Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 are pending.
Applicant’s reply filed 4/6/2026 was received and considered.
Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in India on 3/1/2024. It is noted, however, that applicant has not filed a certified copy of the IN202411015485 application as required by 37 CFR 1.55.
Response to Arguments
Applicant's arguments filed 4/6/2026 have been fully considered but they are not fully persuasive.
Applicant’s remarks (p. 10, regarding rejections under 35 U.S.C. §112) are persuasive in view of the amendments. The rejections are withdrawn.
Applicant’s remarks (pp. 10-11, regarding rejections under 35 U.S.C. §102) suggest that Pfleger’s disclosure of models associated with roles cannot be considered RBAC information (“authorization details and responsibilities assigned to the entity”). The Examiner disagrees. Pfleger’s disclosure that the user’s behavior is modeled based on the role indicates authorization details and responsibilities assigned to the entity. Pfleger discloses that the system can monitor active network connections to extract system event logs so as to actively collect data associated with user behavior, including the description and time associated with a given set of commands or interactions (¶16). Pfleger further discloses a user logging into the system (authorization) for a given role (¶18, ¶230) and utilizes credentials (¶20). The Examiner respectfully submits that Pfleger’s disclosure meets the RBAC information required by the claim language.
Applicant’s remarks (pp. 11-12) suggest that Pfleger does not suggest “wherein the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed”. Pfleger teaches generating models for normal and abnormal user behavior (¶26). However, Zimmermann teaches that it was known to detect unusual activity in an enterprise based on an anomaly/machine learning model (¶¶275-276), including setting a baseline by training a model (¶195, ¶200) based on historical activity patterns (¶285; for example, detecting logins at particular times to learn the normal temporal pattern of a user, ¶¶285-286). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Pfleger such that the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed to utilize a user’s temporal patterns to determine expected and anomalous use of a system, as taught by Zimmermann.
Applicant’s remarks (pp. 11-12) suggest that Pfleger does not teach or suggest RBAC information indicating “authorization details and responsibilities assigned to the user for operating within the OT environment”. The Examiner disagrees. Pfleger’s disclosure that the user’s behavior is modeled based on the role indicates authorization details and responsibilities assigned to the entity. Pfleger discloses that the system can monitor active network connections to extract system event logs so as to actively collect data associated with user behavior, including the description and time associated with a given set of commands or interactions (¶16). Pfleger further discloses a user logging into the system (authorization) for a given role (¶18, ¶230) and utilizes credentials (¶20). The Examiner respectfully submits that Pfleger’s disclosure meets the RBAC information required by the claim language.
Applicant’s remarks (p. 13) suggest that Pfleger and Ferguson fail to teach “wherein the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed”. However, Zimmermann teaches that it was known to detect unusual activity in an enterprise based on an anomaly/machine learning model (¶¶275-276), including setting a baseline by training a model (¶195, ¶200) based on historical activity patterns (¶285; for example, detecting logins at particular times to learn the normal temporal pattern of a user, ¶¶285-286). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Pfleger such that the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed to utilize a user’s temporal patterns to determine expected and anomalous use of a system, as taught by Zimmermann.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 6-9 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over US 2022/0191227 A1 to Pfleger de Aguiar et al. (Pfleger) and US 2018/0027006 A1 to Zimmermann et al. (Zimmermann).
