Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the application filed on 12/26/2019. Claims 1, 13 and 19 are independent. Claims 1-25 are currently pending.

Claim Objections
Claims 8, 9, 17, 18, 23 and 24 are objected to. "IDS" needs to be spelled out as intrusion detection system (IDS).
Claim 25 is objected to because Applicant recites in computer program product claim 25 "The computer program product of claim 18…" but claim 18 is a method claim. Accordingly, the examiner will interpret claim 25 as a method claim.
Appropriate corrections are required.

Claim Rejections-35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-25 are rejected under 35 U.S.C. 103 as being unpatentable over Ahire et al. (US 20210021610 A1), hereinafter Ahire, in view of David et al. (US 20180191738 A1), hereinafter David.

Regarding claims 1, 13 and 19, Ahire teaches an apparatus to detect intrusion (FIG. 1, the threat detection apparatus), the apparatus comprising:
memory (FIG. 1 and para. 0022, [t]he threat detection apparatus 110 includes one or more processors 112, such as an electronic control unit (ECU), and a memory 114); and

to monitor one or more control units (FIG. 3 and para. 0048, the threat detection apparatus 110 may check message identifiers on the critical commands and/or messages ... the threat detection apparatus 110 may check that the values of the message for the critical component, such as the steering 210, the engine 138, the brake 212 and/or the accelerator 214 are within a threshold) of an in-vehicle network (FIG. 1 and 2, in-vehicle network), each of the one or more control units to perform a vehicle function (FIG. 2 and para. 0033, [t]he one or more sensors 116 may include a camera 116a or other sensors 116b. The other sensors 116b may include a vehicle speed sensor, a steering wheel sensor, a proximity sensor, a brake sensor and/or an acceleration sensor. Para. 0035, FIG. 2 further describes the various other vehicle devices 126 that may be connected and/or provide data (or CAN data) along the CAN bus 124);
to combine observations of the one or more control units (para. 0048, the threat detection apparatus 110 may check message identifiers on the critical commands and/or messages ... the threat detection apparatus 110 may check that the values of the message for the critical components ... are within a threshold. Para. 0068, determines an overall threat score (412). The threat score represents an estimate of the threat that the malicious activity or attack presents to the vehicle 102); and
to determine, based on a combination of the observations, that one or more of the observations represent an intrusion (FIG. 3 and para. 0046, [t]he threat detection 
When the overall threat score is less than the threshold score, the threat forensics platform 104 may continue to monitor CAN data from the CAN bus 124. When the overall threat score is greater than or equal to the threshold, this may indicate that there is malicious activity on the CAN bus 124).
Ahire does not explicitly disclose monitoring and combining at one or more observation layers. However, in an analogous art, David teaches monitoring and combining at one or more observation layers (FIG. 1B and para. 0039, adding endpoint security layers and policies 158a-n to ECUs 156a-n so that they use policies outlining whitelists of permitted processes, binaries, etc., and outlining permitted contexts within which the permitted processes are able to operate, the ECUs 156a-n are able to detect the unexpected behavior or operation of a dropper and immediately report on the attack attempt in real-time. Para. 0046, In general, a restricted subset of contexts appropriate for safe mode operation can vary per ECU and/or per process. For example, each of the ECUs 156a-n may include different safe mode instructions in their respective security layer and policies 158a-n, that are determined (e.g., by an engineer) as being appropriate for the ECU).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahire and 

Regarding claims 2, 14 and 20, the combination of Ahire and David teaches all of the limitations of claims 1, 13 and 19, as described above. Ahire further teaches attack characterization logic circuitry to determine, based at least on the observations, characteristics of an attack (FIG. 3 and para. 0044, threat detection apparatus 110 may obtain an edge version of the baseline model of malicious activity [interpreted as the characteristics of an attack]. Para. 0045, threat detection apparatus 110 collects sensor data and/or processing data), and to pass the characteristics of the attack information to a forensic logging system to log the attack or pass the characteristics of the attack to a recovery system for informed selection of recovery procedures (FIG. 3 and para. 0047, the threat detection apparatus 110 may provide the CAN data that includes the sensor data and/or processing data to the threat forensics platform 104 for analysis.).

Regarding claims 3 and 15, the combination of Ahire and David teaches all of the limitations of claims 2 and 14, as described above. Ahire further teaches the characteristics to comprise an indication of the one or more of the observations that represent the attack (para. 0047, [t]he threat detection apparatus 110 may send the CAN data to the threat forensics platform 104 across the network 108 using the network access device 122 and obtain an indication of any malicious attacks or activity; para. 

Regarding claim 4, the combination of Ahire and David teaches all of the limitations of claim 3, as described above. Ahire further teaches the characteristics to comprise an indication of compromised signals (para. 0052, prevent the malicious activity from compromising operation of the vehicle 102).

Regarding claims 5 and 22, the combination of Ahire and David teaches all of the limitations of claims 2 and 20, as described above. Ahire further teaches the characteristics to comprise an indication of one or more of the control units that represent a source of the attack (para. 0048, the threat detection apparatus 110 may ensure that the frequency and patterns of the critical commands and/or messages are occurring within a threshold frequency and/or pattern. This ensures that the controllers, electronic control units or other processors and/or devices are not flooded with messages that utilize the limited resources [thereby identified as source of the attack]).

Regarding claim 6, the combination of Ahire and David teaches all of the limitations of claim 2, as described above. Ahire further teaches the characteristics to comprise an indication of one or more of the control units that represent a target for the attack  (para. 0044, malicious activity that targets critical functions of the vehicle 102, such as the engine 138, the steering 210, the brake 212 and/or the accelerator 214).

Regarding claim 7, the combination of Ahire and David teaches all of the limitations of claim 1, as described above. Ahire further teaches wherein the detection logic circuitry (FIG. 1) comprises a processor coupled with the memory to execute code of the detection logic circuitry (FIG. 1 and para. 0022, threat detection apparatus 110 includes one or more processors 112, such as an electronic control unit (ECU), and a memory 114; para. 0023, [t]he processor 112 may be coupled to a memory 114 and execute instructions that are stored in the memory 114).

Regarding claims 8, 17 and 23, the combination of Ahire and David teaches all of the limitations of claims 1, 13 and 20, as described above. Ahire further teaches the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS based on an output from an IDS (FIG. 4 and para. 0068, determine the threat score based on the one or more of the checks of the message identifier, the validation of the CAN data against the corresponding baseline range of values and the differences in patterns between the baseline model and the messages within the CAN data. Para. 0069, assign a threat score for each of the check of the message identifier, the validation of the CAN data and/or the differences in patterns. The score may be a weighted score ... The weights may be pre-configured or assigned based on user input. The weights may be related to and reflect the priority or importance of the detection of the malicious activity).
In addition, David teaches at a first layer and at a second layer (FIG. 1B and para. 0039, adding endpoint security layers and policies 158a-n to ECUs 156a-n so that they use policies outlining whitelists of permitted processes, binaries, etc., and 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahire and David because the ECUs 156a-n are able to detect the unexpected behavior or operation of a dropper and immediately report on the attack attempt in real-time (David, para. 0039).

Regarding claims 9, 18 and 24, the combination of Ahire and David teaches all of the limitations of claims 1, 13 and 20, as described above. Ahire further teaches the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS based on a single output or a combination of outputs from at least one other IDS (FIG. 4 and para. 0068, determine the threat score based on the one or more of the checks of the message identifier, the validation of the CAN data against the corresponding baseline range of values and the differences in patterns between the baseline model and the messages within the CAN data. Para. 0069, assign a threat score for each of the check of the message identifier, the validation of the CAN data and/or the differences in patterns. The score may be a weighted score ... The weights may be pre-configured or assigned based on user input. The weights may be related to and reflect the priority or importance of the detection of the malicious activity).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahire and David because the ECUs 156a-n are able to detect the unexpected behavior or operation of a dropper and immediately report on the attack attempt in real-time (David, para. 0039).

Regarding claim 10, the combination of Ahire and David teaches all of the limitations of claim 1, as described above. Ahire further teaches wherein the observation layers include any one or more of a physical layer, a message layer, a context layer, and another layer (para. 0048, the threat detection apparatus 110 may check message identifiers on the critical commands and/or messages to ensure that there is a message identifier on each message of the multiple messages on the CAN bus and that the message identifier conforms to an expected format for the CAN data), wherein the physical layer comprises voltage levels at pins of a control unit, the message layer comprises message ordering/timing and content contained within the messages observed on channels of an in-vehicle bus, the context layer comprises vehicle specific

This ensures that the controllers, electronic control units or other processors and/or devices are not flooded with messages that utilize the limited resources).

Regarding claims 11 and 25, the combination of Ahire and David teaches all of the limitations of claims 1 and 18, as described above. David further teaches wherein the combination of the observations of the one or more control units at the one or more observation layers comprises any one or combination of intra-layer observation combinations, inter-layer combinations, and global layer combinations (FIG. 1B and para. 0039, [t]he early warning can give the original equipment manufacturers (OEMs) and system providers of the vehicle 152 (and its subparts) time to address the threat, as indicated by the computer system 164 providing real-time status information to a client computing device 168 with information 170 on malware that has been blocked across the ECUs 156a-n (step 166). For example, an alert on the malware 160a-n can include the complete trail of the attack on the ECUs 156a-n, including its source, path, and context of the vehicle 152 and/or ECUs 156a-n when the attack was blocked).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahire and David because vulnerabilities can be fixed and blocked to prevent any malware from infiltrating the CAN bus on the vehicle (David, para. 0039).

Regarding claim 12, the combination of Ahire and David teaches all of the limitations of claim 1, as described above. Ahire further teaches wherein the combination of the observations of the one or more control units at the one or more observation layers (para. 0024, [t]he malicious activity may be an injected message, virus, spyware, malware or other foreign code, message or data, which interferes with the normal operation of one or more devices or components of the vehicle 102) comprises any one or combination of majority voting, machine learning, weighted voting, and historical pattern comparison (para. 0024, [t]he processor 112 and/or the one or more processors 130 may generate or obtain predictive baseline models ("baseline") and use machine learning algorithms to improve the detection and/or identification of malicious activity).
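The rejections of claims 8, 9 and 12 above rest on three mechanisms: per-check threat scores (message identifier, value range against a baseline, timing patterns) combined as a weighted score, a detection threshold that is adjusted based on the output of another IDS or observation layer, and majority voting as an alternative combination rule. The following Python is an added illustration of how those mechanisms fit together; it is not code from Ahire, David or the application under examination. Every CAN identifier, baseline range, period, weight, and the sample traffic windows are constructed for this example, and the "endpoint alert" input stands in for a second-layer signal such as an ECU process-whitelist policy firing.

```python
"""Added example: combining CAN observations into a weighted threat score
with a threshold that is adjusted by a second observation layer.

All identifiers, baseline values, weights and traffic below are constructed
for illustration; none come from the cited references or the application.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # receive time in seconds
    can_id: int    # 11-bit CAN identifier
    data: bytes    # payload, up to 8 bytes


# Constructed baseline: expected payload length, permitted range of byte 0,
# and nominal transmit period for each known identifier (hypothetical IDs).
BASELINE = {
    0x0C4: {"dlc": 8, "range": (0, 90), "period": 0.010},   # hypothetical steering ID
    0x1A0: {"dlc": 8, "range": (0, 100), "period": 0.020},  # hypothetical brake ID
}


def _frame(ts, can_id, first_byte):
    return Frame(ts, can_id, bytes([first_byte]) + bytes(7))


# Constructed traffic windows: benign, a flood of out-of-range frames plus an
# unknown ID, and a smaller injection that sits near the detection threshold.
NORMAL = [_frame(0.010 * i, 0x0C4, 10) for i in range(4)] + \
         [_frame(0.020 * i, 0x1A0, 20) for i in range(2)]
FLOOD = NORMAL + [_frame(0.001 * i, 0x0C4, 200) for i in range(30)] + \
        [Frame(0.005, 0x7FF, b"\x00")]           # unknown ID with wrong length
BORDERLINE = NORMAL + [_frame(0.001 * i, 0x0C4, 200) for i in range(1, 7)]


def check_identifier(frames):
    """Message-layer check: each frame carries a known ID and the expected length."""
    bad = [f for f in frames
           if f.can_id not in BASELINE or len(f.data) != BASELINE[f.can_id]["dlc"]]
    return 1.0 if bad else 0.0


def check_value_range(frames):
    """Context-layer check: fraction of known frames whose byte 0 leaves its baseline range."""
    known = [f for f in frames if f.can_id in BASELINE]
    out = sum(1 for f in known
              if not BASELINE[f.can_id]["range"][0] <= f.data[0] <= BASELINE[f.can_id]["range"][1])
    return out / len(known) if known else 0.0


def check_frequency(frames):
    """Timing check: fraction of known IDs arriving at more than twice their baseline rate."""
    by_id = {}
    for f in frames:
        by_id.setdefault(f.can_id, []).append(f.ts)
    flagged = 0
    for cid, stamps in by_id.items():
        base = BASELINE.get(cid)
        if base is None or len(stamps) < 2:
            continue
        expected = (max(stamps) - min(stamps)) / base["period"] + 1
        if len(stamps) > 2 * expected:
            flagged += 1
    return flagged / len(BASELINE)


CHECKS = {"identifier": check_identifier, "range": check_value_range, "frequency": check_frequency}
WEIGHTS = {"identifier": 1.0, "range": 2.0, "frequency": 2.0}   # constructed priorities


def weighted_score(frames, weights=WEIGHTS):
    """Weighted combination of the per-check scores, normalised to [0, 1]."""
    total = sum(weights.values())
    return sum(weights[name] * fn(frames) for name, fn in CHECKS.items()) / total


def majority_vote(frames):
    """Alternative combination rule: intrusion if a strict majority of checks score >= 0.5."""
    votes = sum(1 for fn in CHECKS.values() if fn(frames) >= 0.5)
    return votes * 2 > len(CHECKS)


def adjust_threshold(base, endpoint_alert):
    """Dynamic threshold: an alert from a second observation layer lowers the bar
    the network-layer score must clear (0.3 is a constructed adjustment)."""
    return base - 0.3 if endpoint_alert else base


def detect(frames, base_threshold=0.6, endpoint_alert=False):
    """Return (score, threshold, intrusion?) for one window of frames."""
    score = weighted_score(frames)
    threshold = adjust_threshold(base_threshold, endpoint_alert)
    return score, threshold, score >= threshold


if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("flood", FLOOD), ("borderline", BORDERLINE)):
        for alert in (False, True):
            score, thr, hit = detect(window, endpoint_alert=alert)
            print(f"{name:10s} endpoint_alert={alert!s:5s} score={score:.2f} "
                  f"threshold={thr:.2f} intrusion={hit} majority={majority_vote(window)}")
```

Running the module shows the two combination rules disagreeing on the borderline window: two of three checks reach 0.5, so majority voting flags it, while the weighted score (0.4) stays under the base threshold of 0.6 and only crosses once the endpoint-layer alert pulls the threshold down to 0.3. That divergence is the practical reason weights and dynamic thresholds are treated as separate mechanisms in the claims discussed above.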

Regarding claim 16, the combination of Ahire and David teaches all of the limitations of claim 14, as described above. Ahire further teaches the characteristics to comprise an indication of compromised signals (para. 0052, prevent the malicious activity from compromising operation of the vehicle 102) and an indication of one or more of the control units that represent a source of the attack (para. 0048, the threat detection apparatus 110 may ensure that the frequency and patterns of the critical commands and/or messages are occurring within a threshold frequency and/or pattern. This ensures that the controllers, electronic control units or other processors and/or devices are not flooded with messages that utilize the limited resources [thereby identified as source of the attack]).

Regarding claim 21, the combination of Ahire and David teaches all of the limitations of claim 20, as described above. Ahire further teaches the characteristics to comprise an indication of the one or more of the observations that represent the attack (para. 0047, [t]he threat detection apparatus 110 may send the CAN data to the threat forensics platform 104 across the network 108 using the network access device 122 and obtain an indication of any malicious attacks or activity; para. 0048, [t]he threat detection apparatus 110 determines whether there is malicious activity on the CAN bus 124) and an indication of compromised signals (para. 0052, prevent the malicious activity from compromising operation of the vehicle 102).

References Listed but Not Used
The closest art, Funk et al. (US 20180040172 B1), teaches a method for implementing Internet of Things ("IoT") functionality, and, in particular embodiments, implementing added services for an OBD2 connection for IoT-capable vehicles. In various embodiments, a portable device (when connected to an OBD2 DLC port of a vehicle) might monitor wireless communications between a vehicle computing system(s) and an external device(s), might monitor vehicle sensor data from vehicular sensors tracking operational conditions of the vehicle, and might monitor operator input sensor data from operator input sensors tracking input by a vehicle operator. The portable device (or a server) might analyze either the monitored wireless communications or a combination of the monitored vehicle sensor data and the monitored operator input sensor data, to determine whether vehicle operation has been compromised. If so, the portable device 
The closest art, Galula et al. (US 20180351980 A1), teaches a method for providing fleet cyber-security that may include collecting, by a plurality of data collection units installed in a respective plurality of vehicles in the fleet, information related to cyber security and including the information in reports to a server. Data in reports may be aggregated by the server. A cyber-attack may be identified based on the aggregated data.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published 


/SHU CHUN GAO/Examiner, Art Unit 2437 


/NELSON S. GIDDINS/Primary Examiner, Art Unit 2437