DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 12/30/2020.
In the instant Amendment, claim 21 has been added; claim 10 was cancelled; claims 1, 11-14, 16, and 19-20 have been amended; and claims 1, 16 and 20 are independent claims. Claims 1-9 and 11-21 have been examined and are pending. This Action is made FINAL.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 10/29/2020, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 03/01/2017, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s argument:  “no determination of obviousness is properly established for at least the reason that the scope and content of the cited references do not teach or suggest all claimed elements or support rational inferences that one skilled in the art reasonably would be expected to draw to reach all claimed elements.”
In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, OGUMA teaches a vehicle system constituted by a plurality of computers (ECUs) connected to a CAN bus system and an authentication method, and NAKAJIMA teaches an in-vehicle authentication system that has a vehicle communication apparatus that is provided in a vehicle equipped with a plurality of ECUs and that communicates with each ECU of the plurality of ECUs. OGUMA and NAKAJIMA are both from the same analogous art and therefore they are combinable. One of ordinary skill in the art before the effective filing date of the claimed invention would have been motivated to combine the two references to arrive at applicant's invention. Therefore, as the metes and bounds of the limitation have been met as noted above, the examiner finds this argument not persuasive.

Applicant’s arguments: “independent claims 1, 16 and 20 recite “based on a result of the comparison, sending a signal to the first ECU, the signal indicating a security key authentication failure with respect to the third ECU,” these elements are not taught or suggested by the cited reference, even in combination.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that NAKAJIMA discloses based on a result of the comparison, sending a signal to the first Nakajima: ¶0112 in step 105, the authentication part 101 determines whether or not the configuration authentication is successful based on the comparison result output by the configuration authentication process [...] if the comparison result is a non-match, the authentication part 101 determines that the configuration authentication is unsuccessful [...] if the configuration authentication is unsuccessful, the authentication part 101 records the ECU that has failed the configuration authentication in the authentication error list 630 in step S106; ¶0123 the display part 311 displays on the display 805 a function display screen 500 which displays whether each in-vehicle function is enabled or disabled). More specifically, NAKAJIMA discloses the display part 311 also displays an explanation that an authentication error has occurred in the rear sonar of ECU_D in the message field of the function display screen 500 [¶0126] and a determination part to determine an in-vehicle function that is realizable in the vehicle based on the authentication error list and a function correlation table which indicates correlation between an in-vehicle function realized in the vehicle and an electronic control unit used to realize the in-vehicle function [¶0014]. Therefore, as the metes and bounds of the limitation have been met as noted above, the examiner finds this argument not persuasive.

Applicant’s arguments: “the cited portions of Oguma discuss communication between a “general ECUa” and “the master ECUm,” not communications between “a first ECU,” “a second ECU,” and “a third ECU,” as recited by claim 1.” 
¶0039]. [NOTE: relational terms such as first and second, top and bottom, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.] Therefore, as the metes and bounds of the limitation have been met as noted above, the examiner finds this argument not persuasive.

Applicant’s arguments: “[A]ccordingly, even in combination with Oguma, Nakajima does not teach or suggest the claimed "updated authentication data including an update to the expiration time for the security key," as recited in dependent claim 4.” 
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Nakajima discloses updated authentication data including an update to the expiration time for the security key (Nakajima: ¶0142 in step S622, the update part 103 determines an ECU to be updated based on header information 511 in the update information 650). More specifically, Nakajima discloses in step S711, the configuration data generation part 302 acquires header information 511 and ECU difference information 512 from the ECU update information 651. The header information 511 includes an ECU identification ID of an ECU to be updated [¶0161] and in step S714, the configuration data generation part 302 ¶0164]. Therefore, as the metes and bounds of the limitation have been met as noted above, the examiner finds this argument not persuasive.
The newly added limitations into claims 1, 16, 20 and new claim 21 have been addressed in rejection below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 7-9, 13, 16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over OGUMA et al. (“Oguma,” US 2017/0111177) in view of NAKAJIMA et al. (“Nakajima,” US 2020/0151972).