Regarding claim 1, Pfleger discloses a system (Fig. 1) comprising: a memory (¶¶40-41); and at least one processor communicatively coupled to the memory, wherein the at least one processor is configured (¶¶40-41) to: obtain real-time (ICS-PIAE, ¶18, can monitor active network connections to extract system event logs so as to actively collect data associated with user behavior, ¶16; the ICS-PIAE 106 can receive a notification that a new engineer logged into the ICS 100, ¶18) operation data (ICS-PIAE receives notification of new interaction, ¶18) corresponding to an entity (engineer, ¶18) operating within an operational technology (OT) environment of an organization (distributed control system (DCS) or industrial control system (ICS) 100, ¶13), the real-time operation data being indicative of one or more operations performed by the entity within the OT environment of the organization (ICS-PIAE 106 can receive a notification that a new engineer logged into the ICS 100, ¶18; data extraction node 115 can notify the ICS-PIAE 106 when a new interaction with the ICS 100 is detected; new interaction that is detected can be locally performed or remotely controlled, ¶16); for each of the one or more operations, identify operational information associated with the operation (log information and other sources of information being transformed into features that can be used as input for various data analytics algorithms or models , ¶24; models can be generated for a specific user or role within the ICS 100, ¶26), the operational information comprising at least one of timing information and role-based access control (RBAC) information (data mining may include sequential pattern mining, interval-based temporal pattern mining, or the like; pattern mining can extract complex spatiotemporal patterns of user-specific and/or role-specific behavior, ¶25; extracting features from the data can further include determining a role of a plurality of roles associated with users that are performing the user interactions, ¶30), wherein the timing information indicates a particular time at which the operation was performed (mining can include interval-based temporal pattern mining, which can extract complex spatiotemporal patterns of user-specific and/or role-specific behavior, ¶24; ICS 100, based on data extracted from logs or network traffic, can model the user and/or the role as opening up particular screens in a particular order at a particular time, ¶28; model that defines normal operations can include features that define sequences of one or more operations, and time durations of the one or more operations, ¶32), and wherein the RBAC information indicates authorization details and responsibilities assigned to the entity for operating within the OT environment (models can be associated with users and/or roles; the ICS 100 can identify when a user is logged-in as a particular role but the user is behaving in a different role, ¶30); and process, utilizing the anomaly detection model, the real-time operation data and the operational information to detect any anomaly in the one or more operations (generated models are used to detect anomalies, ¶15; anomalies can be detected by modeling the normal or typical behavior of users, and then comparing actual user behavior to the modeled user behavior, ¶20; ICS can identify when a user is logged into a particular workstation of the ICS 100 as an engineer but is interacting with the workstation as an operator, ¶30); and initiate one or more preventive actions within the OT environment upon detecting an anomaly in at least one of the one or more operations (in response to an anomaly being detected (at 206), an indication can be rendered by the ICS 100, for instance to an operator of the ICS 100, ¶27). Pfleger teaches generating models for normal and abnormal user behavior (¶26), but lacks wherein the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed. However, Zimmermann teaches that it was known to detect unusual activity in an enterprise based on an anomaly/machine learning model (¶¶275-276), including setting a baseline by training a model (¶195, ¶200) based on historical activity patterns (¶285; for example, detecting logins at particular times to learn the normal temporal pattern of a user, ¶¶285-286). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Pfleger such that the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed. One of ordinary skill in the art would have been motivated to perform such a modification to utilize a user’s temporal patterns to determine expected and anomalous use of a system, as taught by Zimmermann.
Regarding claim 9, the claim is similar in scope to claim 1 and is therefore rejected using a similar rationale.
Regarding claim 2, Pfleger discloses wherein the entity is one of an asset associated with the organization and a user operating the asset (cascaded consequence may include a network packet being sent or received that is only triggered after a specific user interaction, ¶16; models are used for comparing actual user behavior to the modeled user behavior, ¶20).
Regarding claims 6 and 14, Pfleger discloses wherein the one or more preventive actions include at least one of: generating a suspension signal for transmission to one or more devices associated with the organization1, wherein the suspension signal is to prevent execution of the one or more operations for which the anomaly is detected; and generating an alert notification for transmission to a supervisor on a supervisor device (in response to an anomaly being detected (at 206), an indication can be rendered by the ICS 100, for instance to an operator of the ICS 100, ¶27), wherein the alert notification is indicative of the anomaly (the indication may include an alert or alarm and can be based on the type of anomaly that is detected; indication can identify what user behavior was anomalous; alarm can be output to the HMis 116 and/or HMis 132 so that operators are informed of the issue, ¶27).
