DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR
1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 02/11/2021 has been entered.


Response to Amendments
This communication is in response to the amendments filed on 12 January 2021:
	Claims 1, 16 and 20 are amended.
	Claims 1-21 are pending.



Response to Arguments
In response to Applicant’s remarks filed on 12 January 2021:
a.	Applicant’s arguments that Kubota fails to close the significant gap left by Ujiie with regards to the limitation of “the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle” has been fully considered but is deemed not persuasive. Applicant’s attention is directed to Kubota, Paragraph [0176], see "a display control process when an event in which the behavior of the host vehicle M 
b.	Applicant’s arguments that Ujiie and Kubota fail to describe or suggest the features of the independent claims reciting “…wherein the plurality of messages have been intercepted during a period of time associated with a vehicle incident…determining indicators of compromise including a subset of the plurality of messages used in the computer attacks” have been fully considered but is deemed not persuasive. Applicant’s attention is directed to Ujiie, Paragraph [0067], see "the engine ECU 100a is connected to an engine 310 and periodically transmits, to bus 200, a data frame indicating the state of the engine 310. The brake ECU 100b is connected to the brake 320 and periodically transmits, to the bus 200, a data frame indicating the state of a brake 320", where "data frame" is being read as the plurality of messages that have been intercepted during a period of time (i.e., periodically)).
c.	Applicant’s arguments that Ujiie and Kubota fail to obviate the independent claims 1, 16, and 20. Moreover, Duri fails to close the significant gap left by Ujiie and Kubota because Duri also fails to describe or suggest “receiving log data having a plurality of messages that have been intercepted on at least one communications bus between a plurality of electronic control units (ECUs) of the vehicle, wherein the plurality of messages have been intercepted during a period of time associated with a vehicle incident…” has been fully considered but is deemed not persuasive. Applicant’s attention is directed to Ujiie, Paragraph [0068], see “The anomaly detection ECU 400 is a kind of ECU that functions as a frame transmission prevention apparatus. The anomaly detection ECU 400 is connected to the bus 200. The anomaly detection ECU 400 has a function of monitoring data frames flowing on the bus 200 and, upon detecting a data frame that meets a predetermined condition concerning a predetermined anomalous frame, performing a predetermined process to prevent transmission of the frame on the basis of predetermined management information”, where “monitoring data frames” is being read as receiving a plurality of messages that have been intercepted on at least one communications bus between a plurality of ECUs of the vehicle. Applicant's attention is further directed to Ujiie, Paragraph [0126], see “The analysis unit 520 sends, to the signature processing unit 550, the received anomaly detection message and acquires the result of verification of the signature of the anomaly 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

6.	Claims 1-2, 5, 9, 13-16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ujiie et al. (U.S. PGPub. 2019/0173912), hereinafter Ujiie, in view of Kubota et al. (U.S. PGPub. 2020/0172123), hereinafter Kubota.

