PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/203,411
Filing Date: 28 Nov 2018
Appellant(s): Hertenstein, Jake, Daniel



__________________
Jason L. Moore
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 02/12/2021.

(1) Grounds of Rejection to be reviewed on Appeal
Every ground of rejection set forth in the Office action dated 09/17/2020 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
Place holders
Functions
Claims
A network interface 
receive
1
A network interface
 receive
8
A trusted computing device
Monitor, generate
9


Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1,4,5 and 8-9, and 11-20 are rejected under 35 U.S.C. 103 as being un-patentable over Robinson et al (US-Patent 9,195,806) hereinafter “Robinson”  ” in view of McCorkendale et al (US PG-Pubs  20040153644) hereinafter “McCorkendale”;
As per claim 1 Robinson discloses a system to perform software load verification, the system comprising: 

Col 1 line “60-65 “A second microprocessor is coupled to the first microprocessor through a communications link over which encrypted communications are transmitted. This second microprocessor is coupled to a flash memory for storing data to configure the target microprocessor with the configuration settings and the application image“;
Col 8 line 61-65” To implement this process, the security engineer for the application being managed by the security server 10 configures various security aspects for the security subsystems of the target microprocessor which are to be loaded by the security subsystems at power up of the target device. The security engineer also enters the operational security policy for the target device, and may optionally generate a configuration image for use to update the security subsystem of target devices already in the field.”
See also col 5 line 25-32
A network interface configured to receive load verification data and a cryptographic signature from a software update target device:
This element is interpreted under 35 U.S.C. 112(f) as the network interface in system 180 of fig. 1. That exchange data with server.
Robinson discloses a network interface of fig. 1 that exchange data between the secure microprocessor 1000 and secure server 10. Exchanging data (code image, authentication, and operational data). In an authenticated way (data and associated signature (cryptographic way)).

Examiner interpretation.
Col 5 line 59-67” An additional feature of the system is that the security server 10 can also receive cryptographically protected information from the secure microprocessor 1000. This information 30 consists of cryptographically protected logs and/or operational data. The logs 32 include tamper and user logs 32, discussed in more detail below. The operational data 35 can consist of any type of data which is desired to be communicated from the secure microprocessor 1000 back to the security server 10. There are multiple methods for communicating The bidirectional arrow 38 designates that this information can flow back and forth between the server 10 and the microprocessor 1000”;
 Wherein the load verification data is descriptive of particular load events occurring during loading software at the software update target device:
Col 6 line 4-12” Circuits within the secure microprocessor 1000 monitor its operating environment and its functions and interfaces. Depending on the user-defined configuration of the `event mask register, ` events will be captured by the secure microprocessor. Then, based on their criticality, events can be associated with programmable response sequences, for example, a software `interrupt`, a memory `flush`, a `permanently disable` the secure microprocessor”;
Col 5 line 59-67” An additional feature of the system is that the security server 10 can also receive cryptographically protected information from the secure microprocessor 1000. This information 30 consists of cryptographically protected logs and/or operational data. The logs 32 include tamper and user logs 32, discussed in more detail below. The operational data 35 can consist of any type of data which is desired to be communicated from the secure microprocessor 1000 back to the security server 10. There are multiple methods for communicating the logs and data to and from the security server and the security subsystem of the microprocessor. The bidirectional arrow 38 designates that this information can flow back and forth between the server 10 and the microprocessor 1000”;

And a processor configured to: 
Authenticate that the load verification data is received from the software update target device based on the cryptographic signature:
Col 11 line 55-65 “The server protects the data and sends it to the fielded target device so it can be loaded into the security subsystem of the target device 1000. Data flow in the opposite direction is handled by the individual having access privileges to receive data from the fielded target device. That individual submits the cryptographically protected data to the security server 10, which then decrypts and authenticates the data. As with other aspects of server 10, the use of server specific key material binds the data the security server. The use of device specific material binds the data to a particular one or set of fielded security subsystems. The use of an 

Responsive to authenticating that the load verification data is received from the software update target device, performing a comparison of the particular load events and the expected load events:
Col 1 line 58-67 “It also provides a comparator feature to assure that the data programmed into the secure microprocessor is as intended. A second microprocessor is coupled to the first microprocessor through a communications link over which encrypted communications are transmitted. This second microprocessor is coupled to a flash memory for storing data to configure the target microprocessor with the configuration settings and the application image. A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.


But not explicitly: 
And perform a response action based on results of the comparison: McCorkendale discloses:
And perform a response action based on results of the comparison:
[0061] the execution authority client module 616 uses the I/O module 610 to contact the execution authority 118 and obtain the status information. The client module reports this information to the gatekeeper module 612, which then determines whether to allow the software to execute. The execution authority client module 616 can also send the software to the execution authority 118 and/or analysis authority 120 if requested to do so.

See also [0068].9

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, 
McCorkendale to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3).

As per claim 4, the rejection of claim 1 is incorporated and furthermore Robinson discloses:
wherein the memory is further configured to store first configuration data indicating an expected configuration of the software update target device, wherein the load verification data includes second configuration data indicating configuration of the software update target device prior to loading of the software, wherein the processor is configured to perform a second comparison of the first configuration data and the second configuration data:
Col 2 line 1-5 “A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.

wherein the first configuration data is distinct from the load verification data, wherein the second configuration data is distinct from the first data:
Col 2 line 1-5 “A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.
receive cryptographically protected information from the secure microprocessor 1000. This information 30 consists of cryptographically protected logs and/or operational data. The logs 32 include tamper and user logs 32, discussed in more detail below. The operational data 35 can consist of any type of data which is desired to be communicated from the secure microprocessor 1000 back to the security server 10. There are multiple methods for communicating the logs and data to and from the security server and the security subsystem of the microprocessor. The bidirectional arrow 38 designates that this information can flow back and forth between the server 10 and the microprocessor 1000”;

Examiner interpretation:
 Intended configuration is first configuration, actually programmed into the target device is second configuration and load verification data is a log (30/32) of data/configuration received from target device 1000.