Regarding claim 7, Pfleger discloses wherein to process the real-time operation data and the operational information, the at least one processor is further configured to: obtain a historical behaviour-based pattern of the entity, wherein the historical behaviour-based pattern is indicative of historical operations performed by the entity (data collection of data indicating user interactions, ¶23) at the particular time (for example system state is collected at the time of interaction, ¶23; other examples include determining that a user of a particular role opens windows in a particular order at a particular time, ¶28; model training can be based on sessions, ¶26); and compare the historical operations with the one or more operations to detect the anomaly, wherein detecting the anomaly comprises detecting a deviation of at least one operation of the one or more operations from the historical operations (anomalies can be detected; the extracted features can be used to distinguish between normal and abnormal user behavior; ¶27; see also ¶¶28-30).
Regarding claim 8, Pfleger discloses wherein to process the real-time operation data and the operational information, the at least one processor is further configured to: obtain a historical role-based pattern for the entity (data collection of data indicating user interactions, ¶23; determining that a user of a particular role opens windows in a particular order at a particular time, ¶28; model training can be based on sessions, ¶26), wherein the historical role-based pattern is indicative of ideal operations performed by an ideal entity having authorization to operate within an ideal OT environment according to the authorization details and responsibilities (determining that a user of a particular role opens windows in a particular order at a particular time, ¶28; model training can be based on sessions, ¶26; data mining may include sequential pattern mining, interval-based temporal pattern mining, or the like; pattern mining can extract complex spatiotemporal patterns of user-specific and/or role-specific behavior, ¶25; extracting features from the data can further include determining a role of a plurality of roles associated with users that are performing the user interactions, ¶30); and compare the ideal operations with the one or more operations to detect the anomaly (anomalies can be detected by modeling the normal or typical behavior of users, and then comparing actual user behavior to the modeled user behavior, ¶20), wherein detecting the anomaly comprises detecting a deviation of at least one operation of the one or more operations from the ideal operations (ICS can determine that windows at a particular workstation were opened in the correct order, for example by comparing the observed order to a model associated with the user, ¶27; can also determine that the windows were opened at a rate that was atypical (anomalous), for instance too slow or fast, ¶27).
Regarding claim 15, Pfleger discloses wherein processing the real-time operation data and the RBAC information comprises: obtaining a historical role-based pattern for the asset (data collection of data indicating user interactions, ¶23; determining that a user of a particular role opens windows in a particular order at a particular time, ¶28; model training can be based on sessions, ¶26), wherein the historical role-based pattern is indicative of ideal operations performed by an ideal entity having authorization to operate within an ideal OT environment according to the authorization details and responsibilities (determining that a user of a particular role opens windows in a particular order at a particular time, ¶28; model training can be based on sessions, ¶26; data mining may include sequential pattern mining, interval-based temporal pattern mining, or the like; pattern mining can extract complex spatiotemporal patterns of user-specific and/or role-specific behavior, ¶25; extracting features from the data can further include determining a role of a plurality of roles associated with users that are performing the user interactions, ¶30); and comparing the ideal operations with the one or more operations to detect the anomaly, wherein detecting the anomaly comprises detecting a deviation of at least one operation of the one or more operations from the ideal operations (ICS can determine that windows at a particular workstation were opened in the correct order, for example by comparing the observed order to a model associated with the user, ¶27; can also determine that the windows were opened at a rate that was atypical (anomalous), for instance too slow or fast, ¶27).
Claims 10 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pfleger and Zimmermann, as applied to claim 9, in view of US 2017/0230391 A1 to Ferguson et al. (Ferguson).
