DETAILED ACTION
This office action is in response to amendments to application 16/244,453, filed on 12/18/2020.
Claims 1-20 are currently pending and have been examined.
Definition of terms that may be used for citation purposes:
Fig. = figure, Col. = column, P. = paragraph

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
Applicant’s amendments, filed 12/18/2020, have been entered.
Regarding interpretation of claim 1 under 35 U.S.C. 112(f), the claim interpretation has been rendered moot by Applicant’s amendments.
Regarding rejections of claims 1-20 under 35 U.S.C. 112(b), the rejections are withdrawn due to amendment. However, Applicant’s amendments have introduced new rejections under 35 U.S.C. 112(b) as outlined below.
Regarding rejections of claims 1-6 and 13-20 under 35 U.S.C. 102(a)(2), the rejections are withdrawn due to amendment. The claims are now rejected under 35 U.S.C. 103 as outlined below.
Regarding rejections of claims 7-12 under 35 U.S.C. 103, the rejections are maintained.



Response to Arguments
	Applicant’s arguments, filed 12/18/2020, have been entered. Examiner’s response to arguments is found below.
Applicant’s arguments are italicized.
Examiner’s responses are bolded.
	
	Accordingly, while the Cyber-Hub 22 may aggregate data, an amount of the data transmitted to the Cyber-Hub 22 does not appear to be varied.
	Examiner respectfully disagrees based on the teachings of Galula ‘477. As indicated in the below rejections, Galula ‘477 varies the transmitted data based on whether the messages match a black or white list as well as whether or not they are indicative of a cyber attack. For instance, P. [0061] and [0045] of ‘477 teaches only logging a frequency histogram of message IDs when they are determined to not be a part of a cyber attack. In contrast, P. [0058] and [0059] teach, inter alia, storing a whole message and uploading it to the server.

	During the telephone interview, [0058] of GALULA '477 was identified. This disclosure, however, merely indicates that a processor 41 may block a message from transmission if the message is a black list transmission. The processor 41 may thereafter upload the message to the Cyber-Hub 22. Similarly, [0079] of GALULA '477 discloses "anomalies detected with a relatively high degree of confidence may cause an embodiment to block messages as described herein or to isolate a component for an in vehicle network, while anomalies detected with a relatively low degree of confidence may only be logged." (GALULA '477 at [0079]). In any event, nothing in either of these sections indicates that a full log of communication data is not transmitted when an anomaly level is determined to be normal. Rather, they relate to uploading anomalous messages which are blocked from transmission.
	Examiner respectfully disagrees. Among other things, ‘477 determines if a message falls under the description of either a blacklist message or a white list message. If the message ID does not fall under either, it is classified as a gray list message. It is then determined whether the message is part of a cyber attack. If not, the message ID is logged to a frequency histogram. The frequency histogram can then be uploaded to cyber hub server 22. This is described in ‘477 P. [0061] and [0045] as follows: P. [0061]: “If in decision block 134 processor 41 determines that the message received at port 52, which is classified as a gray list, does not appear indicate a cyber threat, processor 41 optionally proceeds to block 138 to aggregate the message ID by logging the ID to a frequency histogram”; P. [0045]: “In the communication mode Watchman 40 may convey data that it has acquired and/or processed to Cyber-Hub 22 and/or to a diagnostic console (not shown) via suitable wire and/or wireless communication channels.  Watchman 40 may be configured or controlled to periodically switch to the communication mode and upload … a portion of data, such as a message frequency histogram”.
	Examiner interprets a determination that a message is not part of a cyber attack to be exemplary of determining that the message is not anomalous, and a histogram indicating the frequency of message IDs transmitted to the cyber hub server 22 is exemplary of something less than the full log being transmitted to the server. In this way, the full log is not transmitted as claims 1, 19, and 20 claim.

Summary: Claims 1-20 are rejected under 35 U.S.C. 103 based on the above responses to arguments and the below rejections.

Claim Objections
Claims 1, 19, and 20 are objected to because of the following informalities:
Regarding claim 1
The claim recites “wherein the processor does not transmit the full log of the communication date”. This should read “wherein the processor does not transmit the full log of the communication data”.
The claim recites “at least one of a feature value”. This should read “at least one 
Regarding claim 19
The claim recites “wherein the full log of the communication date is not transmit”. This should read “wherein the full log of the communication data is not transmitted”.
The claim recites “at least one of a feature value”. This should read “at least one 
The claim recites “data upon which the anomaly level is determined, is transmit”. This should read “data upon which the anomaly level is determined, is transmitted”.
Regarding claim 20
The claim recites “wherein the full log of the communication date is not transmit”. This should read “wherein the full log of the communication data is not transmitted”.
The claim recites “at least one of a feature value”. This should read “at least one 
The claim recites “data upon which the anomaly level is determined, is transmit”. This should read “data upon which the anomaly level is determined, is transmitted”.
Appropriate correction is required.
	
	
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claims 1, 19, and 20, the claims recite “wherein the full log of the communication data is not transmitted to the server and at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being normal”. It is unclear how “anomalous communication data upon which the anomaly level is determined” exists in communication data that was “determined as being normal” and therefore is not anomalous.
Regarding claims 2-18, the claims are rejected due to their dependence on a rejected base claim.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Galula et al. (US 20170013005), hereinafter Galula, in view of Galula et al. (US 20180300477; Provisional 62/484,921 filed 04/13/2017), hereinafter ‘477.

	Regarding claim 1, Galula teaches a control apparatus, comprising:
a processor; a memory including a control program that, when executed by the processor, causes the processor to perform operations (see at least Galula P. [0036]: “Computing device 100 may include a controller 105 that may be, for example, a central processing unit processor (CPU), a chip or any suitable computing or computational device, an operating system 115, a memory 120, executable code 125, a storage system 130 that may include a model 136, input devices 135 and output devices 140.  Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc.”), the operations comprising:
obtaining communication data transmitted through a first network in which a plurality of electronic control units is coupled in a system (see at least Galula Fig. 1B, #40; P. [0037]: “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. … For example, included in a security enforcement unit, controller 105 may be configured to enforce cyber-security in a vehicle, e.g., by: creating, storing and/or otherwise maintaining a timing, content, or other model for an expected behavior or for one or more messages communicated over an in-vehicle network; receiving a message sent from, or sent to, at least one of the plurality of ECUs”);
determining, based on the communication data transmitting through the first network in which the plurality of electronic control units is coupled in the system, an anomaly level of the communication data or an operating state of the system (see at least Galula Abstract: “A system and method for providing security to a network may include monitoring, by a processor, traffic on a first and second network portions of an in-vehicle communication network; determining whether or not a first message detected on the first network portion is anomalous based on at least one of: an attribute of a second message detected on the second network portion and an absence of a second message from the second network portion over a predefined time period; and, if it is determined the first message is anomalous then performing at least one action.”);
(i) changing at least one of a method of transmitting a full log of the communication data and a method of storing the full log of the communication data, according to the determined anomaly level of the communication data, or (ii) performing sampling on the communication data according to a method of sampling corresponding to the determined operating state (see at least Galula P. [0052]: “A repetition period of, or associated with, a message may be a periodicity or a time interval.  For example, based on a specification of a manufacturer of a node or based on monitoring or learning a pattern of messages sent by a node, the time interval between messages (e.g., messages that include the same message ID) sent by a node may be known and may be stored in a storage system (e.g., in model 136 on storage system 130 operatively connected to SEU 40) such that SEU 40 may determine whether or not a sequence of messages sent from the node deviates from a known or expected repetition period by comparing an interval between messages to an interval stored as described.”).
Galula does not explicitly teach communicating with a server via a second network different from the first network, wherein the processor transmits the full log of the communication data, including anomalous communication data upon which the anomaly level is determined, to the server when the anomaly level of the communication data is determined as being anomalous, and wherein the processor does not transmit the full log of the communication date and transmits at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, to the server when the anomaly level of the communication data is determined as being normal.
In the same field of endeavor, ‘477 teaches communicating with a server via a second network different from the first network (see at least ‘477 P. [0024]: “GASS 20 optionally comprises a cloud based CyberHub 22 and Watchmen 40 installed in subscriber vehicles 30 to monitor and protect their respective in-vehicle communication networks.”),
wherein the processor transmits the full log of the communication data, including anomalous communication data upon which the anomaly level is determined, to the server when the anomaly level of the communication data is determined as being anomalous (see at least ‘477 P. [0052]: “The CAN controller stores the bits until all the bits in the CAN message to which the bits belong are received, and the complete message is assembled.  CAN controller 44 forwards the assembled message to processor 41 for processing in accordance with an embodiment of the disclosure.”; P. [0058]: “If processor 41 determines in decision block 107 that the message ID is not a message ID of a white list CAN message, the processor proceeds to a block 120 and determines whether or not the ID is a black list message ID.  If the message is a black list message, the processor optionally proceeds to a block 122 and blocks the message from entry to high-speed CAN bus 61.  Optionally, in a block 124, processor 41 logs data relevant to the message into memory 46 for possible future uploading to Cyber-Hub 22, reference, and/or analysis by the Watchman and/or the Cyber-Hub.”; P. [0059]: “If processor 41 determines that the message does not indicate a cyberattack, processor 41 proceeds to a block 138 to aggregate the message ID by logging the ID to a frequency histogram and/or to store the whole message for future uploading to Cyber-Hub 22.” *Examiner notes that while P. [0059] considers storing a whole message upon determination that the message does not indicate a cyberattack, it still stores the whole message after determining that the message matches a black list message ID (which is anomalous) for future uploading to Cyber-Hub 22, which is exemplary of transmitting a full log of communication data to a server upon determination that the message is anomalous.), and
wherein the processor does not transmit the full log of the communication date and transmits at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, to the server when the anomaly level of the communication data is determined as being normal (see at least ‘477 P. [0061]: “If in decision block 134 processor 41 determines that the message received at port 52, which is classified as a gray list, does not appear indicate a cyber threat, processor 41 optionally proceeds to block 138 to aggregate the message ID by logging the ID to a frequency histogram”; P. [0045]: “In the communication mode Watchman 40 may convey data that it has acquired and/or processed to Cyber-Hub 22 and/or to a diagnostic console (not shown) via suitable wire and/or wireless communication channels.  Watchman 40 may be configured or controlled to periodically switch to the communication mode and upload … a portion of data, such as a message frequency histogram”).
Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).

	Regarding claim 2, Galula teaches the apparatus of claim 1.
	Galula further teaches wherein the processor determines, based on a predetermined determination rule, the anomaly level of the communication data from among a plurality of anomaly levels including anomalous, normal, and indeterminable (see at least Galula P. [0061]: “As further described herein, a model may include thresholds (e.g., a maximal deviation from a normal or expected time interval) and contexts that may be used, e.g., by an SEU 40, to determine anomalies. Accordingly, an embodiment may determine whether or not at least one message included in a plurality of messages is related to an anomaly.” *Examiner interprets that Galula’s determination that a message does not deviate beyond a normal or expected time interval to be exemplary of a “normal” anomaly level.; P. [0079]: “A response action or actions may optionally be dependent on a level of confidence the SEU 40 may attribute to the detected anomaly.  For example, anomalies detected with a relatively high degree of confidence may cause an embodiment to block messages as described herein or to isolate a component for an in-vehicle network, while anomalies detected with a relatively low degree of confidence may only be logged.” *Examiner interprets a “low degree of confidence” to be exemplary of “indeterminable”.).

Regarding claim 3, Galula teaches the apparatus of claim 2.
Galula further teaches wherein the processor extracts the feature value from the communication data, and determines the anomaly level of the communication data using the extracted feature value (see at least Galula P. [0011]: “An embodiment may determine whether or not a message is anomalous based on comparing content in a first and second messages received from a respective first and second networks.  An embodiment may determine whether or not a message is anomalous based on based on a model that indicates a relation between messages on a first network and messages on a second network.  For example, a relation between messages on a first network and messages on a second network may be related to content, e.g., content of a message on a first network is related to content on a second network by a factor, e.g., the value in a message on the first network is half or is twice the value in a message on a second network, a relation between messages on a first network and messages on a second network may be related to time, e.g., a second message on a second network must, or is expected to appear 2 milliseconds after a first message appears or is seen on a first network.”).

	Regarding claim 4, Galula teaches the apparatus of claim 3.
	Galula further teaches wherein the processor obtains a plurality of communication data including the communication data (see at least Galula P. [0011]: “An embodiment may determine whether or not a message is anomalous based on comparing content in a first and second messages received from a respective first and second networks.”), and
	the processor extracts, as at least part of the feature value, a value included in at least one of the plurality of communication data having a predetermined identifier, among the plurality of communication data (see at least Galula P. [0045]: “A message as referred to herein may be one data unit or a group of data units that are sent to, or from, a specific node on a network, a message may be one data unit or a group of data units, packages or frames with a common identifier, or identity (both abbreviated "ID"), similar or same payload, sent or used for a common purpose and the like. When used herein, a message may refer to the general description or type for a group of messages, each with an individual specific instantiation of that message.  E.g. a message having message ID XYZ may be used to refer to a type of message having that specific ID, and any individual message within that type.”).

	Regarding claim 5, Galula teaches the apparatus of claim 3.
	Galula further teaches wherein the processor obtains a plurality of communication data including the communication data (see at least Galula P. [0011]: “An embodiment may determine whether or not a message is anomalous based on comparing content in a first and second messages received from a respective first and second networks.”), and
the processor extracts, as at least part of the feature value, an amount of change in a value included in each of at least two of the plurality of communication data having a predetermined (see at least Galula P. [0067]: “For example, two thresholds may be calculated, included in a model, and used as described, e.g., a first threshold for determining whether or not a time interval between two messages is too short and a second threshold for determining whether or not a time interval between two messages is too long.  For example, if it is known (e.g., based on a specification of a manufacturer or based on recording intervals between messages during a learning phase, all of which may be included in a model) that the expected time interval between messages with a specific message ID is 100 ms then the first threshold may be set to 90 ms and the second threshold may be set to 110 ms and the thresholds may be included in a timing model and used, e.g., by an SEU 40, in order to evaluate time intervals between messages as described.”; P. [0118]: “Since an SEU 40 in accordance with an embodiment of the disclosure may be required to keep track of the last timestamp for each message ID”).

	Regarding claim 6, Galula teaches the apparatus of claim 3.
	Galula further teaches wherein the processor obtains a plurality of communication data including the communication data (see at least Galula P. [0011]: “An embodiment may determine whether or not a message is anomalous based on comparing content in a first and second messages received from a respective first and second networks.”), and
the processor extracts, as at least a part of the feature value, a time difference between transmission time points of at least two of the plurality of communication data each having a predetermined identifier, among the plurality of communication data (see at least Galula P. [0067]: “For example, two thresholds may be calculated, included in a model, and used as described, e.g., a first threshold for determining whether or not a time interval between two messages is too short and a second threshold for determining whether or not a time interval between two messages is too long.  For example, if it is known (e.g., based on a specification of a manufacturer or based on recording intervals between messages during a learning phase, all of which may be included in a model) that the expected time interval between messages with a specific message ID is 100 ms then the first threshold may be set to 90 ms and the second threshold may be set to 110 ms and the thresholds may be included in a timing model and used, e.g., by an SEU 40, in order to evaluate time intervals between messages as described.”).

Regarding claim 7, Galula teaches the apparatus of claim 2.
Galula does not explicitly teach in response to the anomaly level of the communication data being determined as indeterminable, the processor (i) transmits the feature value of the communication data to the server, and (ii) transmits the full log of the communication data to the server in response to a result of determination indicating that the anomaly level of the communication data is anomalous being received from the server.
In the same field of endeavor, ‘477 teaches further comprising:
in response to the anomaly level of the communication data being determined as indeterminable, the processor (i) transmits the feature value of the communication data to the server, and (ii) transmits the full log of the communication data to the server in response to a result of determination indicating that the anomaly level of the communication data is anomalous being received from the server (see at least ‘477 P. [0033]: “State of in-vehicle network 60 may be defined responsive to a value for a derived parameter, hereinafter also referred to as a cyber-state indicator (CSI), which indicates whether or not, and/or to what degree, in-vehicle network 60 may be compromised by a cyberattack.  CSI may be determined by Watchman 40 responsive to messages transmitted over the in-vehicle network that the Watchman monitors and/or by Cyber-Hub 22 responsive to data that the Cyber-Hub receives from the Watchman and/or from a Watchman 40 or Watchmen 40 monitoring other in-vehicle networks.”; P. [0083]: “In the detective operating mode of Watchman 40, the Watchman operates to vet data and/or computer executable instructions, hereinafter node software of various nodes, for example ECUs that are connected to in-vehicle communication network 60.  In the detective mode a Watchman 40 may cooperate with an agent, hereinafter a Watchman agent that may be incorporated in the node in accordance with an embodiment of the disclosure.  The Watchman agent is configured to generate a hash of at least a portion of the node software current in the node memory when challenged by the Watchman with a challenge request to send the hash to the Watchman.  The challenge request made by the Watchman may vary each time the Watchman challenges the agent, so that the anticipated hash will not be the same for all challenges.  As a result a node will not be configurable by a cyber attacker to successfully answer Watchmen challenges with a same fixed and known hash.  
In an embodiment of the disclosure, the Watchman transmits the hash along with the associated challenge that requested the hash to Cyber-Hub 22. In an embodiment, the Cyber-Hub has a copy of the node software that the node should have and can generate a copy of the expected hash, hereinafter a hash standard, under the assumption that the node software has not been changed or tampered with relative to a correct version of the software.  The Cyber-Hub compares the received hash with the hash standard and if it differs from the hash standard determines that the node firmware is damaged or has been tampered with and, optionally undertakes to have the node provided with a correct version of the firmware.”).
	Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).

Regarding claim 8, Galula teaches the apparatus of claim 2.
full log of the communication data (see at least Galula P. [0079]: “An SEU 40 may, in response to detecting an anomalous message, operate to undertake any of various response actions to protect system 60 (or the network and components therein) from possible damage by the anomalous message.  Response actions may, by way of example, include: blocking the message, delaying the message; limiting the frequency of the message, logging the message into a memory included in an SEU 40”); and
a second storage for temporarily storing the full log of the communication data (see at least Galula P. [0079] as above *Examiner interprets “a second storage” is inclusive of any portion of the memory not used by a previously stored log. Further, computer memory or storage is common and well known in the art, as is storing files temporarily, and creating a second storage for temporarily storing the log of the communication file would require only ordinary skill in the art as well.),
wherein the processor controls the first storage and the second storage so as to:
store the full log of the communication data in the first storage in response to the anomaly level of the communication data item being determined as anomalous (see at least Galula P. [0079]: “An SEU 40 may, in response to detecting an anomalous message, operate to undertake any of various response actions to protect system 60 (or the network and components therein) from possible damage by the anomalous message.  Response actions may, by way of example, include: blocking the message, delaying the message; limiting the frequency of the message, logging the message into a memory included in an SEU 40; and/or raising an alert responsive to the message.  A response action or actions may optionally be dependent on a level of confidence the SEU 40 may attribute to the detected anomaly.”).
Galula does not explicitly teach in response to the anomaly level of the communication data being determined as indeterminable, (i) store the full log of the communication data in the second storage, (ii-1) transfer, to the first storage, the log of the communication data stored in the second stored in the second storage in response to a second result of determination indicating that the anomaly level of the communication data is normal being received from the server.
However, Galula teaches storing a log of the communication data (Galula P. [0079] as above) and deleting a message (see at least Galula P. [0037]: “For example, an action performed by controller 105 may be or may include … removing a message from a communication bus”), and the process of transferring data between memories in a computer system is common and well known in the art. Galula further teaches logging a message in response to the message being determined as anomalous or indeterminable (see at least Galula P. [0079]: “A response action or actions may optionally be dependent on a level of confidence the SEU 40 may attribute to the detected anomaly.  For example, anomalies detected with a relatively high degree of confidence may cause an embodiment to block messages as described herein or to isolate a component for an in-vehicle network, while anomalies detected with a relatively low degree of confidence may only be logged.” *Examiner interprets a “low degree of confidence” to be exemplary of “indeterminate”.). Examiner therefore notes that it would be obvious to one of ordinary skill in the art to remove a message from an anomaly log file once the message has been determined as non-anomalous.
	Galula does not explicitly teach determining an anomaly level by a server. In the same field of endeavor, ‘477 teaches determining an anomaly level by a server (see at least ‘477 P. [0033]: “State of in-vehicle network 60 may be defined responsive to a value for a derived parameter, hereinafter also referred to as a cyber-state indicator (CSI), which indicates whether or not, and/or to what degree, in-vehicle network 60 may be compromised by a cyberattack.  CSI may be determined by Watchman 40 responsive to messages transmitted over the in-vehicle network that the Watchman monitors and/or by Cyber-Hub 22 responsive to data that the Cyber-Hub receives from the Watchman and/or from a Watchman 40 or Watchmen 40 monitoring other in-vehicle networks.”).
Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).

Regarding claim 9, Galula teaches the apparatus of claim 2.
Galula further teaches further comprising: 
a storage for storing the full log of the communication data (see at least Galula P. [0079]: “An SEU 40 may, in response to detecting an anomalous message, operate to undertake any of various response actions to protect system 60 (or the network and components therein) from possible damage by the anomalous message.  Response actions may, by way of example, include: blocking the message, delaying the message; limiting the frequency of the message, logging the message into a memory included in an SEU 40; and/or raising an alert responsive to the message.”),
wherein the processor obtains a plurality of communication data including the communication data (see at least Galula Abstract: “A system and method for providing security to a network may include monitoring, by a processor, traffic on a first and second network portions of an in-vehicle communication network; determining whether or not a first message detected on the first network portion is anomalous based on at least one of: an attribute of a second message detected on the second network portion and an absence of a second message from the second network portion over a predefined time period; and, if it is determined the first message is anomalous then performing at least one action.”),
(see at least Galula P. [0079]: “An SEU 40 may, in response to detecting an anomalous message, operate to undertake any of various response actions to protect system 60 (or the network and components therein) from possible damage by the anomalous message.  Response actions may, by way of example, include: blocking the message, delaying the message; limiting the frequency of the message, logging the message into a memory included in an SEU 40; and/or raising an alert responsive to the message.”; P. [0118]: “This may be done by using a data structure that may contain a pre-calculated array of all IDs that should be handled, sorted in a way that allows an SEU 40 to quickly find the appropriate data associated with each ID in O(log(N)) using a binary search.  This will also only require O(N) space.” *Examiner notes that sorting by anomaly level would be known and obvious to one of ordinary skill in the art.), and,
the processor:
obtains a data amount of the monitoring data stored in the storage, for each of the plurality of anomaly levels (see at least Galula P. [0050]: “A CAN message in one example includes an 11 bit, or 29 bit extended, arbitration ID that may be used to identify the CAN message, a CAN message data field including a plurality of data bytes referred to as signals, and a cyclic redundancy check (CRC) code used for verifying an integrity of a message as known in the art.”).
Galula does not explicitly teach wherein the processor communicates with a server via other network different from the network; and transmits, to the server, the monitoring data according to the data amount, for each of the plurality of anomaly levels.
In the same field of endeavor, ‘477 teaches communicating with a server via other network different from the network (see at least ‘477 P. [0033]: “State of in-vehicle network 60 may be defined responsive to a value for a derived parameter, hereinafter also referred to as a cyber-state indicator (CSI), which indicates whether or not, and/or to what degree, in-vehicle network 60 may be compromised by a cyberattack.  CSI may be determined by Watchman 40 responsive to messages transmitted over the in-vehicle network that the Watchman monitors and/or by Cyber-Hub 22 responsive to data that the Cyber-Hub receives from the Watchman and/or from a Watchman 40 or Watchmen 40 monitoring other in-vehicle networks.”); and transmits, to the server, the monitoring data according to the data amount, for each of the plurality of anomaly levels (see at least ‘477 P. [0032]: “In the recording mode, a Watchman 40 monitors communications in in-vehicle communication network 60 of subscriber vehicle 30 to accumulate data from messages that it receives which may be used to characterize the messages, determine a vehicle context of the messages, and/or determine a measure of health of the vehicle.  CAN messages may be characterized for example, by their 11 bit, or 29 bit extended, arbitration ID, which of the generally four types of conventional CAN messages they are, their respective frequency of transmission, an amount and type and contents of data they include, a time stamp recording a time at which they are transmitted, and a vehicle context at a time of the time stamp.” in combination with P. [0033] above.).
Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).

Regarding claim 10, Galula teaches the apparatus of claim 9.
Galula further teaches wherein the processor:
weighs the data amount using a first weight value for each of the plurality of anomaly levels, the first weight value corresponding to the anomaly level (see at least Galula P. [0079]: “A response action or actions may optionally be dependent on a level of confidence the SEU 40 may attribute to the detected anomaly.  For example, anomalies detected with a relatively high degree of confidence may cause an embodiment to block messages as described herein or to isolate a component for an in-vehicle network, while anomalies detected with a relatively low degree of confidence may only be logged.” *Examiner interprets a “weight” and a confidence level to be functionally equivalent.).
Galula does not explicitly teach transmits, for each of the plurality of anomaly levels, the monitoring data to the server when the data amount weighted is greater than a predetermined threshold.
In the same field of endeavor, ‘477 teaches wherein the processor transmits, for each of the plurality of anomaly levels, the monitoring data to the server when the data amount weighted is greater than a predetermined threshold (see at least ‘477 P. [0033]: “State of in-vehicle network 60 may be defined responsive to a value for a derived parameter, hereinafter also referred to as a cyber-state indicator (CSI), which indicates whether or not, and/or to what degree, in-vehicle network 60 may be compromised by a cyberattack.  CSI may be determined by Watchman 40 responsive to messages transmitted over the in-vehicle network that the Watchman monitors and/or by Cyber-Hub 22 responsive to data that the Cyber-Hub receives from the Watchman and/or from a Watchman 40 or Watchmen 40 monitoring other in-vehicle networks.”; P. [0082]: “Different configurations of confidence and criticality, and/or components of confidence and criticality associated with an anomalous message may map onto different strategies that a Watchman adopt in dealing with the message in accordance with an embodiment.”; P. [0046]: “In order to efficiently utilize available bandwidth, a Watchman 40 may optionally send the information it has acquired to Cyber-Hub 22 only after Cyber-Hub 22 has given it permission to upload the information, based on a short description of the information provided the Cyber-Hub by the Watchman.  For example if an entire fleet of vehicles is under a cyber-attack at the same time and all the Watchmen in the fleet attempt to report the cyber-attack to Cyber-Hub 22, the Cyber-Hub 22 may choose to prevent saturation of bandwidth by receiving relevant data from a relatively small number of the vehicles under attack.”).
(‘477 Abstract).

Regarding claim 11, Galula teaches the apparatus of claim 10.
Galula further teaches wherein the processor is configured to estimate a driving state of the system (see at least Galula Fig. 5, #590; P. [0126]: “As shown the description column 592, a context may be related to a vehicle's state or operation (e.g., engine is running, vehicle is accelerating), a context may be related to an in-vehicle network (e.g., an intrusion to the network was detected) and a context may be related to nodes attached to an in-vehicle network (e.g., a fault in, or malfunction of, a node or component attached to the in-vehicle network detected).”), and
the processor uses a second weight value in addition to the first weight value in weighting the data amount, the second weight value corresponding to the estimated driving state (see at least Galula Fig. 5, #590; P. [0012]: “An embodiment may determine whether or not a message is anomalous based on a context related to at least one of: a vehicle including the in-vehicle network, the first and second network portions and a node connected to the in-vehicle network.  An embodiment may calculate a confidence level of a message being related to an anomaly and perform an action based on the confidence level.”; P. [0126]: “As shown the description column 592, a context may be related to a vehicle's state or operation (e.g., engine is running, vehicle is accelerating), a context may be related to an in-vehicle network (e.g., an intrusion to the network was detected) and a context may be related to nodes attached to an in-vehicle network (e.g., a fault in, or malfunction of, a node or component attached to the in-vehicle network detected).” *Examiner interprets the context A-E in column #591 to be exemplary of a weight.).

Regarding claim 12, Galula teaches the apparatus of claim 1.
Galula further teaches a storage and the storage stores the communication data on which the sampling is performed (see at least Galula P. [0037]: “For example, an action performed by controller 105 may be or may include, logging or recording an event (e.g., for further or future investigation or analysis), removing a message from a communication bus, modifying a message and/or changing a configuration of an in-vehicle network or of at least one of the ECUs connected to the in-vehicle network.”).
Galula does not explicitly teach a transmitter or wherein the transmitter transmits the communication data on which the sampling is performed, to a server external to the system.
In the same field of endeavor, ‘477 teaches a transmitter, wherein the transmitter, in operation, transmits the communication data on which the sampling is performed, to a server external to the system (see at least ‘477 P. [0033]: “State of in-vehicle network 60 may be defined responsive to a value for a derived parameter, hereinafter also referred to as a cyber-state indicator (CSI), which indicates whether or not, and/or to what degree, in-vehicle network 60 may be compromised by a cyberattack.  CSI may be determined by Watchman 40 responsive to messages transmitted over the in-vehicle network that the Watchman monitors and/or by Cyber-Hub 22 responsive to data that the Cyber-Hub receives from the Watchman and/or from a Watchman 40 or Watchmen 40 monitoring other in-vehicle networks.”).
Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).

Regarding claim 13, Galula teaches the apparatus of claim 1.
Galula further teaches the plurality of electronic control units is grouped into different groups, with each group including one or more electronic control units among the plurality of electronic control units (see at least Galula Fig. 1C, ECUs #62-66 and ECUs #72-76, each grouped by a different CAN bus; P. [0073]: “As shown, an in-vehicle communication network that may include two portions (e.g., CAN 61 and CAN 71) may be protected by a set of SEUs 40A, 40B, 40C and 40D that may protect the network and specific control systems included in vehicle 30.”),
wherein in the method of sampling, a sampling rate is determined for each group (see at least Galula P. [0074]: “The control systems and/or their respective components may be connected to, for example, high-speed and medium-speed CAN buses (or other bus bars or systems as known in the art) 61 and 71.  For example, medium-speed CAN bus 71 may be a class B CAN bus that operates at data transmission speeds of up to 125 kilobits per second (Kbps), to support communications between nodes, such as components of vehicle body control systems and infotainment systems that can function properly receiving and transmitting data at relatively low data transmission rates.”), and
the processor performs the sampling on the communication data in each group, according to the determined sampling rate for each group (see at least Galula P. [0078]: “SEU 40A may operate in accordance with an embodiment of the invention to monitor CAN messages that are transmitted between high-speed bus CAN 61 and CAN gateway 80 and to detect anomalous messages that are transmitted to pass through CAN gateway 80 from one to the other of buses CAN 61 and CAN 71.  SDU 40B may be connected to high-speed CAN bus 61 to eavesdrop on communications over the high-speed bus and to monitor and detect anomalous messages propagating in the high speed bus.” *Examiner notes that the sampling rate is performed based on the operational baud rate of each SEU and therefore that the communications are sampled according to the determined sampling rate for each group or SEU.).

Regarding claim 14, Galula teaches the apparatus of claim 13.
Galula teaches wherein in the first network, the plurality of electronic control units is coupled to one another by CAN buses in the system (see at least Galula P. [0078]: “SEU 40A may operate in accordance with an embodiment of the invention to monitor CAN messages that are transmitted between high-speed bus CAN 61 and CAN gateway 80 and to detect anomalous messages that are transmitted to pass through CAN gateway 80 from one to the other of buses CAN 61 and CAN 71.  SDU 40B may be connected to high-speed CAN bus 61 to eavesdrop on communications over the high-speed bus and to monitor and detect anomalous messages propagating in the high speed bus.”), and
each group includes the one or more electronic control units coupled to a same CAN bus among the CAN buses (see at least Galula P. [0079] as above).

Regarding claim 15, Galula teaches the apparatus of claim 13.
Galula further teaches wherein each group includes the one or more electronic control units each of which transmits a message related to a same function and included in the communication data (see at least Galula P. [0077]: “In some embodiments, an in-vehicle network (e.g., a network including CAN 61, CAN 71 and nodes as described and shown, e.g., in FIG. 1C) may be monitored and/or protected by a set or plurality of, SEUs 40, e.g., SEUs 40A, 40B, 40C, and 40D as shown.  It will be understood that any number of SEUs 40 may be included in a system.”; P. [0078]: “SEU 40A may operate in accordance with an embodiment of the invention to monitor CAN messages that are transmitted between high-speed bus CAN 61 and CAN gateway 80 and to detect anomalous messages that are transmitted to pass through CAN gateway 80 from one to the other of buses CAN 61 and CAN 71.  SDU 40B may be connected to high-speed CAN bus 61 to eavesdrop on communications over the high-speed bus and to monitor and detect anomalous messages propagating in the high speed bus.”).

Regarding claim 16, Galula teaches the apparatus of claim 1.
Galula further teaches wherein the processor further determines whether the first network is in a normal state (see at least Galula P. [0044]: “An embodiment may include or use one or more computing devices in order to detect or identify security threats, detect or identify events or states that may jeopardize the security, or proper function, of a vehicle and/or an in-vehicle network and nodes attached thereto.”), and
determines the operating state of the system based on a result of determining whether the first network is in the normal state (see at least Galula P. [0044]: “An embodiment may include or use one or more computing devices in order to detect or identify security threats, detect or identify events or states that may jeopardize the security, or proper function, of a vehicle and/or an in-vehicle network and nodes attached thereto.  In some embodiments and as described, one or more computing devices (e.g., computing devices similar to computing device 100) may be used or deployed in order to enforce security or correct functioning in an on board, or in-vehicle, network. It will be understood that enforcing security as referred to herein may include enforcing any security related measures or aspects, e.g., enforcing security in an in-vehicle network may include identifying threats, logging or recording events that may be related to threats or malicious activity, alerting, blocking messages, disabling or enabling components in a network and so on.”).

Regarding claim 17, Galula teaches the apparatus of claim 16.
Galula further teaches wherein the processor determines whether the first network is in the normal state, by determining whether a message included in the communication data is normal (see at least Galula P. [0057]: “A context or state of a node may be, for example, an operational stage or phase, e.g., the node is rebooting, the node is in an initialization sage, the node is restarting and so on.  A context or state of a node may be related to an error that occurred at the node or network or any other aspect related to the functioning of the node or network.  Accordingly, an SEU 40 may determine, detect or identify a context based on at least one of: a state or other attribute of a vehicle, an in-vehicle network, and a node connected to the network.  For example, by examining messages communicated over an in-vehicle network (and, as described, an SEU 40 may receive any of, or even all, messages sent over an in-vehicle network) an SEU 40 may know, or determine or identify, the state of the vehicle itself, nodes on the in-vehicle network as well as the state or context of any one of the nodes connected to an in-vehicle network.”).

Regarding claim 18, Galula teaches the apparatus of claim 16.
Galula further teaches wherein in the first network, the plurality of electronic control units is coupled to one another by a CAN bus in the system, and the processor determines whether the first network is in the normal state, by determining whether the CAN bus in the first network is normal (see at least Galula P. [0056]: “Context, vehicle context or context of a vehicle (e.g., context of vehicle 30) as referred to herein may relate to a state of the vehicle, a state of the vehicle's in-vehicle communication network (e.g., a state of CAN 61)”; P. [0057]: “A context or state of a node may be, for example, an operational stage or phase, e.g., the node is rebooting, the node is in an initialization sage, the node is restarting and so on.  A context or state of a node may be related to an error that occurred at the node or network or any other aspect related to the functioning of the node or network.  Accordingly, an SEU 40 may determine, detect or identify a context based on at least one of: a state or other attribute of a vehicle, an in-vehicle network, and a node connected to the network.  For example, by examining messages communicated over an in-vehicle network (and, as described, an SEU 40 may receive any of, or even all, messages sent over an in-vehicle network) an SEU 40 may know, or determine or identify, the state of the vehicle itself, nodes on the in-vehicle network as well as the state or context of any one of the nodes connected to an in-vehicle network.”).

Regarding claim 19, Galula teaches a control method for a control apparatus, the control method comprising:
obtaining communication data transmitted through a first network in which a plurality of electronic control units is coupled in a system (see at least Galula Fig. 1B, #40; P. [0037]: “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. … For example, included in a security enforcement unit, controller 105 may be configured to enforce cyber-security in a vehicle, e.g., by: creating, storing and/or otherwise maintaining a timing, content, or other model for an expected behavior or for one or more messages communicated over an in-vehicle network; receiving a message sent from, or sent to, at least one of the plurality of ECUs”);
determining, based on the communication data transmitting through the first network in which  the plurality of electronic control units is coupled in the system, an anomaly level of the communication data or an operating state of the system (see at least Galula Abstract: “A system and method for providing security to a network may include monitoring, by a processor, traffic on a first and second network portions of an in-vehicle communication network; determining whether or not a first message detected on the first network portion is anomalous based on at least one of: an attribute of a second message detected on the second network portion and an absence of a second message from the second network portion over a predefined time period; and, if it is determined the first message is anomalous then performing at least one action.”);
(i) changing at least one of a method of transmitting a full log of the communication data and a method of storing the full log of the communication data, according to the determined anomaly level of (see at least Galula P. [0052]: “A repetition period of, or associated with, a message may be a periodicity or a time interval.  For example, based on a specification of a manufacturer of a node or based on monitoring or learning a pattern of messages sent by a node, the time interval between messages (e.g., messages that include the same message ID) sent by a node may be known and may be stored in a storage system (e.g., in model 136 on storage system 130 operatively connected to SEU 40) such that SEU 40 may determine whether or not a sequence of messages sent from the node deviates from a known or expected repetition period by comparing an interval between messages to an interval stored as described.”).
Galula does not explicitly teach communicating with a server via a second network different from the first network, wherein the full log of the communication data, including anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being anomalous, and wherein the full log of the communication data is not transmitted to the server and at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being normal.
In the same field of endeavor, ‘477 teaches communicating with a server via a second network different from the first network (see at least ‘477 P. [0024]: “GASS 20 optionally comprises a cloud based CyberHub 22 and Watchmen 40 installed in subscriber vehicles 30 to monitor and protect their respective in-vehicle communication networks.”),
wherein the full log of the communication data, including anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being anomalous (see at least ‘477 P. [0052]: “The CAN controller stores the bits until all the bits in the CAN message to which the bits belong are received, and the complete message is assembled.  CAN controller 44 forwards the assembled message to processor 41 for processing in accordance with an embodiment of the disclosure.”; P. [0058]: “If processor 41 determines in decision block 107 that the message ID is not a message ID of a white list CAN message, the processor proceeds to a block 120 and determines whether or not the ID is a black list message ID.  If the message is a black list message, the processor optionally proceeds to a block 122 and blocks the message from entry to high-speed CAN bus 61.  Optionally, in a block 124, processor 41 logs data relevant to the message into memory 46 for possible future uploading to Cyber-Hub 22, reference, and/or analysis by the Watchman and/or the Cyber-Hub.”; P. [0059]: “If processor 41 determines that the message does not indicate a cyberattack, processor 41 proceeds to a block 138 to aggregate the message ID by logging the ID to a frequency histogram and/or to store the whole message for future uploading to Cyber-Hub 22.” *Examiner notes that while P. [0059] considers storing a whole message upon determination that the message does not indicate a cyberattack, it still stores the whole message after determining that the message matches a black list message ID (which is anomalous) for future uploading to Cyber-Hub 22, which is exemplary of transmitting a full log of communication data to a server upon determination that the message is anomalous.), and
wherein the full log of the communication data is not transmitted to the server and at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being normal (see at least ‘477 P. [0061]: “If in decision block 134 processor 41 determines that the message received at port 52, which is classified as a gray list, does not appear indicate a cyber threat, processor 41 optionally proceeds to block 138 to aggregate the message ID by logging the ID to a frequency histogram”; P. [0045]: “In the communication mode Watchman 40 may convey data that it has acquired and/or processed to Cyber-Hub 22 and/or to a diagnostic console (not shown) via suitable wire and/or wireless communication channels.  Watchman 40 may be configured or controlled to periodically switch to the communication mode and upload … a portion of data, such as a message frequency histogram”).
Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).

Regarding claim 20, Galula teaches a non-transitory computer-readable recording medium having a set of computer readable instructions (see at least Galula P. [0034]: “Although embodiments of the invention are not limited in this regard, discussions utilizing terms such as, for example, "processing," "computing," "calculating," "determining," "establishing", "analyzing", "checking", or the like, may refer to operation(s) and/or process(es) of a computer, a computing platform, a computing system, or other electronic computing device, that manipulates and/or transforms data represented as physical (e.g., electronic) quantities within the computer's registers and/or memories into other data similarly represented as physical quantities within the computer's registers and/or memories or other information non-transitory storage medium that may store instructions to perform operations and/or processes.”) that, when executed, causes a control apparatus to:
obtain communication data transmitted through a first network in which a plurality of electronic control units is coupled in a system (see at least Galula Fig. 1B, #40; P. [0037]: “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. … For example, included in a security enforcement unit, controller 105 may be configured to enforce cyber-security in a vehicle, e.g., by: creating, storing and/or otherwise maintaining a timing, content, or other model for an expected behavior or for one or more messages communicated over an in-vehicle network; receiving a message sent from, or sent to, at least one of the plurality of ECUs”);
determine, based on the communication data transmitting through the first network in which the plurality of electronic control units is coupled in the system (see at least Galula Fig. 1B, #40; P. [0037]: “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100.”), an anomaly level of the communication data item or an operating state of the system (see at least Galula Abstract: “A system and method for providing security to a network may include monitoring, by a processor, traffic on a first and second network portions of an in-vehicle communication network; determining whether or not a first message detected on the first network portion is anomalous based on at least one of: an attribute of a second message detected on the second network portion and an absence of a second message from the second network portion over a predefined time period; and, if it is determined the first message is anomalous then performing at least one action.”); and
(i) change at least one of a method of transmitting a full log of the communication data and a method of storing the full log of the communication data, according to the determined anomaly level of the communication data, or (ii) perform sampling on the communication data according to a method of sampling corresponding to the determined operating state (see at least Galula P. [0052]: “A repetition period of, or associated with, a message may be a periodicity or a time interval.  For example, based on a specification of a manufacturer of a node or based on monitoring or learning a pattern of messages sent by a node, the time interval between messages (e.g., messages that include the same message ID) sent by a node may be known and may be stored in a storage system (e.g., in model 136 on storage system 130 operatively connected to SEU 40) such that SEU 40 may determine whether or not a sequence of messages sent from the node deviates from a known or expected repetition period by comparing an interval between messages to an interval stored as described.”).
Galula does not explicitly teach communicate with a server via a second network different from the first network, wherein the full log of the communication data, including anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being anomalous, and wherein the full log of the communication data is not transmitted to the server and at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being normal.
In the same field of endeavor, ‘477 teaches communicate with a server via a second network different from the first network (see at least ‘477 P. [0024]: “GASS 20 optionally comprises a cloud based CyberHub 22 and Watchmen 40 installed in subscriber vehicles 30 to monitor and protect their respective in-vehicle communication networks.”),
wherein the full log of the communication data, including anomalous communication data upon which the anomaly level is determined, is transmitted to the server when the anomaly level of the communication data is determined as being anomalous (see at least ‘477 P. [0052]: “The CAN controller stores the bits until all the bits in the CAN message to which the bits belong are received, and the complete message is assembled.  CAN controller 44 forwards the assembled message to processor 41 for processing in accordance with an embodiment of the disclosure.”; P. [0058]: “If processor 41 determines in decision block 107 that the message ID is not a message ID of a white list CAN message, the processor proceeds to a block 120 and determines whether or not the ID is a black list message ID.  If the message is a black list message, the processor optionally proceeds to a block 122 and blocks the message from entry to high-speed CAN bus 61.  Optionally, in a block 124, processor 41 logs data relevant to the message into memory 46 for possible future uploading to Cyber-Hub 22, reference, and/or analysis by the Watchman and/or the Cyber-Hub.”; P. [0059]: “If processor 41 determines that the message does not indicate a cyberattack, processor 41 proceeds to a block 138 to aggregate the message ID by logging the ID to a frequency histogram and/or to store the whole message for future uploading to Cyber-Hub 22.” *Examiner notes that while P. [0059] considers storing a whole message upon determination that the message does not indicate a cyberattack, it still stores the whole message after determining that the message matches a black list message ID (which is anomalous) for future uploading to Cyber-Hub 22, which is exemplary of transmitting a full log of communication data to a server upon determination that the message is anomalous.), and
wherein the full log of the communication date is not transmit to the server and at least one of a feature value of the communication data, not including the anomalous communication data upon which the anomaly level is determined, is transmit to the server when the anomaly level of the communication data is determined as being normal (see at least ‘477 P. [0061]: “If in decision block 134 processor 41 determines that the message received at port 52, which is classified as a gray list, does not appear indicate a cyber threat, processor 41 optionally proceeds to block 138 to aggregate the message ID by logging the ID to a frequency histogram”; P. [0045]: “In the communication mode Watchman 40 may convey data that it has acquired and/or processed to Cyber-Hub 22 and/or to a diagnostic console (not shown) via suitable wire and/or wireless communication channels.  Watchman 40 may be configured or controlled to periodically switch to the communication mode and upload … a portion of data, such as a message frequency histogram”).
Therefore, it would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to combine the apparatus of Galula with the anomaly transmission of ‘477 in order to classify a received message as to whether or not it is an anomalous message and if the message is classified as anomalous determine an appropriate response (‘477 Abstract).
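The reporting behavior mapped in the limitations above can be sketched as follows. This is an added illustration, not code from the application, from Galula, or from ‘477: it keeps whole frames for upload only when a message is classified as anomalous and keeps only a message-ID frequency histogram otherwise. The ID lists, the `Reporter` class, the treatment of white list messages as normal, and the gray-list payload-length test are assumptions made for the example.

```python
from collections import Counter

# Constructed ID lists; real lists are vehicle-specific and are not given on the page.
WHITE_IDS = {0x100, 0x200}
BLACK_IDS = {0x7DF}
MAX_CLASSIC_CAN_PAYLOAD = 8


def gray_indicates_threat(data: bytes) -> bool:
    """Hypothetical stand-in for the gray-list check: flag an over-long payload."""
    return len(data) > MAX_CLASSIC_CAN_PAYLOAD


class Reporter:
    def __init__(self):
        self.histogram = Counter()  # feature value: per-ID message counts
        self.full_log = []          # complete frames, kept only for anomalies

    def classify(self, can_id: int, data: bytes) -> str:
        if can_id in BLACK_IDS:
            return "anomalous"
        if can_id in WHITE_IDS:
            return "normal"  # assumption: white list traffic is treated as normal
        return "anomalous" if gray_indicates_threat(data) else "normal"

    def process(self, ts: float, can_id: int, data: bytes) -> bool:
        """Record one frame; return True if it may be forwarded to the bus."""
        if self.classify(can_id, data) == "anomalous":
            # Anomalous: keep the whole frame for upload.
            self.full_log.append({"ts": ts, "id": can_id, "data": data.hex()})
            return can_id not in BLACK_IDS  # only black list frames are blocked
        # Normal: only the aggregate is kept; the payload is never uploaded.
        self.histogram[can_id] += 1
        return True

    def upload(self) -> dict:
        """Build the next server report and reset local state."""
        report = {"histogram": dict(self.histogram), "full_log": self.full_log}
        self.histogram, self.full_log = Counter(), []
        return report


def demo() -> dict:
    r = Reporter()
    frames = [(0.00, 0x100, b"\x01\x02"), (0.01, 0x100, b"\x03\x04"),
              (0.02, 0x7DF, b"\x02\x10\x03"), (0.03, 0x321, b"\x00")]  # constructed
    forwarded = [r.process(*f) for f in frames]
    return {"forwarded": forwarded, **r.upload()}
```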

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER C BOST whose telephone number is (571)272-4606.  The examiner can normally be reached on Monday-Friday 9:30am-5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jelani Smith can be reached on (571) 270-3969.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available 




/A.C.B./Examiner, Art Unit 3662

/DALE W HILGENDORF/Primary Examiner, Art Unit 3662