 And wherein the response action is further based on results of the second comparison
Col 3 line 36-44 “In response to an event, the secure microprocessor can provide a log of tamper incidents back to the security server for further analysis. The security server is the tool used by a security engineer to define the desired response sequences from the individual responses supported by the secure microprocessor, create the event response associations in a table used operationally by the secure microprocessor, and review encrypted security logs created by the secure microprocessor”.  
  
As per claim 5 the system of claim 4, is incorporated and furthermore Robinson discloses:
 Wherein the processor is further configured to, responsive to determining that the particular load events match the expected load events,:
Col 2 line 1-5 “A verification portion of the second microprocessor compares the configuration settings and 

Update the first configuration data based on the load verification data:
Col 20 line 1-7 “When storing data, e.g. target configuration data to non-volatile memory 162, a two-step process is performed. Specifically, the data is first stored to the non-volatile memory 162, and then it is verified. FIG. 14 illustrates the security server's storing operation, that is, the storing of target configuration data into non-volatile memory 162. The operation begins with receiving information and associated target device configuration settings from the Client 200”.
Col line 31-36 “FIG. 15 illustrates the security server's verification operation, e.g. the verification of a target configuration data previously stored in non-volatile memory 162. This operation ensures that data, Such as target device configuration settings, provided by the Client were correctly processed and stored into non-volatile memory 162.
Examiner interpretation: storage 162/300 store any configuration applied to the secure system, such as update, security, license and etc. this is an archive a new update are applied the storage is updated. 


As per claim 8, Robinson discloses an aircraft comprising: 
A network interface configured to receive, via a network from an off-board device, a software package that includes software;
This element is interpreted under 35 U.S.C. 112(f) as the network interface in system 180 of fig. 1. That exchange data with server.
Robinson discloses a network interface of fig. 1 that that exchange data between the secure microprocessor 1000 and secure server 10. Exchanging data (code image, authentication, and operational data). In an authenticated way (data and associated signature (cryptographic way))
Examiner interpretation:
Col 10 line 18-27” By using asymmetric server specific material, image creation can be limited to a particular group of 

 And a processor configured to: authenticate, based on a digital signature, that the software is received from the off-board device:
Col 21 line 15-26”The Security Engine 230 decrypts the message and generates its own HMAC (AH3) of the application image. The Security Engine 230 then reads the target device configuration data from non-volatile memory 300, generates an HMAC (DH5) from the data and validates it against the HMAC (DH2) stored with the data. If the HMACs are valid, the Security Engine encrypts the application image using information stored within the target device configuration data, generates an HMAC (IH1) of the resulting encrypted image and stores the encrypted image as well as its HMAC to nonvolatile memory 300.”

 And responsive to authenticating the software: perform particular load events to load the software:
Col 21 line 15-26” If the HMACs are valid, the Security Engine encrypts the application image using information stored within the target device configuration data, generates an HMAC (IH1) of the resulting encrypted image and stores the encrypted image as well as its HMAC to nonvolatile memory 300.”
Col 12 line 53-57”The server protects the data and sends it to the fielded target device so it can be loaded into the security subsystem of the target device 1000.

 Cause the network interface to send load verification data and a cryptographic signature to the off-board device,the load verification data indicating the particular load events:
1000. Data flow in the opposite direction is handled by the individual having access privileges to receive data from the fielded target device. That individual submits the cryptographically protected data to the security server 10, which then decrypts and authenticates the data….”
Col 5 line 58-65 “An additional feature of the system is that the security server 10 can also receive cryptographically protected information from the secure microprocessor 1000. This information 30 consists of cryptographically protected logs and/or operational data… “

But not explicitly:
Receive, via the network interface, a response message from the off- board device, the response message based on analysis of the load verification data and the cryptographic signature at the off-board device; and selectively execute the software based on the response message.
McCorkendale discloses:
Receive, via the network interface, a response message from the off- board device, the response message based on analysis of the load verification data and the cryptographic signature at the off-board device:
[0046]” malicious software detection module 512 looks up the statuses of signatures received from the client devices 122 in the database module 514 and reports the statuses back to the client devices 122. Accordingly, if a client device 122 requests to execute software marked as "deny" in the database module 514, the detection module 512 will report this status back to the client device 122, thereby preventing the software from being executed.
And selectively execute the software based on the response message:
[0069] Once the client device 122 determines the status of the software, it determines 718 the appropriate action to take in response to the attempt to execute the software. If the 

 It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of Robinson into teachings of
McCorkendale to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3).

As per claim 9 the rejection of claim 8 is incorporated and furthermore Robinson discloses:
A trusted computing device configured to: monitor operations performed by the processor during loading of the software; and generate a list of the particular load events based on the monitored operations:
This element is interpreted under 35 U.S.C. 112(f) as the device in system 182 in system 180 of fig. 1. That is trusted by the processor in executing specific data.
Robinson discloses a secure subsystem in microprocessor 1000 for creating a table resulted from loading/exacting software just downloaded into memory 15 of fig. 1 in association with algorithm defined in col 3 line 30-45.

Col 3 line 30- 44 “During runtime, the secure microprocessor monitors a large number of ‘events’ that may be indicative of attempts to compromise the owner's software or data, for example, an attempted access of a restricted address space. Such access can come from malware injected into a software image by an adversary. Events are assigned to different response sequences based on the criticality of the event, and 

 Wherein the load verification data is based on the list of the particular load events.  
Col 1 line 58-67 “A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.

As per claim 11 the rejection of claim 8 is incorporated and furthermore Robinson discloses:
Determining that the response message indicates that the particular load events do not match expected load events:
Col 22 line 60-65” Assuming the comparison is successful, the Client 200 is assured the application image written to the target device matches the application image provided by the Client 200 during the upload operation”.

In particular, the secure microprocessor 1000 as used in conjunction with the security server 10 of our system employs various techniques and algorithms to protect critical program information within it from attack. Of particular importance here is prevention of such attacks when the microprocessor is most Vulnerable, namely during device configuration and Software loading (“bootup').
Examiner interpretation: Not successful is the other option in comparison in Fig. 17 by client 200.
  

