DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/13/2020 has been entered.
Claims 1-13, 15, 17, 18 and 20-22 are under consideration with claim 1 having been amended.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 12/13/2020 have been fully considered.
Applicant’s arguments, with respect to the rejection of amended claim 1 under 103 that Ben Noon et al (US 2015/0191135) in view of Muter et al., (A Structured Approach to Anomaly Detection for In-Vehicle Networks does not teaches the amended limitation of “determine a message dependent confidence level for the classification, which confidence level determination may vary from message to message” have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  
Applicant’s arguments, with respect to the rejection of amended claim 1 under 103 that Kaster (US 2017/0063996) in view of Muter et al., (A Structured Approach to Anomaly Detection for In-Vehicle Networks does not teach the amended limitation of “determine a message dependent confidence level for the classification, which confidence level determination may vary from message to message;” have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-13, 15, 17, 18 and 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Ben Noon et al (US 2015/0191135) in view of Evans et al (US 9,843,594).

With respect to claim 1 Ben Noon teaches a module for providing security to an in-vehicle communication network having at least one bus and at least one node connected to the bus, the module comprising: 

a processor configured to process messages received via the port (see Ben Noon figure 2A processor and paragraph 0052-0053 i.e. Processor 41 processes a message it receives via port 42 or port 52 in accordance with computer executable instructions for executing matching rules, white and black lists of CAN messages, and response actions, optionally stored in a memory 45, and optionally in accordance with a vehicle context during which the message is received) to: 
classify a received message as to whether or not it is an anomalous message (see Ben Noon paragraphs 0068 i.e. the Watchman vets the ID of the message to determine if it is an ID of a potentially damaging message, which advantageously should not be allowed to propagate on high-speed bus 61); and 
if the message is classified as anomalous determining a response, wherein the response comprises at least one or any combination of more than one of: transmitting at least one message that reconfigures at least one electronic control unit (ECU) of the vehicle; shutting down a portion of the in-vehicle network; and/or transmitting at least one valid message over the in-vehicle network that overrides the anomalous message (see Ben Noon paragraphs 0068-0070 i.e. the Watchman vets the ID of the message to 
Ben Noon does not teach determine a message dependent confidence level for the classification, which confidence level determination may vary from message to message; or if the message is classified as anomalous determining a response based on the determined confidence level associated with the anomalous message.
Evans teaches determine a message dependent confidence level for the classification, which confidence level determination may vary from message to message (see Evans  figure 7 step 510, column 13 lines 38-42 i.e. determining module 112 may determine that an automobile-network message is anomalous only if a model indicates that the probability that the automobile network is anomalous is greater than a predetermined value  and column 14 lines 5-17 i.e. In some examples, if a model includes a classifier, determining module 112 may determine that an automobile-network message is anomalous by applying the classifier to the automobile-network message. If the model is an ensemble model that includes several classifiers, determining module 112 may use the classifiers to determine whether an automobile-network message is expected or anomalous by (1) calculating an aggregate 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben Noon et al in view of Evans to classify a message as anomalous when the determining module determines that the probability that the automobile network message is greater than a predetermined value as way detect anomalous message with confidence (see Evens column 14 lines 18-36). 

With respect to claim 4 Ben Noon teaches the module according to claim 3 wherein the at least one critical vehicle function comprises vehicle speed and/or gear ratio of a vehicle transmission (see Ben Noon paragraph 0015 i.e. The context may comprise an operating state of the vehicle and/or circumstances under which the vehicle is operating. An operating state of a vehicle may by way of example, comprise, vehicle speed, tire pressure, ambient temperature, vehicle load, and state of health). 

With respect to claim 5 Ben Noon teaches the module according to claim 1 wherein shutting down the portion of the in-vehicle network comprises shutting down a bus of the at least one bus (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously transmitted on a same bus of a CAN network, such high-speed bus 61 in in-vehicle network 60, the dominant bit survives and is received by nodes connected to the bus and the recessive bit does not survive and is not received by the nodes. In block 175 therefore, processor 41 of Watchman 40B causes the Watchman to transmit a dominant bit, optionally referred to as a "poison bit", onto high-speed bus 61, and then optionally proceeds to a block 177 to determine if a sufficient number of dominant bits has been transmitted to corrupt and block the unwanted message propagating on high-speed bus 61. If in block 177 processor 41 determines that Watchman 40B has not transmitted enough poison bits, the processor returns to block 175 and causes the Watchman to transmit another dominant bit. Watchman 40B and its processor 41 cycle through blocks 175 to 177 until in block 177 the processor determines that a sufficient number of dominant, poison, bits have been transmitted to destroy the message). 