Regarding claim 10, Pfleger discloses initiating one or more additional preventive actions within the OT environment upon detecting another anomaly in at least one of the one or more operations (¶27), but lacks for each of the one or more operations, obtaining timing information indicative of a particular time at which the operation was performed; processing, utilizing the anomaly detection model, the real-time operation data and the timing information to detect any other anomaly in the one or more operations. However, Ferguson, in an analogous art (behavioral anomaly detection ¶177), teaches that it was known to incorporate timing information (¶¶171-174) into a behavioral model (¶¶164-176), the model including user roles (¶177) to detect time-based anomalies (¶177, ¶184, ¶185). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Pfleger to include, for each of the one or more operations, identify timing information associated with the operation (per Ferguson, noting time pattern for user engaged in work activities, certain type of work, certain devise to work on at a time of day, etc., ¶¶154-158), the timing information indicating a particular time at which the operation was performed and using the timing information to detect anomalies (detecting anomalies based on timing information, ¶165, ¶184, ¶185). One of ordinary skill in the art would have been motivated to perform such a modification to detect anomalous behavior based on time, as taught by Ferguson.
Regarding claim 16, Pfleger discloses a non-transitory computer-readable medium (¶38) comprising instructions (¶38, ¶34) for detecting an anomaly in an operational technology (OT) environment, the instructions being executable by a processing resource (¶34) to: obtain real-time (can monitor active network connections to extract system event logs so as to actively collect data associated with user behavior, ¶16; the ICS-PIAE 106 can receive a notification that a new engineer logged into the ICS 100, ¶18) operation data (ICS-PIAE receives notification of new interaction, ¶18) corresponding to a user (engineer, ¶18) functioning within an operational technology (OT) environment of an organization (distributed control system (DCS) or industrial control system (ICS) 100, ¶13), the real-time operation data being indicative of one or more operations performed by the user within the OT environment of the organization (ICS-PIAE 106 can receive a notification that a new engineer logged into the ICS 100, ¶18; data extraction node 115 can notify the ICS-PIAE 106 when a new interaction with the ICS 100 is detected; new interaction that is detected can be locally performed or remotely controlled, ¶16); process, utilizing an anomaly detection model (log information and other sources of information being transformed into features that can be used as input for various data analytics algorithms or models , ¶24; models can be generated for a specific user or role within the ICS 100, ¶26), the real-time operation data to detect any deviation of the one or more operations from a historical operating pattern of the user in terms of the particular time (generated models are used to detect anomalies, ¶15; anomalies can be detected by modeling the normal or typical behavior of users, and then comparing actual user behavior to the modeled user behavior, ¶20; ICS can identify when a user is logged into a particular workstation of the ICS 100 as an engineer but is interacting with the workstation as an operator, ¶30); and initiate one or more preventive actions within the OT environment upon detecting a deviation of at least one of the one or more operations from the historical operating pattern (in response to an anomaly being detected (at 206), an indication can be rendered by the ICS 100, for instance to an operator of the ICS 100, ¶27). Pfleger teaches generating models for normal and abnormal user behavior (¶26), but as modified, lacks wherein the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed. However, Zimmermann teaches that it was known to detect unusual activity in an enterprise based on an anomaly/machine learning model (¶¶275-276), including setting a baseline by training a model (¶195, ¶200) based on historical activity patterns (¶285; for example, detecting logins at particular times to learn the normal temporal pattern of a user, ¶¶285-286). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to further modify Pfleger such that the anomaly detection model is trained based on historical operation data corresponding to one or more entities associated with the organization, the historical operation data being analyzed in correlation with a particular historical time at which each historical operation was performed. One of ordinary skill in the art would have been motivated to perform such a modification to utilize a user’s temporal patterns to determine expected and anomalous use of a system, as taught by Zimmermann. Pfleger lacks for each of the one or more operations, identify timing information associated with the operation, the timing information indicating a particular time at which the operation was performed and using the timing information to detect anomalies. However, Ferguson, in an analogous art (behavioral anomaly detection ¶177), teaches that it was known to incorporate timing information (¶¶171-174) into a behavioral model (¶¶164-176; noting time pattern for user engaged in work activities, certain type of work, certain devise to work on at a time of day, etc., ¶¶154-158), the model including user roles (¶177) to detect time-based anomalies (¶177, ¶184, ¶185). Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Pfleger to include, for each of the one or more operations, identify timing information associated with the operation, the timing information indicating a particular time at which the operation was performed and using the timing information to detect anomalies. One of ordinary skill in the art would have been motivated to perform such a modification to detect anomalous behavior based on time, as taught by Ferguson.2
Regarding claim 17, Pfleger, as modified, teaches configuration to obtain, for the organization, the historical operation data corresponding to the one or more entities associated with the organization, wherein the historical operation data is indicative of one or more historical operations performed by each of the one or more entities within the OT environment of the organization (data mining may include sequential pattern mining, interval-based temporal pattern mining, or the like; pattern mining can extract complex spatiotemporal patterns of user-specific and/or role-specific behavior, ¶25; extracting features from the data can further include determining a role of a plurality of roles associated with users that are performing the user interactions, ¶30); for each of the one or more historical operations, identify a particular historical time at which the historical operation was performed (as modified by Ferguson, incorporate timing information (¶¶171-174) into a behavioral model (¶¶164-176), the model including user roles (¶177) to detect time-based anomalies (¶177, ¶184, ¶185)); and analyze the historical operation data in correlation with the particular historical time to obtain the anomaly detection model (as modified by Ferguson, model of Pfleger further comprises timing information, Ferguson ¶¶171-174, such that the anomaly detection model is based on timing information, Ferguson ¶184).
Regarding claim 18, Pfleger, as modified, teaches configuration to identify a historical behaviour-based pattern for the user (generated models are used to detect anomalies, ¶15; anomalies can be detected by modeling the normal or typical behavior of users, and then comparing actual user behavior to the modeled user behavior, ¶20; ICS can identify when a user is logged into a particular workstation of the ICS 100 as an engineer but is interacting with the workstation as an operator, ¶30), wherein the historical behaviour-based pattern is indicative of a correlation between the one or more historical operations (ICS can identify when a user is logged into a particular workstation of the ICS 100 as an engineer but is interacting with the workstation as an operator, ¶30) and the particular historical time (as modified by Ferguson, model of Pfleger further comprises timing information, Ferguson ¶¶171-174); and analyze the historical behaviour-based pattern to obtain the anomaly detection model (as modified by Ferguson, model of Pfleger further comprises timing information, Ferguson ¶¶171-174, such that the anomaly detection model is based on timing information, Ferguson ¶184).
Regarding claim 19, Pfleger discloses wherein the one or more preventive actions include at least one of: generating a suspension signal for transmission to one or more devices associated with the organization3, wherein the suspension signal is to prevent execution of the one or more operations for which the anomaly is detected; and generating an alert notification for transmission to a supervisor on a supervisor device (in response to an anomaly being detected (at 206), an indication can be rendered by the ICS 100, for instance to an operator of the ICS 100, ¶27), wherein the alert notification is indicative of the anomaly (the indication may include an alert or alarm and can be based on the type of anomaly that is detected; indication can identify what user behavior was anomalous; alarm can be output to the HMis 116 and/or HMis 132 so that operators are informed of the issue, ¶27).
Regarding claim 20, Pfleger, as modified, teaches instructions to obtain a historical behaviour-based pattern of the user, wherein the historical behaviour-based pattern is indicative of historical operations performed by the user (data collection of data indicating user interactions, ¶23) at the particular time (for example system state is collected at the time of interaction, ¶23; other examples include determining that a user of a particular role opens windows in a particular order at a particular time, ¶28; model training can be based on sessions, ¶26; note that, as modified with respect to Ferguson, the combination teaches additionally maintaining records of operations performed at times according to the model, per Ferguson ¶¶171-174); and compare the historical operations with the one or more operations to detect the deviation (anomalies can be detected; the extracted features can be used to distinguish between normal and abnormal user behavior; ¶27; see also ¶¶28-30).