Prevent execution of the software based on the determination;
McCorkendale discloses:
Prevent execution of the software based on the determination;
[0061] the execution authority client module 616 uses the I/O module 610 to contact the execution authority 118 and obtain the status information. The client module reports this information to the gatekeeper module 612, which then determines whether to allow the software to execute. The execution authority client module 616 can also send the software to the execution authority 118 and/or analysis authority 120 if requested to do so.

[0069]”If the software is potentially malicious, i.e., its status is "deny execution," the client device 122 blocks execution 722 of the software. If the client device 122 cannot determine whether the software is potentially malicious, i.e., its status is "unknown," the client device 122 typically blocks execution of the software and optionally sends 724 a copy of the software to the analysis authority 120 for evaluation”.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of McCorkendale into teachings of Robinson to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3). The notion of exchanging messages to determine authenticity or to determine to execute such code image and execute only what was proper and validated is determined by Robinson and McCorkendale.

As per claim 12, the rejection of claim 8 is incorporated and furthermore Robinson discloses:
wherein the processor is further configured to, prior to loading the software, generate configuration data indicating configuration of the aircraft, wherein the load verification data includes the configuration data, wherein the response message is based on results of a comparison of the configuration data and second configuration data, the second configuration data indicating an expected configuration of the aircraft.
Col 1 line 58-67 “It also provides a comparator feature to assure that the data programmed into the secure microprocessor is as intended. A second microprocessor is coupled to the first microprocessor through a communications link over which encrypted communications are transmitted. This second microprocessor is coupled to a flash memory for storing data to configure the target microprocessor with the configuration settings and the application image. A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.


Claims 13, 17, are the method claims corresponding to system claim 1, 5, and rejected under the same rational as claims 1, 5 above.

As per claim 14, the system of claim 13 is incorporated and furthermore, Robinson discloses:
 Wherein, responsive to determining that the particular load events match the expected load events:
Col 22 line 60-65” Assuming the comparison is successful, the Client 200 is assured the application image written to the 200 during the upload operation”.

But not explicitly:

The response action includes sending an approval message to the software update target device:
McCorkendale discloses:

The response action includes sending an approval message to the software update target device:

[0061] the execution authority client module 616 uses the I/O module 610 to contact the execution authority 118 and obtain the status information. The client module reports this information to the gatekeeper module 612, which then determines whether to allow the software to execute. The execution authority client module 616 can also send the software to the execution authority 118 and/or analysis authority 120 if requested to do so.

[0069]”Once the client device 122 determines the status of the software, it determines 718 the appropriate action to take in response to the attempt to execute the software. If the software is not potentially malicious, i.e., its status is "allow execution," the client device 122 executes the software”.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of McCorkendale into teachings of Robinson to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3). The notion of exchanging McCorkendale.

As per claim 15, the rejection of claim 13 is incorporated and furthermore, Robinson discloses:
wherein responsive to determining that the particular load events do not match the expected load events:
Col 22 line 60-65” Assuming the comparison is successful, the Client 200 is assured the application image written to the target device matches the application image provided by the Client 200 during the upload operation”.

In particular, the secure microprocessor 1000 as used in conjunction with the security server 10 of our system employs various techniques and algorithms to protect critical program information within it from attack. Of particular importance here is prevention of such attacks when the microprocessor is most Vulnerable, namely during device configuration and Software loading (“bootup').
Examiner interpretation: Not successful is the other option in comparison in Fig. 17 by client 200.

But not explicitly:
The response action includes sending a disable message to the software update target device to prevent execution of the software at the software update target device:
McCorkendale discloses:

The response action includes sending a disable message to the software update target device to prevent execution of the software at the software update target device:
[0061] the execution authority client module 616 uses the I/O module 610 to contact the execution authority 118 and obtain the status information. The client module reports this 

[0069]”If the software is potentially malicious, i.e., its status is "deny execution," the client device 122 blocks execution 722 of the software. If the client device 122 cannot determine whether the software is potentially malicious, i.e., its status is "unknown," the client device 122 typically blocks execution of the software and optionally sends 724 a copy of the software to the analysis authority 120 for evaluation”.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of McCorkendale into teachings of Robinson to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3). The notion of exchanging messages to determine authenticity or to determine to execute such code image and execute only what was proper and validated is determined by Robinson and McCorkendale.

As per claim 16, the rejection of claim 13 is incorporated and furthermore Robinson discloses:
accessing, at the off-board device, first configuration data indicating an expected configuration of the software update target device; and performing, at the off-board device, a second comparison of the first configuration data and second 

Col 2 line 1-5 “A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.

wherein the response action is further based on results of the second comparison:
Col 3 line 36-44 “In response to an event, the secure microprocessor can provide a log of tamper incidents back to the security server for further analysis. The security server is the tool used by a security engineer to define the desired response sequences from the individual responses supported by the secure microprocessor, create the event response associations in a table used operationally by the secure microprocessor, and review encrypted security logs created by the secure microprocessor”.  


As per claim 18, the rejection of claim 13 is incorporated and furthermore Robinson discloses:
generating the load verification data at a trusted computing device of the software update target device:
Col 21 line 38-46“The Security Engine 230 encrypts its HMACs, AH3 and IH1, using a key it shares only with the Comparator 220 and places the ciphertext into shared on-chip memory. Similarly, the Verifier 240 encrypts its HMACs, AH4 and IH2, using a key it shares only with the Comparator 220 and places the ciphertext into shared on-chip memory. The Security Engine 230 also sends the encrypted image to the Web/CGI 210 and to the Comparator 220.”

As per claim 19, the rejection of claim 13 is incorporated and furthermore Robinson discloses:
Receiving a software package at the software update target device:
Col 21 line 9-13” The Web/CGI 210 sends separate, cryptographically protected messages containing the application image to the Security Engine 230 and Verifier 240 using keys shared by it and the two components respectively.”
 
And authenticating the software package based on a digital signature:
Col 21 line 15-25 “The Security Engine 230 decrypts the message and generates its own HMAC (AH3) of the application image. The Security Engine 230 then reads the target device configuration data from non-volatile memory 300, generates an HMAC (DH5) from the data and validates it against the HMAC (DH2) stored with the data. If the HMACs are valid, the Security Engine encrypts the application image using information stored within the target device configuration data, generates an HMAC (IH1) of the resulting encrypted image and stores the encrypted image as well as its HMAC to nonvolatile memory 300. 
 
