DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings are objected to due to these informalities:
Figure 1 includes numerical labels, and not descriptive labels for elements 100 to 104, so the drawing could be improved if it had descriptive labels in text.
Figure 6 should have a space between “Establish” and “conditional” in “Establishconditional” of Step S640.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office Action to avoid abandonment of the application.  Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended.  The figure or figure number of an amended drawing should not be labeled as “amended.”  If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency.  Additional replacement sheets may be necessary to show the renumbering of the remaining figures.  Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d).  If the changes are not accepted by the 

Specification
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 
The following title is suggested: Generating Anomaly-Detection Rules for Communication Protocols by N-Gram Analysis
The disclosure is objected to because of the following informalities:
In ¶[0067], “in an and where” appears that it has some words missing.
In ¶[0076], “or may be packet belonging” appears that it should be “or may be a packet belonging”.   
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 to 2, 5 to 13, and 16 to 21 are rejected under 35 U.S.C. 103 as being unpatentable over Song et al. (U.S. Patent Publication 2009/0254501) in view of Allouche et al. (U.S. Patent Publication 2017/0200323).
Song et al. discloses a method and system to automatically correct errors in word inputs to an electronic device, comprising:
“receiving communication data” – word inputs are provided to an electronic device (Abstract); probability information generator 122 extracts features from a corpus of correct words M1 and incorrect words M2 (¶[0032] - ¶[0033]: Figure 1); learning unit 120 acquires learning data for learning; data for learning includes a corpus of correct words M1 and a corpus of incorrect words M2 (¶[0053: Figure 3: Step S10); broadly, words of correct words M1 and incorrect words M2 are “communication data”;
“constructing at least one N-gram from the received communication data” – preferably, probability information generator 122 uses a 1-gram model, or unigram model to extract features from a corpus of correct words (¶[0032]: Figure 1); features are extracted from a corpus of correct words M1, where the extraction of features may use a unigram model; probability information generator 122 extracts a unigram feature (¶[0054] - ¶[0055]: Figure 3: Step S11); instead of using a unigram model, a 2-gram model or a 3-gram model may alternatively be used for extracting features (¶[0058]: Figures 3 and 4); a denotation Fl,m means a unigram feature at a specific point for determining word-spacing information Sl,m (¶[0066]: Equation (1)); an error correction rule is extracted as an n-gram of 2 or more size (¶[0076]); error correction rule generator 124 creates error correction candidate rules of n-grams of 2 or more size (¶[0080]: Figure 7: Step S154);