	Regarding claim 1, Ujiie teaches A computer-implemented method for generating rules for detecting and blocking attacks on electronics systems of a vehicle (Ujiie, Paragraph [0025], see “FIG. 14 is a diagram illustrating an example of a sequence of detecting and preventing transmission of an anomalous frame by the anomaly detection ECU according to the first embodiment”, where “detecting and preventing transmission” is being read as detecting and blocking attacks and where “a sequence…” is being read as comprising a set of rules for detecting and blocking the attacks), comprising:
	receiving log data having a plurality of messages that have been intercepted on at least one communications bus between a plurality of electronic control units (ECUs) of the vehicle (Ujiie, Paragraph [0068], see “The anomaly detection ECU 400 is a kind of ECU that functions as a frame transmission prevention apparatus. The anomaly detection ECU 400 is connected to the bus 200. The anomaly detection ECU 400 has a function of monitoring data frames flowing on the bus 200 and, upon detecting a data frame that meets a predetermined condition concerning a predetermined anomalous frame, performing a predetermined process to prevent transmission of the frame on the basis of predetermined management information”, where “monitoring data frames” is being read as receiving a plurality of messages that have been intercepted on at least one communications bus between a plurality of ECUs of the vehicle) (Ujiie, Paragraph [0126], see “The analysis unit 520 sends, to the signature processing unit 550, the received anomaly detection message and acquires the result of verification of the signature of the anomaly detection message…the , wherein the plurality of messages have been intercepted during a period of time associated with a vehicle incident (Ujiie, Paragraph [0067], see “The engine ECU 100a is connected to an engine 310 and periodically transmits, to bus 200, a data frame indicating the state of the engine 310. The brake ECU 100b is connected to the brake 320 and periodically transmits, to the bus 200, a data frame indicating the state of a brake 320”, where “data frame” is being read as the plurality of messages that have been intercepted during a period of time (i.e., periodically)), 
	detecting a computer attack based on analysis of the received log data (Ujiie, Paragraph [0005], see “The in-vehicle network system faces a threat to anomalous control over an ECU by an attacker who accesses the bus and transmits an attack frame, such as an anomalous frame”) (Ujiie, Paragraph [0214], see “the server 500 analyzes the log information and determines whether the data frame is an anomalous data frame that causes an anomaly in the in-vehicle network system 10, such as malfunction of the vehicle”, where “an anomaly in the in-vehicle network system 10” is being read as a computer attack);
	in response to detecting the computer attack, determining indicators of compromise including a subset of the plurality of messages used in the computer attack, and for each message, determining information on at least one ECU of the vehicle, the ECU being a recipient of the message (Ujiie, Paragraph [0053], see “the updating may include updating the first flag so that in the case where the first frame satisfies the first condition and the first flag corresponding to the first ID of the first frame indicates that prevention of transmission of the first frame is not permitted, and the prevention is permitted if the occurrence of anomaly is detected on the basis of a second frame having a second ID different from the first ID”, where “ID” is being read as indicators of compromise and where “first frame” and “second frame” are being read as a subset of the messages used in the computer attack) (Ujiie, Paragraph [0095], see “The data acquisition unit ; and
	generating a rule for a protection module executing in a processor in the vehicle, based on the indicators of compromise, wherein the rule contains at least one condition for the application of the rule for detecting a subsequent computer attack on the vehicle, and at least one action upon application of the rule for blocking the subsequent computer attack on the vehicle (Ujiie, Paragraph [0126], see “If the analysis unit 520 determines that the data frame detected as being anomalous is an anomalous data frame that causes an anomaly, the analysis unit 520 generates FW for activating the transmission prevention function that prevents a similar data frame from being transmitted…The analysis unit 520 instructs the FW holding unit 530 to hold the generated FW. Note that the log information about the data frame detected as being anomalous, which is set in the analysis information by the anomaly detection ECU 400, may include the content of the data frame, the reception interval or the reception frequency of data frames having an ID the same as the ID of the data frame, and log data related to the state of the vehicle acquired by monitoring the state of the vehicle for a predetermined period of time after reception of the data frame…Note that the analysis unit 520 may analyze the log information about the data frame detected as being anomalous and identify one or more anomalous data frames that cause anomalies of the in-vehicle network system 10 (e.g., malfunction of the vehicle)…the analysis unit 520 generates FW for activating the transmission prevention function so that if a data frame similar to the data frame identified as an anomalous data frame that causes an anomaly is detected as being anomalous by the anomaly detection ECU 400, transmission of the data frame is prevented”, where “FW” is being read as firmware comprising a rule containing different conditions, where “520 generates FW for activating the transmission prevention function so that if a data frame similar to the data frame identified as an anomalous data frame is detected…transmission of the data frame is prevented” is being read as detecting a subsequent computer attack on the vehicle (i.e., by identifying a data frame similar to the data frame identified as an anomalous data frame), where “transmission of the data frame is prevented” is being read as an action upon application of the rule for blocking the subsequent computer attack on the vehicle and where “FW holding unit 530” is being read as a protection module that holds the generated rule).
	Ujiie does not teach the following limitation(s) as taught by Kubota: the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle.
	(Kubota, Paragraph [0176], see “a display control process when an event in which the behavior of the host vehicle M changes occurs in a state in which the image showing that the driving assistance of the second degree is being executed is displayed in the process of step S120…”, where “an event in which the behavior of the host vehicle M changes” is analogous to the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie, by implementing techniques for a vehicle control system, comprising of the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle, disclosed of Kubota.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle. This allows for the system to detect anomalies based on a change to a behavior of the vehicle and can make a determination that the vehicle is not associated with an incident when the behavior of the vehicle stays constant (Kubota, Paragraph [0176]). 

	Regarding claim 2, Ujiie as modified by Kubota teaches The method of claim 1, wherein the log data further comprises information on at least one ECU which is the recipient of at least one of the intercepted messages (Ujiie, Paragraph [0097], see “FIG. 5 is a diagram illustrating an example of the reception ID list retained in each of the ECUs 100a to 100d…This example indicates that an ECU receives, from the bus 200, a data frame including any one of IDs”) (Ujiie, Paragraph [0100], see “The ID of the data frame transmitted from the door open/close sensor ECU 100c is “3””, where the “ID” indicates the recipient of the messages) (Ujiie, Paragraph [0126], see “the log information about the data frame detected as being anomalous, which is set in the analysis information by the anomaly detection ECU 400, may include the content of the data frame, the reception interval or the reception frequency of data frames having an ID the same as the ID of the data frame, and log data related to the state of the vehicle acquired by monitoring the state of the vehicle for a predetermined period of time after reception of the data frame”, where “the reception frequency of data frames having an ID the same as the ID of the data frame” is being read as the log data comprising information on at least one ECU which is the recipient of the intercepted message, due to the “ID” indicating a specific ECU).

	Regarding claim 5, Ujiie as modified by Kubota teaches The method of claim 1, wherein the communications bus comprises at least one of a Controller Area Network (CAN) bus, a Local Interconnect Network (LIN), a Media Oriented Systems Transport (MOST) bus, a FlexRay bus, and an Ethernet bus (Ujiie, Paragraph [0064], see “The in-vehicle network system 10 includes a plurality of ECUs each performing communication according to the CAN protocol…”, where “CAN protocol” is being read as the communications bus comprising a Controller Area Network (CAN) bus), wherein messages sent on the communications bus are broadcasted to all of the ECUs communicatively coupled to the communications bus (Ujiie, Paragraph [0132], see “Note that transmission of the data frame to the bus 200 is broadcast transmission that enables all of the ECUs connected to the bus 200 to receive the data frame”).

	Regarding claim 9, Ujiie as modified by Kubota teaches The method of claim 1, wherein the rule specifies, responsive to determining that a portion of the intercepted messages matches a defined group of messages to a first recipient ECU, the at least one action upon application of the rule comprises blocking all messages from being transmitted on the communications bus to the first recipient ECU (Ujiie, Paragraph [0211], see “in the case where a data frame received by the frame transceiver unit 110 satisfies a predetermined condition related to the anomaly detection rule stating that the ID is not included in the authorized ID list, and the flag information corresponding to the ID of the data frame in the management information indicates that prevention of transmission of the data frame is not permitted, if the occurrence of an anomaly is detected on the basis of a data frame that is received by the frame transceiver unit 110 and that has a specific ID different from the ID of the data frame, the flag information may be updated so as to indicate that prevention of transmission is permitted”, where “anomaly detection rule stating that the ID is not included in the authorized ID list” is being read as determining that a portion of the intercepted messages matches a defined group of messages to a first recipient ECU, where “authorized ID list” is being read as a defined group and where “flag information may be updated so as to indicate that prevention of transmission is permitted” is being read as indicating an action upon application of the rule comprising of blocking all messages from being transmitted on the communications bus to the ECU).