 Wherein the particular load events are performed at the software update target device responsive to the authenticating the software package:
col21 line26-32’ The Verifier 240, in a similar fashion as the Security Engine 230, decrypts its message, generates its own HMAC (AH4) of the application image, reads the target device configuration data from non-volatile memory 300, generates an HMAC (DH6) and validates it against the HMAC (DH2) stored with the data and encrypts the application image.


As per claim 20, the rejection of claim 13 is incorporated and furthermore Robinson does not explicitly discloses:

 Wherein performing the response action at the off-board device includes sending the response message from the off-board device to the software update target device;
And selectively executing the software at the software update target device based on the response message.
McCorkendale discloses:
Receiving a response message at the software update target device from the off- board device:
[0010]” The execution authority (118) provides this information to the requesting client devices (122), which can then determine whether to allow or deny execution. In one embodiment, the status information is provided in part by the certifying authority (114)”;

 Wherein performing the response action at the off-board device includes sending the response message from the off-board device to the software update target device:
[00032]” For example, in one embodiment, the execution authority 118 notifies the analysis authority 120 when the execution authority detects a possible software worm. In response, the analysis authority 120 receives a copy of the software and analyzes it to determine whether the software is malicious. In one embodiment the analysis is performed by Digital Immune System software available from Symantec Corp. of Cupertino, Calif. The analysis authority 120 reports the results of the analysis to the execution authority 118, and the latter authority relays this information to the client devices 122.

And selectively executing the software at the software update target device based on the response message:


It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of McCorkendale into teachings of Robinson to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3). The notion of exchanging messages to determine authenticity or to determine to execute such code image and execute only what was proper and validated is determined by Robinson and McCorkendale.

Claims 2, 3, 6 and 10  are rejected under 35 U.S.C. 103 as being un-patentable over Robinson et al (US-Patent 9,195,806) hereinafter “Robinson”  ” in view of .

As per claim 2, the system of claim 1 is incorporated and furthermore, Robinson does not discloses:
wherein the load verification data includes times data identifying a time difference corresponding to a first load event of the particular load events and a second load event of the particular load events.
SUGIMOTO discloses:
wherein the load verification data includes times data identifying a time difference corresponding to a first load event of the particular load events and a second load event of the particular load events.
[0059] Furthermore, the verification unit 7 verifies whether or not a difference between each of the system times T1 to Tn stored in the plurality of check files FILE1.dat to FILEn.dat and other closest system time is smaller than a first threshold value di (third verification processing)”;

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of SUGIMOTO into teachings of Robinson to alter the system to return to the normal mode, and prevents the software 
As per claim 3, the rejection of claim 1 is incorporated and furthermore, Robinson does not disclose:
. wherein the first data identifies an expected time difference corresponding to a first expected load event of the expected load events and a second expected load event of the expected load events; wherein the first load event corresponds to the first expected load event wherein the second load event corresponds to the second expected load event, and wherein performing the comparison of the particular load events and the expected load events comprises comparing the time difference and the expected time difference:
SUGIMOTO discloses:
 wherein the first data identifies an expected time difference corresponding to a first expected load event of the expected load events and a second expected load event of the expected load events;
[0047] In this case, a time interval from the system time T1 to Tn can be known in advance by actual measurement. For example, the time interval is approximately 30 seconds. Further, the same is true of the time interval from the system time T1 to Tn. For example, the time interval is approximately one second to several seconds. The time interval from the system time T1 to Tn usually varies depending on the time needed for the inherent processing of each process.
Examiner interpretation:

 wherein the first load event corresponds to the first expected load event wherein the second load event corresponds to the second expected load event:
[0036] …. The generating unit 3 includes the plurality of processes 31 (P1 to Pn). The generating processing is performed by the plurality of processes 31. That is, the generating processing in the update processing of the software, i.e., the program, is divided into the plurality of processes 31 to be performed. Each of the divided generating processing includes, for example, obtaining an update file 41, generating a check file 42, calling the software update interface unit 25 and the like. The divided generating processing which each of the processes 31 should perform is specified (allocated) in advance. Each of the processes 31 performs one or a plurality of the divided generating processing which is allocated to itself in advance. 
and wherein performing the comparison of the particular load events and the expected load events comprises comparing the time difference and the expected time difference:
[0059] Furthermore, the verification unit 7 verifies whether or not a difference between each of the system times T1 to Tn stored in the plurality of check files FILE1.dat to FILEn.dat and other closest system time is smaller than a first threshold value di (third verification processing). For example, it is possible to verify whether or not the difference is smaller than the threshold value di by calculation of T(i+1)-Ti. The same is true of all of the system times. The difference T(i+1)-Ti corresponds to the time period from when a certain check file FILEi.dat is generated until a next check file FILE(i+1).dat is generated.