Regarding claim 1: Oguma discloses a system comprising:
a first electronic control unit (ECU) of a plurality of ECUs in a vehicle (Oguma: ¶0039 the vehicle system is constituted by a plurality of computers (ECUs) [...] four ECUs including a master ECU (100m)); and
a second ECU of the plurality of ECUs (Oguma: fig. 1 general ECU a);
the first ECU configured to enable secure communication among the plurality of ECUs by performing operations comprising:
provisioning a third ECU of the plurality of ECUs with a set of security keys to enable the third ECU to securely exchange messages with the second ECU (Oguma: ¶0041 the respective ECUs have approximately similar functional configurations, the master ECU 100m will be described as an example; ¶0051 the master ECU m generates a random number rm, using the encryption engine 121m (S101) [...] these random numbers are generated to ensure that subsequent message exchange processes are authentication processes in a present session; ¶0052 the master ECU m transmits the random number rm to the general ECU a (S102)); and
provisioning the second ECU with authentication data for authenticating the messages exchanged between the second ECU and the third ECU (Oguma: ¶0057 when the general ECU a receives a message with a digital signature from the master ECU m, the general ECU a confirms integrity of the digital signature using the electronic certificate of the master ECU m (S205)); and 

receiving, from the third ECU, a secure message that is cryptographically signed using a security key from the set of security keys provisioned to the third ECU (Oguma: ¶0056 the master ECU m transmits the digest value Dm, the random number rm, the random number ra, the encrypted session key EK, and the digital signature S2 to the general ECU a (S109)).
Oguma does not explicitly disclose the authentication data including one or more attributes related to communication with the third ECU based on the set of security keys; comparing the authentication data with an authentication signal and based on a result of the comparison, sending a signal to the first ECU, the signal indicating a security key authentication failure with respect to the third ECU.
However Nakajima discloses the authentication data including one or more attributes related to communication with the third ECU based on the set of security keys (Nakajima: ¶0079 ECU information 621 is an example of attribute information 20 which indicates attributes of an ECU; ¶0061 the vehicle communication apparatus 100 includes, as components, an authentication part 101, a determination part 102, an update part 103, and a key management part 110);
comparing the authentication data with an authentication signal (Nakajima: ¶0110 in step S144, the authentication part 101 compares the signature calculated in step S142 with the configuration data 601 which is the expected value acquired in step S143. The authentication part 101 compares the signature calculated in step S142 with the configuration data 601 acquired in step S143, and obtains a comparison result as to whether there is a match between them); and
Nakajima: ¶0112 in step 105, the authentication part 101 determines whether or not the configuration authentication is successful based on the comparison result output by the configuration authentication process [...] if the comparison result is a non-match, the authentication part 101 determines that the configuration authentication is unsuccessful [...] if the configuration authentication is unsuccessful, the authentication part 101 records the ECU that has failed the configuration authentication in the authentication error list 630 in step S106; ¶0123 the display part 311 displays on the display 805 a function display screen 500 which displays whether each in-vehicle function is enabled or disabled).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Nakajima with the system and method of Oguma to include authentication data including attributes related to communication with the third ECU based on the set of security keys to provide users with a means for improving safety and convenience by displaying in-vehicle functions that can be realized by ECUs (Nakajima: ¶0011).

Regarding claim 7: Oguma in view of Nakajima discloses the system of claim 1.
Nakajima further discloses the one or more attributes include a component attribute that specifies an identifier of a component of the vehicle with which the third ECU is permitted to communicate (Nakajima: ¶0061 the vehicle communication apparatus 100 includes, as components, an authentication part 101, a determination part 102, an update part 103, and a key management part 110; ¶0093 in step S100, the authentication part 101 performs configuration authentication for authenticating the validity of a configuration for each ECU of the plurality of ECUs); and
the second ECU is to authenticate the secure message by verifying that the secure message relates to operation of the component of the vehicle with which the third ECU is permitted to communicate (Nakajima: ¶0107 in step S141, the authentication part 101 acquires a key for signature verification from the storage part 104 via the key management part 110, based on the ECU identification ID acquired from the ECU information 253).
The motivation is the same as that of claim 1 above.

