DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to remarks filed 07/29/2021, wherein claims 1 – 20 are pending and ready for examination.  
Response to Arguments
Applicant's arguments filed 07/29/2021 have been fully considered but they are not persuasive. 
Remarks to the Specification
Applicant Asserts: On page 5 of the Office Action, the Examiner objected the disclosure because of an informality in paragraph [0002]. In response, paragraph [0002] has been corrected by replacing “using providing” with “providing”. On page 5 of the Office Action, the Examiner required proper use of trademarks. In response, Applicant has amended the specification to properly use the term BLUETOOTH.
Examiner Response:  The Examiner thanks applicant representative for working to advance the prosecution of this application and withdraws the objection to the specification for readability and proper use of trademarks.

Claim Rejections35 USC § 102
Applicant Asserts: Paragraph [0110] of Ruvio describes comparing sensor data and data sent out by the vehicle. This is because Ruvio is mainly concerned with a hacker that modifies data sent from vehicle, e.g., “There is provided a method for identifying malicious activity that changes the integrity of data sent out from a vehicle” (Ruvio, Abstract). The time stamping and comparing described in paragraph [0110] of Ruvio is related to comparing data of a (same, specific) vehicle, and it would make no sense for Ruvio to compare sensor data of a first vehicle with data sent out by a second (different) vehicle because such comparing cannot be used to detect a tampering of data by a hacker.  Accordingly, Ruvio cannot teach “an event occurring in a plurality of vehicles in the fleet” as recited by amended independent claim 20. Applicant therefore respectfully submits that Ruvio does not teach or suggest each and every element of amended independent claims 20.

Examiner Response:  The Examiner does not agree with applicant characterization of the prior art of record primary Ruvio whereby no collection of data from a plurality of vehicles is taught.  Ruvio specifically at paragraph [0117] teaches sensor data is collected as part of the normal operations from the vehicle fleet.  Responsive to applicant assertions of Ruvio at location [0110] the Examiner was addressing the claim limitation an event occurring in a plurality of vehicles in the fleet.  The emphasis at location [0110] of Ruvio was on the claimed “event” and not the “plurality of vehicles” previously introduced in the first limitation. 

Claim Rejections35 USC § 103
Applicant Asserts: Specifically, as discussed with respect to amended independent claim 20, Ruvio does not teach the elements of a server adapted to “identify that at least one of: the fleet and a vehicle in the fleet is under a cyber-attack based on identifying, in the reports, at least one 
 However, Holzhauer cannot cure the deficiencies of Ruvio discussed above with reference to amended independent claim 20. Each of claims 2-8 and 10-19 depends from one of amended independent claims 1 and 9, and is thus likewise allowable. In light of the above discussion, Applicant requests that the Examiner withdraw the 35 U.S.C. § 103 rejection of claims 1-19.
Examiner Response:  The Examiner previously responded to applicant remarks regarding secondary reference Holzhauer in the non-final Office action of 04/06/2020 and are cited here.  The Examiner respectfully disagrees with applicant representative assertion that prior art of record Ruvio does not teach identifying, based on aggregated data, that at least one of: a fleet and a vehicle in the fleet is under a cyber-attack based on identifying, in the aggregated data, at least one of: an attribute which is common to a plurality of vehicles in the fleet.  Ruvio teaches at least at location 
[0193] According to an aspect of some embodiments of the present invention there is provided a server for detection of malicious activity in a computing unit of a vehicle, comprising: a network interface for wireless communicating with respective computing unit of a plurality of vehicles; a program store storing code; and a processor coupled to the network interface and the program store for implementing the stored code, the code comprising: code to receive at least one sensor data acquired by at least one sensor associated with a certain vehicle of the plurality of vehicles, the at least one sensor measuring at least one parameter associated with the certain vehicle; and code to analyze the at least one sensor data to identify an indication of malicious activity installed in the computing unit of the certain vehicle; and transmit the indication of the malicious activity to the computing unit of the certain vehicle.
Here, the Examiner finds Ruvio teaches identifying (detection) based on aggregated data (plurality of vehicles) that at least one (respective computing unit) of: a fleet (plurality of vehicles) and a vehicle (certain vehicle) in the fleet is under a cyber-attack based on identifying, in the aggregated data, at least one of: an attribute (one parameter) which is common to a plurality of vehicles in the fleet.  The Examiner further finds that Ruvio teaches attributes, common among the fleet, explicitly at location
 [0005] …The article Comprehensive Experimental Analyses of Automotive Attack Surfaces (2011) proposes that remote exploitation of connected vehicles is feasible via a broad range of attack vectors …useful for identity theft; license plates and other vehicle registration data; vehicle location information; vehicle physical security data…
Here, the Examiner finds Ruvio positively teaching attributes (attack vectors) common among the fleet (license plates; vehicle location information).  Combined with Ruvio disclosing aggregating collected information from the fleet identifying common attributes reads on the instant claim 1 and will cite the above referenced article as part of this action.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claim 20 is rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ruvio; Guy et al, US 20190036946, January 31, 2019, hereafter referred to as Ruvio.