As per claim 6, the rejection of claim 1 is incorporated and furthermore Robinson discloses:
wherein the particular load events include the software update target device performing a data write operation to a particular type of device during the loading of the software, the software update target device initiating a boot process during the loading of the software, the software update target device generating a signature during the loading of the software, the software update target device detecting an error during the loading of the software, or a combination thereof.
SUGIMOTO discloses:
include the software update target device performing a data write operation to a particular type of device during the loading of the software:
[0037]As shown in FIG. 2, a process P1 performs obtaining the update file 41 and generating the check file 42. The process P1 can perform only one of the processing. For example, the process P1 can perform only obtaining the update file 41.
1 requests the system time obtaining unit 21 which is the API of the OS 2 and receives a system time T1 from the system time obtaining unit 21 as a response. The system time is obtained from a timer 11 of the CPU 1. The process P1 requests the system time conversion unit 33 of the application 3′ and receives a conversion result F1 (T1) from the system time conversion unit 33 as a response. The process P1 generates and stores the check file 42(FILE1.dat) for storing the conversion result F1 (T1). The check file 42 is stored in the memory unit 4 and is used (verified) by the verification unit 7 as described later.
the software update target device generating a signature during the loading of the software:
[0040] “In this case, the system time conversion unit 33 includes a conversion algorithm F1 (not shown in the figures) for converting the system time into a byte sequence in a one-to-one conversion. This conversion can prevent illegal (malicious) software update more effectively than by storing the system time directly into the check file 42. Different conversion algorithms can be used depending on each of the processes 31. In this case, the illegal software update can be practically impossible”;
 the software update target device detecting an error during the loading of the software, or a combination thereof.
[0073] “the manager 6 verifies whether or not a sequence of the software update is correct by using the verification unit 7 (step S62) and checks whether or not the verification result obtained from the verification unit 7 is valid (step S63). If the verification result is valid, the manager 6 calls the software update unit 26, applies the update file 41 to the program (step S64), and restarts the OS 2 in the normal mode (step S65). If the verification result is not valid (if the verification result is invalid), the manager 6 omits step S64 and performs step S65.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, 
As per claim 10 the rejection of claim 8 is incorporated and furthermore Robinson discloses:
Wherein the load verification data identifies an ordered list of the particular load event.
SUGIMOTO discloses:
Wherein the load verification data identifies an ordered list of the particular load event:
[0058]”Further, the verification unit 7 verifies whether or not the system times T1 to Tn stored in each of the plurality of check files FILE1.dat to FILEn.dat include one time-series (second verification processing). As described above, since the processes P1 to Pn generate the check files FILE1.dat to FILEn.dat in this order, the system times Ti to Tn include the time-series, T1< . . . <Ti< . . . <Tn, (the T1 is the earliest time and the Tn is the latest time) without fail. The verification unit 7 validates the verification result if the system times T1 to Tn include the time-series”;

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of SUGIMOTO into teachings of Robinson to alter the system to return to the normal mode, and prevents the software .

Claims 7 are rejected under 35 U.S.C. 103 as being un-patentable over Robinson et al (US-Patent 9,195,806) hereinafter “Robinson”  ” in view of McCorkendale et al (US PG-Pubs  20040153644) hereinafter “McCorkendale” and  Kimberly  et al (US PG-Pubs  2014/0337630) hereinafter “Kimberly;
As per claim 7, the rejection of claim 1 is incorporated and furthermore Robinson does not explicitly discloses:
Wherein the software update target device is integrated into an aircraft.
Kimberly discloses:
Wherein the software update target device is integrated into an aircraft.
Kimberly [0033]” aircraft 102 may be any appropriate type of aircraft. For example, without limitation, aircraft 102 may be a commercial or private passenger aircraft, a cargo aircraft, a military or other government aircraft, or any other aircraft configured for any appropriate purpose or mission. Aircraft 102 may be a fixed wing, rotary wing, or lighter than air aircraft. Aircraft 102 may be a manned aircraft or an unmanned air vehicle.”	
Examiner interpretation:
 Fig. 1: Data provider provides software, other data and digital certificates to aircraft through a network interface between the aircraft and data providers.  A processor unit verifies the data for use on the aircraft using a selected number of the plurality of digital certificates.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate the teachings of Robinson into teachings of
 to update the firmware in a secure manner that allow only trusted source such as manufacturer of the processor to alter the configuration of the system. This will avoid vulnerability to attack by unauthorized persons and/or malware or even exploit vulnerabilities in system firmware. (Robinson col 3).
(2) Response to Argument
	A- Rejection of claims 1, 4, 5, 8, 9 and 11-20
Appellant’s argument:
Robinson describes a security server for programming configuration setting and application images. See Robinson, Abstract. The security server includes two secure microprocessors. See Robinson, Abstract. The first secure microprocessor receives configuration data from a target processor. See Robinson, Abstract. The second microprocessor verifies the configuration settings are correctly stored in the target microprocessor. See Robinson, Abstract. The cited portions of Robinson are silent regarding the security server receiving load verification data descriptive of particular load events (e.g., performing a data write to a particular type of device during the loading of software). Rather, Robinson describes configuration settings for use during operation of a microprocessor.
In rejecting claim 1, the Office cites to Col. 5,11. 59-67 as teaching load verification data that is descriptive of particular load events. See Office Action, page 9. While this section describes that a security server receives cryptographically protected information, the cited portions are silent regarding this cryptographically protected information including load events.
In rejecting claim 1, the Office cites to Col. 5,11. 59-67 as teaching load verification data that is descriptive of particular load events. See Office Action, page 9. While this section describes that a security server receives cryptographically protected information, the cited portions are silent regarding this cryptographically protected information including load events.

Examiner’s answer:
 The issue in the argument is that Robinson is silent in sending events logs occurred during loading of software. And the appellant’s points to Robinson abstract for the disclosure.

To more emphasize, because system are vulnerable to attacks specifically during loading of software [Robinson col 5 line 26-29:
“The cryptographically protected operational image 12 provided by the security server 10 usually will contain the configuration and application information needed to configure the security subsystem and the general purpose processing subsystem. This information enables the secure microprocessor to operate in its desired modes while executing the specified application software. In particular, the secure microprocessor 1000 as used in conjunction with the security server 10 of our system employs various techniques and algorithms to protect critical program information within it from attack. Of particular importance here is prevention of such attacks when the microprocessor is most vulnerable, namely during device configuration and software loading ("boot up")],

Robinson enables the secure microprocessor to execute as intended by verifying that what loaded to the secure microprocessor is the intended configuration and expected policies and software application. The security server 10 is used to diagnose or `fix` a manufactured secure microprocessor.
In order to verify secure microprocessor configuration, the server 10 receives logs occurred during secure microprocessor operation (setting and executing new configuration) to check for any vulnerable or undesirable event.
 The argument above acknowledges that the event are received by the server 10 but emphasizes that Robinson is silent on event occurred during loading of software.
 The specification of this application refer to load event as follow:
[0019] “In a particular aspect, the load events 143 include performing a memory operation, initiating a process, or both. The load events 143 include, for example, the processor 186 initiating a boot process, generating a signature, detecting an error, or a combination thereof”;
 
 In order to configure the target microprocessor 1000, the server creates necessary information for the application to be loaded. For example the boot component can specify security configuration overlays which include specific revisions to the target device security configuration to be applied when that particular boot component is loaded. 
 During booting: loading the software (setting or executing the configuration), the microprocessor 1000 collect set of logs events that occurred as follow:
Col 6 line 4-12” Circuits within the secure microprocessor 1000 monitor its operating environment and its functions and interfaces. Depending on the user-defined configuration of the `event mask register, ` events will be captured by the secure microprocessor. Then, based on their criticality, events can be associated with programmable response sequences, for example, a software `interrupt`, a memory `flush`, a `permanently disable` the secure microprocessor”;

Among the sets of events occurred is for example: memory flush and this is an operation associated with the memory and ‘permanently disable” is a process triggered during the operations.
Those event that are collected by the secure microprocessor 1000 are encrypted and sent to the server 10 and analyzed by the server.
Col 5 line 59-67” An additional feature of the system is that the security server 10 can also receive cryptographically protected information from the secure microprocessor 1000. This information 30 consists of cryptographically protected logs and/or operational data.


