DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copies have been filed on 05/28/2019.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 04/04/2019.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Election/Restrictions
Applicant’s election without traverse of Group I, claims 1-16, and 20 in the reply filed on 02/08/2021 is acknowledged. Claims 17-19 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected invention. Claims 1-16 and 20 are examined on the merits.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 423, 425, 445, 448, 482, 484, 486 in FIG. 4; 226 in FIG. 7; 140, 1141, 1162, 1166, 1134, 1138, 484 in FIG. 11.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any 

Claim Objections
Claims 8 and 9 are objected to because of the following informalities: Claims 8 and 9 recite the limitation “CAN_ID”. It should read “Controller Area Network Identifier (CAN_ID) if it is correct, or it should read in appropriate full name. Appropriate correction is required.
Claim 20 is objected to because of the following informalities: Claim 20 recites the limitation “ECU security diagnostic memory” in line 10. It should read “an ECU security diagnostic memory”. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which 


Claims 1-7 and 16 is rejected under 35 U.S.C. 103 as being unpatentable over Kerstein (US 2020/0342099 A1; hereinafter, “Kerstein”) in view of Sakakibara (US 2012/0253586 A1; hereinafter, “Sakakibara”).

Regarding claim 1:
Kerstein teaches:
An onboard cybersecurity diagnostic system for a vehicle (claim 1: A system for monitoring intrusion anomalies in an automotive environment), comprising:
at least one In-Vehicle Network (IVN) security diagnostic sensor configured to detect and diagnose an Electronic Control Unit (ECU) attack command on a communication bus (para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. --- It is noted that network security device 180 including network security monitor 185 teaches at least one In-Vehicle Network (IVN) security diagnostic sensor; a message addressed to any CAN ECU 95 teaches ECU attack command; monitors activity and a message on CAN bus 90 and determine validity teaches detect and diagnose command on a communication bus);
at least one ECU configured to …, autonomously diagnose integrity of ECU electronic control software, and diagnose integrity of ECU electronic control data by … a security diagnostic packet received from the at least one IVN security diagnostic sensor (para. [0042]: Anomaly analyzer 170 is arranged … to request from the various ECUs 30, CAN ECUs 95 and DCU 80 DTCs and diagnostic anomaly codes (DACs) … DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below; para. [0043]: Anomaly analyzer 170 further serves as a target for DTCs generated by any of ECU 30, TCU 40, CAN ECU 95, and/or a DAC generated by network security device 180. Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50, and further comprises a processor arranged to analyze the received DTCs/DACs, and in certain circumstances take protective action responsive thereto, as will be described further below; para. [0014]: the system further comprising a network security monitor arranged to identify anomalies in software packets transmitted on the network to, or from, at least one of the plurality of engine control units, the anomaly analyzer further in communication with the anomaly analyzer utilizing the diagnostic over Internet protocol; para. [0009]: each ECU 30, TCU 40 and/or CAN ECU 95 may be arranged with an appropriate DoIP node. --- It is noted that anomaly analyzer 170 teaches at least on ECU; a DAC generated by network security device 180 teaches a security diagnostic packet received from the at least one IVN security diagnostic sensor; identify anomalies in software packets teaches autonomously diagnose integrity of ECU electronic control software, and diagnose integrity of ECU electronic control data); and
a cyber dashboard configured to display a security problem in an event of the security problem in the integrity of the ECU electronic control software or the integrity of the ECU electronic control data (para. [0012]: the system further comprises an anomaly monitor in communication with the anomaly analyzer, the alert message being sent to the anomaly monitor, wherein the plurality of engine control units, the anomaly analyzer and the anomaly monitor are located within a single automotive environment. --- It is noted that an anomaly monitor teaches a cyber dashboard; the alert message from the anomaly analyzer implies a security problem in an event of the security problem in the integrity of the ECU electronic control software or the integrity of the ECU electronic control data, thus the alert message being sent to the anomaly monitor teaches implies a security problem in an event of the security problem in the integrity of the ECU electronic control software or the integrity of the ECU electronic control data).
Kerstein is silent about:
… ECU configured to control an actuator based on sensor data collected from a sensor, … autonomously diagnose integrity … by combining the sensor data … 
Sakakibara, in the same field of endeavor, teaches:
… ECU configured to control an actuator based on sensor data collected from a sensor, … autonomously diagnose integrity … by combining the sensor data … (Fig. 21 & para. [0033]: Based on a detection signal from the sensor 6, each ECU 4 supplies a control signal to the actuator, thereby executing an intended-control operation that the each ECU is responsible for. When the vehicle abnormality detection apparatus 7 of the ECU 4 detects a vehicle abnormality based on no response of the actuator 5 or the sensor 6 or based on an abnormality value in vehicle information …; para. [0053]: In the present embodiment, the recording apparatus 3 acquires the behavior data and the DTC information from the CAN bus 2. When the behavior determination section 31 of the recording apparatus 3 determines the occurrence of the unexpected behavior based on the behavior data, the vehicle abnormality influence determination section 32 determines whether or not the time of the occurrence of the unexpected behavior satisfies the predetermined timing condition with respect to the time of acquiring the DTC information; para. [0041]: The behavior data provided from the ECU 4 to the CAN bus 2 includes an engine water temperature, an exhaust pipe pressure, an engine revolution, a vehicle speed, an ignition timing (e.g., advanced ignition timing), an intake air temperature, an air flow rate, a throttle opening degree, an accelerator position, and other various behavior data.  --- It is noted that ECU 4 supplies a control signal to the actuator teaches ECU configured to control an actuator; based on a detection signal from the sensor 6 teaches based on sensor data collected from a sensor; the behavior determination section 31 of the recording apparatus 3 determines the occurrence of the unexpected behavior based on the behavior data teaches autonomously diagnose integrity based on the sensor data. Further noted that the claim does not specifically define how the sensor data and a security diagnostic packet are combined, so for the sake of examination, it is interpreted as based on the sensor data and the security diagnose packet). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein’s system by enhancing Kerstein’s system to detect the anomalies based on the behavior (i.e., sensor) data and the DAC generated by network security device, as taught by Sakakibara, in order to confirm if the anomalies is a real one or temporal disturbance.
The motivation is to improve unexpected behavior determination accuracy by confirming if the unexpected behavior is real anomalies or temporal disturbance such as a disturbance noise on a sensor signal. 