Regarding claim 8: Oguma in view of Nakajima discloses the system of claim 1.
Nakajima further discloses the one or more attributes include an operation attribute that specifies an operation the third ECU is permitted to perform (Nakajima: ¶0117 in step S300, the determination part 102 determines in-vehicle functions that can be realized in the vehicle based on the function correlation table 640 and the authentication error list 630); and
the second ECU is to authenticate the secure message by verifying that the secure message corresponds to the operation the third ECU is permitted to perform (Nakajima: ¶0120 in step S302, the determination part 102 determines whether an ECU is registered in the authentication error list 630. If no ECU is registered in the authentication error list 630, this means that there is no authentication-error ECU. Thus, the determination part 102 determines that the authentication is successful and ends the process).
The motivation is the same as that of claim 1 above.

Regarding claim 9: Oguma in view of Nakajima discloses the system of claim 1.
Oguma further discloses wherein the secure message is cryptographically signed using a combination of the authentication signal and the security key (Oguma: ¶0025 a digital signature may be created using a private key (a master ECU private key or a general ECU private key) of the host device and store the root public key in association with the digital signature).

Regarding claim 13: Oguma in view of Nakajima discloses the system of claim 1.
Nakajima further discloses request, from a computer system providing a security service, a new security key for the third ECU in response to receiving the signal from the second ECU (Nakajima: ¶0164 the configuration data generation part 302 generates configuration data information 611 based on the ECU information of one or more ECUs, and adds the calculated digital signature as configuration data 601 to the configuration data information 611 so as to generate new configuration data information 611).
The motivation is the same as that of claim 10 above.

Regarding claim 16: Oguma discloses a system comprising:
one or more processors of a first electronic control unit (ECU) of a plurality of ECUs in a vehicle (Oguma: ¶0040 each ECU 100 has a processor (a processing device)); and
a memory device of the first ECU (Oguma: ¶0040 each ECU 100 has a [...] memory), the memory device to store:
Oguma: ¶0057 when the general ECU a receives a message with a digital signature from the master ECU m, the general ECU a confirms integrity of the digital signature using the electronic certificate of the master ECU m (S205)); and
a set of instructions that, when executed by the one or more processors, cause the first ECU to perform operations comprising:
receiving, from the second ECU, a secure message that is cryptographically signed using a security key from the set of security keys provisioned to the second ECU (Oguma: ¶0056 the master ECU m transmits the digest value Dm, the random number rm, the random number ra, the encrypted session key EK, and the digital signature S2 to the general ECU a (S109)).
Oguma does not explicitly disclose the authentication data including one or more attributes related to communication with the second ECU based on a set of security keys provisioned to the second ECU; comparing the authentication data with an authentication signal maintained by the first ECU and based on a result of the comparison, sending a signal to the first ECU, the signal indicating a security key authentication failure with respect to the third ECU.
However Nakajima discloses the authentication data including one or more attributes related to communication with the second ECU based on a set of security keys provisioned to the second ECU (Nakajima: ¶0079 ECU information 621 is an example of attribute information 20 which indicates attributes of an ECU; ¶0061 the vehicle communication apparatus 100 includes, as components, an authentication part 101, a determination part 102, an update part 103, and a key management part 110);
comparing the authentication data with an authentication signal maintained by the first ECU (Nakajima: ¶0110 in step S144, the authentication part 101 compares the signature calculated in step S142 with the configuration data 601 which is the expected value acquired in step S143. The authentication part 101 compares the signature calculated in step S142 with the configuration data 601 acquired in step S143, and obtains a comparison result as to whether there is a match between them); and
based on a result of the comparison, sending a signal to the first ECU, the signal indicating a security key authentication failure with respect to the third ECU (Nakajima: ¶0112 in step 105, the authentication part 101 determines whether or not the configuration authentication is successful based on the comparison result output by the configuration authentication process [...] if the comparison result is a non-match, the authentication part 101 determines that the configuration authentication is unsuccessful [...] if the configuration authentication is unsuccessful, the authentication part 101 records the ECU that has failed the configuration authentication in the authentication error list 630 in step S106; ¶0123 the display part 311 displays on the display 805 a function display screen 500 which displays whether each in-vehicle function is enabled or disabled).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Nakajima with the system and method of Oguma to include authentication data including attributes related to communication with the third ECU based on the set of security keys to provide users with a Nakajima: ¶0011).

