EXAMINER'S AMENDMENT
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Matthew Karas on 1/7/22.

The application has been amended as follows:
Cancel claims 23 and 37.
Replace the remaining claims with the following:

“21.	(Currently Amended) A non-transitory computer-readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for identifying controller anomalies, comprising:
receiving first data representing real-time operation activity of a controller;
receiving second data relating to operation activity of at least one other controller;
comparing, using a statistical model generated based on time-based analysis of at least one runtime attribute of the at least one other controller, the first data with the second data to identify, based on a deviation between the first data and the second data, at least one anomaly associated with the real-time operation activity of the controller, wherein the at least one runtime attribute comprises at least one of:
a function called by the at least one other controller;
a sequence of functions called by the at least one other controller;
central processing unit (CPU) usage of the at least one other controller;
memory usage of the at least one other controller;
memory sequences accessed by the at least one other controller;
cache contents of the at least one other controller; or
cache accessing history of the at least one other controller; and
when the at least one anomaly is identified based on the deviation, sending a delta file to the controller, wherein the delta file is configured:
to change software on a single memory component of the controller from a first version to a second version by linking the delta file to execution of the software on the single memory component; and
to be stored on the controller adjacent to the first version of the controller software.

22.	The non-transitory computer-readable medium of claim 21, wherein the delta file comprises at least one position-independent executable code segment.

24.	The non-transitory computer-readable medium of claim 21, wherein the delta file is configured to change the software on the single memory component without interrupting execution of the software on the single memory component.

25.	The non-transitory computer-readable medium of claim 21, wherein the controller and the at least one other controller are comparable based on at least one of:
respective control functions of the controller and the at least one other controller; or
respective rules of the controller and the at least one other controller.

26.	The non-transitory computer-readable medium of claim 21, wherein the second data relates to operation activity of multiple controllers.

27.	The non-transitory computer-readable medium of claim 21, wherein the second data is selected based on at least one of: at least one known valid sequence of execution of the software, at least one known potentially malicious sequence of execution of the software, or a map file associated with the software.

28.	The non-transitory computer-readable medium of claim 21, wherein the at least one anomaly corresponds to at least one of: a memory location accessed by the controller, a sequence of memory locations accessed by the controller, a peak in data flow to or from the controller, a peak in data processing by the controller, or an anomalous power consumption behavior of the controller.

29.	The non-transitory computer-readable medium of claim 21, wherein the comparing uses a machine learning technique to identify the at least one anomaly.

30.	The non-transitory computer-readable medium of claim 21, wherein the delta file is multidimensional and comprises at least one of: a binary data dimension, a source attribute dimension, or a map file dimension.

31.	The non-transitory computer-readable medium of claim 21, wherein the delta file comprises startup code configured to at least:
initialize a runtime library of the delta file;
update a program counter of the controller; or
update memory addresses of the controller.

32.	The non-transitory computer-readable medium of claim 21, wherein the controller is configured to adjust the first version of the software to be non-executable.

33.	The non-transitory computer-readable medium of claim 21, wherein the software is mapped to a plurality of functional units, and the controller is configured to utilize a virtual file system (VFS) to manage and track one or more versions of each of the plurality of functional units.

34.	The non-transitory computer-readable medium of claim 33, wherein the controller is configured to adjust the first version of the software to become non-executable by updating memory addresses in the single memory component corresponding to one or more functional units managed by the virtual file system (VFS).

35.	A computer-implemented method for identifying controller anomalies, the method comprising:
receiving first data representing real-time real-time operation activity of a controller;
receiving second data relating to operation activity of at least one other controller;
comparing, using a statistical model generated based on time-based analysis of at least one runtime attribute of the at least one other controller, the first data with the second data to identify, based on a deviation between the first data and the second data, at least one anomaly associated with the real-time operation activity of the controller, wherein the at least one runtime attribute comprises at least one of:
a function called by the at least one other controller;
a sequence of functions called by the at least one other controller;
central processing unit (CPU) usage of the at least one other controller;
memory usage of the at least one other controller;
memory sequences accessed by the at least one other controller;
cache contents of the at least one other controller; or
cache accessing history of the at least one other controller; and
when the at least one anomaly is identified based on the deviation, sending a delta file to the controller, wherein the delta file is configured:
to change software on a single memory component of the controller from a first version to a second version by linking execution of the delta file to execution of the software on the single memory component; and
to be stored on the controller adjacent to the first version of the controller software.

36.	The computer-implemented method of claim 35, wherein the delta file comprises at least one position-independent executable code segment.

38.	The computer-implemented method of claim 35, wherein the second data relates to operation activity of multiple controllers.

39.	The computer-implemented method of claim 35, wherein the second data is selected based on at least one of: at least one known valid sequence of execution of the software, at least one known potentially malicious sequence of execution of the software, or a map file associated with the software.

40.	The computer-implemented method of claim 35, wherein the at least one anomaly corresponds to at least one of: a memory location accessed by the controller, a sequence of memory locations accessed by the controller, a peak in data flow to or from the controller, a peak in data processing by the controller, or an anomalous power consumption behavior of the controller.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARC M DUNCAN whose telephone number is (571)272-3646. The examiner can normally be reached M-F 7-330.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo can be reached on 571-272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MARC DUNCAN/Primary Examiner, Art Unit 2113