	Regarding claim 13, Ujiie as modified by Kubota teaches The method of claim 1, wherein the at least one action upon application of the rule comprises blocking transmission of at least one message from the communications bus to another communications bus of the vehicle via a gateway (Ujiie, Paragraph [0209], see “The frame transmission prevention apparatus 2400 may be a gateway apparatus having a transfer function of connecting a plurality of buses to one another and forwarding a data frame received from one bus to another bus…the processing unit 2420 can perform, as the predetermined process of preventing transmission of a frame, a process of preventing forwarding of a frame”, where transmission is blocked based on the rule via a gateway).

	Regarding claim 14, Ujiie as modified by Kubota teaches The method of claim 1, wherein the at least one action upon application of the rule comprises blocking transmission of at least one message between ECUs communicatively coupled on the same communications bus (Ujiie, Paragraph [0067], see “Each of the ECUs can transmit and receive a frame via the bus 200 in accordance with the CAN protocol. One type of frame exchanged between the ECUs is a data frame”, where the ECUs are communicatively coupled on the same communications bus) (Ujiie, Paragraph [0068], see “The anomaly detection ECU 400 is a kind of ECU that functions as a frame transmission prevention apparatus. The anomaly detection ECU 400 is connected to the bus 200. The anomaly detection ECU 400 has a function of monitoring data frames flowing on the bus 200 and, upon detecting a frame that meets a predetermined condition concerning a predetermined anomalous frame, performing a predetermined process to prevent transmission of the frame on the basis of predetermined management information…”, where at least one action upon application of the rule comprises blocking transmission (preventing transmission) of at least one message (data frame) between the ECUs).

	Regarding claim 15, Ujiie as modified by Kubota teaches The method of claim 14, wherein the transmission of at least one message between ECUs is blocked by sending a sequence of bit zeros on the bus, such that a different value than the at least one message is established on the bus, causing a receiving ECU to disregard the at least one message due to a discrepancy in a checksum of the message (Ujiie, Paragraph [0003], see “If the format of a received data frame is anomalous, the receiving node transmits a frame called an error frame. An error frame consists of 6 consecutive dominant bits transmitted and is used to notify the transmitting node and the other receiving node of the occurrence of anomaly of the data frame”, where “6 consecutive dominant bits” is being read as a sequence of bit zeros) (Ujiie, Paragraph [0209], see “When the content of the frame on the bus 200 is altered by the dominant signals and, thus, a reception error, such as a CRC error, or the like occurs, it can be prevented that the ECU of the receiving node processes the frame in the same manner as a normal frame”, where “CRC error” is being read as causing a receiving ECU to disregard the at least one message due to a discrepancy in a checksum of the message).