Regarding claim 2: 
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 1.
Kerstein further teaches:
wherein the communication bus includes a vehicle communication bus (para. [0041]: automotive communication network 100 comprises: … a CAN bus 90).

Regarding claim 3:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 1.
Kerstein further teaches:
(para. [0041]: DCU 80, acting as a CAN gateway, is further connected to CAN bus 90; para. [0042]: DCU 80 acts as a gateway controller between CAN bus 90 and Ethernet switch 20. --- It is noted that a CAN gateway teaches a gateway; gateway controller implies connecting an outside of the vehicle with an internal communication bus of the vehicle).

Regarding claim 4: 
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 1, further comprising:
Kerstein further teaches:
a cybersecurity diagnostic tool configured to scan data stored in IVN security diagnostic memory of the at least one IVN security diagnostic sensor and security diagnostic data stored in diagnostic memory of the at least one ECU, thereby performing precision test (FIG. 2A and 2B & para. [0049]: External tester 150 may periodically request from anomaly analyzer 170 all accumulated DACs and DTCs generated by the respective ECUs 30; network security device 180; TCUs 40 and CAN ECUs 95; para. [0043]: Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50; para. [0057]: DEM 245 transmits the generated DTC to DCM 255, which stores the generated DTC for recall by external tester 150 or anomaly analyzer 170. --- It is noted that external tester 150 teaches a cybersecurity diagnostic tool configured to scan data; DCM 255 which stores the generated DTC for recall by external tester 150 teaches scan data stored in IVN security diagnostic memory of the at least one IVN security diagnostic sensor; and Anomaly analyzer 170 comprises a memory to store the received DTCs/DACs for retrieval by external tester teaches security diagnostic data stored in diagnostic memory of the at least one ECU; it is inherent that the external tester scans the date for test). 

Regarding claim 5:
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 1, wherein the at least one IVN security diagnostic sensor comprises:
Kerstein further teaches:
an IVN attack detection sensor configured to …, identify an attacker device and an attack target ECU, and detect a cyberattack (para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. In another embodiment, each received message addressed to any CAN ECU 95 is snooped, and the packet of the snooped message is analyzed statistically to determine any anomalies in the message. … In any event of determination of an invalid message, network security monitor 185 generates a DAC, which is transmitted to anomaly analyzer 170 as will be described further below. --- It is noted that network security monitor 185 teaches an IVN attack detection sensor; the source address and target address of the snooped message are compared teaches identify an attacker device and an attack target ECU; and analyzed statistically to determine any anomalies teaches detect a cyberattack);
an IVN security diagnostic memory configured to store information about the identified attacker device and the identified attack target ECU when the cyberattack is detected (para. [0048]: As each intrusion anomaly is detected by security monitor 185, the anomaly is notified to DEM 190. … In one embodiment, client DoIP of anomaly analyzer 170 requests from network security device 180 all accumulated DTCs and DACs in a single request. DCM 195 then clears its local memory to accumulate future DACs and DTCs generated by DEM 190; (para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. --- It is noted that local memory of network security device 180 teaches an IVN security diagnostic memory; network security device 180 all accumulated DTCs and DACs teaches store information when the cyberattack is detected; here, DACs and DTCs are generated by DEM 190 based on the snooped message which includes the source address and target address, thus DACs and DTCs teaches information about the identified attacker device and the identified attack target ECU); and
an IVN security diagnostic software block for generating a security diagnostic trouble code (DTC) and security freeze-frame data based on a cyberattack detection result stored in the IVN security diagnostic memory (para. [0056]: Advanced ECU 230 comprises: … DEM 245, DCM 255 and DoIP node 265 are implemented as software modules within advanced ECU 230; para. [0046]: Upon detection of a intrusion anomaly, network security monitor 185 signals DEM 190 with information regarding the detected intrusion anomaly. DEM 190, responsive to the signaled detected intrusion anomaly, generates a DAC reflecting the detected intrusion anomaly and transmits the generated DAC to DCM 195. … In another embodiment, a single DAC is provided by DEM 190, with a payload carrying information indicative of the particular intrusion anomaly detected by network security monitor 185; para. [0057]: DEM 245 transmits the generated DTC to DCM 255, which stores the generated DTC for recall by external tester 150 or anomaly analyzer 170; para. [0042]: The term DAC, as used herein, is meant as a code which indicates an anomaly which deviates from the proper configuration. … DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below; [0048]: As each intrusion anomaly is detected by security monitor 185, … DCM 195 then clears its local memory to accumulate future DTCs generated by DEM 190;. --- It is noted that software modules within advanced ECU 230 teaches an IVN security diagnostic software block; upon detection of an intrusion anomaly, DEM 190 generates a DAC reflecting the detected intrusion anomaly with a payload carrying information indicative of the particular intrusion anomaly teaches generating a security diagnostic trouble code (DTC) and security freeze-frame data based on a cyberattack detection result; transmits generated DAC to DCM 195 teaches stored in the IVN security diagnostic memory; here, Kerstein describes that the generated DAC is stored in DCM. In contrary, the claim recites that security diagnostic trouble code (DTC) and security freeze-frame data are generated based on a cyberattack detection result stored in the IVN security diagnostic memory. However, the claim does not specify how the security diagnostic trouble code (DTC) and security freeze-frame data is generated based on a cyberattack detection result stored in the IVN security diagnostic memory, thus, for the sake of examination, the limitation “based on” is interpreted as “related to” or equivalent meaning).
Kerstein is silent about:
an … attack detection sensor configured to identify a driving state of the vehicle …
Sakakibara teaches:
an … attack detection sensor configured to identify a driving state of the vehicle … (para. [0033]: When the vehicle abnormality detection apparatus 7 of the ECU 4 detects a vehicle abnormality based on no response of the actuator 5 or the sensor 6 or based on an abnormality value in vehicle information, the vehicle abnormality detection apparatus 7 a vehicle abnormality data (referred to also as “Diagnostic Trouble Code (DTC) data”) to the CAN bus 2 and records the DTC data in the non-volatile memory 8. Alternatively, when the vehicle abnormality detection apparatus 7 detects a signal line disconnection failure or the like, the vehicle abnormality detection apparatus 7 transmits a DTC data to the CAN bus 2 and records the DTC data in the non-volatile memory 8. For each ECU, the DTC data includes information indicating type of the vehicle abnormality and fail counter value (called “FC value”). The vehicle abnormality detection apparatus 7 includes a vehicle abnormality confirmation section 9 and a DTC information transmission section 10, which may be implemented by software and/or hardware of the microcomputer 4 a. --- It is noted that the vehicle abnormality detection apparatus 7 corresponds to an attack detection sensor; based on no response of the actuator 5 and detects a signal line disconnection failure teaches identify a driving state of the vehicle.
In this regard, Sakakibara describes that incidentally, the vehicle abnormality detection apparatus 7 may detect a DTC that temporarily occurs due to some reasons (e.g., the superimposing of a disturbance noise on a sensor signal) and disappears soon. (See para. [0056])
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein’s system by enhancing Kerstein’s system to detect vehicles’ state, as taught by Sakakibara, in order to confirm if the anomaly is a real one or temporal disturbance.
The motivation is to improve unexpected behavior determination accuracy by confirming if the unexpected behavior is real anomalies or temporal disturbance such as a disturbance noise on a sensor signal. 