Regarding claim 18: Oguma in view of Nakajima discloses the system of claim 16.
Oguma further discloses a third ECU of the plurality of ECUs in the vehicle (Oguma: fig. 1; ¶0039 the vehicle system is constituted by a plurality of computers (ECUs)), the third ECU to enable secure communication between the plurality of ECUs by performing operations comprising:
provisioning the first ECU with the authentication data for authenticating messages exchanged between the first ECU and the second ECU (Oguma: ¶0051 the master ECU m generates a random number rm, [...] to ensure that subsequent message exchange processes are authentication processes in a present session).
Nakajima further discloses provisioning the second ECU of the plurality of ECUs with the set of security keys to enable the second ECU to securely exchange messages with the first ECU (Nakajima: ¶0120 if an ECU is registered in the authentication error list 630, this means that there is an authentication-error ECU. Thus, the determination part 102 determines that the authentication is unsuccessful and proceeds to step S303).
The motivation is the same as that of claim 16 above.




Regarding claim 20: Oguma discloses a method comprising:
Oguma: ¶0039 the vehicle system is constituted by a plurality of computers (ECUs) [...] four ECUs including a master ECU (100m));
receiving, by the first ECU, a secure message from the second ECU, the secure message being cryptographically signed using a security key from the set of security keys provisioned to the second ECU (Oguma: ¶0056 the master ECU m transmits the digest value Dm, the random number rm, the random number ra, the encrypted session key EK, and the digital signature S2 to the general ECU a (S109)).
Oguma does not explicitly disclose authentication data including one or more attributes related to communication with a second ECU based on a set of security keys provisioned to the second ECU; comparing the authentication data with an authentication signal maintained by the first ECU and based on a result of the comparison, sending a signal from the first ECU to the second ECU, the signal indicating a security key authentication failure with respect to the third ECU.
However Nakajima discloses authentication data including one or more attributes related to communication with a second ECU based on a set of security keys provisioned to the second ECU (Nakajima: ¶0079 ECU information 621 is an example of attribute information 20 which indicates attributes of an ECU; ¶0061 the vehicle communication apparatus 100 includes, as components, an authentication part 101, a determination part 102, an update part 103, and a key management part 110);
comparing the authentication data with an authentication signal maintained by the first ECU (Nakajima: ¶0110 in step S144, the authentication part 101 compares the signature calculated in step S142 with the configuration data 601 which is the expected value acquired in step S143. The authentication part 101 compares the signature calculated in step S142 with the configuration data 601 acquired in step S143, and obtains a comparison result as to whether there is a match between them); and
based on a result of the comparison, sending a signal from the first ECU to the second ECU, the signal indicating a security key authentication failure with respect to the third ECU (Nakajima: ¶0112 in step 105, the authentication part 101 determines whether or not the configuration authentication is successful based on the comparison result output by the configuration authentication process [...] if the comparison result is a non-match, the authentication part 101 determines that the configuration authentication is unsuccessful [...] if the configuration authentication is unsuccessful, the authentication part 101 records the ECU that has failed the configuration authentication in the authentication error list 630 in step S106; ¶0123 the display part 311 displays on the display 805 a function display screen 500 which displays whether each in-vehicle function is enabled or disabled).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Nakajima with the system and method of Oguma to include authentication data including attributes related to communication with the third ECU based on the set of security keys to provide users with a means for improving safety and convenience by displaying in-vehicle functions that can be realized by ECUs (Nakajima: ¶0011).