	Regarding claim 16, Ujiie teaches A computer system for generating rules for detecting and blocking attacks on electronics systems of a vehicle, the computer system comprising (Ujiie, Paragraph [0025], see “FIG. 14 is a diagram illustrating an example of a sequence of detecting and preventing transmission of an anomalous frame by the anomaly detection ECU according to the first embodiment”, where “detecting and preventing transmission” is being read as detecting and blocking attacks and where “a sequence…” is being read as comprising a set of rules for detecting and blocking the attacks):
	a hardware processor configured to:
		receive log data having a plurality of messages that have been intercepted on at least one communications bus between a plurality of electronic control units (ECUs) of the vehicle (Ujiie, Paragraph [0068], see “The anomaly detection ECU 400 is a kind of ECU that functions as a frame transmission prevention apparatus. The anomaly detection ECU 400 is connected to the bus 200. The anomaly detection ECU 400 has a function of monitoring data frames flowing on the bus 200 and, upon detecting a data frame that meets a predetermined condition concerning a predetermined anomalous frame, performing a predetermined process to prevent transmission of the frame on the basis of predetermined management information”, where “monitoring data frames” is being read as receiving a plurality of messages that have been intercepted on at least one communications bus between a plurality of ECUs of the vehicle) (Ujiie, Paragraph [0126], see “The analysis unit 520 sends, to the signature processing unit 550, the received anomaly detection message and acquires the result of verification of the signature of the anomaly detection message…the analysis unit 520 analyzes the log information regarding the data frame detected as being anomalous, which is included in the analysis information serving as the anomaly detection message for which the signature verification is successful…An example of the log data obtained by monitoring the state of the vehicle is information such as the content of various data frames received from the bus 200 and the reception times thereof”, where “anomaly detection message” is being read as the plurality of messages that have been intercepted, where the “anomaly detection messages” includes the received log data and where “log data obtained is information such as the content of various data frame received from the bus 200” is being read as the plurality of messages being intercepted on at least one communications bus between the electronic units of the vehicle), wherein the plurality of messages have been intercepted during a period of time associated with a vehicle incident (Ujiie, Paragraph [0067], see “The engine ECU 100a is connected to an engine 310 and periodically transmits, to bus 200, a data frame indicating the state of the engine 310. The brake ECU 100b is connected to the brake 320 and periodically transmits, to the bus 200, a data frame indicating the state of a brake 320”, where “data frame” is being read as the plurality of messages that have been intercepted during a period of time (i.e., periodically)), 
		detect a computer attack based on analysis of the received log data (Ujiie, Paragraph [0005], see “The in-vehicle network system faces a threat to anomalous control over an ECU by an attacker who accesses the bus and transmits an attack frame, such as an anomalous frame”) (Ujiie, Paragraph [0214], see “the server 500 analyzes the log information and determines whether the data frame is an anomalous data frame that causes an anomaly in the in-vehicle network system 10, such as malfunction of the vehicle”, where “an anomaly in the in-vehicle network system 10” is being read as a computer attack);
		in response to detecting the computer attack, determine indicators of compromise including a subset of the plurality of messages used in the computer attack, and for each message, determining information on at least one ECU of the vehicle, the ECU being a recipient of the message (Ujiie, Paragraph [0053], see “the updating may include updating the first flag so that in the case where the first frame satisfies the first condition and the first flag corresponding to the first ID of the first frame indicates that prevention of transmission of the first frame is not permitted, and the prevention is permitted if the occurrence of anomaly is detected on the basis of a second frame having a second ID different from the first ID”, where “ID” is being read as indicators of compromise and where “first frame” and “second frame” are being read as a subset of the messages used in the computer attack) (Ujiie, Paragraph [0095], see “The data acquisition unit 170 acquires data indicating the states of the devices, sensors, and the like connected to the ECU and supplies the data to the frame generation unit 160”, where “data” is being read as messages and where “indicating the states of the devices, sensors, and the like connected to the ECU” is being read as for each message, information on at least one ECU of the vehicle which is the recipient of that message); and
		generate a rule for a protection module executing in a processor in the vehicle, based on the indicators of compromise, wherein the rule contains at least one condition for the application of the rule for detecting a subsequent computer attack on the vehicle, and at least one action upon application of the rule for blocking the subsequent computer attack on the vehicle (Ujiie, Paragraph [0126], see “If the analysis unit 520 determines that the data frame detected as being anomalous is an anomalous data frame that causes an anomaly, the analysis unit 520 generates FW for activating the transmission prevention function that prevents a similar data frame from being transmitted…The analysis unit 520 instructs the FW holding unit 530 to hold the generated FW. Note that the log information about the data frame detected as being anomalous, which is set in the analysis information by the anomaly detection ECU 400, may include the content of the data frame, the reception interval or the reception frequency of data frames having an ID the same as the ID of the data frame, and log data related to the state of the vehicle acquired by monitoring the state of the vehicle for a predetermined period of time after reception of the data frame…Note that the analysis unit 520 may analyze the log information about the data frame detected as being anomalous and identify one or more anomalous data frames that cause anomalies of the in-vehicle network system 10 (e.g., malfunction of the vehicle)…the analysis unit 520 generates FW for activating the transmission prevention function so that if a data frame similar to the data frame identified as an anomalous data frame that causes an anomaly is detected as being anomalous by the anomaly detection ECU 400, transmission of the data frame is prevented”, where “FW” is being read as firmware comprising a rule containing different conditions, where “520 generates FW for activating the transmission prevention function so that if a data frame similar to the data frame identified as an anomalous data frame is detected…transmission of the data frame is prevented” is being read as detecting a subsequent computer attack on the vehicle (i.e., by identifying a data frame similar to the data frame identified as an anomalous data frame), where “transmission of the data frame is prevented” is being read as an action upon application of the rule for blocking the subsequent computer attack on the vehicle and where “FW holding unit 530” is being read as a protection module that holds the generated rule).
	Ujiie does not teach the following limitation(s) as taught by Kubota: the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle.
	(Kubota, Paragraph [0176], see “a display control process when an event in which the behavior of the host vehicle M changes occurs in a state in which the image showing that the driving assistance of the second degree is being executed is displayed in the process of step S120…”, where “an event in which the behavior of the host vehicle M changes” is analogous to the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie, by implementing techniques for a vehicle control system, comprising of the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle, disclosed of Kubota.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle. This allows for the system to detect anomalies based on a change to a behavior of the vehicle and can make a determination that the vehicle is not associated with an incident when the behavior of the vehicle stays constant (Kubota, Paragraph [0176]). 

	Regarding claim 18, Ujiie as modified by Kubota teaches The computer system of claim 16, wherein the communications bus comprises at least one of a Controller Area Network (CAN) bus, a Local Interconnect Network (LIN), a Media Oriented Systems Transport (MOST) bus, a FlexRay bus, and an Ethernet bus (Ujiie, Paragraph [0064], see “The in-vehicle network system 10 includes a plurality of ECUs each performing communication according to the CAN protocol…”, where “CAN protocol” is being read as the communications bus comprising a Controller Area Network (CAN) bus), wherein messages sent on the communications bus are broadcasted to all of the ECUs communicatively coupled to the communications bus (Ujiie, Paragraph [0132], see “Note that transmission of the data frame to the bus 200 is broadcast transmission that enables all of the ECUs connected to the bus 200 to receive the data frame”).

