DETAILED ACTION
1. This Non-Final Office Action is in response to the application filed on 07/16/2020. Claims 1-16 are being considered on the merits. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
2. 	The drawings filed on 07/16/2020 are accepted. 
Information Disclosure Statement
3.	The information disclosure statement (IDS) submitted on 03/01/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of the Applicant’s IDS form 1449 filed on 03/01/2021 is attached to this office action. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



4.	Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub No. US 2018/0262466 A1 to Atad, (hereinafter, “Atad”) in view of US Pub. No. US 2017/0353484 A1 to Knapp, (hereinafter, “Knapp”).
As per claim 1, Atad teaches a vehicular firewall provision device comprising: 
(Atad, para. [0030] “computing device or system 100 may be included in one or more IDPS units connected to an in-vehicle network as further described herein. Computing device 100 may include a controller 105 that may be a hardware controller. For example, a computer hardware processor or hardware controller 105 may be, or may include, a central processing unit processor (CPU), a chip or any suitable computing or computational device.”) configured to: 
match a data packet received from an external device with a plurality of rules (Atad, para. [0049] “packets matching the security filters may be sent to a security layer or unit for further analysis. If a message is classified as anomalous, suspected or malicious, it may be logged and may be blocked, according to a configuration of a system. A log of suspected and malicious events may be sent to a central management server for analysis.” And para. [0050] “an embodiment may use statistical filters for selecting which of the packets are to be examined or analyzed. Any rules or criteria may be used for selecting packets or messages for examination or inspection.”), 
temporally store a plurality of pieces of log data of a plurality of data packets that are dropped according to at least one of the plurality of rules, when data throughput of at least one electronic device included in a vehicle is equal to or greater than a reference value (Atad, para. [0054] “To process messages, rule engine unit 215 may use rulesets 225, vehicle state memory 230 and data in storage 220 such as logs and statistical information as shown. A decision 230 may be produced by IDPS 200. For example, a decision 230 may be that a specific packet or message is anomalous and/or related to a cyber threat, e.g., injected into an in-vehicle network by malicious code in an infected ECU.” And para. [0055] “filter rules 205 may include a whitelist of allowed packets as well as a blacklist of blocked packets. Filter rules 205 may be based on any one of: the payload (metadata and content) of packets, current state of the vehicle (for example its speed) and/or the state of the system.” And para. [0061] “Examples of an anomalous reading would be a signal that unexpectedly transitions to a dramatically different value or a reading outside of the defined range.” And para. [0068] “having determined that ECU 310 has been compromised (e.g., it is controlled by code injected thereto by a hacker), IDPS 200 may update TCAM 305 to include a rule or filter that causes switch 300 to drop or block packets coming from ECU 310.”), and 
Atad teaches all the limitations of claim 1 above; however, Atad fails to explicitly teach, but Knapp teaches:
encrypt the plurality of pieces of log data that are temporally stored, when the data throughput is less than the reference value (Knapp, para. [0098] “A determination is made whether any malware has been detected at step 806. For any file determined to be clean (lacking any malware), the clean file is digitally signed and possibly encrypted at step 808. This could include, for example, the SMX server 105 calculating a hash of each clean file and possibly using an encryption key known to the SMX agents 103 to encrypt each clean file. For any file determined to be infected (containing malware), the infected file is quarantined and the event is logged at step 810. This could include, for example, the SMX server 105 using an anti-virus or anti-malware tool to quarantine each infected file. This could also include the SMX server 105 updating a log file on the SMX kiosk 104 or on the storage device 402 to identify the malware or infected file. Any infected file is not digitally signed or encrypted.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).

As per claim 2, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 1, further comprising: 
a packet handler configured to receive the plurality of data packets (Atad, para. [0041] “one or more IDPS units or systems that may be included in a vehicle, e.g., connected to an in-vehicle Ethernet or other network. An IDPS unit may be, or may include, a cyber security protection layer for automotive ethernet or other networks that detects cyber-attacks and prevents them from affecting the vehicle by applying deep packet inspection (DPI) technologies and context aware filters on different layers of the network communication.”); 
a detector configured to filter a data packet based on the plurality of rules among the plurality of data packets (Atad, para. [0042] “an in-depth security approach is implemented by some embodiments to detect and prevent an attacker attempting to broaden his campaign from the attack surface penetrated to additional vehicle services and functionalities.” And para. [0045] “some embodiments may use static network configuration and enforce use-case based switching rules, e.g., enforce per use-case data flows. To successfully detect and block packet fabrication attacks, some embodiments may perform stateful DPI on automotive applications and diagnostics services.”); and 
a logger configured to collect a plurality of pieces of log data of the plurality of data packets that are dropped (Atad, para. [0049] “packets matching the security filters may be sent to a security layer or unit for further analysis. If a message is classified as anomalous, suspected or malicious, it may be logged and may be blocked, according to a configuration of a system. A log of suspected and malicious events may be sent to a central management server for analysis.”).

As per claim 3, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 2, wherein the logger is configured to: 
when an amount of data received from the external device is equal to or greater than a reference value, temporally store the plurality of pieces of log data of the plurality of data packets that are dropped according to at least one of the plurality of rules (Atad, para. [0051] “Packets or messages statistically or otherwise selected for inspection may be sent to a security layer or unit (e.g., in an IDPS as described herein) for further analysis. Any metadata or information related to packets may be examined. For example, a timestamp representing the time a message was sent or received, the rate, frequency or number of packets per time unit, the average size of packets, the largest or smallest packet size seen and so on may all be collected or determined (e.g., by a sensor or by an IDPS) and included in metadata as described, and the metadata may be sent and/or used for further analysis aimed at identifying a cyber threat.” And para. [0061] “A signal content analysis layer or unit in IDPS 200 may be designed to detect, identify and/or characterize irrational "behavior" by reading the signal's values. Examples of an anomalous reading would be a signal that unexpectedly transitions to a dramatically different value or a reading outside of the defined range.”), and 
when the amount of data received from the external device is less than the reference value, encrypt the plurality of pieces of log data that are temporally stored (Knapp, para. [0077] “the scanning of files and the determination of which files are considered "clean" could be done in any suitable manner, such as by using a third-party anti-virus or anti-malware software package, pre-defined configuration files, or manual configurations. Further, the storage device 402 itself and individual files on the storage device 402 could be signed in any suitable manner. For instance, an SMX server 105 could digitally sign the storage device 402 itself by storing a hash on the storage device 402, and the SMX server 105 could digitally sign each file by storing a hash for each file on the storage device 402, potentially within the file manifest.” And para. [0098] “A determination is made whether any malware has been detected at step 806. For any file determined to be clean (lacking any malware), the clean file is digitally signed and possibly encrypted at step 808. This could include, for example, the SMX server 105 calculating a hash of each clean file and possibly using an encryption key known to the SMX agents 103 to encrypt each clean file. For any file determined to be infected (containing malware), the infected file is quarantined and the event is logged at step 810...Any infected file is not digitally signed or encrypted.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).

As per claim 4, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 2, wherein the logger is configured to: 
when hacking attacks are detected, temporally store the plurality of pieces of log data of the plurality of data packets that are dropped according to at least one of the plurality of rules (Atad, para. [0049] “packets matching the security filters may be sent to a security layer or unit for further analysis. If a message is classified as anomalous, suspected or malicious, it may be logged and may be blocked, according to a configuration of a system. A log of suspected and malicious events may be sent to a central management server for analysis.” And para. [0054] “To process messages, rule engine unit 215 may use rulesets 225, vehicle state memory 230 and data in storage 220 such as logs and statistical information as shown. A decision 230 may be produced by IDPS 200. For example, a decision 230 may be that a specific packet or message is anomalous and/or related to a cyber threat, e.g., injected into an in-vehicle network by malicious code in an infected ECU.”), and 
when the hacking attacks are terminated, encrypt the plurality of pieces of log data that are temporally stored (Knapp, para. [0077] “the scanning of files and the determination of which files are considered "clean" could be done in any suitable manner, such as by using a third-party anti-virus or anti-malware software package, pre-defined configuration files, or manual configurations. Further, the storage device 402 itself and individual files on the storage device 402 could be signed in any suitable manner. For instance, an SMX server 105 could digitally sign the storage device 402 itself by storing a hash on the storage device 402, and the SMX server 105 could digitally sign each file by storing a hash for each file on the storage device 402, potentially within the file manifest.” And para. [0098] “A determination is made whether any malware has been detected at step 806. For any file determined to be clean (lacking any malware), the clean file is digitally signed and possibly encrypted at step 808. This could include, for example, the SMX server 105 calculating a hash of each clean file and possibly using an encryption key known to the SMX agents 103 to encrypt each clean file. For any file determined to be infected (containing malware), the infected file is quarantined and the event is logged at step 810...Any infected file is not digitally signed or encrypted.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).

As per claim 5, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 2, wherein the logger configured to: 
when an amount of data generated about an object outside the vehicle is equal to or greater than a reference value, temporally store the plurality of pieces of log data of the plurality of data packets that are dropped according to at least one of the plurality of rules (Atad, para. [0049] “packets matching the security filters may be sent to a security layer or unit for further analysis. If a message is classified as anomalous, suspected or malicious, it may be logged and may be blocked, according to a configuration of a system. A log of suspected and malicious events may be sent to a central management server for analysis.” And para. [0054] “To process messages, rule engine unit 215 may use rulesets 225, vehicle state memory 230 and data in storage 220 such as logs and statistical information as shown. A decision 230 may be produced by IDPS 200. For example, a decision 230 may be that a specific packet or message is anomalous and/or related to a cyber threat, e.g., injected into an in-vehicle network by malicious code in an infected ECU.” And para. [0061] “an automotive application protection layer module or unit in IDPS 200 may include a signal content analysis detection unit or layer that may analyze, identify, detect and/or characterize network traffic based on physical properties of the data carried by the automotive application level signals. A signal content analysis layer or unit in IDPS 200 may be designed to detect, identify and/or characterize irrational "behavior" by reading the signal's values. Examples of an anomalous reading would be a signal that unexpectedly transitions to a dramatically different value or a reading outside of the defined range.”), and
when the amount of data generated about the object outside the vehicle is less than the reference value (Atad, para. [0062] “An automotive application protection layer, module or unit in IDPS 200 may include an AVB packets timing analysis unit or layer that may be adapted to analyze, identify, detect and/or characterize AVB packets timing. This may include, for example, checking frame frequency against what would be expected.”), 
encrypt the plurality of pieces of log data that are temporally stored (Knapp, para. [0098] “A determination is made whether any malware has been detected at step 806. For any file determined to be clean (lacking any malware), the clean file is digitally signed and possibly encrypted at step 808. This could include, for example, the SMX server 105 calculating a hash of each clean file and possibly using an encryption key known to the SMX agents 103 to encrypt each clean file. For any file determined to be infected (containing malware), the infected file is quarantined and the event is logged at step 810...Any infected file is not digitally signed or encrypted.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).

As per claim 6, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 2, wherein the logger is configured to aggregate and temporally store the plurality of pieces of log data (Atad, para. [0047] “Some embodiments may update security policy over the air, e.g., in some embodiments, security solution may be adaptive, allowing "virtual patching" of new vulnerabilities as they are released. Some embodiments may detect and log suspected attacks that may have bypassed some preventative security measures. Once detected, these bypass events may be aggregated across a fleet on a centralized off board server in order to analyze, understand and prepare the proper response.”).

As per claim 7, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 6, wherein the logger is configured to aggregate and temporally store the plurality of pieces of log data for respective identifications (IDs) of the plurality of rules (Atad, para. [0047] “Some embodiments may update security policy over the air, e.g., in some embodiments, security solution may be adaptive, allowing "virtual patching" of new vulnerabilities as they are released. Some embodiments may detect and log suspected attacks that may have bypassed some preventative security measures. Once detected, these bypass events may be aggregated across a fleet on a centralized off board server in order to analyze, understand and prepare the proper response.” And para. [0051] “Packets or messages statistically or otherwise selected for inspection may be sent to a security layer or unit (e.g., in an IDPS as described herein) for further analysis. Any metadata or information related to packets may be examined. For example, a timestamp representing the time a message was sent or received, the rate, frequency or number of packets per time unit, the average size of packets, the largest or smallest packet size seen and so on may all be collected or determined (e.g., by a sensor or by an IDPS) and included in metadata as described, and the metadata may be sent and/or used for further analysis aimed at identifying a cyber threat.”).
As per claim 8, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 6, wherein each of the plurality of pieces of log data includes at least one of a generation time, an internet protocol (IP) address, a port, or a protocol (Atad, para. [0095] “the exemplary behavior (or expected behavior) or characteristics of a message provided in words above may be defined, represented, or be included, in a model using a set of values in an entry of, or for, a specific message group, type or category. For example, messages may be identified, grouped, identified or characterized according to an IP and port combination such that an embodiment can associate a specific behavior and/or apply specific rules to a specific group or category of messages. For example, based on an IP address and port, all messages sent by a specific ECU and/or to a specific ECU may be grouped or categorized (e.g., as related to a specific flow) and the grouped or categorized messages may be analyzed or processed according to rules or criteria that are specific to the group or category. An expected behavior or characteristics of a message may refer to the behavior of a group of messages having a common message type, message ID, description, etc. Accordingly, since a model may define and/or represent an expected behavior or characteristics, a model may be used, by IDPS 200, in order to determine compliance with an expected behavior or characteristics. A model may include thresholds that may be used in order to identify anomalies or cyber threats or cyber-attacks as described herein.”).
As per claim 9, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 6, wherein the logger is configured to: 
aggregate the plurality of pieces of log data and temporally store the plurality of pieces of log data in a buffer, and when a capacity of the buffer is exceeded, store the plurality of pieces of log data that are aggregated in a storage (Atad, para. [0034] “Storage system 140 may be or may include, for example, a memory chip, a hard disk drive, a universal serial bus (USB) device or other suitable removable and/or fixed storage unit. As shown, storage system 140 may include rules 141, vehicle state 142, logs 143, network state 144, system characteristics 145, system state 146 and model 147.” And para. [0035] “Rules 141, vehicle state 142, logs 143, network state 144, system characteristics 145, system state 146 and model 147 may be, may be stored in or may be represented by any suitable digital data structure or construct or computer data objects that enables storing, retrieving and modifying values. For example, rules 141, vehicle state 142, logs 143, network state 144, system characteristics 145, system state 146 and model 147 may be files, tables or lists in a database in storage system 140, and may each include a number of fields that can be set or cleared, a plurality of parameters for which values can be set, a plurality of entries that may be modified, and so on. For example, a vehicle's state may be set, cleared or modified in a vehicle state 142 by modifying digital data in a vehicle state 142 digital object.” And para. [0036] “Content may be loaded from storage system 140 into memory 120 where it may be processed by controller 105. For example, a value indicating or representing a vehicle's state (e.g., stationary, engine is running, speed at which the vehicle is moving) may be loaded from vehicle state 142 into memory 120 and used, by controller 105, for selecting and/or applying a rule, identifying a cyber-threat” and para. [0037] “memory 120 may be a non-volatile memory (e.g., a flash memory) having the storage capacity of storage system 140.”).

As per claim 10, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 6, wherein the processor is configured to retrieve the plurality of pieces of log data that are aggregated and encrypt the plurality of pieces of log data that are retrieved (Knapp, para. [0088] “audit logs on storage devices 402 allows, among other things, the overall system to track which files are introduced to which protected nodes within a protected system via removable media. The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer…Since audit logs on storage devices 402 can be retrieved and forwarded by SMX servers 105, the SMX agents 103 and the SMX servers 105 can collect a large amount of information useful for more effective auditing of the use of removable media in a protected system.” And para. [0086] “details that may be included in the audit log file for a file activity could include a source node or device identifier, a target node or device identifier, parameters of the source and target nodes like Internet Protocol (IP) address and Medium Access Control (MAC) address, file name, file size, file type, file permissions, active user, and whether the file activity was allowed, blocked, or successful. Note, however, that any other or additional information could be stored in an audit log file as needed or desired. The audit log file can be encrypted, such as by using a certificate or locally-stored private key.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).
As per claim 11, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 6, wherein the processor is configured to encrypt the plurality of pieces of log data that are aggregated (Knapp, para. [0085] “The SMX agent 103 can save information related to all of these events or other events in an audit log file on an authorized storage device 402. For example, when an authorized storage device 402 is connected to a protected node 102, any or all available log files stored locally on the protected node 102 could be copied to the authorized storage device 402. If a file is copied from the authorized storage device 402 to the protected node 102, the SMX agent 103 can append details of the file activity to the log file on the storage device 402. If a file is copied to the storage device 402 from the protected node 102, the SMX agent 103 can again append details of the file activity to the log file on the storage device 402. If an attempted file transfer to or from the storage device 402 is blocked by the SMX agent 103, the SMX agent 103 can append details of the file activity to the log file on the storage device 402.” And para. [0086] “Example details that may be included in the audit log file for a file activity could include a source node or device identifier, a target node or device identifier, parameters of the source and target nodes like Internet Protocol (IP) address and Medium Access Control (MAC) address, file name, file size, file type, file permissions, active user, and whether the file activity was allowed, blocked, or successful. Note, however, that any other or additional information could be stored in an audit log file as needed or desired. The audit log file can be encrypted, such as by using a certificate or locally-stored private key.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).
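An added illustration of the logging scheme recited in claims 1, 6, 7, 10 and 11 as characterized above (not code from the application, Atad, or Knapp): drop records are aggregated per rule ID in a plaintext buffer while throughput is at or above the reference value, and the aggregated records are encrypted once throughput falls below it. AES-GCM, the JSON encoding, and every type and function name are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Packet holds the fields the log data may include: generation time, IP, port, protocol.
type Packet struct {
	Time      int64 // Unix seconds
	IP, Proto string
	Port      uint16
}

// DropRecord aggregates the packets dropped by one rule (hypothetical layout).
type DropRecord struct {
	Count  int
	First  int64  // generation time of the first drop
	Recent Packet // most recent dropped packet
}

// Logger keeps drop records in plaintext under load and encrypts them afterwards.
type Logger struct {
	Ref     int                 // reference throughput value (unit is an assumption)
	Pending map[int]*DropRecord // temporarily stored plaintext, keyed by rule ID
	Sealed  [][]byte            // encrypted batches: nonce || ciphertext || tag
	aead    cipher.AEAD
}

// NewLogger builds a logger that seals batches with AES-GCM; key is 16, 24 or 32 bytes.
func NewLogger(key []byte, ref int) (*Logger, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Logger{Ref: ref, Pending: map[int]*DropRecord{}, aead: aead}, nil
}

// LogDrop aggregates one dropped packet under the ID of the rule that dropped it.
func (l *Logger) LogDrop(ruleID int, p Packet) {
	rec := l.Pending[ruleID]
	if rec == nil {
		rec = &DropRecord{First: p.Time}
		l.Pending[ruleID] = rec
	}
	rec.Count++
	rec.Recent = p
}

// Tick is called with the current throughput. It encrypts the pending records
// only when throughput is below the reference value, and reports whether it did.
func (l *Logger) Tick(throughput int) (bool, error) {
	if throughput >= l.Ref || len(l.Pending) == 0 {
		return false, nil
	}
	plain, err := json.Marshal(l.Pending)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, l.aead.NonceSize()) // fresh random nonce per batch
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	l.Sealed = append(l.Sealed, l.aead.Seal(nonce, nonce, plain, nil))
	l.Pending = map[int]*DropRecord{} // discard the plaintext copy
	return true, nil
}

// Open decrypts batch i; it fails if the batch was modified or the key is wrong.
func (l *Logger) Open(i int) (map[int]DropRecord, error) {
	b, n := l.Sealed[i], l.aead.NonceSize()
	if len(b) < n {
		return nil, fmt.Errorf("batch %d too short", i)
	}
	plain, err := l.aead.Open(nil, b[:n], b[n:], nil)
	if err != nil {
		return nil, err
	}
	recs := map[int]DropRecord{}
	err = json.Unmarshal(plain, &recs)
	return recs, err
}

func main() {
	l, err := NewLogger(make([]byte, 32), 100) // constructed all-zero demo key
	if err != nil {
		panic(err)
	}
	l.LogDrop(1, Packet{Time: 10, IP: "203.0.113.7", Proto: "tcp", Port: 23}) // constructed
	sealedBusy, _ := l.Tick(150) // busy: records stay in the plaintext buffer
	sealedIdle, _ := l.Tick(40)  // idle: records are encrypted
	fmt.Println(sealedBusy, sealedIdle, len(l.Sealed))
}
```

While throughput stays at or above the reference value the records sit unencrypted in memory, so the length of that window is the exposure a reviewer of such a design would want bounded.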
As per claim 12, the combination of Atad and Knapp teach the vehicular firewall provision device of claim 1, wherein the plurality of rules includes: 
a black list rule generated based on an internet protocol (IP) address and a port, the black list rule defined as a list of a data packet excluded from a processing target; and a white list rule generated based on an IP address and a port, the white list defined as a list of a data packet included in the processing target (Atad, para. [0055] “filter rules 205 may include a whitelist of allowed packets as well as a blacklist of blocked packets. Filter rules 205 may be based on any one of: the payload (metadata and content) of packets, current state of the vehicle (for example its speed) and/or the state of the system.” And para. [0058] “model 147 or ruleset 225 may include a network specification enforcement layer or unit that may be designed and adapted to ensure that packets seen on the network are in accordance with a network's use-case specification. For example, this layer may include enforcing rules, criteria or other logic on gateway ports, VLAN, media access control (MAC) addresses, IP addresses, layer 4 (L4) ports and allowed application identifiers, e.g., a network layer may include rules related to SOME/IP service discovery, DoIP initiation and termination and the like.”).

As per claim 13, Atad teaches an operation method of a vehicular firewall provision device, the method comprising: 
receiving, by at least one processor, a plurality of data packets from an external device; matching, by the at least one processor, the plurality of data packets with a plurality of rules (Atad, para. [0049] “packets matching the security filters may be sent to a security layer or unit for further analysis. If a message is classified as anomalous, suspected or malicious, it may be logged and may be blocked, according to a configuration of a system. A log of suspected and malicious events may be sent to a central management server for analysis.” And para. [0050] “an embodiment may use statistical filters for selecting which of the packets are to be examined or analyzed. Any rules or criteria may be used for selecting packets or messages for examination or inspection.”); 
temporally storing, by the at least one processor, a plurality of pieces of log data of a plurality of data packets that are dropped according to at least one of the plurality of rules, when data throughput of at least one electronic device included in a vehicle is equal to or greater than a reference value (Atad, para. [0054] “To process messages, rule engine unit 215 may use rulesets 225, vehicle state memory 230 and data in storage 220 such as logs and statistical information as shown. A decision 230 may be produced by IDPS 200. For example, a decision 230 may be that a specific packet or message is anomalous and/or related to a cyber threat, e.g., injected into an in-vehicle network by malicious code in an infected ECU.” And para. [0055] “filter rules 205 may include a whitelist of allowed packets as well as a blacklist of blocked packets. Filter rules 205 may be based on any one of: the payload (metadata and content) of packets, current state of the vehicle (for example its speed) and/or the state of the system.” And para. [0061] “Examples of an anomalous reading would be a signal that unexpectedly transitions to a dramatically different value or a reading outside of the defined range.” And para. [0068] “having determined that ECU 310 has been compromised (e.g., it is controlled by code injected thereto by a hacker), IDPS 200 may update TCAM 305 to include a rule or filter that causes switch 300 to drop or block packets coming from ECU 310.”); and 
Atad teaches all the limitations of claim 13 above; however, Atad fails to explicitly teach, but Knapp teaches:
encrypting, by the at least one processor, the plurality of pieces of log data that are temporally stored, when the data throughput is less than the reference value (Knapp, para. [0098] “A determination is made whether any malware has been detected at step 806. For any file determined to be clean (lacking any malware), the clean file is digitally signed and possibly encrypted at step 808. This could include, for example, the SMX server 105 calculating a hash of each clean file and possibly using an encryption key known to the SMX agents 103 to encrypt each clean file. For any file determined to be infected (containing malware), the infected file is quarantined and the event is logged at step 810. This could include, for example, the SMX server 105 using an anti-virus or anti-malware tool to quarantine each infected file. This could also include the SMX server 105 updating a log file on the SMX kiosk 104 or on the storage device 402 to identify the malware or infected file. Any infected file is not digitally signed or encrypted.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Knapp’s cyber-security threat intelligence into Atad’s cyber security method, with a motivation to bridge cyber-security threat intelligence into a protected system (Knapp, para. [0013]).
As per claim 14, the combination of Atad and Knapp teaches the method of claim 13, further comprising: aggregating and temporally storing, by the at least one processor, the plurality of pieces of log data (Atad, para. [0047] “Some embodiments may update security policy over the air, e.g., in some embodiments, security solution may be adaptive, allowing "virtual patching" of new vulnerabilities as they are released. Some embodiments may detect and log suspected attacks that may have bypassed some preventative security measures. Once detected, these bypass events may be aggregated across a fleet on a centralized off board server in order to analyze, understand and prepare the proper response.”).
As per claim 15, the combination of Atad and Knapp teaches the method of claim 14, wherein the encrypting includes: retrieving, by the at least one processor, the plurality of pieces of log data that are aggregated; and encrypting, by the at least one processor, the plurality of pieces of log data that are retrieved (Knapp, para. [0088] “audit logs on storage devices 402 allows, among other things, the overall system to track which files are introduced to which protected nodes within a protected system via removable media. The details contained in an audit log could include pertinent details of file input/output (I/O), such as the active user, date, time, source file, and target system information related to a file transfer…Since audit logs on storage devices 402 can be retrieved and forwarded by SMX servers 105, the SMX agents 103 and the SMX servers 105 can collect a large amount of information useful for more effective auditing of the use of removable media in a protected system.” And para. [0086] “details that may be included in the audit log file for a file activity could include a source node or device identifier, a target node or device identifier, parameters of the source and target nodes like Internet Protocol (IP) address and Medium Access Control (MAC) address, file name, file size, file type, file permissions, active user, and whether the file activity was allowed, blocked, or successful. Note, however, that any other or additional information could be stored in an audit log file as needed or desired. The audit log file can be encrypted, such as by using a certificate or locally-stored private key.”).
(Knapp, para. [0013]). 
As per claim 16, the combination of Atad and Knapp teaches the method of claim 14, wherein the encrypting includes encrypting, by the at least one processor, the plurality of pieces of log data that are aggregated (Knapp, para. [0085] “The SMX agent 103 can save information related to all of these events or other events in an audit log file on an authorized storage device 402. For example, when an authorized storage device 402 is connected to a protected node 102, any or all available log files stored locally on the protected node 102 could be copied to the authorized storage device 402. If a file is copied from the authorized storage device 402 to the protected node 102, the SMX agent 103 can append details of the file activity to the log file on the storage device 402. If a file is copied to the storage device 402 from the protected node 102, the SMX agent 103 can again append details of the file activity to the log file on the storage device 402. If an attempted file transfer to or from the storage device 402 is blocked by the SMX agent 103, the SMX agent 103 can append details of the file activity to the log file on the storage device 402.” And para. [0086] “Example details that may be included in the audit log file for a file activity could include a source node or device identifier, a target node or device identifier, parameters of the source and target nodes like Internet Protocol (IP) address and Medium Access Control (MAC) address, file name, file size, file type, file permissions, active user, and whether the file activity was allowed, blocked, or successful. Note, however, that any other or additional information could be stored in an audit log file as needed or desired. The audit log file can be encrypted, such as by using a certificate or locally-stored private key.”).
(Knapp, para. [0013]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20180103036 A1 – Vehicle management, detection and control. 
US 20180183832 A1 – Security routing with IoT devices. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437           


/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437