Claims 2-5 are rejected under 35 U.S.C. 103 as being unpatentable over OGUMA et al. (“Oguma,” US 2017/0111177) in view of NAKAJIMA et al. (“Nakajima,” US 2020/0151972) and Alrabady US 2007/0130469.

Regarding claim 2: Oguma in view of Nakajima discloses the system of claim 1.
Oguma further discloses the one or more attributes include a temporal attribute defining an expiration time for the security key (Oguma: ¶0046 the general ECUa is constituted by a public key 21 of the general ECUa, an expiration date 22 of a private key of the general ECUa).
Oguma in view of Nakajima does not explicitly disclose the authentication signal comprises a clock signal maintained by the second ECU and wherein the expiration time is compared to the clock signal for the comparing of the authentication data with the authentication signal.
However Alrabady discloses the authentication signal comprises a clock signal maintained by the second ECU (Alrabady: ¶0007 the system and method rely on a clock signal to assure that the vehicle and server receive proper messages); and
wherein the expiration time is compared to the clock signal for the comparing of the authentication data with the authentication signal (Alrabady: ¶0017 the vehicle 12 will then compare the current time of the vehicles local clock that has been previously synchronized to the signal 24 with the time encoded in the received message at box 46. If the two times are within a predefined time window, the vehicle 12 accepts the message 18 and performs the function in the message 18 at box 48).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Alrabady with the system Alrabady: ¶0007).

Regarding claim 3: Oguma in view of Nakajima and Alrabady discloses the system of claim 2.
Alrabady further discloses wherein the second ECU is further to maintain the clock signal based on one or more updates provided by a computer system in communication with the first ECU (Alrabady: ¶0013 the vehicle 12 and the server 16 receive signals 24 and 26, respectively, from a satellite 22 that include a clock signal of the current time. The vehicle 12 and the server 16 will periodically capture the signals 24 and 26 to update their internal clocks to be synchronized to each other).
The motivation is the same as that of claim 2 above.

Regarding claim 4: Oguma in view of Nakajima and Alrabady discloses the system of claim 2.
Nakajima further discloses requesting, from a computer system of a security system, updated authentication data for updating the authentication data, the updated authentication data including an update to the expiration time for the security key (Nakajima: ¶0142 in step S622, the update part 103 determines an ECU to be updated based on header information 511 in the update information 650); and
Nakajima: ¶0142 the update part 103 delivers the ECU difference information 512 and the update software 513 to the ECU to be updated, using the transmission part 106 and via the in-vehicle network 201).
The motivation is the same as that of claim 1 above.

Regarding claim 5: Oguma in view of Nakajima discloses the system of claim 1.
Oguma in view of Nakajima does not explicitly disclose the one or more attributes include a temporal attribute defining a time window for sending messages cryptographically signed using the security key, the authentication signal comprises a clock signal and the second ECU is to authenticate the secure message by comparing the time window to the clock signal.
However Alrabady discloses the one or more attributes include a temporal attribute defining a time window for sending messages cryptographically signed using the security key (Alrabady: ¶0007 the vehicle will then see if the time in the message is within a predefined window of the vehicles local clock time);
the authentication signal comprises a clock signal (Alrabady: ¶0007 the system and method rely on a clock signal to assure that the vehicle and server receive proper messages); and
the second ECU is to authenticate the secure message by comparing the time window to the clock signal (Alrabady: ¶0007 when the server wishes to transmit a message wirelessly to the vehicle, it will include its local clock signal in the body of the message [...] the vehicle will then see if the time in the message is within a predefined window of the vehicles local clock time. If the transmitted time is within the predefined window of the vehicles time, the vehicle will accept the message and perform the function).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Alrabady with the system and method of Oguma and Nakajima to include to authenticate the secure message by comparing the time window to the clock signal to provide users with a means for providing secure one-way transmissions in a vehicle wireless communications system by relying on a clock signal to assure that the vehicle and server receive proper messages (Alrabady: ¶0007).

