DETAILED ACTION
 	Claims 1-18 are pending. This is in response to Applicant’s Request for continued examination filed on October 31, 2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on October 31, 2021 has been entered.

Authorization for this examiner’s amendment was given in an interview with Morey Wildes #36,968 on November 23, 2021.

Claim Amendment
1. (Previously Presented) A method of detecting attacks on a communication authentication layer of an in-vehicle network, the method comprising:
 	determining, by at least one network node, at least one attack attempt on the communication authentication layer of the in-vehicle network, wherein the communication authentication layer is adapted to include an authentication code in messages and to authenticate messages based on the authentication code, and wherein the determination is carried out by identifying anomalies in at least one of: messages, data and metadata directed to the communication authentication layer; and wherein the determination is carried out by:
 	counting, by the at least one network node, the number of valid messages and the number of invalid messages received by the node during a predefined time interval, and determining that the number of valid messages is less than a first threshold; and that the number of invalid messages is greater than a second threshold, and
 	selecting, by the at least one network node, a response corresponding to the determined attack attempt, said response selected from at least one of:
 		modification of parameter values corresponding to a security protocol;
 		a failsafe response; and
 		rejection of messages identified as anomalies.

2. (Original) The method of claim 1, wherein the response is selected in accordance with the number of received messages of a predetermined type being greater than a third threshold during the predefined time interval.  

3. (Original) The method of claim 1, comprising identifying a message as an anomaly based on identification, in the message, of a code from a previously received message.

4. (Original) The method of claim 1, comprising identifying a message as an anomaly based on identification of a change in a frequency of received messages, wherein the change in frequency exceeds a predefined threshold.

5. (Original) The method of claim 1, further comprising determining a confidence level of a message being valid based on a code in the message and based on one or more codes included in one or more previously received messages, wherein if the confidence level is below a confidence level threshold the message is identified as an anomaly.  

6. (Original) The method of claim 1, comprising determining at least one pattern of messages, wherein the response is selected in accordance with determination of a predetermined pattern of messages characterized by at least one of: a sequence of message types and a time interval between messages.  

7. (Original) The method of claim 8, wherein the response is selected in accordance with determination of a pattern of messages being different from a predetermined pattern.  

8. (Original) The method of claim 1, wherein the response is selected in accordance with detection of a deviation from an expected behavior, wherein the deviation is detected based on at least one of: a timing model and a content model.  

9. (Original) The method of claim 1, further comprising sending a message to at least one node of the network, wherein the sent message comprises at least one of: an indication of a detected security risk and an indication of the selected response.  

10. (Original) The method of claim 9, wherein the sent message further comprises an indication of the type of the identified anomaly.  

11. (Original) The method of claim 1, comprising selecting predefined normal mode response based on identification of at least one of: a predefined event, a predefined time interval and a predefined command.  

12. (Original) The method of claim 1, further comprising performing at least one of: logging a message identified as an anomaly, blocking a message identified as an anomaly, and sending a signal on a communication bus to cause network nodes to disregard the message.  

13. (Original) The method of claim 1, wherein the response is selected in accordance with detection of a deviation from an expected time value progression in a plurality of secured time messages.  

14. (Previously Presented) A system for detection of at least one attack on a communication authentication layer of an in-vehicle network, the system comprising: 
 	at least one processor; and at least one electronic control unit, coupled to the processor and configured to communicate with the processor via the communication authentication layer, wherein the communication authentication layer is adapted to include an authentication code in messages and to authenticate messages based on the authentication code and wherein the processor is configured to determine at least one attack attempt on the communication authentication layer by identifying anomalies in at least one of: messages, data and metadata directed to the communication authentication layer, wherein the determination is carried out by: counting, by the at least one network node, the number of valid messages and the number of invalid messages received by the node during a predefined time interval, and determining that the number of valid messages is less than a first threshold, and the number of invalid messages is greater than a second threshold, and
APPLICANT(S): GALULA, Yaron et al. SERIAL NO.: 16/666,445 FILED: October 29, 2019
 	wherein the processor is configured to respond to an attack attempt by at least one response selected from:
 		modification of parameter values corresponding to a security protocol;
 		a failsafe response; and
 		rejection of messages identified as anomalies.

15. (Original) The system of claim 14, further comprising a communication module, coupled to the processor and configured to communicate with external devices.  

16. (Previously Presented) The method of claim 1, wherein the determination further includes: calculating a ratio by relating the number of valid messages to the number of invalid messages; and relating the calculated ratio to a predefined ratio.

17. (Previously Presented) The system of claim 14, wherein the determination further includes: calculating a ratio by relating the number of valid messages to the number of invalid messages; and relating the calculated ratio to a predefined ratio.

18.  (canceled).
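
The windowed valid/invalid count of claims 1 and 14, with the ratio test of claims 16 and 17, as an added C example that is not part of the application or any implementation by the applicant. All names, threshold values and the mapping from the ratio to a particular response are assumptions; the claims leave them open.

```c
#include <stdbool.h>
#include <stdint.h>

/* All names and numbers are assumptions; the claims give no concrete values. */
typedef enum { RESP_NONE, RESP_REJECT_ANOMALIES, RESP_FAILSAFE } response_t;

typedef struct {
    uint32_t window_ms;            /* predefined time interval */
    uint32_t min_valid;            /* first threshold */
    uint32_t max_invalid;          /* second threshold */
    uint32_t ratio_num, ratio_den; /* predefined valid:invalid ratio (claim 16) */
    uint32_t window_start_ms, valid, invalid;
} auth_monitor_t;

static response_t evaluate_window(const auth_monitor_t *m)
{
    /* Claim 1: both conditions must hold before an attack is determined. */
    if (!(m->valid < m->min_valid && m->invalid > m->max_invalid))
        return RESP_NONE;
    /* Claim 16 ratio test by cross-multiplication, so no division is needed. */
    if ((uint64_t)m->valid * m->ratio_den < (uint64_t)m->invalid * m->ratio_num)
        return RESP_FAILSAFE;
    return RESP_REJECT_ANOMALIES;
}

/* Count one received message; returns the verdict for a window that just closed. */
response_t auth_monitor_observe(auth_monitor_t *m, uint32_t now_ms, bool mac_ok)
{
    response_t r = RESP_NONE;
    /* Unsigned subtraction stays correct across timer wrap-around. */
    if ((uint32_t)(now_ms - m->window_start_ms) >= m->window_ms) {
        r = evaluate_window(m);
        m->window_start_ms = now_ms;
        m->valid = m->invalid = 0;
    }
    if (mac_ok) m->valid++; else m->invalid++;
    return r;
}

/* Constructed trace: n_valid good and n_invalid bad MACs within one 100 ms window. */
response_t simulate_window(uint32_t n_valid, uint32_t n_invalid)
{
    auth_monitor_t m = { .window_ms = 100, .min_valid = 5, .max_invalid = 10,
                         .ratio_num = 1, .ratio_den = 4 };
    for (uint32_t i = 0; i < n_valid; i++)   auth_monitor_observe(&m, 1, true);
    for (uint32_t i = 0; i < n_invalid; i++) auth_monitor_observe(&m, 2, false);
    return auth_monitor_observe(&m, 100, true); /* first message of the next window */
}

int main(void) { return simulate_window(1, 40) == RESP_FAILSAFE ? 0 : 1; }
```

Because a window here is only evaluated when the next message arrives, a node that must also react on a silent bus would call the evaluation from a periodic timer as well.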

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance: 
 	Applicant’s argument is persuasive since no art teaches, at the ECU’s communication authentication layer, counting the number of valid messages and the number of invalid messages received by the node during a predefined time interval, and determining that the number of valid messages is less than a first threshold, and the number of invalid messages is greater than a second threshold. Therefore, claims 1 and 14 are allowed. Note that Applicant submits the Terminal Disclaimer in order to avoid a Double Patenting rejection against US Patent No. 10,530,793.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Inquiry Communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994.  The examiner can normally be reached on Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.