0008-0013, 0025-0029, 0124, 0250] a method of detecting anomalous behavior in data traffic on a data communication network using attribute based policies, wherein an attribute based policy comprises declarative policies that define the condition and what has to be done in a protocol generic way, and a whitelist policy describes acceptable data traffic and the associated action (e.g. permit) to take when incoming data traffic is deemed acceptable. Costante additionally disclosed in [0005] that “whitelisting systems maintain a model of the normal behavior of a system and compare the current activities with it: in case a mismatch occurs, an alert is raised.” In other words, traffic that matches the whitelist policies is considered traffic of normal behavior. Therefore, Examiner considers Costante’s act of determining whether network activities/traffic match whitelist policies (Costante, Fig. 4, step G) as being equivalent to comparing network activities/traffic to normal/baseline traffic behavior/property to determine whether they match); and
instituting, by the controller, a traffic communication protocol for at least one of the controller and the electronic devices based on said comparison (Costante, [0244] and the table disclosed the traffic control protocol based on comparison), the instituting of the traffic communication protocol causes one or more of:
restricting of at least one type of incoming external electronic communication to the network (Costante, [0244] and table disclosed the policy P3 that deny a set of traffic based on the result of comparison), which includes at least one of:
restricting incoming external electronic communications initiated by a software application that caused a portion of the external electronic communications monitored by the controller (Costante disclosed in para. [0038] that “Examples of attribute-based policies may comprise: a guest device may not send reprogram commands to the e-mail server. The printer device may not transmit a scanned document to an external e-mail server. The printer device may send operating status data to a remote maintenance printer server.” Costante’s disclosure about not allowing a guest device to send reprogram commands to the e-mail server restricts the external communication from a guest device), or
enabling a bandwidth limitation for an electric device that is one of the electronic devices in the network and an external electronic device that transmitted at least a portion of the external electronic communications monitored by the controller;
using a virtual private network to communicate within the network (Costante disclosed in Fig. 5 examples of host and link attributes contained in a host DB and a link DB, and the host DB shows that hosts A, B, and C use private IP addresses 10.10.x.x. This disclosure provides evidence that the hosts A, B and C are in a virtual private network), and
encrypting of the electronic communication within the network (Costante disclosed in para. [0053] that “attributes-based policies such as … ‘A controller can only be reprogrammed over a secure connection (e.g., Secure Sockets Layer (SSL), HyperText Transfer Protocol Secure (HTTPS)” where SSL and HTTPS require encryption of the communications).
Claim 10 lists substantially the same elements as claim 1, but in system form rather than method form. Therefore, the rejection rationale for claim 1 applies equally as well to claim 10.
Regarding claims 2 and 11, Costante disclosed the subject matter of claims 1 and 10.
Costante further disclosed wherein the monitoring, by the controller, of the external electronic communications includes: determining, by the controller, the at least one traffic property of the electronic communications (Costante, [0008-0009, 0032-0033], “parsing the data traffic to extract protocol field values of a protocol message of the data traffic; … deriving, from the extracted protocol field values, attribute values of attributes of one of the first host, the second host, and the link”).
Regarding claims 3 and 12, Costante disclosed the subject matter of claims 1 and 10.
Costante further disclosed wherein the monitoring, by the controller of the external electronic communications is continuous monitoring (Costante, [0127], “The goal of the Attribute extraction component is to find as much information as possible about the monitored network, a single host, a communication link, etc., by continuously and passively monitoring the network traffic”).
Regarding claims 4 and 13, Costante disclosed the subject matter of claims 1 and 10.
Costante further disclosed wherein a primary function of the controller is operating the building automation system (Costante, [0053], “In a Building Automation application, attribute extraction may be used to understand if a host is a light, a thermostat, a controller, an IP-camera a card reader etc., and to detect intrusions or malicious activities by matching against attributes-based policies such as”).
Regarding claims 5 and 14, Costante disclosed the subject matter of claims 1 and 10.
Costante further disclosed wherein the monitoring includes the restricting of the type of incoming electronic communication, said restricting including at least one of:
restricting incoming external electrical communications initiated by a software application that caused a portion of the external electrical communications monitored by the controller,
enabling an inbound traffic rule for incoming external electrical communications based on the at least one traffic property (Costante disclosed in [0006], “The invention aims to provide an anomalous behavior detection that may be adapted more easily to changes, e.g. upgrades, in the network” and in [0265] that “malicious activities that have not been noted before, i.e. for which no specific blacklist policy is available yet, may be lead to new or updated blacklist policies.” Blacklist policies block the activities/communications from/to hosts on the blacklist, which is a form of traffic restriction, or firewall protection),
enabling a dynamic restriction of at least one external internet protocol address, port, and protocol that corresponds to the electrical communications monitored by the controller,
enabling or modifying a firewall protection based on the at least one traffic property, and enabling a bandwidth limitation for an electric device that is one of the electronic devices in the network and an external electronic device that transmitted at least a portion of the external electrical communications monitored by the controller.
Regarding claims 6 and 15, Costante disclosed the subject matter of claims 1 and 10.
Costante further disclosed wherein the at least one traffic properties of the electronic communications is metadata of the external electronic communications (Costante, Fig. 5 shows examples of attributes extracted from the monitored traffic, where information such as OS, host, vendor and role is the metadata of the communication activities).
Regarding claims 7 and 16, Costante disclosed the subject matter of claims 1 and 10.
Costante further disclosed wherein the instituting, by the controller, of the traffic communication protocol is in response to the at least one traffic property of the external electronic communications exceeding the corresponding baseline traffic property by a predetermined amount (Costante, [0270, 0271], “If the support to the hypothesis that a host/link in quarantine is malicious exceeds a blacklist threshold, raising an alert and using the data traffic related to the host or link to extract new blacklist policies. … updating the current policies using the extracted new whitelist or blacklist policies”).
Regarding claims 8 and 17, Costante disclosed the subject matter of claims 7 and 16.
Costante further disclosed wherein the instituting, by the controller, of the traffic communication protocol is configured to reduce the at least one traffic property to no longer exceed the corresponding baseline traffic property by the predetermined amount (Costante, [0342], “The system allows to automatically capture changes in the monitored network behavior with reduced false alerts.”).
Regarding claims 9 and 18, Costante disclosed the subject matter of claims 7 and 16.
Costante further disclosed wherein the at least one traffic property of the external electronic communications includes a count of the external electronic communications received by one of the electronic devices in a preceding time period, and the corresponding baseline traffic property is an expected total of the external electronic communications received by the one of the electronic devices in said time period, and the instituting is in response to the count of the external electronic communications received by one of the electronic devices exceeding the expected total of the electronic communications received by the one of the electronic devices by the predetermined amount (Costante, [0077], “A link meta-model is provided which comprises the following attributes: {source IP, destination IP, protocol, source port, destination port, operation, number of occurrences}” and [0122], “the data traffic may be monitored over a relatively long period of time, e.g. hours, days, weeks, to extract the protocol field values that may enable to derive the attribute values as described”).
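The comparing, consistency-rule and count-threshold logic discussed above for claims 1, 5, 7 and 9 (whitelist policies as the model of normal behavior, a PLC-role consistency rule, and an inbound count compared against an expected total plus a predetermined amount) is rendered below as an added illustration in Python. This is not code from the application under examination or from Costante; the host attribute table, the policies, the expected totals and the flow records are all constructed for the example.

```python
"""Attribute-based whitelist comparison, consistency check and count baseline.

Added illustration only: not code from the application under examination or
from Costante. All host attributes, policies, baselines and flow records below
are constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # layer-7 protocol the flow carries
    dport: int
    secure: bool = False  # True when the session is TLS-protected


# Host DB in the style of a host-attribute table (constructed): role and the
# protocols each host is expected to speak.
HOST_DB = {
    "10.10.0.1": {"role": "PLC", "protos": {"modbus"}},
    "10.10.0.2": {"role": "HMI", "protos": {"modbus", "https"}},
    "10.10.0.3": {"role": "printer", "protos": {"ipp", "https"}},
}


def attrs(ip):
    """Attributes for a host; anything outside the host DB is treated as external."""
    return HOST_DB.get(ip, {"role": "external", "protos": set()})


# Whitelist (baseline) policies: a flow is "normal" when at least one permits it.
WHITELIST = [
    ("HMI may talk Modbus to a PLC",
     lambda f: attrs(f.src)["role"] == "HMI"
     and attrs(f.dst)["role"] == "PLC" and f.proto == "modbus"),
    ("a controller may only be reprogrammed over a secure connection",
     lambda f: attrs(f.dst)["role"] == "PLC"
     and f.proto == "reprogram" and f.secure),
    ("a printer may send status to a remote maintenance server over HTTPS",
     lambda f: attrs(f.src)["role"] == "printer"
     and attrs(f.dst)["role"] == "external" and f.proto == "https" and f.secure),
]


def matches_baseline(flow):
    """Compare a flow to the whitelist model; return the matching policy or None."""
    for description, permit in WHITELIST:
        if permit(flow):
            return description
    return None


def consistency_violations(flows):
    """Consistency rule: a host with role PLC must not act as a DNS or FTP client."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add(f.proto)
    return {ip: sorted(protos & {"dns", "ftp"})
            for ip, protos in seen.items()
            if attrs(ip)["role"] == "PLC" and protos & {"dns", "ftp"}}


# Count baseline (constructed): expected inbound flows per device in a window,
# plus a predetermined tolerance before the controller reacts.
EXPECTED_INBOUND = {"10.10.0.1": 20, "10.10.0.2": 50}
PREDETERMINED_AMOUNT = 10


def institute_protocol(flows):
    """Decide what the controller institutes for one monitoring window.

    Returns deny rules for flows outside the whitelist baseline and rate limits
    for devices whose inbound count exceeds the expected total by more than
    the predetermined amount.
    """
    deny = {(f.src, f.dst, f.proto, f.dport)
            for f in flows if matches_baseline(f) is None}
    inbound = Counter(f.dst for f in flows)
    rate_limit = {dst: n for dst, n in inbound.items()
                  if dst in EXPECTED_INBOUND
                  and n > EXPECTED_INBOUND[dst] + PREDETERMINED_AMOUNT}
    return {"deny": sorted(deny), "rate_limit": rate_limit}


# Constructed sample window: normal HMI traffic, a PLC acting as an FTP/DNS
# client, an unencrypted reprogram attempt, a legitimate printer status
# upload, and a burst of 30 unexpected Modbus flows from an external host.
SAMPLE_FLOWS = (
    [Flow("10.10.0.2", "10.10.0.1", "modbus", 502)] * 5
    + [Flow("10.10.0.1", "203.0.113.9", "ftp", 21),
       Flow("10.10.0.1", "203.0.113.9", "dns", 53),
       Flow("203.0.113.9", "10.10.0.1", "reprogram", 44818),
       Flow("10.10.0.3", "203.0.113.7", "https", 443, secure=True)]
    + [Flow("198.51.100.4", "10.10.0.1", "modbus", 502)] * 30
)

if __name__ == "__main__":
    print(consistency_violations(SAMPLE_FLOWS))
    print(institute_protocol(SAMPLE_FLOWS))
```

On the sample window the PLC is flagged for DNS and FTP client activity, the four flow patterns outside the whitelist (the two PLC-initiated flows, the unencrypted reprogram attempt, and the external Modbus burst) become deny rules, and the PLC's inbound count of 36 exceeds its expected total of 20 by more than the predetermined amount of 10, so a rate limit is instituted for it; the printer's HTTPS status upload matches the baseline and is left alone.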
Regarding claim 19, Costante disclosed the method of claim 1.
Costante further disclosed wherein the instituting of the traffic communication protocol causes one or more of:
the using of the virtual private network to communicate within the network (Costante disclosed in Fig. 5 examples of host and link attributes contained in host DB and link DB, and the host DB shows that hosts A, B, and C use private IP addresses 10.10.x.x. This disclosure provides evidence that the hosts A, B and C are in a virtual private network), and
the encrypting of the electronic communication within the network (Costante disclosed in para. [0053] that “attributes-based policies such as … ‘A controller can only be reprogrammed over a secure connection (e.g., Secure Sockets Layer (SSL), HyperText Transfer Protocol Secure (HTTPS).” Note that SSL and HTTPS require encryption of the communications).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIRLEY X ZHANG whose telephone number is (571)270-5012. The examiner can normally be reached 8:30am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHIRLEY X ZHANG/Primary Examiner, Art Unit 2447