Claims 6 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over OGUMA et al. (“Oguma,” US 2017/0111177) in view of NAKAJIMA et al. (“Nakajima,” US 2020/0151972) and KISHIKAWA et al. (“Kishikawa,” US 2016/0205194).

Regarding claim 6: Oguma in view of Nakajima discloses the system of claim 1.
Oguma further discloses the message counter corresponding to messages cryptographically signed using the security key (Oguma: ¶0056 the master ECU m transmits the digest value Dm, the random number rm, the random number ra, the encrypted session key EK, and the digital signature S2 to the general ECU a (S109)).
Oguma in view of Nakajima does not explicitly disclose the one or more attributes include a message count attribute defining a maximum message count for the security key, the second ECU is to authenticate the secure message by performing operations comprising:

However Kishikawa discloses the one or more attributes include a message count attribute defining a maximum message count for the security key (Kishikawa: ¶0148 the counter value that is stored in the counter holding unit 3112 and that corresponds to the sent message ID using a MAC key corresponding to the sent message ID stored in the MAC key holding unit 3111); and
the second ECU is to authenticate the secure message by performing operations comprising:
incrementing a message counter upon receiving the secure message from the third ECU (Kishikawa: ¶0125 in step S2101, the ECU 2100a determines that the data frame to be sent is an event-driven data frame that does not follow the transmission period defined in the data frame generation rules, the ECU 2100a increments the value of the transmission event counter stored in the data frame generation rule holding unit 2103 by one (step S2102)); and
comparing the message counter to the maximum message count (Kishikawa: fig. 17; ¶0132 the ECU 2100b determines whether the event counter I of the data field of the data frame is the same as a value obtained by incrementing the value of the reception event counter stored in the data frame reception history holding unit 2106 by one (step S2203)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Kishikawa with the system and method of Oguma and Nakajima to include incrementing a message counter upon receiving the secure message from the third ECU and comparing the message counter to Kishikawa: ¶0010).

Regarding claim 21: Oguma in view of Nakajima discloses the method of claim 20.
Oguma in view of Nakajima does not explicitly disclose wherein the one or more attributes include a message count attribute defining a maximum message count for the security key.
However Kishikawa discloses the one or more attributes include a message count attribute defining a maximum message count for the security key (Kishikawa: ¶0148 the counter value that is stored in the counter holding unit 3112 and that corresponds to the sent message ID using a MAC key corresponding to the sent message ID stored in the MAC key holding unit 3111).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Kishikawa with the system and method of Oguma and Nakajima to include a message count attribute defining a maximum message count for the security key to provide users with a means for providing an electronic control unit (ECU) capable of efficiently and appropriately detecting that a fraudulent message is sent over a bus in an in-vehicle network system (Kishikawa: ¶0010).


Claims 11-12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over OGUMA et al. (“Oguma,” US 2017/0111177) in view of NAKAJIMA et al. (“Nakajima,” US 2020/0151972) and Conner et al. (“Conner,” US 2018/0234446).

Regarding claim 11: Oguma in view of Nakajima discloses the system of claim 1.
Oguma in view of Nakajima does not explicitly disclose wherein the first ECU is further configured to limit operation of the vehicle in response to receiving the signal from the second ECU.
However Conner discloses wherein the first ECU is further configured to limit operation of the vehicle in response to receiving the signal from the second ECU (Conner: ¶0059 at 470, the vehicle may optionally enter a safe mode [...] entering safe mode may include [...] limiting certain engine operating parameters to stay within threshold ranges, such as limiting vehicle speed to less than a threshold speed, limiting engine torque to less than a threshold torque, limiting engine speed to less than a threshold engine speed, limiting the transmission to certain gears, and so forth).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Conner with the system and method of Oguma and Nakajima to include the first ECU is to limit operation of the vehicle in response to receiving the signal from the second ECU to provide users with a means for detection of security breaches, hacking, or malicious tampering with one or more in-vehicle systems communicatively coupled to a bus or other communicative pathway (Conner: ¶0001).