               As to claim 20, Ruvio teaches a method - Ruvio [0029] FIG. 1C is a flowchart of a method for identification of malicious activity within one or more computing unit components installed in the vehicle from the perspective of the computing unit, comprising:
                obtaining, by a set of sensors units installed in a respective set of vehicles, data related to cyber security and sending the data to a server - Ruvio [0141]… the server tags the received sensor data with a tag indicative of an association with malicious activity, (i.e., when malicious activity is identified). The sensor data associated with malicious activity may be used to create a dataset of sensor data defined as associated with malicious activity. The updated statistical classifier is able to more accurately detect the presence of the malicious activity in other computing units of other vehicles.  Here, the claimed ‘obtaining’ is taught by Ruvio as ‘received’ whereas the claimed ‘units installed’ is taught by Ruvio as ‘sensor data’ because the sensor data is generated from sensors installed in the fleet vehicle); and             
identifying by the server a cyber-threat related to at least one of: a fleet and a vehicle in the fleet - Ruvio [0131]… at 414, the server tags the received sensor data with a tag indicative of an association with malicious activity, (i.e., when malicious activity is identified). The sensor data associated with malicious activity may be used to create a dataset of sensor data defined as associated with malicious activity. The dataset maybe used to update the statistical classifier using the sensor data and tag. The updated statistical classifier is able to more accurately detect the presence of the malicious activity in other computing units of other vehicles. Here, the claimed ‘identifying’ is taught by Ruvio as ‘using the sensor data and tag’);
           based on identifying, in the data – Ruvio [0042] Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity. The server architecture collects data from other vehicles, to create the sensor data designated as normal), at least one of:                       an attribute which is common to a plurality of vehicles in the fleet – Ruvio [0005] … The foreseeable exploits of the vehicle data integrity might lead to data theft, such as: license plates and other vehicle registration data; vehicle location information. Here, the claimed ‘common attribute’ is taught by Ruvio as ‘license plates’ because all vehicles in the fleet would have a data construct labeled ‘license plates’ as an identifying attribute), and 
                       an event occurring in a plurality of vehicles in the flee – Ruvio [0110] The sensor data and the data sent out by the vehicle may be time stamped, to compare data generated at the same time. The sample sizes that are compared may be compared based on time, geography, and/or events (e.g., deployment of airbag.  Here, the claimed ‘event’ is taught by Ruvio as ‘deployment of airbag’). 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Ruvio, in view of Holzhauer; Daniel Francis et al, US 20180316701, November 1, 2018, hereafter referred to as Holzhauer.
            As to claim 1, Ruvio teaches a system for providing fleet cyber-security - Ruvio [0002] The present invention…relates to vehicle data communication networks and…to systems and methods for detecting malicious activity in vehicle data communication networks) comprising: 
              a server - Ruvio [0142] Reference is now made to FIG. 4 …of a system that includes: a monitoring server 202 comprising:
              a memory - Ruvio [0142] Server 202 further comprises a memory module 202a; and
              a processor  - Ruvio [0142] The processing module is configured to detect if the first data framework has been modified…a memory module 202a) adapted to:
              receive from a plurality of data collection units (DCUs) installed in a respective plurality of vehicles in the fleet, a plurality of reports, the reports including information collected by the DCUs and related to cyber security - Ruvio [0040, 0123 and 0141] since at ‘0040’ The correlation may be performed by computing and/or aggregating the data from the multiple sensors to a format of the data sent out by the vehicle. Here, the claimed ‘reports’ is taught by Ruvio as ‘format...data sent out’ because a report must have structure or format, since at ‘123 At 406, sensor data is received from a computing unit of a vehicle. The sensor data is received for analysis by the server to determine whether or not the sensor data is associated with malicious activity executing within the computing unit of the vehicle.  Here, the claimed ‘DCU’ is taught by Ruvio as ‘computing unit’ whereas the claimed ‘cyber security’ is taught by Ruvio as ‘malicious activity’ since at ‘141The method includes, for one or more iterations, acts of generating at least one first data framework associated with sensor…selectively transmitting a notification message if it is determined whether the first data framework has been modified.  Here, the claimed ‘plurality of reports’ is taught by Ruvio as ‘one or more iterations’ because repeating the steps 102-114 provides a separate report from a sensor whereby the claimed ‘fleet reports’ is taught by Ruvio as ‘a notification message’ when the separate reports are correlated); and    
              identify, that at least one of: the fleet and a vehicle in the fleet is under a cyber-attack – Ruvio [0066 and 0131] since at ’66 one or more functions described with reference to FIG. 1A-C may be performed by server 512, for example, by processing unit 502B of server 512 executing code instructions (optionally, malicious activity detection code 510A) stored in a program store 506B and/or data repository 508B since at ‘131 the server tags the received sensor data with a tag indicative of an association with malicious activity, (i.e., when malicious activity is identified.  Here, the claimed ‘identification’ is taught by Ruvio as ‘Fig. 1A’ since the Figure 1A depicts step 414 which updates classifier with malicious activity) based on identifying, in the reports, at least one of:                       an attribute which is common to a plurality of vehicles in the fleet – Ruvio [0043] Optionally, when the malicious activity is identified, the associated sensor data is tagged with a tag indicative of the association with malicious activity. The sensor data and the tag may be stored by the server and used to update a statistical classifier (or other code) to detect the presence of similar malicious activity in the computing unit of another vehicle.  Here, the claimed ‘reports’ is taught by ‘sensor data’ because it is reports data to the classifier), and 
                       an event occurring in a plurality of vehicles in the flee – Ruvio [0110] The sensor data and the data sent out by the vehicle may be time stamped, to compare data generated at the same time. The sample sizes that are compared may be compared based on time, geography, and/or events (e.g., deployment of airbag.  Here, the claimed ‘event’ is taught by Ruvio as ‘deployment of airbag’. RUVIO DOES NOT TEACH the fleet and a vehicle in the fleet is under cyber-attack, HOWEVER HOLZHAUER TEACHES the fleet and a vehicle in the fleet is under cyber-attack – Holzhauer [0065] an Independent System Operator ("ISO") might make predictive contingency responses based on the fleet attack information.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio Server processing unit 502 with Holzhauer’ s Independent System Operation for fleet management.  Ruvio indeed considers vehicle cyber-attacks but is silent on community-of-interest or corporal asset management of a fleet of vehicles.  With Holzhauer, Ruvio can expand security from discreet vehicles to corporal or industrially owned vehicles for 