Regarding claim 6:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 5. 
Kerstein further teaches:
wherein the at least one IVN security diagnostic sensor generates a security diagnosis alarm packet using the security DTC and the security freeze-frame data (para. [0046]: Upon detection of a intrusion anomaly, network security monitor 185 signals DEM 190 with information regarding the detected intrusion anomaly. DEM 190, responsive to the signaled detected intrusion anomaly, generates a DAC reflecting the detected intrusion anomaly and transmits the generated DAC to DCM 195. … In another embodiment, a single DAC is provided by DEM 190, with a payload carrying information indicative of the particular intrusion anomaly detected by network security monitor 185. --- it is noted that network security monitor 185 teaches the at least one IVN security diagnostic sensor; generate a DAC with a payload information indicative of the particular intrusion anomaly teaches generates a security diagnosis alarm packet using the security DTC and the security freeze-frame data; here, the claim does not specify about the limitation “alarm”, thus, for the sake of examination, the limitation “a security diagnosis alarm packet” is interpreted as “a security diagnosis packet”) and transmits the security diagnosis alarm packet to the identified attack target ECU and the cyber dashboard (para. [0047]: … DCM 195 of network security device 180 responds with all accumulated DACs held by DCM 195 transmitted utilizing DoIP implemented by DoIP node 198; para. [0009]: each ECU 30, TCU 40 and/or CAN ECU 95 may be arranged with an appropriate DoIP node; para. [0048]: a channel is continuously opened between DoIP node 198 and anomaly analyzer 170, and responsive to the DAC generated by DEM 190, DCM 195 transmits the received DAC to anomaly analyzer 170; para. [0012]: In one further embodiment, the system further comprises an anomaly monitor in communication with the anomaly analyzer, the alert message being sent to the anomaly monitor, wherein the plurality of engine control units, the anomaly analyzer and the anomaly monitor are located within a single automotive environment. --- It is noted that transmits the received DAC to anomaly analyzer 170 teaches transmits the security diagnosis alarm packet to the identified attack target ECU; and the alert message being sent to the anomaly monitor teaches transmit to the cyber dashboard).

Regarding claim 7:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 5. 
Kerstein further teaches:
wherein the IVN attack detection sensor identifies the attacker device and the attack target ECU by analyzing reception characteristics of a Controller Area Network (CAN) packet on the communication bus after identifying the driving state of the vehicle (para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. In another embodiment, each received message addressed to any CAN ECU 95 is snooped, and the packet of the snooped message is analyzed statistically to determine any anomalies in the message; para. [0058]: Local security monitor 235 detects intrusion anomalies associated with ECU 230 which are not associated with standard DTCs, as described above. The intrusion anomalies are further detected by analyzing network traffic to and from ECU 230. In one embodiment, messages are parsed and analyzed to detect anomalies. --- It is noted that network security monitor 185 teaches an IVN attack detection sensor; the source address and target address of the snooped message are compared to determine validity teaches identify the attacker device and the attack target ECU; and analyzed statistically to determine any anomalies teaches by analyzing reception characteristics of a Controller Area Network (CAN) packet on the communication bus; monitor and analyze received message teaches after identifying the driving state of the vehicle, here the received message includes a the driving state of the vehicle as stated in the rejection of claim 5).

Regarding claim 16:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 1. 
Kerstein further teaches:
wherein the at least one ECU includes ECU security diagnostic memory for storing an ECU security diagnostic trouble code and ECU security freeze-frame data, which correspond to a result of verification of the integrity of the ECU electronic control software (para. [0043]: Anomaly analyzer 170 further serves as a target for DTCs generated by any of ECU 30, TCU 40, CAN ECU 95, and/or a DAC generated by network security device 180. Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50, and further comprises a processor arranged to analyze the received DTCs/DACs, and in certain circumstances take protective action responsive thereto, as will be described further below; para. [0046]: Upon detection of a intrusion anomaly, network security monitor 185 signals DEM 190 with information regarding the detected intrusion anomaly. DEM 190, responsive to the signaled detected intrusion anomaly, generates a DAC reflecting the detected intrusion anomaly and transmits the generated DAC to DCM 195. In one embodiment, DEM 190 generates one of a plurality of DACs, each indicative of a particular potential intrusion anomaly that may be detected by network security monitor 185; para. [0058]: a single DAC is provided by DEM 245, with a payload carrying information indicative of the particular anomaly detected by located security monitor 235. --- It is noted that Anomaly analyzer 170 teaches the at least one ECU; a memory teaches ECU security diagnostic memory; store the received DTCs/DACs which are generated with reflecting the detected intrusion anomaly teaches storing an ECU security diagnostic trouble code and ECU security freeze-frame data which correspond to a result of verification of the integrity of the ECU electronic control software).