	Regarding claim 20, Ujiie teaches A non-transitory computer readable medium comprising computer executable instructions for generating rules for detecting and blocking attacks on electronics systems of a vehicle, including instructions for (Ujiie, Paragraph [0025], see “FIG. 14 is a diagram illustrating an example of a sequence of detecting and preventing transmission of an anomalous frame by the anomaly detection ECU according to the first embodiment”, where “detecting and preventing transmission” is being read as detecting and blocking attacks and where “a sequence…” is being read as comprising a set of rules for detecting and blocking the attacks) (Ujiie, Paragraph [0224], see “a computer-readable recording medium that stores the computer program or the digital signal may be provided”):
	receiving log data having a plurality of messages that have been intercepted on at least one communications bus between a plurality of electronic control units (ECUs) of the vehicle (Ujiie, Paragraph [0068], see “The anomaly detection ECU 400 is a kind of ECU that functions as a frame transmission prevention apparatus. The anomaly detection ECU 400 is connected to the bus 200. The anomaly detection ECU 400 has a function of monitoring data frames flowing on the bus 200 and, upon detecting a data frame that meets a predetermined condition concerning a predetermined anomalous frame, performing a predetermined process to prevent transmission of the frame on the basis of predetermined management information”, where “monitoring data frames” is being read as receiving a plurality of messages that have been intercepted on at least one communications bus between a plurality of ECUs of the vehicle) (Ujiie, Paragraph [0126], see “The analysis unit 520 sends, to the signature processing unit 550, the received anomaly detection message and acquires the result of verification of the signature of the anomaly detection message…the analysis unit 520 analyzes the log information regarding the data frame detected as being anomalous, which is included in the analysis information serving as the anomaly detection message for which the signature verification is successful…An example of the log data obtained by monitoring the state of the vehicle is information such as the content of various data frames received from the bus 200 and the reception times thereof”, where “anomaly detection message” is being read as the plurality of messages that have been intercepted, where the “anomaly detection messages” includes the received log data and where “log data obtained is information such as the content of various data frame received from the bus 200” is being read as the plurality of messages being intercepted on at least one communications bus between the electronic units of the vehicle), wherein the plurality of messages have been intercepted during a period of time associated with a vehicle incident (Ujiie, Paragraph [0067], see “The engine ECU 100a is connected to an engine 310 and periodically transmits, to bus 200, a data frame indicating the state of the engine 310. The brake ECU 100b is connected to the brake 320 and periodically transmits, to the bus 200, a data frame indicating the state of a brake 320”, where “data frame” is being read as the plurality of messages that have been intercepted during a period of time (i.e., periodically)), 
	detecting a computer attack based on analysis of the received log data (Ujiie, Paragraph [0005], see “The in-vehicle network system faces a threat to anomalous control over an ECU by an attacker who accesses the bus and transmits an attack frame, such as an anomalous frame”) (Ujiie, Paragraph [0214], see “the server 500 analyzes the log information and determines whether the data frame is an anomalous data frame that causes an anomaly in the in-vehicle network system 10, such as malfunction of the vehicle”, where “an anomaly in the in-vehicle network system 10” is being read as a computer attack);
	in response to detecting the computer attack, determining indicators of compromise including a subset of the plurality of messages used in the computer attack, and for each message, determining information on at least one ECU of the vehicle, the ECU being a recipient of the message (Ujiie, Paragraph [0053], see “the updating may include updating the first flag so that in the case where the first frame satisfies the first condition and the first flag corresponding to the first ID of the first frame indicates that prevention of transmission of the first frame is not permitted, and the prevention is permitted if the occurrence of anomaly is detected on the basis of a second frame having a second ID different from the first ID”, where “ID” is being read as indicators of compromise and where “first frame” and “second frame” are being read as a subset of the messages used in the computer attack) (Ujiie, Paragraph [0095], see “The data acquisition unit 170 acquires data indicating the states of the devices, sensors, and the like connected to the ECU and supplies the data to the frame generation unit 160”, where “data” is being read as messages and where “indicating the states of the devices, sensors, and the like connected to the ECU” is being read as for each message, information on at least one ECU of the vehicle which is the recipient of that message); and
	generating a rule for a protection module executing in a processor in the vehicle, based on the indicators of compromise, wherein the rule contains at least one condition for the application of the rule for detecting a subsequent computer attack on the vehicle, and at least one action upon application of the rule for blocking the subsequent computer attack on the vehicle (Ujiie, Paragraph [0126], see “If the analysis unit 520 determines that the data frame detected as being anomalous is an anomalous data frame that causes an anomaly, the analysis unit 520 generates FW for activating the transmission prevention function that prevents a similar data frame from being transmitted…The analysis unit 520 instructs the FW holding unit 530 to hold the generated FW. Note that the log information about the data frame detected as being anomalous, which is set in the analysis information by the anomaly detection ECU 400, may include the content of the data frame, the reception interval or the reception frequency of data frames having an ID the same as the ID of the data frame, and log data related to the state of the vehicle acquired by monitoring the state of the vehicle for a predetermined period of time after reception of the data frame…Note that the analysis unit 520 may analyze the log information about the data frame detected as being anomalous and identify one or more anomalous data frames that cause anomalies of the in-vehicle network system 10 (e.g., malfunction of the vehicle)…the analysis unit 520 generates FW for activating the transmission prevention function so that if a data frame similar to the data frame identified as an anomalous data frame that causes an anomaly is detected as being anomalous by the anomaly detection ECU 400, transmission of the data frame is prevented”, where “FW” is being read as firmware comprising a rule containing different conditions, where “520 generates FW for activating the transmission prevention function so that if a data frame similar to the data frame identified as an anomalous data frame is detected…transmission of the data frame is prevented” is being read as detecting a subsequent computer attack on the vehicle (i.e., by identifying a data frame similar to the data frame identified as an anomalous data frame), where “transmission of the data frame is prevented” is being read as an action upon application of the rule for blocking the subsequent computer attack on the vehicle and where “FW holding unit 530” is being read as a protection module that holds the generated rule).
	Ujiie does not teach the following limitation(s) as taught by Kubota: the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle.
	(Kubota, Paragraph [0176], see “a display control process when an event in which the behavior of the host vehicle M changes occurs in a state in which the image showing that the driving assistance of the second degree is being executed is displayed in the process of step S120…”, where “an event in which the behavior of the host vehicle M changes” is analogous to the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie, by implementing techniques for a vehicle control system, comprising of the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle, disclosed of Kubota.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the vehicle incident being an undesirable event resulting in a change to a behavior of the vehicle. This allows for the system to detect anomalies based on a change to a behavior of the vehicle and can make a determination that the vehicle is not associated with an incident when the behavior of the vehicle stays constant (Kubota, Paragraph [0176]). 