              As to claim 2, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein identifying the cyber-attack is based on at least one of: 
              correlating information in the reports with data stored on the server - Ruvio [0105] The correlation may be performed by computing unit 504 installed at vehicle 501, and/or computing unit 504 implemented within server 512); and
              correlating information in the reports with server logs related to a communication of DCUs with the server - Ruvio [0125] At 408, the received sensor data is analyzed by the server. The analysis may be performed by correlating the received sensor data with data defined as normal operation without malicious activity).

              As to claim 3, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to identify the cyber-attack based on - Ruvio [0050] The systems and/or methods described herein provide a unique, particular, and advanced technique of collecting and analyzing data dynamically from multiple sensors installed in the vehicle, to identify the presence of malicious activity within the vehicle network). 
               As to claim 4, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein:
            the DCUs are adapted to include, in the reports, codes identifying service entities – Ruvio [0019]  code to intercept, by at least one sensor data monitoring agent that monitors sensor data outputted by at least one sensor associated with the vehicle; and
            the server is adapted to use the received codes to associate a service entity with a cyber threat – Ruvio [0019 and 0038] since at ‘19 a computing unit for identifying an indication of malicious activity that changes the integrity of data sent out from a vehicle, comprising: code to monitor the integrity of the data sent out by the vehicle b… identify an indication of malicious activity that changed the data sent out from the vehicle relative to the data sensed by the at least one sensor, since at ‘38  Alternatively or additionally, the malicious activity is detected at a server external to the vehicle, by code instructions that perform the correlation of the sensor data (transmitted by the vehicle to the server) with the data sent out by the vehicle to the server and/or to a third party server that forwards the data sent out by the vehicle to the server).

            As to claim 5, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to:
             classify an event based on relating the event to one or more recorded events; and identify a cyber-attack based on the classification – Ruvio [0043] … when the malicious activity is identified, the associated sensor data is tagged with a tag indicative of the association with malicious activity. The sensor data and the tag may be stored by the server and used to update a statistical classifier (or other code) to detect the presence of similar malicious activity in the computing unit of another vehicle). Here, the claimed ‘classify’ is taught by Ruvio as ‘tagged’ because the tag identifies malicious activity whereas the claimed ‘event’ is taught by Ruvio as ‘activity’.  The claimed ‘recorded events’ is taught by Ruvio as ‘association with malicious activity’ because in order to associate data a record must be held or archived for comparison purposes to form the basis of the associating).

               As to claim 6, the combination of Ruvio and Holzhauer teaches the system of claim 5, wherein the server is adapted to identify a false positive detection based on the classification - Holzhauer [0042] Some embodiments of the algorithm may utilize feature-based learning techniques based on high fidelity physics models…detection may occur with more precision using multiple signals, making the detection more accurate with less false positives.  Here, the claimed ‘adapted’ is taught by Holzhauer as ‘high fidelity models’ because it is what is used to make detection more likely.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio machine learning classifier to incorporate Holzhauer’ s tuned high fidelity equipment models that recursively reduce the rate of false positives.  Ruvio does not explicitly cite recursive iteration for reducing false positives but Holzhauer provides this feature.  Ruvio would be motivated to consider Holzhauer because security in fleet vehicles becomes an even bigger concern with autonomous vehicles, and even more so with driverless cars as taught by Ruvio at location [0004]).
               As to claim 7, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to identify previously undetected threats by correlating historical data with newly identified hacks. - Holzhauer [0050] In order to decide whether or not these signals 612, 622, 632, 642 are truly currently under attack, a historical batch with pertinent feature vector information may be kept for some duration of time. Then when an attack is detected on another signal, this batch is examined). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio machine learning classifier to incorporate Holzhauer’ s historical data to correlate new threats.  Ruvio does not explicitly cite use of historical data and trends but Holzhauer provides this feature.  Ruvio would be motivated to consider Holzhauer because security in fleet vehicles becomes an even bigger concern with autonomous vehicles, and even more so with driverless cars as taught by Ruvio at location [0004]).

               As to claim 8, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to identify a cyber-threat based on correlating data received from a plurality of DCUs in a vehicle - Ruvio [0190] Optionally, the method further comprises creating the at least one sensor data by aggregation of signals from a plurality of sensors each measuring a respective parameter associated with the vehicle.  Here, the claimed ‘DCUs’ is taught by Ruvio as ‘sensors’ because sensors are discreet data collectors).