Claim 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over Kerstein (US 2020/0342099 A1; hereinafter, “Kerstein”) in view of Sakakibara (US 2012/0253586 A1; hereinafter, “Sakakibara”), and further in view of Ruvio et al. (US 10,824,720 B2; hereinafter, “Ruvio”).

Regarding claim 8:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 7. 
Kerstein further teaches:
wherein the IVN attack detection sensor extracts … characteristics …, thereby detecting whether the attacker device transmits a CAN_ID for a forcible control attack on the ECU and identifying the ECU at which the attack is aimed (para. [0058]: Local security monitor 235 detects intrusion anomalies associated with ECU 230 which are not associated with standard DTCs, as described above. The intrusion anomalies are further detected by analyzing network traffic to and from ECU 230. In one embodiment, messages are parsed and analyzed to detect anomalies; (para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. In another embodiment, each received message addressed to any CAN ECU 95 is snooped, and the packet of the snooped message is analyzed statistically to determine any anomalies in the message. --- It is noted that network security monitor 185 teaches an IVN attack detection sensor; the packet of the message is analyzed statistically to determine any anomalies and the source address and target address of the snooped message are compared teaches detecting whether the attacker device transmits a CAN_ID for a forcible control attack on the ECU and identifying the ECU at which the attack is aimed).
Kerstein in view of Sakakibara is silent about:
wherein the … attack detection sensor extracts a set of characteristics for uniquely identifying an ECU …
Ruvio, in the same field of endeavor, teaches: 
wherein the … attack detection sensor extracts a set of characteristics for uniquely identifying an ECU … (col. 19, ll. 1-36: It is further in the scope of the present invention to extract timing characteristics as depicted above for the timing data difference between at least two frames. It is further in the scope of the present invention to extract frequency characteristics as depicted above for the frequency data of a specific frame and/or difference between at least two frames. It is further in the scope of the present invention to extract noise characteristics as depicted above for the noise data of a specific frame and/or difference between at least two frames. It is further in the scope of the present invention to extract electrical characteristics as depicted above for any electrical data of a specific frame and/or difference between at least two frames. It is in the scope of the present invention to extract at least one typical characteristic for each specific ECU originating communication frames connected to the CAN network. It is further in the scope of the present invention to combine more than one frame and or communication characteristics to generate a frame profile. Additionally or alternatively comparing frame profiles will be used to detect anomalies. It is further in the scope of the present invention to filter frames having a characteristic or profile not fitting predetermined or learned criteria. The term “Electrical based characteristics” interchangeably refers hereinafter to different aspects of the physical electrical environment layer such as, voltage, current, number of conductors, impedance, RF emission and/or receiving, frequency. Additionally or alternatively, the noise characteristics on the transmission (e.g. on the electrical signal, on the RF signal) can be examined and referred to as a characteristic of the communication for the purpose of identification of an attack originator and mapping of the communication system. --- It is noted that extract timing characteristics, frequency characteristics, noise characteristics, and electrical characteristics teaches extracts a set of characteristics; extract at least one typical characteristic for each specific ECU teaches extracts characteristics uniquely identifying an ECU).
In this regard, Ruvio describes that many typical characteristics of current automotive bus systems enable unauthorized access relatively easy. For example, most communication between controllers is done unencrypted, in plain text. Another vulnerability in entailed in the fact that almost all possible bus messages, their respective structures and communication protocols are specified in publically available documents. Another predicament is that controllers are not able to verify if an incoming message comes from an authorized sender (see col. 1, ll. 49-57); Since it is crucial to identifying both the actual frames that construct the attack and the source of the attack, there is a long felt need for tools enabling the identification of the network architecture malicious communication source, and malicious frames for providing security, in a cost effective, efficient manner to automotive bus communication systems (see col. 2, ll. 62-67).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein in view of Sakakibara’s system by enhancing Kerstein in view of Sakakibara’s system to extract characteristics from the packet for each specific ECU, as taught by Ruvio, in order to identify the attack and the source of the attack.
The motivation is to provide a cost effective and efficient manner for identifying the network architecture malicious communication source and malicious frames in automotive bus communication systems. 

Regarding claim 9:  
Kerstein in view of Sakakibara AND Ruvio teaches:

Kerstein further teaches:
wherein the IVN attack detection sensor extracts characteristics …, thereby identifying the attacker device and the attack target ECU (para. [0058]: Local security monitor 235 detects intrusion anomalies associated with ECU 230 which are not associated with standard DTCs, as described above. The intrusion anomalies are further detected by analyzing network traffic to and from ECU 230. In one embodiment, messages are parsed and analyzed to detect anomalies; (para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. In another embodiment, each received message addressed to any CAN ECU 95 is snooped, and the packet of the snooped message is analyzed statistically to determine any anomalies in the message. --- It is noted that network security monitor 185 teaches an IVN attack detection sensor; the packet of the message is analyzed statistically to determine any anomalies and the source address and target address of the snooped message are compared teaches extracts characteristics thereby identifying the attacker device and the attack target ECU).
Kerstein in view of Sakakibara is silent about:
wherein the … attack detection sensor extracts characteristics of an ECU fingerprint and analyzes a correlation between a received CAN_ID and the ECU …
Ruvio, in the same field of endeavor, teaches:  
wherein the … attack detection sensor extracts characteristics of an ECU fingerprint and analyzes a correlation between a received CAN_ID and the ECU … (col. 19, ll. 1-36: It is further in the scope of the present invention to extract timing characteristics as depicted above for the timing data difference between at least two frames. It is further in the scope of the present invention to extract frequency characteristics as depicted above for the frequency data of a specific frame and/or difference between at least two frames. It is further in the scope of the present invention to extract noise characteristics as depicted above for the noise data of a specific frame and/or difference between at least two frames. It is further in the scope of the present invention to extract electrical characteristics as depicted above for any electrical data of a specific frame and/or difference between at least two frames. It is in the scope of the present invention to extract at least one typical characteristic for each specific ECU originating communication frames connected to the CAN network. It is further in the scope of the present invention to combine more than one frame and or communication characteristics to generate a frame profile. Additionally or alternatively comparing frame profiles will be used to detect anomalies; col. 19, ll. 47-62: Additionally or alternatively, when characterizing at least one ECU communication by said characterizing module and/or said mapping module, the characterization can be a factor of, for example, at least one or any combination thereof of: at least one frame communicated, an analysis of a plurality of (more than 1) frames at least temporarily stored and analyzed for at least one characteristic, characteristic set, a characteristics probability matrix, a Markov model of the optional characteristics of each ECU, statistical correlation examination of at least one characteristic to a set of data, statistical significance of at least one characteristic, the usability of using a specific characteristic in reference to its divergence, characterizing messages comprising one or more frames, the typical frame sequence, the typical frame timing, electrical based characteristics, time based characteristics, physical based characteristics. --- It is noted that extract timing characteristics, frequency characteristics, noise characteristics, and electrical characteristics teaches extracts characteristics of an ECU fingerprint; and statistical correlation examination of at least one characteristic teaches analyzes a correlation between a received CAN_ID and the ECU. Here, the claim does not specify what the ECU fingerprint is, so for the sake of examination, it is interpreted as meaning characteristics such as a time interval and a frequency).
	The motivation for claim 8 is applicable for claim 9.

