Notice of Pre-AIA  or AIA  Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-20 are pending.
Election/Restrictions
	Restriction to one of the following inventions is required under 35 U.S.C. 121:
I.          Claims 1-15 are drawn to cyber attack detection, classified in GH04L63/1416, malware detection.
II. 	Claims 16-20 are drawn to developing a fault model, classified in H04L63/1433, vulnerability analysis.
		Inventions (I) and (I) related as subcombinations disclosed as usable together in a single combination.  The subcombinations are distinct from each other if they are shown to be separately usable.  In the instant case, invention ( I ) do not require: a mechanism for developing a fault model, comprising a cyber modeling module, an integrated vehicle health management (IVHM modeling module and the cyber modelling module and the IVHM modeling module combined together to output a combined fault model (as recited in invention II).
		 Invention ( II ) does not require: an integrated equipment fault and cyber attack detection arrangement comprising: and intrusion detection system (IDS)…a security operations center(SOC)…detecting anomalies … the patterns that are unrecognized are investigated …and patterns recognized result in a recommended maintenance plan, or a method of intrusion detection comprising: detecting cyber attacks and equipment failure upon a vehicle, reviewing anomaly...detecting issues from reviewing…and investigating the issues(as recited in invention I). 
	Applicant elected group 1 (claims 1-15) without traverse in a telephonic communication on 12-08-2021.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 04-15-2020 and 01-09-2020 has been considered. Please see attached PTO-1449. 
Objection to specification (abstract)

	The abstract must be as concise as the disclosure permits, preferably not exceeding 150 words in length. The abstract may not include other parts of the application or other material. (MPEP 608.01 (b)).

	The abstract has been objected to for the following informalities:

	The abstract should be 150 words or less. The abstract exceed 150 word. Appropriate correction required.
Drawings
	Figure 6 and 7 of the drawings are objected to because text of the figures are light and not readable.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application.

CLAIM INTERPRETATION
	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
	The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting intrusion detection system” and “vehicle health management (IVHM) module”.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. (e.g., see Specification, pages 8-10).
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Endo et al. (US Publication No.2019/0028493 ) in view of Hanks et al. (US Publication No.2012/0304007).


As per claim 1, Endo discloses an integrated equipment fault and cyber attack detection arrangement comprising: an intrusion detection system (IDS) for sensing cyber attacks upon a vehicle (paragraph [0020], “mobile unit configured to detect the attack performed on the mobile unit ); a security operations center (SOC) connected to the IDS for receiving cyber attacks (paragraph [0020], mobile unit transmit the attack information to server device(SOC)); and an integrated vehicle health management (IVHM) module connected to the SOC to process the cyber attacks (figure 1, Vehicle Mounted Terminal 400 (IVHM) connected to server 100, paragraph [0042], “the vehicle-mounted terminal 400 is configured to be capable of communicating with the server device 100 (SOC)); and wherein: the cyber attacks and equipment failures are regarded as anomalies (paragraph [0020], detecting attack are regarded as detected anomalies); detected anomalies having patterns from the IDS are passed on by the SOC to the [IVHM module] for pattern recognition (paragraph [0046], “the server device 100 periodically distributes the content of the databased (i.e., information related to an identified attacker) to plurality of communication devices).
	While Endo discloses detected anomalies are passed on by the server 100 (SOC) to plurality of communication devices, Endo does not explicitly disclose detected anomaly are passed to the IVHM module, patterns unrecognized by the IVHM module are sent to the SOC for analysis; the patterns that are unrecognized are investigated, and then results are passed from an investigation via a learning loop to the IVHM module; and patterns recognized by the IVHM module result in a recommended maintenance plan.
	Further Endo does not recite equipment failure (for sensing, receiving and to process the equipment failure). 
	However, in an analogous art, Hanks discloses, detected anomalies having patterns from the IDS are passed to the IVHM module for pattern recognition (paragraph [0052], event processor component collects events and forwards events to CEP component, past event database and comparison component of machine learning component, paragraph [0053],  CEP component and/or machine learning component (IVHM) determine an actual behavior of control system based on events, comparing the actual behavior to expected behavior); patterns unrecognized by the IVHM module are sent to the SOC paragraph [0055], when either CEP  component or machine learning component determines that the actual behavior differs (patterns unrecognized) from the expected behavior, decision support (SOC) component notified of differences); the patterns that are unrecognized are investigated, and then results are passed from an investigation via a learning loop  [to the IVHM module] (paragraph [0048], output from both CEP and machine Learning components are processed by decision support component. Decision support component executes one or more action based on complex event from CEP and/or based on detected abnormalities from machine learning component, action such as, instruct a controller to perform a command); and patterns recognized by the IVHM module result in a recommended maintenance plan (paragraph [0061], learning system updates AI event correlation model based on the event correlations identified, paragraph [0062], CEP or decision support component updates user policies to remove or adjust a rule. Similarly, learning system update AI event correlation model).	Further, Hanks discloses identifying, detecting and processing abnormal behavior of the system (paragraph [0032], “identifying abnormal behavior”, paragraph [0036], “abnormal behavior may be detected” , paragraph [0043], “CEP component 315may determine whether abnormalities are due to maintenance issues, faulty sensors”,[0056]).
	While Hanks discloses results are passed from an investigation to controller, Hanks does not disclose the result are passed to IVHM. However, passing result to IVHM instead of another entity (a controller) does not require an inventive step. It would have been within the knowledge of an ordinary skill in the art to easily make such modification without implementing any inventive step. One of ordinary skill in the art would have been motivated and capable to communicate/pass data (result) to any entity depending on arrangement of the system, in order to achieve the predictable result of providing notification and report according to the system arrangement. 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Endo with Hanks, in order to achieve the predictable result of identifying abnormal behavior in a control system.
	As per claim 5, Hanks furthermore discloses, wherein the investigation is performed by a human (paragraph [0046], “human control interface” performs the investigation). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to combine Endo and Hanks, in order to enable an administrator or technician to further  review and analyze detected attacks.

	Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Endo et al. (US Publication No.2019/0028493 ) in view of Hanks et al. (US Publication No.2012/0304007), further in view of Galula et al. (US Publication No.2018/0351980).
	As per claim 2,  Endo in view of Hanks teaches all limitation of claim as applied to claim 1 above. Endo in view of Hanks does not explicitly disclose, but Galula discloses, wherein the detected anomalies include an abnormal frequency of events reported by the SOC to the IVHM module (paragraph [0052], server 210 looks for in vehicles logs and search for things which might not be indicators alone, or by themselves, but due to scope, state, context or frequency are anomalous).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Endo and Hanks with Galula, in order to detect attack based on frequency of use and characterizing attack based on frequency of messages related to an infotainment system.

	Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Endo et al. (US Publication No.2019/0028493 ) in view of Hanks set al. (US Publication No.2012/0304007), further in view of Quinn (US Publication No. 2004/0176885).
	As per claim 3, Endo in view of Hanks teaches all limitation of claim as applied to claim 1 above. While Hanks teaches updating with the results via leaning loop (Hanks, paragraph [0061]-[0062]), Endo in view of Hanks does not explicitly teach, but Quinn teaches IHVM is updated or improved (paragraph [0026], new features and functionality are added to the VHM system).
.

	Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Endo et al. (US Publication No.2019/0028493 ) in view of Hanks et al. (US Publication No.2012/0304007), further in view of Keller et al. (US Publication No. 2018/0288080).
	As per claim 4, Endo in view of Hanks teaches all limitation of claim as applied to claim 1 above. Endo in view of Hanks does not explicitly disclose but in an analogous art, Keller discloses, wherein the IVHM module outputs a recommended maintenance plan to service damage or prevent damage from cyber attacks or equipment failures (paragraph [0063], IVHM notifies a detected anomaly to a maintenance technician , the maintenance technician then performs one or more corresponding maintenance operations). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Endo and Hanks with Keller, in order to achieve the predictable result of  protecting the vehicle from anomalous behavior.

	Claims 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Endo et al. (US Publication No.2019/0028493 ) in view of Hanks et al. (US Publication No.2012/0304007), further in view of Gabay et al. (US Publication No. 2014/0074345).
	As per claim 6, Endo in view of Hanks teaches all limitation of claim as applied to claim 1 above. Endo in view of Hanks does not explicitly disclose but in an analogous art, Gabay discloses, wherein the IVHM module compares patterns of detection anomalies passed on from the SOC, with known patterns in storage of the IVHM module for identifying issues (paragraph [0073], a VHMS  further comprise one or more data storage units for storing measured VH parameters (i.e. a measurement history), results of measured VH parameter analysis (i.e. a VH history of the vehicle) and/or operating parameters of the VHMS, and paragraph [0112], a particular vehicle's measurement history and "normal" measurements may be used as a comparison ).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Endo and Hanks with Gabay, in order to determine vehicle health at a particular moment).
	As per claim 7, Gaby furthermore discloses, wherein the pattern storage of the IVHM module is updated with new or unrecognizable patterns via the learning loop (the result of analysis is used to modify operation of parameters of the VHMS). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Endo and Hanks with Gabay, in order to enable detection of newly identified attacks patterns .
	As per claim 8,  Hanks furthermore discloses wherein updating the pattern storage [of the IVHM module] is effected with machine learning (paragraph [0061], learning system updates AI event correlation model based on the event correlations identified, paragraph [0062], CEP or decision support component updates user policies to remove or adjust a rule. Similarly, learning system update AI event correlation model). While Hanks discloses updating the patent storage is effected with machine learning, Hanks does not explicitly disclose the patent storage is a storage of the IVHM module. However, one of ordinary skill in the art recognizes, the function of updating a storage with patterns or any data does not depend on the entity of the storage and could be performed regardless of which or what entity  the storage is belong to. Therefore, providing such modification would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, providing the benefit of flexibility to update pattern in storages belonging to different entities.