With respect to claim 6 Ben Noon teaches the module according to claim 1 wherein shutting down the portion of the in-vehicle network comprises shutting down a portion of the in-vehicle network to which the module is connected (see Ben Noon 

With respect to claim 7 Ben Noon teaches the module according to claim 1 wherein shutting down comprises shutting down for a shutdown period having a predetermined duration (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously 

With respect to claim 8 Ben Noon teaches teaches 8 the module according to claim 1 wherein shutting down comprises shutting down until such time as outside intervention addresses a cause of transmission of the anomalous (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously transmitted on a same bus of a CAN network, such high-speed bus 61 in in-vehicle network 60, the dominant bit survives and is received by nodes connected to the bus and the recessive bit does not survive and is not received by the nodes. In block 175 therefore, processor 41 of Watchman 40B 

With respect to claim 9 Ben Noon teaches the module according to claim 1 wherein shutting down comprises clamping the portion of the in-vehicle network to a predetermined voltage (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously transmitted on a same bus of a CAN network, such high-speed bus 61 in in-vehicle network 60, the dominant bit survives and is received by nodes connected to the bus and the recessive bit does not survive and is not received by the nodes. In block 175 therefore, processor 41 of Watchman 40B causes the Watchman to transmit a dominant bit, optionally referred to as a "poison bit", onto high-speed bus 61, and then optionally proceeds to a block 177 to determine if a sufficient number of dominant bits has been transmitted to corrupt and block the unwanted message propagating on high-speed bus 

With respect to claim 10 Ben Noon teaches the module according to claim 9 wherein the predetermined voltage is a voltage of a dominant bit (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously transmitted on a same bus of a CAN network, such high-speed bus 61 in in-vehicle network 60, the dominant bit survives and is received by nodes connected to the bus and the recessive bit does not survive and is not received by the nodes. In block 175 therefore, processor 41 of Watchman 40B causes the Watchman to transmit a dominant bit, optionally referred to as a "poison bit", onto high-speed bus 61, and then optionally proceeds to a block 177 to determine if a sufficient number of dominant bits has been transmitted to corrupt and block the unwanted message propagating on high-speed bus 61. If in block 177 processor 41 determines that Watchman 40B has not transmitted enough poison bits, the processor returns to block 175 and causes the Watchman to transmit another dominant bit. Watchman 40B and its processor 41 cycle through blocks 175 to 177 until in block 177 

With respect to claim 11 Ben Noon teaches the module according to claim 9 wherein shutting down comprises periodically interrupting shutting down to enable propagation of messages critical to operation of the vehicle (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously transmitted on a same bus of a CAN network, such high-speed bus 61 in in-vehicle network 60, the dominant bit survives and is received by nodes connected to the bus and the recessive bit does not survive and is not received by the nodes. In block 175 therefore, processor 41 of Watchman 40B causes the Watchman to transmit a dominant bit, optionally referred to as a "poison bit", onto high-speed bus 61, and then optionally proceeds to a block 177 to determine if a sufficient number of dominant bits has been transmitted to corrupt and block the unwanted message propagating on high-speed bus 61. If in block 177 processor 41 determines that Watchman 40B has not transmitted enough poison bits, the processor returns to block 175 and causes the Watchman to transmit another dominant bit. Watchman 40B and its processor 41 cycle through blocks 175 to 177 until in block 177 the processor determines that a sufficient number of dominant, poison, bits have been transmitted to destroy the message).



With respect to claim 13 Ben Noon teaches the module according to claim 12 wherein the at least one critical ECU comprises an engine ECU and/or a braking ECU (see Ben Noon figure 1B Engine Control and Anti-Skid Braking and paragraph 0025 i.e. High-speed CAN bus 61 is schematically shown connected to engine, suspension, traction, gearbox, and braking control systems 62, 63, 64, 65, and 66 respectively). 

With respect to claim 15 Ben Noon teaches the module according to claim 1 wherein the at least one valid message comprises a last message detected on the bus of a same type as the anomalous message and transmitted before recognition of the anomalous message (see Ben Noon paragraphs 68-70 i.e. The CAN protocol that configures message transmission over in-vehicle network 60 uses a dominant bit and a recessive bit to transmit CAN messages. The dominant bit is usually the "0" bit and the recessive bit is usually the "1" bit. If a dominant and a recessive bit are simultaneously transmitted on a same bus of a CAN network, such high-speed bus 61 in in-vehicle network 60, the dominant bit survives and is received by nodes connected to the bus and the recessive bit does not survive and is not received by the nodes. In block 175 

With respect to claim 17 Ben Noon teaches the module according to claim 1 wherein the confidence level for the anomalous message is based on whether the anomalous message is classified as a black list or gray list message and a confidence level of the classification (see Ben Noon figure 2B step 120 and paragraph 0058 i.e. If processor 41 determines in decision block 107 that the message ID is not a message ID of a white list CAN message, the processor proceeds to a block 120 and determines whether or not the ID is a black list message ID. If the message is a black list message, the processor optionally proceeds to a block 122 and blocks the message from entry to high-speed CAN bus 61).