Regarding claim 10:  
Kerstein in view of Sakakibara and Ruvio teaches:
The onboard cybersecurity diagnostic system of claim 9. 
Kerstein in view of Sakakibara is silent about:
wherein the ECU fingerprint includes a time interval at which the CAN_ID is received, a frequency with which the CAN_ID is received, or a period at which the CAN_ID is received as a statistical characteristic value of a received CAN message.
Ruvio, in the same field of endeavor, teaches:
wherein the ECU fingerprint includes a time interval at which the CAN_ID is received, a frequency with which the CAN_ID is received, or a period at which the CAN_ID is received as a statistical characteristic value of a received CAN message (col. 19, ll. 1-36: It is further in the scope of the present invention to extract timing characteristics as depicted above for the timing data difference between at least two frames. It is further in the scope of the present invention to extract frequency characteristics as depicted above for the frequency data of a specific frame and/or difference between at least two frames. It is further in the scope of the present invention to extract noise characteristics as depicted above for the noise data of a specific frame and/or difference between at least two frames. It is further in the scope of the present invention to extract electrical characteristics as depicted above for any electrical data of a specific frame and/or difference between at least two frames. It is in the scope of the present invention to extract at least one typical characteristic for each specific ECU originating communication frames connected to the CAN network. It is further in the scope of the present invention to combine more than one frame and or communication characteristics to generate a frame profile. Additionally or alternatively comparing frame profiles will be used to detect anomalies; col. 19, ll. 1-36: Additionally or alternatively, when characterizing at least one ECU communication by said characterizing module and/or said mapping module, the characterization can be a factor of, for example, at least one or any combination thereof of: at least one frame communicated, an analysis of a plurality of (more than 1) frames at least temporarily stored and analyzed for at least one characteristic, characteristic set, a characteristics probability matrix, a Markov model of the optional characteristics of each ECU, statistical correlation examination of at least one characteristic to a set of data, statistical significance of at least one characteristic, the usability of using a specific characteristic in reference to its divergence, characterizing messages comprising one or more frames, the typical frame sequence, the typical frame timing, electrical based characteristics, time based characteristics, physical based characteristics. --- It is noted that extract timing characteristics, and frequency characteristics teaches ECU fingerprint).
	The motivation for claim 8 is applicable for claim 10.

Regarding claim 11:  
Kerstein in view of Sakakibara and Ruvio teaches:
The onboard cybersecurity diagnostic system of claim 9. 
Kerstein in view of Sakakibara is silent about:
wherein the ECU fingerprint includes a reception power value as a physical characteristic value of the CAN packet, which is measured at a CAN transceiver.
Ruvio teaches:
wherein the ECU fingerprint includes a reception power value as a physical characteristic value of the CAN packet, which is measured at a CAN transceiver (col. 19, ll. 27-36: The term “Electrical based characteristics” interchangeably refers hereinafter to different aspects of the physical electrical environment layer such as, voltage, current, number of conductors, impedance, RF emission and/or receiving, frequency. Additionally or alternatively, the noise characteristics on the transmission (e.g. on the electrical signal, on the RF signal) can be examined and referred to as a characteristic of the communication for the purpose of identification of an attack originator and mapping of the communication system. --- It is noted that physical electrical environment layer such as, voltage, current teaches a reception power value as a physical characteristic value of the CAN packet; the electrical signal can be examined on the transmission implies measured at a CAN transceiver).
	The motivation for claim 8 is applicable for claim 11.