7. 	Claims 3-4 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of Duri et al. (U.S. PGPub. 2008/0307491), hereinafter Duri.

	Regarding claim 3, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Duri: The method of claim 1, wherein log data is received from the protection module executing in the processor in the vehicle.
	(Duri, Paragraph [0010], see “wherein the data protection manager includes: a system for receiving data requests for sensor data from a plurality of applications; a system for authenticating an application anytime a data request is made from the application; a system for storing each data request in a data log…”, where “data protection manager” is analogous to a protection module executing in the processor in the vehicle).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for enforcement of privacy policy and protection of confidentiality, comprising of the log data being received from the protection module, disclosed of Duri. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the log data being received from the protection module. This allows for the method to monitor across systems to evaluate log events and patterns in log data in order to identify performance or configuration issues (Duri, Paragraph [0010]). 

Regarding claim 4, Ujiie as modified by Kubota does not teach the following limitation(s) as taught by Duri: The method of claim 1, wherein the vehicle incident comprises an occurrence of a road traffic accident with the vehicle.
(Duri, Paragraph [0031], see “These applications are enabled by the collection and use of data which may include information on the location of a vehicle as a function of time, emergency situations including accidents and personal health emergencies, diagnostic data on the many systems within the vehicle…”, where “emergency situations including accidents” is analogous to the vehicle incident comprising an occurrence of a road traffic accident with the vehicle).
 Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for enforcement of privacy policy and protection of confidentiality, comprising of the vehicle incident comprising an occurrence of a road traffic accident with the vehicle, disclosed of Duri.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the vehicle incident comprising an occurrence of a road traffic accident with the vehicle. This allows for the method to evaluate information about the causes of a road traffic accident with the vehicle in order to identify an attack on the vehicle prior to it occurring, as well as ultimately preventing it (Duri, Paragraph [0031]). 

	Regarding claim 17, Ujiie as modified by Kubota teaches The computer system of claim 16, wherein the log data further comprises information on at least one ECU which is the recipient of at least one of the intercepted messages (Ujiie, Paragraph [0097], see “FIG. 5 is a diagram illustrating an example of the reception ID list retained in each of the ECUs 100a to 100d…This example indicates that an ECU receives, from the bus 200, a data frame including any one of IDs”) (Ujiie, Paragraph [0100], see “The ID of the data frame transmitted from the door open/close sensor ECU 100c is “3””, where the “ID” indicates the recipient of the messages) (Ujiie, Paragraph [0126], see “the log information about the data frame detected as being anomalous, which is set in the analysis information by the anomaly detection ECU 400, may include the content of the data frame, the reception interval or the reception frequency of data frames having an ID the same as the ID of the data frame, and log data related to the state of the vehicle acquired by monitoring the state of the vehicle for a predetermined period of time after reception of the data frame”, where “the reception frequency of data frames having an ID the same as the ID of the data frame” is being read as the log data comprising information on at least one ECU which is the recipient of the intercepted message, due to the “ID” indicating a specific ECU), 
Ujiie as modified by Kubota does not teach the following limitation(s) as taught by Duri: wherein the vehicle incident comprises an occurrence of a road traffic accident with the vehicle. 
(Duri, Paragraph [0031], see “These applications are enabled by the collection and use of data which may include information on the location of a vehicle as a function of time, emergency situations including accidents and personal health emergencies, diagnostic data on the many systems within the vehicle…”, where “emergency situations including accidents” is analogous to the vehicle incident comprising an occurrence of a road traffic accident with the vehicle).
 Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for enforcement of privacy policy and protection of confidentiality, comprising of the vehicle incident comprising an occurrence of a road traffic accident with the vehicle, disclosed of Duri.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the vehicle incident comprising an occurrence of a road traffic accident with the vehicle. This allows for the method to evaluate information about the causes of a road traffic accident with the vehicle in order to identify an attack on the vehicle prior to it occurring, as well as ultimately preventing it (Duri, Paragraph [0031]).


8.	Claims 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of OE et al. (U.S. PGPub. 2019/0108752), hereinafter Oe.

	Regarding claim 6, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Oe: The method of claim 1, wherein the at least one condition of the rule specifies presence of a defined group of messages during a period of time associated with movement of the vehicle.
	(Oe, Paragraph [0063], see “the driving behavior detection unit 203 can calculate the average speed of the vehicle 5 during traveling based on an elapsed time while the vehicle 5 is traveling in one trip of the vehicle 5 and a moving distance while the vehicle 5 is traveling. At this time, the driving behavior detection unit 203 can ascertain the moving distance of the vehicle 5 using a detection value of an odometer, which can be included in the in-vehicle electronic equipment group 60, acquired by the vehicle information acquisition unit 202”, where the “vehicle information acquisition unit 202” specifies presence of a defined group of messages during a period of time associated with movement of the vehicle (i.e., through the odometer) and where “calculate the average speed of the vehicle 5…” is analogous to the presence of a defined group of messages, which is acquired during a period of time (based on an elapsed time) associated with movement of the vehicle (while the vehicle 5 is traveling…)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for a driving assistance device, comprising of specifying a presence of a defined group of messages during a period of time associated with movement of the vehicle, disclosed of Oe.   
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of specifying a presence of a defined group of messages during a period of time associated with movement of the vehicle. This allows for the system to identify the cause of the issue by associating a group of messages with the movement of the vehicle in order to evaluate indications of the vehicle being compromised (Oe, Paragraph [0063]). 