	Claim 9-14 are rejected under 35 U.S.C. 103 as being unpatentable over Hanks et al. (US Publication No.2012/0304007), in view of Endo et al. (US Publication No. 2019/0028493).
	As per claim 9, Hanks discloses a method for intrusion detection comprising: detecting cyber attacks and equipment failures upon a vehicle (paragraph [0047]) detecting anomaly and  paragraph [0044], system failure); detecting issues from reviewing the anomalies having unrecognized patterns (paragraph [0055], “determine that actual behavior differs from the expected behavior); and investigating the issues of unrecognized patterns and sending information to the [IVHM] module for improvement or updating of the system pattern recognition device (paragraph [0048], output from both CEP and machine Learning components are processed by decision support component. Decision support component executes one or more action based on complex event from CEP and/or based on detected abnormalities from machine learning component, action such as, instruct a controller to perform a command, paragraph [0061]-[0062], learning module updates AI event correlation module  based on the event correlations identified  and the correlation feedback received. CEP or decision support component updates user policies. Learning system update AI event correlation model by using indication from the user as positive feedback or negative feedback).
	Hanks does not explicitly disclose, reviewing anomalies having patterns from one or more detected cyber attacks or equipment failures identified at an integrated vehicle health maintenance (IVHM) module with a symptom pattern recognition device. However, in an analogous art, Endo discloses reviewing anomalies having patterns from one or more detected cyber attacks (paragraph [0067], monitoring device stores attacker information in attacker list, detects the communication from the transmission source which corresponds to the attacker information (patterns) in the attacker list and blocks the anomalous communication, paragraph [0069], anomalous communications are exported to be analyzed (reviewed) for their attack patterns).
	While Hanks discloses sending information to controller, Hanks does not disclose sending information to the IVHM module. However, passing result to IVHM instead of another entity (a controller) does not require an inventive step. It would have been within the knowledge of an ordinary skill in the art to easily make such modification without implementing any inventive step. One of ordinary skill in the art would have been motivated and capable to communicate/pass data (result) to any entity depending on arrangement of the system, in order to achieve the predictable result of providing notification and report according to the system arrangement. 

	As per claim 10, Endo furthermore discloses wherein the unrecognized patterns are reviewed at a security operations center (SOC) (paragraph [0046], server 110, receives the attack detection information and manages the attack detection information using a database).The motivation to combine is similar to the motivation provided in claim 9.
	As per claim 11, Hanks furthermore discloses, wherein the IVHM module, in response to the review of the recognized patterns, recommends a maintenance plan for servicing a vehicle having possible damage by one or more cyber attacks or equipment failures according to a recognized pattern (paragraph [0061], learning system updates AI event correlation model based on the event correlations identified, paragraph [0062], CEP or decision support component updates user policies to remove or adjust a rule. Similarly, learning system update AI event correlation model).
	As per claim 12, Hanks furthermore teaches, the unrecognized patterns have issues that are analyzed or investigated by a human (paragraph [0046], “human control interface”) ; and one or more results of an analysis or investigation categorized as system improvement are sent back on a learning loop as information for improvement of the system pattern recognition device (claim 1, “receiving…an indication of  whether the accrual behavior is abnormal from a user …updating…the expected behavior based on the received indication, claim indication, claim 4, “updating the expected behavior comprises updating an artificial intelligence event correlation model”).
	As per claim 13, Hanks furthermore discloses, wherein the learning loop uses machine learning to update the patterns used by the system pattern recognition device ((paragraph [0061], learning system updates AI event correlation model based on the event correlations identified, paragraph [0062], CEP or decision support component updates user policies to remove or adjust a rule. Similarly, learning system update AI event correlation model).
As per claim 14, Hanks furthermore discloses, wherein the system pattern recognition device comprises a table of known patterns (paragraph [0044], “storage device is configured to store an expected behavior”).

	Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Hanks et al. (US Publication No.2012/0304007), in view of Endo et al. (US Publication No. 2019/0028493), further in view of Amiri et al. (US Publication No.2018/0288086) .
	As per claim 15, Hanks in view of Endo does not explicitly teach but in an analogous art, Amiri discloses wherein: a neural net is alternatively implemented in lieu of the table of known patterns; and a predetermined set of features are extracted from the anomalies and fed to an input layer of the neural net (paragraph [0033], neural network unit configured to perform pattern recognition on the constrained set of the one or more features and to generate output data”). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine, Hanks and Endo with Amiri, in order to achieve the predictable result of efficiently learning and detecting of malicious activities through the well know and widely used neural network.
References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Park, US Publication No.2021/0075807, discloses a system and a method for providing security to an in-vehicle network. The method efficiently operates multiple detection techniques to maintain robustness against malicious message detection while increasing overall detection efficiency.	
	Vian, Publication No. 2010/0052948, discloses transponder module for vehicles. The module has a universal vehicle sensor input interface capable of receiving sensor input from different types of vehicle sensors and from different types of vehicles. One or more processors and memory, in real time, receive vehicle sensor input data via the input interface. Based on a vehicle type stored in the memory, the processor(s) use the sensor input data to determine conditions of subsystems the vehicle.

Conclusion
	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/
Primary Examiner, Art Unit 2437