Regarding claim 12:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 5, wherein: 
Kerstein in view of Sakakibara is silent about:
the IVN attack detection sensor detects an attack using the driving state of the vehicle and an attack detection rule, and
the attack detection rule includes a detection rule for an individual CAN packet and a detection rule using a time-series correlation between CAN packets received over time.
Ruvio teaches:
the IVN attack detection sensor detects an attack using the driving state of the vehicle and an attack detection rule (col. 18, ll. 52-67: After executing at least initial timing analysis by such an algorithm in combination with a Markov model modeling the transitions possible of the data points, evaluating the probability of an event, is possible. Additionally or alternatively, rules can be applied in accordance with the system's expectations calculated by the algorithm. Additionally or alternatively, threshold values can be implemented in the algorithm following an initial analysis of a data set. Additionally or alternatively, each data set of a communication comprising frames comprising frames can be used to generate and evaluate timing characteristics specific to it. Additionally or alternatively, any change in the possible transitions states, the probability, the mean values (e.g. of a cluster or between clusters), variance, correlation, or spectral density of the data points can be an anomaly of a timing characteristic. --- It is noted that rules can be applied, and threshold values can be implemented (threshold values implies that there is a state value) teaches detects an attack using the driving state of the vehicle and an attack detection rule), and 
the attack detection rule includes a detection rule for an individual CAN packet and a detection rule using a time-series correlation between CAN packets received over time (col. 18, ll. 41-67: A dedicated algorithm measures the validity of an incoming frame based on statistical analysis, including a probability matrix, and/or a Gaussian probability curve. The purpose of preforming bus timing analysis is to extract the timing characteristics of the specified frame. Following statistical analysis the process can include clustering of the data to main groups and within them calculating the probabilities of each data point. In addition, a calculation can be performed to see the probability for any random new data point to be located in a specific cluster. Additionally or alternatively, a Markov model is utilized to determine the possible transition states. After executing at least initial timing analysis by such an algorithm in combination with a Markov model modeling the transitions possible of the data points, evaluating the probability of an event, is possible. Additionally or alternatively, rules can be applied in accordance with the system's expectations calculated by the algorithm. Additionally or alternatively, threshold values can be implemented in the algorithm following an initial analysis of a data set. Additionally or alternatively, each data set of a communication comprising frames comprising frames can be used to generate and evaluate timing characteristics specific to it. Additionally or alternatively, any change in the possible transitions states, the probability, the mean values (e.g. of a cluster or between clusters), variance, correlation, or spectral density of the data points can be an anomaly of a timing characteristic; col. 19, ll. 37-46: The term “Learned over time” interchangeably refers hereinafter to the application of leaning algorithms and/or heuristic means for analyzing communication data (including frames send and received, their timing characteristics, their electrical characteristics, their data content, their noise characteristics, the events and/or sensor values relating to them, and as such) and for example detecting patterns and/or action and result sequences in order to make rules, assessments, expectations, of the system, including defining a base for comparison of future communication related activities. --- It is noted that a calculation can be performed to see the probability for any random new data point to be located in a specific cluster teaches a detection rule for an individual CAN packet; any change in the possible transitions states, the probability, the mean values (e.g. of a cluster or between clusters), variance, correlation, or spectral density of the data points can be an anomaly of a timing characteristic teaches a detection rule using a time-series correlation between CAN packets received over time. Here, the claim does not specify what the detection rule is, so for the sake of examination, it is interpreted as any rule related to the message and data).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein in view of Sakakibara’s system by enhancing Kerstein in view of Sakakibara’s system to use the driving state of the vehicle and an attack detection rule, as taught by Ruvio, in order to identify the attack and the source of the attack.
The motivation is to increase in accuracy of the intrusion anomalies detection by applying a rule in accordance with the system's expectations. 

Regarding claim 13:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 5. 
Kerstein further teaches:
wherein the security DTC includes a code … for diagnosing a type of the attack or damage caused by the attack (para. [0016]: In one further embodiment, for each type of the intrusion anomalies detected by the security monitor the diagnostic event manager is arranged to generate a unique diagnostic anomaly code; para. [0042]: The term DAC, as used herein, is meant as a code which indicates an anomaly which deviates from the proper configuration. As opposed to DTCs, DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below. --- It is noted that DACs teaches the security DTC; a unique diagnostic anomaly code for each type of the intrusion anomalies detected teaches a code for diagnosing a type of the attack).
Kerstein in view of Sakakibara is silent about:
… a code for differentiating an area in which an attack has occurred.
Ruvio teaches:
… a code for differentiating an area in which an attack has occurred (col. 23, ll. 39-48: According to another embodiment of the invention, … wherein the identification module is further configured to forward at least one event and/or the identified attack originator to at least one selected from: (a) a driver of a vehicle comprising at least a portion of the CAN bus by means of a dedicated human machine interface; (b) one or more the ECU; (c) one or more third party system located in the vehicle comprising at least a portion of the CAN bus; (d) one or more external system; and, (e) any combination thereof. --- It is noted that the identified attack originator teaches a code for differentiating an area in which an attack has occurred; here, the claim does not specify what the code is, so for the sake of examination, it is interpreted as related information).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein in view of Sakakibara’s system by enhancing Kerstein in view of Sakakibara’s system to include the identified attack originator in the DAC, as taught by Ruvio, in order to identify the source of the attack by other ECU (i.e., anomaly analyzer 170).
. 

Claims 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Kerstein (US 2020/0342099 A1; hereinafter, “Kerstein”) in view of Sakakibara (US 2012/0253586 A1; hereinafter, “Sakakibara”), and further in view of Santillo et al. (US 2019/0063284 A1; hereinafter, “Santillo”).

Regarding claim 14:  
Kerstein in view of Sakakibara teaches:
The onboard cybersecurity diagnostic system of claim 5. 
Kerstein further teaches:
wherein the security DTC includes an … code … when a cyberattack is serious enough to compromise safety of the vehicle … (para. [0016]: In one further embodiment, for each type of the intrusion anomalies detected by the security monitor the diagnostic event manager is arranged to generate a unique diagnostic anomaly code; para. [0042]: The term DAC, as used herein, is meant as a code which indicates an anomaly which deviates from the proper configuration. As opposed to DTCs, DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below; para. [0052]: the event that any of the received DACs of stage 1000, or payload information thereof, are congruent with the black list of stage 1020, in stage 1040 anomaly analyzer 170 is arranged to output a warning indicator to a monitor. --- It is noted that DACs teaches the security DTC; security flaws, safety flaws and hacking identification teaches a cyberattack is serious enough to compromise safety of the vehicle).
Kerstein in view of Sakakibara is silent about:

Santillo teaches:  
wherein the security DTC includes an MIL code for immediately lighting a cybersecurity Malfunction Indicator Lamp (MIL) on the cyber dashboard … so it is necessary to urgently respond thereto (para. [0064]: For example, a diagnostic code may be set and a malfunction indicator light (MIL) may be illuminated on a display panel of the vehicle to notify the operator, the code and MIL maintained until the filter is replaced or repaired. --- It is noted that a diagnostic code corresponds to the security DTC; a malfunction indicator light (MIL) teaches an MIL code; until the filter is replaced or repaired teaches so it is necessary to urgently respond thereto)
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein in view of Sakakibara’s system by enhancing Kerstein in view of Sakakibara’s system to include the MIL in the DAC, as taught by Santillo, in order to allow the anomaly monitor to output a warning indicator with the MIL to a monitor.
The motivation is to allow the monitor to immediately illuminate the warning of attack by referencing the MIL in the warning indicator. 