               As to claim 9, claim 9 is a method that is directed to the system of claim 1. Therefore claim 9 is rejected for the reasons set forth in claim 1.

               As to claim 10, claim 10 is a method that is directed to the system of claim 2. Therefore claim 10 is rejected for the reasons set forth in claim 2.

               As to claim 11, claim 11 is a method that is directed to the system of claim 3. Therefore claim 11 is rejected for the reasons set forth in claim 3.

               As to claim 12, claim 12 is a method that is directed to the system of claim 4. Therefore claim 12 is rejected for the reasons set forth in claim 4.

               As to claim 13, claim 13 is a method that is directed to the system of claim 5. Therefore claim 13 is rejected for the reasons set forth in claim 5.

               As to claim 14, claim 14 is a method that is directed to the system of claim 6. Therefore claim 14 is rejected for the reasons set forth in claim 6.

               As to claim 15, claim 15 is a method that is directed to the system of claim 7. Therefore claim 15 is rejected for the reasons set forth in claim 7.

               As to claim 16, claim 16 is a method that is directed to the system of claim 8. Therefore claim 16 is rejected for the reasons set forth in claim 8.

                As to claim 17, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising:   
               including, in the reports, geolocation information - Ruvio [0184]… the unified internal parameters are selected from the group consisting of:… geographical location; and using the geolocation information to associate a cyber-threat with a location – Ruvio [0182] the method further comprises tagging the received at least one sensor data with a tag indicative of an association with malicious activity).

                As to claim 18, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising:
                 including, in the reports – Ruvio [0177] receiving at the server, from a computing unit installed in a vehicle, at least one sensor data acquired by at least one sensor associated with the vehicle.  Here, the claimed ‘in the reports’ is taught by Ruvio as ‘receiving at the server’ because data received from the vehicle is a report characterized as a first data framework taught by Ruvio in the preceding paragraph), connectivity information – Ruvio [0184] the unified internal parameters are selected from the group consisting of:  …cellular communication network indicators… home area network indicators.  Here, the claimed ‘connectivity information’ is taught by Ruvio as ‘cellular…home area network indicators’ because they indicate connection endpoints); and
                  using the connectivity information to associate a cyber-threat with a communication entity – Ruvio [0182] the method further comprises tagging the received at least one sensor data with a tag indicative of an association with malicious activity).

                As to claim 19, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising: including, in the reports – Ruvio [0177] receiving at the server, from a computing unit installed in a vehicle, at least one sensor data acquired by at least one sensor associated with the vehicle.  Here, the claimed ‘in the reports’ is taught by Ruvio as ‘receiving at the server’ because data received from the vehicle is a report characterized as a first data framework taught by Ruvio in the preceding paragraph), weather conditions – Ruvio [0184] the unified internal parameters are selected from the group consisting of:  …weather. RUVIO DOES NOT TEACH and using the weather conditions to identify false positive detection, HOWEVER HOLZHAUER TEACHES and
                  using the weather conditions to identify false positive detection  - Holzhauer [0042] …detection may occur with more precision using multiple signals, making the detection more accurate with less false positives.  Here, the claimed ‘weather conditions’ is taught by Holzhauer as ‘multiple signals’ because a weather sensor produces signals transmitted to the server to provide machine learning operation data. Collecting multiple signals from more than one vehicle reduces the likelihood of false positives.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio machine learning classifier to incorporate Holzhauer’ s tuned high fidelity equipment models that recursively reduce the rate of false positives.  Ruvio does not explicitly cite recursive iteration for reducing false positives but Holzhauer provides this feature.  Ruvio would be motivated to consider Holzhauer because security in fleet vehicles becomes an even bigger concern with autonomous vehicles, and even more so with driverless cars as taught by Ruvio at location [0004]).

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM B JONES/Examiner, Art Unit 2491                                                                                                                                                                                                        10/21/2021


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491