l,m means a unigram feature at a specific point for determining word-spacing information Sl,m; probability information generator 122 acquires probability information of each feature by learning a CRFs probability model; probability information includes a spacing probability, i.e., P(1|F), that is a specific point and a no-spacing probability, i.e., P(0|F), that a specific point is not spaced (¶[0066] - ¶[0067]: Equation (1)); error correction rule generator 124 extracts sentences from a corpus of first-spaced words and from a corpus of correct words M1, and compares the extracted sentences to each other (¶[0078]: Figure 7: Steps S151 to S152); here, “conditional probabilities of certain characteristics” is a probability that words are spaced or not spaced at a given point in a sentence; PCRF(Sl,m|Fl,m) of Sl,m given feature Fl,m; extracted features can be unigrams or n-grams (“analyzing the at least one N-gram”); implicitly, “comparing the constructed at least one N-gram with a repository of N-gram analyses” is equivalent to comparing n-gram features of a corpus of correct words M1 to n-gram features of a corpus of incorrect words M2;
“generating anomaly-detection rules based on the N-gram analysis” – error correction rules are created by applying probability information to a corpus of incorrect words (Abstract); error correction rule generator 124 produces an error correction rule by using errors found in a corpus of first-spaced words; specifically, error correction rule generator 124 creates candidate rules for an error correction rule, and selects an error correction rule from among candidate rules (¶[0035]: Figure 1); error correction rule generator 124 creates an error correction rule by using a corpus of first-spaced words; an error correction rule is extracted as an n-gram of 2 or more size (¶[0075] - ¶[0076]: Figure 3: Step S15); after confidence scores of all candidate rules are extracted, error correction rule generator 124 selects an error correction rule (¶[0094]: Figure 3: Steps S16 to S17); here, error correction rules are equivalent to “anomaly-detection rules”; that is, an ‘error’ is an ‘anomaly’. 
Concerning independent claims 1 and 11 to 12, Song et al. arguably discloses all of the limitations of these independent claims.  Conceivably, Song et al. does not disclose a preambular limitation of generating anomaly-detection rules for “communication protocols”.  However, a preamble is generally not given patentable weight for purposes of claim construction if a body of a claim provides a complete description of the invention.  See Pitney Bowes, Inc. v. Hewlett-Packard Co., 182 F.3d Song et al. does not expressly disclose “anomaly-detection” rules, but “error correction rules” for word spacing are equivalent.  That is, an error in word spacing is an ‘anomaly’ in a textual ‘communication’ that can be corrected by application of rules in Song et al.  Broadly, words are “communication data”.
Concerning independent claims 1 and 11 to 12, even if these limitations of generating “anomaly-detection” rules for “communication protocols” are omitted by Song et al., they are taught by Allouche et al.  Generally, Allouche et al. teaches detecting an intravehicular anomaly associated with a vehicle by analyzing in-vehicle data, and at an extravehicular monitor detecting any anomaly by analyzing the intravehicular information in combination with extravehicular data that are external to a plurality of vehicles.  (Abstract; ¶[0003])  Intravehicular monitor (IVM) 104 includes a local anomaly detector (LAD) 108 configured to detect anomalies associated with vehicle 102A by acquiring data from components of vehicle 102A and applying predefined rules 110.  LAD 108 applies predefined rules 110 to communications monitored by communications monitor (CM) 106 to identify communications that are not in compliance with their associated communication protocols, e.g., CAN, MOST, or LIN.  (¶[0020]: Figure 1)  Extravehicular monitor (EVM) 100 includes an event analyzer 116 configured to identify a source or cause of any of the anomalies by applying predefined investigative rules.  Event analyzer 116 identifies anomaly patterns and analyzes the patterns in order to identify commonalities.  Event analyzer 116 is configured to investigate suspected malicious security incidents by retracing actions of vehicles 102 as well as elements external to vehicles 102.  (¶[0023]: Figure 1)  Specifically, anomalies associated with Allouche et al., then, teaches using rules to detect malicious security incidents as “anomalies” in “communication protocols”.  That is, if someone is attempting to remotely interfere with operation of a self-driving vehicle, then this may be detected according to “rules” from an “anomaly” in “a communication protocol”.  An objective is to address vulnerabilities of modern vehicles to cyberattacks to improve security by intravehicular mechanisms.  (¶[0002])  It would have been obvious to one having ordinary skill in the art to generate error correction rules from n-gram features using a probability model of Song et al. to rules for detecting anomalies in communications that are not in compliance with communication protocols as taught by Allouche et al. for a purpose of improving security of vehicle vulnerabilities to cyberattacks.  