Regarding claim 15:  
Kerstein in view of Sakakibara and Santillo teaches:
The onboard cybersecurity diagnostic system of claim 14. 
Kerstein further teaches:
wherein the security freeze-frame data includes … data … on a device in which the security DTC is generated and a condition under which an attack has occurred (para. [0058]: Upon detection of a intrusion anomaly, network security monitor 185 signals DEM 190 with information regarding the detected intrusion anomaly. DEM 190, responsive to the signaled detected intrusion anomaly, generates a DAC reflecting the detected intrusion anomaly and transmits the generated DAC to DCM 195. … a single DAC is provided by DEM 245, with a payload carrying information indicative of the particular anomaly detected by located security monitor 235. --- It is noted that a payload teaches the security freeze-frame data; upon detection of a intrusion anomaly generating a DAC teaches the security DTC is generated and a condition under which an attack has occurred on a device).
Kerstein in view of Sakakibara and Santillo is silent about:
wherein the … freeze-frame data includes different data depending on a device…
Theriot, in the same field of endeavor, teaches:
wherein the … freeze-frame data includes different data depending on a device… (para. [0086]: The OBD-II payload field can specify an OBD-II mode, an OBD-II parameter ID (PID), and additional payload data. …  Example OBD-II PIDs include, but are not limited to, freeze DTC, fuel system status, engine coolant temperature, fuel trim, fuel pressure, engine revolutions/minute (RPMs), vehicle speed, timing advance, and intake air temperature. Many other OBD-II modes and OBD-II PIDs are possible as well. --- It is noted that Example OBD-II PIDs such as engine coolant temperature, fuel trim, fuel pressure teaches different data depending on a device). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein in view of Sakakibara and Santillo’s system by enhancing Kerstein in view of Sakakibara and Santillo’s system to include different data in the payload depending on the device, as taught by Theriot, in order to provide proper diagnostic information of each vehicle. 
The motivation is to allow the anomaly analyzer to easily identify the attack originator ECU by additionally referencing the payload of the DAC.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Kerstein (US 2020/0342099 A1; hereinafter, “Kerstein”) in view of Sakakibara (US 2012/0253586 A1; hereinafter, “Sakakibara”), and further in view of Theriot et al. (US 2012/0215491 A1; hereinafter, “Theriot”).