Allowable Subject Matter
Claims 3-5 and 11-13 are objected to as being dependent upon a rejected base claim, but would be likely be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Regarding claims 3 and 11:
US 20240348663 A1 (Crabtree; Jason et al.), in an analogous art (anomaly detection based on machine learning models), teaches that it was known to utilize transfer learning to establish an anomaly detection model (¶168), including obtaining historical activity data indicating ideal operations performed within one or more environments of one or more organizations (generating a generic pre-trained model, ¶168), analyze the historical role-specific activity data to obtain an initial version of the anomaly detection model (generate initial detection model based on purchase history from related domain, ¶168), obtain, for the organization, historical operation data corresponding to one or more entities associated with the organization, wherein the historical operation data is indicative of one or more historical operations performed by each of the one or more entities within the environment of the organization (adapt this model to a specific context relevant to the target domain, ¶168; see b. Model Adaptation).
US 20220357729 A1 (XU; Rui et al.) teaches utilizing an initial model generated from high-fidelity modes for fine tuning in a target domain (¶¶63-64).
US 20250023896 A1 (HEN; Idan Yehoshua et al.) teaches training an anomaly detection model “using data that is directed to ( or, equivalently, pertains to) tenants of the managed environment 130, e.g., definitions of the roles used in the role assignments” to detect anomalous role assignments.
However, the prior art – individually, or in a reasonable combination – fails to teach the at least one processor is further configured to: obtain historical role-specific activity data indicating ideal operations performed within one or more OT environments of one or more organizations, by a plurality of authorized entities authorized to perform operations corresponding to roles assigned in at least one of the one or more organizations; analyze the historical role-specific activity data to obtain an initial version of the anomaly detection model; obtain, for the organization, the historical operation data corresponding to the one or more entities associated with the organization, wherein the historical operation data is indicative of one or more historical operations performed by each of the one or more entities within the OT environment of the organization; for each of the one or more historical operations, identify the particular historical time at which the historical operation was performed; and analyze the historical operation data in correlation with the particular historical time to obtain a final trained version of the anomaly detection model, in combination with the independent claims, when viewed as a whole.
Claims 4-5 and 12-13 inherit allowable subject matter of claims 3 and 11.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20230007023 A1 (Andrabi; Sarah et al.) teaches using a model to detect anomalous user actions (¶124), including taking into consideration the time of day and user role (¶112).
“Role-based profile analysis for scalable and accurate insider-anomaly detection” (Park, Joon S., and Joseph Giordano) teaches examiner user actions based on context and role (p. 468).
“Towards an adaptive multi-level RBAC mechanism for countering insider misuse” (Liu, Shuo, et al.) teaches preventing insider misuse using a user’s assigned role (§ III).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841. The examiner can normally be reached Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Simitoski/ Primary Examiner, Art Unit 2493
May 26, 2026
1 In response to detecting anomalies: US 20250023896 A1 (HEN; Idan Yehoshua et al.) teaches taking action, including preventing an entity from accessing a resource (¶¶19, ¶39); US 20240354215 A1 (Yuan; Peng et al.) teaches performing corrective actions (¶111); US 20250148014 A1 (Niv; Nitzan et al.) teaches automatic remediation (¶74); US 20230291755 A1 (Siebel; Thomas M. et al.) teaches presenting possible actions to be taken (¶95), including closing endpoints and eradicating malware (¶90)
2 US 20190392141 A1 (BARDINI; MATTEO et al.) similarly teaches monitoring timing information (shift, calendar, etc.) for actions (login, logout, etc.) in an industrial control system (¶¶53-60).
3 In response to detecting anomalies: US 20250023896 A1 (HEN; Idan Yehoshua et al.) teaches taking action, including preventing an entity from accessing a resource (¶¶19, ¶39); US 20240354215 A1 (Yuan; Peng et al.) teaches performing corrective actions (¶111); US 20250148014 A1 (Niv; Nitzan et al.) teaches automatic remediation (¶74); US 20230291755 A1 (Siebel; Thomas M. et al.) teaches presenting possible actions to be taken (¶95), including closing endpoints and eradicating malware (¶90)