With respect to claim 18 Ben Noon teaches the module according to claim 1 wherein the response is based on at least one or any combination of more than one of: an ID of the message; an ECU with which the message is associated; content of the 

With respect to claim 20 Ben Noon teaches the module according to claim 18 wherein vehicle context comprises a state of the vehicle and/or a state of the vehicle’s in-vehicle communication network (see Ben Noon paragraph 0015 i.e. An operating state of a vehicle may by way of example, comprise, vehicle speed, tire pressure, ambient temperature, vehicle load, and state of health).

With respect to claim 21 Ben Noon teaches the module according to claim 20 wherein the state of the vehicle comprises at least one or any combination of more than one of, vehicle speed, acceleration, closing speed to a leading or trailing vehicle, engine rpm, engine temperature, oil pressure, hydraulic pressure, wheel traction, road condition, vehicle location optionally provided by a GPS signal, and/or weather condition (see Ben Noon paragraph 0015 i.e. An operating state of a vehicle may by way of 

With respect to claim 22 Ben Noon teaches the module according to claim 20 wherein the state of the in-vehicle network comprises baud rate, which types of messages are being transmitted over the in-vehicle network, and/or which nodes in in-vehicle communication network are actively communicating over the network, and/or a state or contents of a communication session (see Ben Noon paragraph 0036 i.e. Watchman 40 may generate and store in a Watchman memory a health feature vector for vehicle 30 that provides a measure of the vehicle's health responsive to messages that the Watchman monitors).

Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over Ben Noon et al (US 2015/0191135) in view of Evans et al (US 9,843,594) in view of Kaster (US 2017/0063996).
With respect to claim 2 Ben Noon teaches the module according to claim 1 but does not teach wherein transmitting at least one message that reconfigures at least one ECU, comprises a transmitting a message that causes an ECU of the at least one ECU to reset to a known safe default configuration. Kaster teaches wherein transmitting at least one message that reconfigures at least one ECU, comprises a transmitting a message that causes an ECU of the at least one ECU to reset to a known safe default configuration (see Kaster paragraphs 0018-0019 i.e. If a suspicious message or suspicious activity is detected, a warning is sent to the driver that could include an LED 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben Noon in view of Kaster to send a reset command to the ECU that is the target of the attack as a way counteract suspicious activity or an attack by returning the ECU to a safe state (see Kaster paragraph 0020). Therefore one would have been motivated to have sent a reset command to the ECU that is the target of the attack to reset the EUC to a safe state.

	
With respect to claim 3 Ben Noon teaches the module according to claim 1 but does not teach wherein transmitting at least one message that reconfigures at least one ECU comprises transmitting a message that causes the ECU to operate only responsive to messages for which the vehicle operates within a safe range for at least one critical vehicle function. Kaster teaches wherein transmitting at least one message 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben Noon in view of Kaster to send a reset command to the ECU causing the vehicle to enter into a safe mode to counteract suspicious activity or an attack in which unnecessary features of the vehicle are turned off (e.g. the radio, seat heaters) by reducing the functionality or disabling the ECUs which control such non -critical systems, while keeping critical necessary and active-passive safety functions are available (see Kaster paragraph 0020). Therefore one would have been motivated to have enter into a safe mode to counteract suspicious 

Related Prior Art
	Sonalker at al. US 20160188396 “TEMPORAL ANOMALY DETECTION ON AUTOMOTIVE NETWORKS” teaches an anomaly detector for a Controller Area Network (CAN) bus performs state space classification on a per-message basis of messages on the CAN bus to label messages as normal or anomalous, and performs temporal pattern analysis as a function of time to label unexpected temporal patterns as anomalous. The anomaly detector issues an alert if an alert criterion is met that is based on the outputs of the state space classification and the temporal pattern analysis.
	Litichever et al. US 20150020152 “SECURITY SYSTEM AND METHOD FOR PROTECTING A VEHICLE ELECTRONIC SYSTEM“ teaches a security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492                                                                                                                                                                                                        

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492