Regarding claim 12: Oguma in view of Nakajima and Conner discloses the system of claim 11.
Conner further discloses wherein the first ECU is further configured to limit operation of the vehicle by placing the third ECU in a restricted mode of operation that restricts the third ECU from performing one or more operations (Conner: ¶0059 at 470, the vehicle may optionally enter a safe mode. The vehicle may enter the safe mode automatically upon detection of potential hacking, or may first request operator authorization to enter safe mode. Entering safe mode may include restricting some or all of the functionality of the vehicle. This may include shutting down non-essential systems, such as the multimedia system, HVAC system, power windows, etc.).
The motivation is the same as that of claim 11 above.

Regarding claim 19: Oguma in view of Nakajima discloses the system of claim 18.
Nakajima further discloses the set of instructions causes the first ECU to send a second signal to the third ECU in response to being unable to successfully authenticate the secure message received from the second ECU, the second signal indicating the security key authentication failure with respect to the second ECU (Nakajima: ¶0120 the determination part 102 determines that the authentication is successful and ends the process. If an ECU is registered in the authentication error list 630, this means that there is an authentication-error ECU. Thus, the determination part 102 determines that the authentication is unsuccessful and proceeds to step S303).
The motivation is the same as that of claim 16 above.

However Conner discloses limiting operation of the vehicle in response to receiving the message from the first ECU (Conner: ¶0059 at 470, the vehicle may optionally enter a safe mode. The vehicle may enter the safe mode automatically upon detection of potential hacking, or may first request operator authorization to enter safe mode. Entering safe mode may include restricting some or all of the functionality of the vehicle. This may include shutting down non-essential systems, such as the multimedia system, HVAC system, power windows, etc.); and
requesting, from a computer system providing a security service, a new security key for the second ECU in response to receiving the message from the first ECU (Conner: ¶0059 at 470, the vehicle may optionally enter a safe mode. The vehicle may enter the safe mode automatically upon detection of potential hacking, or may first request operator authorization to enter safe mode. Entering safe mode may include restricting some or all of the functionality of the vehicle. This may include shutting down non-essential systems, such as the multimedia system, HVAC system, power windows, etc.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Conner with the system and method of Oguma and Nakajima to include limiting operation of the vehicle in response to receiving the message from the first ECU and requesting a new security key to provide users with a means for detection of security breaches, hacking, or malicious tampering with Conner: ¶0001).

Claims 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over OGUMA et al. (“Oguma,” US 2017/0111177) in view of NAKAJIMA et al. (“Nakajima,” US 2020/0151972) and HAGA et al. (“Haga,” US 2017/0134164).

Regarding claim 14: Oguma in view of Nakajima discloses the system of claim 1.
Oguma further discloses receive, from a computer system providing a security service, a plurality of digital certificates, each digital certificate corresponding to one of the plurality of ECUs (Oguma: ¶0043 the master ECU 100m stores electronic certificates of all general ECUs in the system (in this case, electronic certificates 131a, 131b, and 131c corresponding to the general ECU a, the general ECU b, and the general ECU c)).
Oguma in view of Nakajima does not explicitly disclose send, to a server computer providing a service to deliver firmware, a request for firmware data for configuring firmware on each ECU in the plurality of ECUs, the request including the plurality of digital certificates, receive, from the server computer, the firmware data for each ECU of the plurality of ECUs and cause, using the firmware data, the firmware to be configured on each ECU of the plurality of ECUs.
However Haga discloses send, to a server computer providing a service to deliver firmware, a request for firmware data for configuring firmware on each ECU in the plurality of ECUs, the request including the plurality of digital certificates (Haga: ¶0054 transmitting an update message (i.e., an update requesting frame) including a message ID within the certain range determined beforehand, for updating each of firmware and shared keys of an ECU; ¶0121 the external tool 30a sends a certificate (i.e., the public key certificate 40a that the external tool 30a stores) onto the bus 500d, thereby transmitting an authentication request for communication connection to the ECU 100 (step S1001). Note that the external tool 30a may transmit an update message for updating data (shared keys, firmware) within the ECUs of the onboard network system 10);
receive, from the server computer, the firmware data for each ECU of the plurality of ECUs (Haga: ¶0140 whether or not an external tool 30 connected to the diagnostic port 600 has transmission authority for an update message to update data within certain ECUs [...] is determined based on levels set corresponding to function types of ECUs, indicated by update authority information indicating the authority that the external tool 30 has been certified for); and
cause, using the firmware data, the firmware to be configured on each ECU of the plurality of ECUs (Haga: ¶0045 the update results of data within the ECUs can be managed for each vehicle at the server).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Haga with the system and method of Oguma and Nakajima to include a request for firmware data for configuring firmware on each ECU in the plurality of ECUs to provide users with a means for providing an update management device for causing the external tool to update data within ECUs while reducing risk, and a control program for this update management device (Haga: ¶0006).