Regarding claim 7, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Oe: The method of claim 6, wherein the at least one condition of the rule further specifies that the information indicating the at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs.
(Oe, Paragraph [0095], see “the in-vehicle electronic equipment group 60 includes various sensors that output vehicle information, various actuators, various ECUs, and the like…the in-vehicle electronic equipment group 60 and the ECU 20 are connected to perform communication with each other directly or indirectly, for example, through an in-vehicle network, such as a CAN, and the in-vehicle electronic equipment group 60 outputs various signals corresponding to the vehicle information on a bus of the in-vehicle network. With this, ECU 20 (vehicle information acquisition unit 202) can acquire various signals corresponding to the vehicle information output on the bus of the in-vehicle network”, where “ECU 20” is being read as at least one recipient ECU that is a recipient of the messages that match a defined group of ECUs, due to the ECU acquiring various signals corresponding to the vehicle information output on the bus (intended recipient)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for a driving assistance device, comprising of specifying information indicating that at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs, disclosed of Oe. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of specifying information indicating that at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs. This allows for more advanced security within the system by making sure the intended recipient matches a defined group in order to further evaluate and identify potential attacks on the ECUs (Oe, Paragraph [0095]). 


9.	Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of Oe, in further view of Benhammou et al. (U.S. PGPub. 2018/0158329), hereinafter Benhammou.

Regarding claim 8, Ujiie as modified by Kubota and further modified by Oe do not teach the following limitation(s) as taught by Benhammou: The method of claim 6, wherein the at least one condition of the rule further specifies a state of movement of the vehicle, such that the rule is applied responsive to determining that the vehicle is in motion, and the rule is not applied responsive to determining that the vehicle is not moving.
	(Benhammou, Paragraph [0089], see “the device may determine that changes in traffic data being received from traffic signals indicates movement consistent with a moving vehicle…If the input data and traffic data yield a determination that the device is not being transported in a vehicle, no action is taken and the application may continue to monitor input data and traffic data. If a determination is made that the device is moving in a vehicle, programmed rules may be accessed and applied to the input data or traffic data 1203”, where “a determination that the device is not being transported in a vehicle, no action is taken…” is analogous to the rule not being applied responsive to determining that the vehicle is not moving and where “a determination is made that the device is moving in a vehicle, programmed rules may be accessed and applied…” is analogous to applying rules responsive to determining that the vehicle is in motion).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie, techniques disclosed of Kubota and techniques for a driving assistance device, comprising of specifying information indicating that at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs, disclosed of Oe, by implementing techniques for monitoring traffic data, comprising of only applying rules when a determination is made that the vehicle is in motion, disclosed of Benhammou. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of only applying rules when a determination is made that the vehicle is in motion. This allows for a more effective and efficient method of generating rules for blocking a computer attack on a vehicle by applying the rules after a determination is made (Benhammou, Paragraph [0089]). 

Regarding claim 19, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Oe: The computer system of claim 16, wherein the at least one condition of the rule specifies presence of a defined group of messages during a period of time associated with movement of the vehicle,
wherein the at least one condition of the rule further specifies that the information indicating the at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs

(Oe, Paragraph [0063], see “the driving behavior detection unit 203 can calculate the average speed of the vehicle 5 during traveling based on an elapsed time while the vehicle 5 is traveling in one trip of the vehicle 5 and a moving distance while the vehicle 5 is traveling. At this time, the driving behavior detection unit 203 can ascertain the moving distance of the vehicle 5 using a detection value of an odometer, which can be included in the in-vehicle electronic equipment group 60, acquired by the vehicle information acquisition unit 202”, where the “vehicle information acquisition unit 202” specifies presence of a defined group of messages during a period of time associated with movement of the vehicle (i.e., through the odometer) and where “calculate the average speed of the vehicle 5…” is analogous to the presence of a defined group of messages, which is acquired during a period of time (based on an elapsed time) associated with movement of the vehicle (while the vehicle 5 is traveling…)) (Oe, Paragraph [0095], see “the in-vehicle electronic equipment group 60 includes various sensors that output vehicle information, various actuators, various ECUs, and the like…the in-vehicle electronic equipment group 60 and the ECU 20 are connected to perform communication with each other directly or indirectly, for example, through an in-vehicle network, such as a CAN, and the in-vehicle electronic equipment group 60 outputs various signals corresponding to the vehicle information on a bus of the in-vehicle network. With this, ECU 20 (vehicle information acquisition unit 202) can acquire various signals corresponding to the vehicle information output on the bus of the in-vehicle network”, where “ECU 20” is being read as at least one recipient ECU that is a recipient of the messages that match a defined group of ECUs, due to the ECU acquiring various signals corresponding to the vehicle information output on the bus (intended recipient)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for a driving assistance device, comprising of specifying a presence of a defined group of messages during a period of time associated with movement of the vehicle and comprising of specifying information indicating that at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs, disclosed of Oe. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of specifying a presence of a defined group of messages during a period of time associated with movement of the vehicle and comprising of specifying information indicating that at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs. This allows for more advanced security within the system by making sure the intended recipient matches a defined group in order to further evaluate and identify potential attacks on the ECUs (Oe, Paragraph [0095]). 
Ujiie as modified by Kubota and further modified by Oe do not teach the following limitation(s) as taught by Benhammou: wherein the at least one condition of the rule further specifies a state of movement of the vehicle, such that the rule is applied responsive to determining that the vehicle is in motion, and the rule is not applied responsive to determining that the vehicle is not moving.
	(Benhammou, Paragraph [0089], see “the device may determine that changes in traffic data being received from traffic signals indicates movement consistent with a moving vehicle…If the input data and traffic data yield a determination that the device is not being transported in a vehicle, no action is taken and the application may continue to monitor input data and traffic data. If a determination is made that the device is moving in a vehicle, programmed rules may be accessed and applied to the input data or traffic data 1203”, where “a determination that the device is not being transported in a vehicle, no action is taken…” is analogous to the rule not being applied responsive to determining that the vehicle is not moving and where “a determination is made that the device is moving in a vehicle, programmed rules may be accessed and applied…” is analogous to applying rules responsive to determining that the vehicle is in motion).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie, techniques disclosed of Kubota and techniques for a driving assistance device, comprising of specifying information indicating that at least one recipient ECU that is a recipient of the messages matches a defined group of ECUs, disclosed of Oe, by implementing techniques for monitoring traffic data, comprising of only applying rules when a determination is made that the vehicle is in motion, disclosed of Benhammou. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of only applying rules when a determination is made that the vehicle is in motion. This allows for a more effective and efficient method of generating rules for blocking a computer attack on a vehicle by applying the rules after a determination is made (Benhammou, Paragraph [0089]).