Appellant’s argument:
See McCorkendale, Abstract and paragraph [0010], If the status of the software is known, the execution authority reports the status to the client device. See McCorkendale, Abstract. The cited portions of McCorkendale are silent regarding a network interface configured to receive load verification data from a software update target device, where the load verification data is descriptive of particular load events related to loading software at the software update target device, as in claim 1. Rather, McCorkendale determines the status of software based on a signature of the software.

Examiner’s answer:
 The issue in the argument is that McCorkendale is silent also about a network interface configured to receive load verification data from a software update target device, where the load verification data is descriptive of particular load events related to loading software at the software update target device. Robinson is used to reject the limitation as emphasized above and in the office action and McCorkendale is used for performing the action.
To emphasize, the system of McCorkendale has a set of developers that create and deploy a software to certification authority and create a hash of the software. 

 [0009] the software developer distributes the software to client devices (122) using conventional channels. At some point, one or more of the client devices (122) attempts (714) to execute (as used herein, "execute" also includes "install") the software.”

 the software for the first time, McCorkendale consults with the execution authority that is remotely located in the network (fig. 1) to check if it’s safe to execute or not, preventing malicious code from execution.
[0061] The execution authority client module 616 uses the I/O module 610 to contact the execution authority 118 and obtain the status information. The client module reports this information to the gatekeeper module 612, which then determines whether to allow the software to execute. The execution authority client module 616 can also send the software to the execution authority 118 and/or analysis authority 120 if requested to do so”;

 Contacting the execution authority is after generating the hash/signature of the software by the signature verification module or the software is not signed at all.(this will generate an error)  that the execution authority 118 can solve.
Appellant’s argument:
[0061] Further, Appellant respectfully submits that a hypothetical combination of Robinson and McCorkendale would not disclose or suggest each and every element of claim 1. For example, Robinson describes a security server that compares configuration settings. McCorkendale describes a software certifying authority that compares signatures of software. Appellant respectfully submits that the combination would be either a single device that compares configuration settings and signatures of software or two distinct devices that perform these functions. 
Examiner’s answer:
The issue is the motivation of combining the reference Robinson and McCorkendale. And any combination of this reference will not discloses a description of load event.
From the previous response, McCorkendale execution of application is also installation of application. During installation the client device check the signature of the application.i.e in word of appellants: generate application signature. While the signature is invalid or not known, the client device will not execute the application until the execution authority verifies such signature and notifies the client to execute the application. What was sent in contacting the execution authority is invalid signature or the signature is not known at all: load events during execution/installation.
For Robinson the same scenario is followed to collect load event and send them to the server 10 that will decide how to fix and allow the secure microprocessor to execute application as intended. Among the load event sent to the server 10 is a memory flush: memory operation as the appellant recites examples in the specification or in this appeal brief (page 6, 2nd paragraph).all this load event sent to remote server is through a network interface and any response received is also through the same network interface.
Appellant’s argument:
Further, the cited portions of Robinson and McCorkendale are silent regarding “authenticate that the load verification data is received from the software update target 
Examiner’s answer:
The issue is that Robinson is silent about authenticating and comparing load event to expected load events.
 The load event generated by the secure microprocessor 1000,
Col 6 line 4-12” Circuits within the secure microprocessor 1000 monitor its operating environment and its functions and interfaces. Depending on the user-defined configuration of the `event mask register, ` events will be captured by the secure microprocessor. Then, based on their criticality, events can be associated with programmable response sequences, for example, a software `interrupt`, a memory `flush`, a `permanently disable` the secure microprocessor”,

are forwarded to the server for authentication: make sure that such event are coming from the trusted device identity known to the server,
Col 11 line 55-65 “The server protects the data and sends it to the fielded target device so it can be loaded into the security subsystem of the target device 1000. Data flow in the opposite direction is handled by the individual having access privileges to receive data from the fielded target device. That individual submits the cryptographically protected data to the security server 10, which then decrypts and authenticates the data. As with other aspects of server 10, the use of server specific key material binds the data the security server. The use of device specific material binds the data to a particular one or set of fielded security subsystems. The use of an 

 The server use a comparator to determine if the received load data is the intended load data,
Col 1line 58-67” A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.

What was programmed is done during installation or at execution time and what is intended is what is expected to occur during installation/execution.
Appellant’s argument:
Therefore, the cited portions of Robinson and McCorkendale, individually or in combination, fail to disclose or suggest “a network interface configured to receive load verification data and a cryptographic signature from a software update target device, wherein the load verification data is descriptive of particular load events related to loading software at the software update target device, and wherein the particular load events include the software update target device performing a data write operation to a particular type of device during the loading of the software, the software update target device initiating a boot process during the loading of the software, the software update target device generating a signature during the loading of the software, the software update target device detecting an error during the loading of the software, or a combination thereof,” as in claim 1. (Emphasis added). Hence, claim 1 is allowable. Claims 4 and 5 are allowable at least by virtue of depending from an allowable claim.
Examiner’s answer:
 The appellants outlines and quoted limitation “wherein the load verification data is descriptive of particular load events related to loading software at the software update target device”,