Regarding claim 20: 
Kerstein teaches:
An operation method of an onboard cybersecurity diagnostic system for a vehicle (claim 14: A method of monitoring intrusion anomalies in an automotive environment), comprising:
autonomously diagnosing, by an electronic control unit (ECU), a cybersecurity problem (para. [0042]: Anomaly analyzer 170 is arranged … to request from the various ECUs 30, CAN ECUs 95 and DCU 80 DTCs and diagnostic anomaly codes (DACs) … DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below; para. [0043]: Upon detection of a intrusion anomaly, network security monitor 185 signals DEM 190 with information regarding the detected intrusion anomaly. DEM 190, responsive to the signaled detected intrusion anomaly, generates a DAC reflecting the detected intrusion anomaly and transmits the generated DAC to DCM 195. --- It is noted that anomaly analyzer 170 and network security device 180 detect an intrusion anomaly; anomaly analyzer 170 teaches by an electronic control unit (ECU)); and
displaying a security state determined depending on a diagnosis result on a cyber dashboard (para. [0012]: the system further comprises an anomaly monitor in communication with the anomaly analyzer, the alert message being sent to the anomaly monitor, wherein the plurality of engine control units, the anomaly analyzer and the anomaly monitor are located within a single automotive environment; para. [0052]: the event that any of the received DACs of stage 1000, or payload information thereof, are congruent with the black list of stage 1020, in stage 1040 anomaly analyzer 170 is arranged to output a warning indicator to a monitor. --- It is noted that an anomaly monitor teaches a cyber dashboard; the alert message from the anomaly analyzer and warning indicator teaches a security state determined depending on a diagnosis result; it is inherent that the monitor displays the message),
wherein the ECU comprises:
a hardware security module configured to verify integrity of ECU electronic control software (para. [0014]: the system further comprising a network security monitor arranged to identify anomalies in software packets transmitted on the network to, or from, at least one of the plurality of engine control units, the anomaly analyzer further in communication with the anomaly analyzer utilizing the diagnostic over Internet protocol; para. [0050]: Anomaly analyzer 170 may be implemented in an FPGA, microcontroller, or processor with associated memory, the associated memory holding electronically readable instructions, which when implemented perform the tasks as described; para. [0041]: FIG. 2A illustrates an automotive communication network 100 comprising a network security device 180 in communication with DCU 80. In further detail, automotive communication network 100 comprises: Ethernet switch 20; plurality of ECUs 30; TCU 40; an external tester 150; an anomaly analyzer 170 comprising a DoIP client 70 and a DoIP node 75; DCU 80; a network security device 180; a CAN bus 90; and plurality of CAN ECUs 95. Each of the plurality of ECUs 30, TCU 40, anomaly analyzer 170 and DCU 80 are coupled to a respective port of Ethernet switch 20 and represent nodes of automotive communication network 100. --- It is noted that anomaly analyzer 170 implemented in an FPGA teaches a hardware security module; identify anomalies in software packets teaches verify integrity of ECU electronic control software; FIG. 2A teaches the software is ECU electronic control software); and
ECU security diagnostic memory configured to store ..., a security state of the sensor data, an ECU security diagnostic trouble code (DTC) and ECU security freeze-frame data (para. [0043]: Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50, and further comprises a processor arranged to analyze the received DTCs/DACs, and in certain circumstances take protective action responsive thereto, as will be described further below; para. [0057]: DEM 245 transmits the generated DTC to DCM 255, which stores the generated DTC for recall by external tester 150 or anomaly analyzer 170; para. [0042]: The term DAC, as used herein, is meant as a code which indicates an anomaly which deviates from the proper configuration. … DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below; para. [0058]: a single DAC is provided by DEM 245, with a payload carrying information indicative of the particular anomaly detected by located security monitor 235. --- It is noted that a memory of anomaly analyzer 170 and DCM 255 storing the generated DAC teaches ECU security diagnostic memory; store the received DTCs/DACs with a payload teaches store a security state of the sensor data, an ECU security diagnostic trouble code (DTC) and ECU security freeze-frame data),
the ECU electronic control software verifying integrity of ECU control data by … security diagnostic data received from an In-Vehicle Network (IVN) security diagnostic sensor (para. [0131]: some or all of the steps and/or operations may be implemented or performed using one or more processors executing instructions, programs, interactive data structures, and client and/or server components stored in one or more nonvolatile computer-readable storage media; para. [0042]: Anomaly analyzer 170 is arranged … to request from the various ECUs 30, CAN ECUs 95 and DCU 80 DTCs and diagnostic anomaly codes (DACs) … DACs provide anomaly codes for complex anomalies, such as security flaws, safety flaws and hacking identification, as will be described further below; para. [0043]: Anomaly analyzer 170 further serves as a target for DTCs generated by any of ECU 30, TCU 40, CAN ECU 95, and/or a DAC generated by network security device 180. Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50, and further comprises a processor arranged to analyze the received DTCs/DACs, and in certain circumstances take protective action responsive thereto, as will be described further below; para. [0014]: the system further comprising a network security monitor arranged to identify anomalies in software packets transmitted on the network to, or from, at least one of the plurality of engine control units, the anomaly analyzer further in communication with the anomaly analyzer utilizing the diagnostic over Internet protocol; para. [0044]: In operation, network security monitor 185 of network security device 180 monitors activity on CAN bus 90, either by snooping for, or by actively blocking, a message addressed to any CAN ECU 95. In particular, in one embodiment each received message addressed to any CAN ECU 95 is snooped and the source address and target address of the snooped message are compared to a predetermined list of acceptable addresses to determine validity. --- It is noted that programs teaches the ECU electronic control software; anomaly analyzer 170 teaches at least on ECU; a DAC generated by network security device 180 teaches a security diagnostic data received from an IVN security diagnostic sensor; monitors activity and a message on CAN bus 90 and determine validity teaches verifying integrity of ECU control data).
Kerstein is silent about:
ECU … memory configured to store a sensor/onboard diagnostic (OBD) parameter ID, sensor data …, 
… verifying integrity … by combining the sensor data received from a sensor … 
Sakakibara, in the same field of endeavor, teaches: 
… verifying integrity … by combining the sensor data received from a sensor …  (Fig. 21 & para. [0033]: Based on a detection signal from the sensor 6, each ECU 4 supplies a control signal to the actuator, thereby executing an intended-control operation that the each ECU is responsible for. When the vehicle abnormality detection apparatus 7 of the ECU 4 detects a vehicle abnormality based on no response of the actuator 5 or the sensor 6 or based on an abnormality value in vehicle information …; para. [0053]: In the present embodiment, the recording apparatus 3 acquires the behavior data and the DTC information from the CAN bus 2. When the behavior determination section 31 of the recording apparatus 3 determines the occurrence of the unexpected behavior based on the behavior data, the vehicle abnormality influence determination section 32 determines whether or not the time of the occurrence of the unexpected behavior satisfies the predetermined timing condition with respect to the time of acquiring the DTC information; para. [0041]: The behavior data provided from the ECU 4 to the CAN bus 2 includes an engine water temperature, an exhaust pipe pressure, an engine revolution, a vehicle speed, an ignition timing (e.g., advanced ignition timing), an intake air temperature, an air flow rate, a throttle opening degree, an accelerator position, and other various behavior data.  --- It is noted that the behavior determination section 31 of the recording apparatus 3 determines the occurrence of the unexpected behavior based on the behavior data teaches autonomously diagnose integrity based on the sensor data. Further noted that the claim does not specifically define how the sensor data and a security diagnostic packet are combined, so for the sake of examination, it is interpreted as based on the sensor data and the security diagnose packet). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein’s system by enhancing Kerstein’s system to detect the anomalies based on the sensor data and the DAC generated by network security device, as taught by Sakakibara, in order to confirm if the anomalies is a real one or temporal disturbance.
The motivation is to improve unexpected behavior determination accuracy by confirming if the unexpected behavior is real anomalies or temporal disturbance such as a disturbance noise on a sensor signal. 
Kerstein in view of Sakakibara is silent about:

Theriot, in the same field of endeavor, teaches: 
ECU … memory configured to store a sensor/onboard diagnostic (OBD) parameter ID, sensor data … (para. [0086]: The OBD-II payload field can specify an OBD-II mode, an OBD-II parameter ID (PID), and additional payload data. Example OBD-II modes include, but are not limited to, modes to: show current data, show freeze frame data, show one or more frames of previously-recorded data (e.g., movies of OBD-II data), show stored Diagnostic Trouble Codes (DTCs), clear DTCs and stored values, test results for oxygen sensor monitoring, test results for other components, show DTCs detected during current or last driving cycle, control operation of on-board component/system, request vehicle information mode, and a permanent/cleared DTC mode. Example OBD-II PIDs include, but are not limited to, freeze DTC, fuel system status, engine coolant temperature, fuel trim, fuel pressure, engine revolutions/minute (RPMs), vehicle speed, timing advance, and intake air temperature. Many other OBD-II modes and OBD-II PIDs are possible as well. --- It is noted that an OBD-II parameter ID (PID) teaches a sensor/onboard diagnostic (OBD) parameter ID; current data teaches sensor data).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kerstein in view of Sakakibara’s system by enhancing Kerstein in view of Sakakibara’s system to store the PID parameter, current data, freeze frame data, and test results, as taught by Theriot, in order to provide various information to the network security device and anomaly analyzer.
The motivation is to increase in accuracy of the intrusion anomalies detection by providing various information to the network security device and anomaly analyzer. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashokkumar Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.Y./Examiner, Art Unit 2491





/ASHOKKUMAR B PATEL/            Supervisory Patent Examiner, Art Unit 2491