Concerning claims 2 and 13, Allouche et al. teaches that vehicles coordinate their operations by communicating on one or more network buses (¶[0002]); intravehicular monitor (IVM) 104 includes a communications monitor (CM) configured to gather in-vehicle data by monitoring communications between components of vehicle 102A, e.g., between Electronic Control Units (ECUs) of vehicle 102A and communications directed to vehicle 102A from points of origin external to vehicle 102A (¶[0019]: Figure 1); LAD 108 acquires data from components of vehicle 102A and applies predefined rules 110 to identify when data deviate from expected values (¶[0020]: Figure 1); in-vehicle data are gathered by monitoring communications 
Concerning claims 5 and 16, Song et al. discloses “constructing at least one N-gram from the received communication data includes constructing at least one N-gram from at least one of content information . . .”.  Broadly, text of words is “content information” and unigram or n-gram models are used to extract features.
Concerning claims 6 to 7 and 17 to 18, Song et al. discloses that, preferably, probability information generator 122 uses a 1-gram model, or unigram model to extract features from a corpus of correct words (¶[0032]: Figure 1); features are extracted from a corpus of correct words M1, where the extraction of features may use a unigram model; probability information generator 122 extracts a unigram feature (¶[0054] - ¶[0055]: Figure 3: Step S11); instead of using a unigram model, a 2-gram model or a 3-gram model may alternatively be used for extracting features (¶[0058]: Figures 3 and 4); an error correction rule is extracted as an n-gram of 2 or more size (¶[0076]); error correction rule generator 124 creates error correction candidate rules of n-grams of 2 or more size (¶[0080]: Figure 7: Step S154).  Here, a 1-gram or unigram model is “a unigram” and a 2-gram model is “a bigram”.
Concerning claims 8 and 19, Song et al. discloses that probability information generator 122 creates probability information by applying the extracted features and a probability model to a corpus of incorrect words M2 from which all spaces between words of a corpus of correct words M1 are removed (¶[0033]: Figure 1); instead of using Song et al. generates error correction rules from conditional probabilities obtained by comparing features of a corpus of correct words to a corpus of incorrect words, and these features in one embodiment may be 2-grams (“comparing the constructed bigram with a repository of bigrams”). 
Concerning claims 9 and 20, Song et al. discloses an error correction rule is extracted as an n-gram of 2 or more size (¶[0076]); error correction rule generator 124 creates error correction candidate rules of n-grams of 2 or more size (¶[0080]: Figure 7: Step S154).  Here, an n-gram of more than 2 is “a higher-order N-gram.”
Concerning claims 10 and 21, Song et al. discloses that, preferably, probability information generator 122 uses a 1-gram model, or unigram model to extract features from a corpus of correct words (¶[0032]: Figure 1); features are extracted from a corpus of correct words M1, where the extraction of features may use a unigram model; probability information generator 122 extracts a unigram feature (¶[0054] - ¶[0055]: Figure 3: Step S11); instead of using a unigram model, a 2-gram model or a 3-gram model may alternatively be used for extracting features (¶[0058]: Figures 3 and 4); a l,m means a unigram feature at a specific point for determining word-spacing information Sl,m (¶[0066]: Equation (1)); an error correction rule is extracted as an n-gram of 2 or more size (¶[0076]); error correction rule generator 124 creates error correction candidate rules of n-grams of 2 or more size (¶[0080]: Figure 7: Step S154).  Here, a 2-gram model is “a bigram” and an n-gram of more than 2 is “a higher-order N-gram.”  Song et al., then, discloses analyzing n-grams including “unigrams”, “bigrams”, and “higher-order N-grams”.   

Claims 3 to 4 and 14 to 15 are rejected under 35 U.S.C. 103 as being unpatentable over Song et al. (U.S. Patent Publication 2009/0254501) in view of Allouche et al. (U.S. Patent Publication 2017/022323) as applied to claims 1 and 12 above, and further in view of Andress et al. (U.S. Patent Publication 2007/0174469).
Allouche et al. teaches “intercepting . . . a communication between two machines”, but omits “duplicating a communication”, “processing the duplicate communication”, and “returning the original communication to the data stream” of claims 3 and 14.  Similarly, Allouche et al. omits “receiving a communication data log, containing records of at least one communication, from a plug-in” of claims 4 and 15.  However, Andress et al. teaches intercepting communications between a client and a service, where a proxy invokes an interceptor plug-in that is plugged into the proxy.  (Abstract)  One prior art embodiment for intercepting IP data traffic is to log all IP datagrams of several user sessions at specific interception points (“receiving a communication data log”), and doing filtering analysis in order to regenerate a complete user session.  (¶[0006])  An incoming or outgoing call for a certain telephone number is Andress et al., then, teaches these limitations of “duplicating a communication” and “a plug-in” that stores information of “a communication log data”.  Implicitly, if a message is duplicated, then an original message continues to a recipient, which is equivalent to “returning the original communication to the data stream.”  An objective is to enable interception of a customer’s communication for law enforcement agencies, and to provide an improved method for intercepting data traffic.  (¶[0002] and ¶[0011])  It would have been obvious to one having ordinary skill in the art to provide a plug-in for interception of logged data and to duplicate a communication as taught by Andress et al. to monitor anomalies of communications in a communication protocol of Allouche et al. for a purpose of providing an improved method for intercepting data traffic for law enforcement agencies.





Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicants’ disclosure.
Gureghian et al., Jurca et al., Ramsey, Reddy et al., and Shang et al. disclose related prior art.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARTIN LERNER whose telephone number is (571) 272-7608. The examiner can normally be reached Monday-Thursday 8:30 AM-6:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Daniel Washburn can be reached on (571) 272-5551. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center.  Unpublished application information in Patent Center is available to registered users.  To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov.  Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.  For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 





/MARTIN LERNER/Primary Examiner
Art Unit 2657                                                                                                                                                                                                        November 23, 2021