Regarding claim 15: Oguma in view of Nakajima and Haga discloses the system of claim 14.
Haga further discloses each ECU of the plurality of ECUs initially includes a portion of program code, each ECU being unable to fully operate using the portion of the program code (Haga: ¶0122 in a case where verification in step S1002 fails, the master ECU 100 performs error processing (step S1003)); and
the firmware, once configured on each ECU of the plurality of ECUs, causes each ECU to have the program code that enables the ECU to be fully operational (Haga: ¶0053 a computer program is configured by combining multiple command codes indicating commands to the processor, to achieve predetermined functions).
The motivation is the same as that of claim 10 above.

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over OGUMA et al. (“Oguma,” US 2017/0111177) in view of NAKAJIMA et al. (“Nakajima,” US 2020/0151972), Alrabady (US 2007/0130469) and KISHIKAWA et al. (“Kishikawa,” US 2016/0205194).

Regarding claim 17: Oguma in view of Nakajima discloses the system of claim 16.
Oguma further discloses a first temporal attribute defining an expiration time for the security key (Oguma: ¶0046 the general ECUa is constituted by a public key 21 of the general ECUa, an expiration date 22 of a private key of the general ECUa).
Nakajima: ¶0061 the vehicle communication apparatus 100 includes, as components, an authentication part 101, a determination part 102, an update part 103, and a key management part 110; ¶0093 in step S100, the authentication part 101 performs configuration authentication for authenticating the validity of a configuration for each ECU of the plurality of ECUs), and
an operation attribute that specifies an operation the second ECU is permitted to perform (Nakajima: ¶0117 in step S300, the determination part 102 determines in-vehicle functions that can be realized in the vehicle based on the function correlation table 640 and the authentication error list 630).
The motivation is the same as that of claim 16 above.
Oguma in view of Nakajima does not explicitly disclose a second temporal attribute defining a time window for sending messages cryptographically signed using the security key.
However Alrabady discloses a second temporal attribute defining a time window for sending messages cryptographically signed using the security key (Alrabady: ¶0007 the vehicle will then see if the time in the message is within a predefined window of the vehicles local clock time).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Alrabady with the system and method of Oguma and Nakajima to include a second temporal attribute defining a time window for sending messages cryptographically signed using the security key to provide Alrabady: ¶0007).
Oguma in view of Nakajima and Alrabady does not explicitly disclose a message count attribute defining a maximum message count for the security key.
However Kishikawa discloses a message count attribute defining a maximum message count for the security key (Kishikawa: ¶0148 the counter value that is stored in the counter holding unit 3112 and that corresponds to the sent message ID using a MAC key corresponding to the sent message ID stored in the MAC key holding unit 3111).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate teaching of Kishikawa with the system and method of Oguma, Nakajima and Alrabady to include a message count attribute defining a maximum message count for the security key to provide users with a means for providing an electronic control unit (ECU) capable of efficiently and appropriately detecting that a fraudulent message is sent over a bus in an in-vehicle network system (Kishikawa: ¶0010).






Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857.  The examiner can normally be reached on Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 






/FAHIMEH MOHAMMADI/    Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439