10.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of KISHIKAWA et al. (U.S. PGPub. 2019/0140778), hereinafter Kishikawa. 

	Regarding claim 10, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Kishikawa: The method of claim 1, wherein the at least one condition of the rule further specifies the presence of a defined group of messages arranged in a defined order and were intercepted during a defined interval of time. 
	(Kishikawa, Paragraph [0201], see “if there are three or more data frames that conform to both the reception interval rule and data variation rule, the group setting unit 140 may select, as data frames used as the references, two out of the three data frames, randomly, in order of reception, or on the basis of the difference between data values”, where “conform to both the reception interval rule…” is analogous to specifying the presence of a defined group of messages that were intercepted during a defined interval of time, where “in order of reception” is analogous to specifying the presence of a defined group of messages arranged in a defined order, and where “three or more data frames…” is analogous to a defined group of messages). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for information processing, comprising of specifying the presence of a defined group of messages arranged in a defined order and were intercepted during a defined interval of time, disclosed of Kishikawa.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of specifying the presence of a defined group of messages arranged in a defined order and were intercepted during a defined interval of time. This allows for the system to identify the cause of the issue by associating a predefined group of messages arranged in a defined order that were intercepted during a defined interval of time in order to evaluate indications of the vehicle being compromised (Kishikawa, Paragraph [0201]).  


11.	Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of MORITA et al. (U.S. PGPub. 2016/0219051), hereinafter Morita.

	Regarding claim 11, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Morita: The method of claim 1, wherein the at least one action upon application of the rule comprises transmitting to at least one ECU a message containing a command to disconnect the at least one ECU that is on a list of ECUs of auxiliary electronic systems of the vehicle.
	(Morita, Paragraph [0119], see “it may be configured to ask a user (a driver of the vehicle) whether or not to disconnect communication with an ECU that is determined to be illegal, and to maintain the communication with the ECU that is determined to be illegal depending on an instruction of the user”, where “ask a user…whether or not to disconnect communication with an ECU” is analogous to transmitting a message containing a command to disconnect the at least one ECU).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for a relay apparatus, comprising of transmitting a message containing a command to disconnect at least one ECU, disclosed of Morita.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of transmitting a message containing a command to disconnect at least one ECU. This allows for a more user-friendly interface for disconnecting an ECU when it is identified as being compromised by sending a message containing a command to disconnect the at least one ECU (Morita, Paragraph [0119]). 


12.	Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of HAGA et al. (U.S. PGPub. 2016/0297401), hereinafter Haga.

	Regarding claim 12, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Haga: The method of claim 1, wherein the at least one action upon application of the rule comprises transmitting to at least one ECU a message containing a command to enable a safety mode for the at least one ECU that is on a list of ECUs of primary electronic systems of the vehicle.
	(Haga, Paragraph [0249], see “The fraud-sensing ECU 4100a further determines whether or not a mode change to put the vehicle into the safe state is “enabled”, in accordance with the security action 625 corresponding to the message ID “4” in the security condition table 620 (step S4026). If it is “enabled”, the security processing unit 4130 of the fraud-sensing ECU 4100a issues a mode change instruction to the mode change processing unit 4170 to put the vehicle into the safe state”, where a message is transmitted to the ECU containing a command (instruction) to enable a safety mode for the at least one ECU).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for handling transmission of fraudulent frames within in-vehicle network, comprising of transmitting a message containing a command to enable a safety mode to a respective ECU, disclosed of Haga.   
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of transmitting a message containing a command to enable a safety mode to a respective ECU. This allows for a more user-friendly interface for enabling a safety mode on a respective ECU when it is identified as being compromised by sending a message containing a command to disconnect the at least one ECU (Haga, Paragraph [0249]). 


13.	Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Ujiie, in view of Kubota, in further view of Xie et al. (U.S. Patent 10,129,288), hereinafter Xie.

	Regarding claim 21, Ujiie as modified by Kubota do not teach the following limitation(s) as taught by Xie: The method of claim 1, wherein the subset of the messages include at least one of:
	an antivirus record, an IP address, a check sums of files, a URL address, and a domain names of a botnet command center.
	(Xie, Column 2, Lines 3 – 5, see “The system performs comprehensive IP address analysis to derive information about botnet hosts, attack proxies, and dedicated attack hosts, all from input event logs”, where “input event logs” is analogous to comprising the subset of the messages, wherein the input event logs include an IP address of a botnet command center).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for frame transmission prevention, disclosed of Ujiie and techniques disclosed of Kubota, by implementing techniques for using IP address data to detect malicious activities, comprising of the subset of the messages including an IP address of a botnet command center, disclosed of Xie. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques of generating rules for blocking a computer attack on a vehicle, comprising of the subset of the messages including an IP address of a botnet command center. This allows for the system to make an accurate detection and perform subsequent remedy strategies to overcome the computer attack on a vehicle (Xie, Column 2, Lines 3 – 5). 


Conclusion
14.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433       

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433