 “wherein the load verification data is descriptive of particular load events occurring during loading software at the software update target device”,
 under the BRI occurring during loading does not means related to the loading, but event that occurred during the software loading: happened and took place at the time the software update  was loaded. The claim is given their broadest reasonable interpretation IN LIGHT OF THE SPECIFICATION BUT NOT IN VACCUM OF THE SPECIFICATION.
 THE WORD “RELATED TO “IS REMOVED FROM THE LIMITATION SET FILLED 06/16/2020 and replaced with “occurring during”.
Appellant’s argument:
Robinson is silent regarding comparing particular load events to expected load events. The cited portions of Robinson are likewise silent regarding such a comparison being performed responsive to authenticating that load verification data is received from a software update target device based on a cryptographic signature.
…
McCorkendale is silent regarding comparing particular load events to expected load events. The cited portions of McCorkendale are likewise silent regarding such a comparison being performed responsive to authenticating that load verification data is received from a software update target device based on a cryptographic signature. 
Examiner’s answer:
In Robinson, while booting the secure microprocessor 1000(target device), circuits within the secure microprocessor collect a set of event occurred during the loading of the software. The collected data is a set of logs that will be exchanged with the server 10 in an asymmetric cryptography.
 The secure microprocessor generate a key as a signature and attach it to the logs and the server will decipher the key to make sure the log is coming from a specific source, herein the secure microprocessor 1000.
Robinson “Data flow in the opposite direction is handled by the individual having access privileges to receive data from the fielded target device. That individual submits the cryptographically protected data to the security server 10, which then decrypts and authenticates the data”;

To more emphasize among the event exchanged are event that occurred while loading the software into the secure microprocessor 1000 because at that time the secure microprocessor 1000 is vulnerable to attack:
Col 3 line 35-42” During runtime, the secure microprocessor monitors a large number of `events` that may be indicative of attempts to compromise the owner's software or data, for example, an attempted access of a restricted address space. Such access can come from malware injected into a software image by an adversary. Events are assigned to different response sequences based on the criticality of the event, and the desired device or system-level effect. In response to an event, the secure microprocessor can provide a log of tamper incidents back to the security server for further analysis. The security server is the tool used by a security engineer to define the desired response sequences from the individual responses supported by the secure microprocessor, create the event response associations in a table used operationally by the secure 

The server 10 receive the log data (event occurred) and compare them to expected event:

 Col 1 line 58-67 “It also provides a comparator feature to assure that the data programmed into the secure microprocessor is as intended. A second microprocessor is coupled to the first microprocessor through a communications link over which encrypted communications are transmitted. This second microprocessor is coupled to a flash memory for storing data to configure the target microprocessor with the configuration settings and the application image. A verification portion of the second microprocessor compares the configuration settings and application images intended to be programmed into the target microprocessor, with those actually programmed into the target microprocessor to assure appropriate configuration data and application images”.

 In the other hand, to emphasize more, McCorkendale during execution,
 [0009]”the software developer distributes the software to client devices (122) using conventional channels. At some point, one or more of the client devices (122) attempts (714) to execute (as used herein, "execute" also includes "install") the software”,

determines whether the loaded software is malicious or not,  by generating a signature. Generating a signature is an event that occurred during loading (install/execute) of the software by the client device and it is consistent for what the load event are:
[0043] In general, the interface module 510 receives messages from client devices 122 identifying software (via the software's signature) that the devices have been instructed to execute. The interface module 510 also sends messages to the client devices 122 indicating whether the identified software or other software on the client devices is possibly malicious”.
 

 The execution authority of McCorkendale compares the signature to signature “database” to check for a match this is done during install/execution of software update.
The database signature is associated with “allow” or “deny” based on signatures.
[0054]”In one embodiment, the client devices 122 periodically resubmit the signatures of software on the client devices 122 to the execution authority 118 in order to receive any updated status information. The status response module 526 utilizes the client device interface module 510 to receive these update requests, reads the signature statuses from the database module 514, and sends the updated statuses to the requesting client devices 122”,


Appellant’s argument:
 As noted above, the Office cites to a comparison of configuration data to configuration data when rejecting a comparison of particular load events to expected load events. See Office Action, page 10. The cited portions of the references are silent regarding a comparison of particular load events to expected load events and a second comparison of first configuration data to second configuration data. Thus, even if the cited references show a comparison first configuration data and second configuration data, the cited references fail to disclose both comparisons described in claim 4. Therefore, the cited portions of Robinson and McCorkendale, individually or in combination, fail to disclose every feature of claim 4. Hence, claim 4 is allowable for at least this additional reason.
 Examiner’s answer:

The comparison that is done in claim 4 are:
Comparison of prior configuration to new configuration.
And in claim 4, configuration includes load verification, and in Robinson the log generated include event that generated a signature by the secure microprocessor 1000. This log is forwarded to the server 10 and Authenticated: in order to authenticate any signature that is generated by the secure microprocessor 1000 the signature is verified (compared) by the server 1000, to make sure that the secure microprocessor is in its list (authentication).
Appellant’s argument:
Further, the cited portions of Robinson and McCorkendale fail to disclose “wherein the processor is further configured to, responsive to determining that the particular load events match the expected load events, update the first configuration data based on the load verification data,” as in claim 5. In rejecting claim 5, the Office maps comparing configuration settings intended to be programmed with configuration settings already programmed to determining that particular load events match expected load events. See Office Action, page 13. The Office further maps storing configuration data to updating configuration data. See Office Action, page 13. Thus, the Office’s mapping of the claim element would result in configuration data being written responsive to the data being written matching the data being overwritten.
Examiner’s answer:

 Robinson in updating target 1000, compare configuration before update and what is expected (intended). The memory or storage 162/300 is an archive of what applied during time to the target device. It is not overwritten but keeping track of what was prior configuration in case of recovery or roll back to previous version. What was written into the memory is an update to the target configuration after the target device provided a log that configuration setting are correctly processed.
Stored in the memory after verification (by the server 10) that the log is exactly received from a specific target device based for example on hash generated by the target device. This is an archive when new update are applied, the storage is updated but after verification and authentication. 
For Claims 8, 9, 11, 12, 13 and 20 the argument are similar to claims 1, 4, 5 argument. Same examiner’s answer applies to such arguments.
B- Rejections of claims 2, 3, 6, and 10.
Appellant’s argument:
Sugimoto describes a software update verification apparatus. See Sugimoto, Abstract. During a software update mode, a verification unit performs verification on processes being performed by an operating system. See Sugimoto, Abstract. The verification unit verifies the processes by determining whether a series of check files exist. See Sugimoto, paragraph [0057], The verification unit further determines whether the system time stored in each of the check files is valid. See Sugimoto, paragraphs The cited portions of Sugimoto are silent regarding load verification data descriptive of particular load events occurring during loading software at the software update target device. Therefore, the cited portions of Robinson, McCorkendale, and Sugimoto, individually or in combination, fail to disclose at least one element of claim 1, from which claims 2, 3, and 6 depend. Hence, claims 2, 3, and 6 are allowable at least by virtue of depending from an allowable claim.
Examiner’s answer:
Regarding claims  2, 3 and  6,The issue in the argument is that Sugimoto does not discloses loading event occurring during loading of software and the cited paragraph are silent about event descriptive of particular event occurring during loading of software..
 From the previous examiner’s answers, Robinson collect data/event that occurred during system execution of software such as during loading and send them to the server 10. Also in McCorkendale the client device generate for example a signature/hash during loading (install/execute) of the update and send into the execution authority for verification in order to allow or deny execution of such update.
Sugimoto, also update the client device, by applying an update file to the system of the client device. The client device in applying the update generate a set of load event using a set of processes P1 to Pn.
 The expected configuration requires each process Pi to generate at least a time Ti after finishing each job into file.dat for verification.

[0047] In this case, a time interval from the system time T1 to Tn can be known in advance by actual measurement. For example, the time interval is approximately 30 seconds. Further, the same is true of the time interval from the system time T1 to Tn. For example, the time interval is approximately one second to several seconds. The time interval from the system time T1 to Tn usually varies depending on the time needed for the inherent processing of each process”;
To more emphasize those file.dat, are generated during loading of the software into the client device .i.e. installing an update to the client device Sugimoto [0038].
 During installation each process generates “file.dat”, this is an event occurring during loading of software and write the time into that memory space this is another event generated during the loading of the software.
The update manager is called to verify such output generated during the update.
In order to verify, the verification unit first reads data from file.dat and check if time series exists(requirement). Time series T1<…<Tn corresponds to event generated by a corresponding process (load event) P1 to Pn during loading of the software. 
 Because an interval between such generation is a threshold between those time series, the verification units generates T(i+1)-Ti and compare it to the threshold.
 [0059] Furthermore, the verification unit 7 verifies whether or not a difference between each of the system times T1 to Tn stored in the plurality of check files FILE1.dat to FILEn.dat and other closest system time is smaller than a first threshold value di (third verification processing). For example, it is possible to verify whether or not the difference is smaller than the threshold value di by calculation of T(i+1)-Ti. The same is true of all of the system times. The difference T(i+1)-Ti corresponds to the time period from when a certain check file FILEi.dat is generated until a next check file FILE(i+1).dat is generated. 
Furthermore the appellant’s argues that check file are generated prior to loading of the software in appeal brief page 17:
“Further, the files are checked prior to calling a software update unit (e.g., prior to the load events occurring”, see Sugimoto, paragraph [0073]”.
 
 the file 32 that is loaded in  fig. 2, is the file that will be installed into the client device. During loading (installation) the OS may be restarted (booted-up). But any effect that is generated during loading of the software to the system is logged. Here the process Pi and its time series in “file.dat”.

 when all the process P1 to Pn are finished, the manager 6 call the verifier, that is what described in  [0073], to check if the time data that is generated during installation is the same time series expected. Using the updated file is based on the outcome of the verifier. If the validation is correct as expected the updated file will be use by the OS if not validated the updated file will not be used by the OS.
Appellant’s argument:
Further, the cited portions of Robinson, McCorkendale, and Sugimoto, fail to disclose or suggest “wherein the load verification data identifies an ordered list of the particular load events,” as in claim 10. When rejecting claim 10, the Office maps this element to verifying that a plurality of check files were generated in time-series order. See Office Action, page 33. The cited portions of Sugimoto are silent regarding 
Examiner’s answer:
The issue in the argument is directed to claim 10, in that Sugimoto does not includes a set of sequenced loaded events.
 in Sugimoto, the processes are event that are executed to generates a set of file.dat that , and write the time to that file.
[0058] Further, the verification unit 7 verifies whether or not the system times T1 to Tn stored in each of the plurality of check files FILE1.dat to FILEn.dat include one time-series (second verification processing). As described above, since the processes P1 to Pn generate the check files FILE1.dat to FILEn.dat in this order, the system times Ti to Tn include the time-series, T1< . . . <Ti< . . . <Tn, (the T1 is the earliest time and the Tn is the latest time) without fail. The verification unit 7 validates the verification result if the system times T1 to Tn include the time-series”;
 T1 is generated first than T2….finally Tn.Those time Ti are loading event associated with updating the system with file 32 as in fig. 2 of Sugimoto. 
C- Rejection of claim 7
Appellant’s argument:
See Kimberly, Abstract. Tb processor unit verifies the data based on a plurality of digital certificates. See Kimberly, Abstract. The digital certificates include public key certificates and identity certificates that identify the source of software. See Kimberly, paragraph [0011], Appellant respectfully subi that the source of software is not particular load events occurring during loading software. Therefore, the cited portions of Robinson, McCorkendale, and Kimberly, individually or in combination, fail to disclose at least one element of claim 1, from which claim 7 depends. Hence, claim 7 is allowable at least by virtue of depending from an allowable claim.
Examiner’s answer:
To more emphasize, in Kimberly (fig. 1) Data provider 114 may provide data 106 in data bundle 116 for loading on aircraft 102.Bundle 116 is signed with certificates.
When received by the aircraft 102(loaded into the aircraft), the certificate from the bundle is identified: read from the memory where the bundle is installed and check if the certificate is valid. The validation process is based on loading the bundle into the aircraft, and using such bundle is based on the outcome of the validation process.
For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/BRAHIM BOURZIK/Examiner, Art Unit 2191                                                                                                                                                                                                        
Conferees:


/EMERSON C PUENTE/Supervisory Patent Examiner, Art Unit 2196                                                                                                                                                                                                        

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.