DETAILED ACTION
Continued Examination under 37 CFR 1.114
1. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on Jan. 10, 2022 has been entered. 		
Claims 1-39 are pending.

Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Applicant’s Arguments
3.	Applicant has not filed new amendments or new claims and file the RCE with new set of arguments against the final rejection rendered on 10/04/2021. This is inherent application from another examiner. Examiner has reviewed Applicant’s arguments presented and previous arguments on 7/20/2021 and found the applicant’s arguments are persuasive only and only in view of applicants claim’s 13 and 33 limitations. Therefore the rejection of claims 13 and 

Regarding applicant’s argument on page 11, “Addepalli does not teach normal behavior models for fleets or detecting anomalies in fleet behavior as claimed.”  Examiner respectfully disagrees with the applicant and furthermore notes that Addepalli discloses normal behavior events of vehicles and detecting abnormal vehicle events as disclosed in (Col 7, line 38-53) communication system 10 can resolve the aforementioned issues relating to analyzing vehicular behavior, including vehicular behavioral analysis, remote diagnostics, predictive diagnostics, and machine device behavior. Specifically, communication system 10 can utilize a fully integrated on-board unit (OBU) 30 to manage vehicular behavioral anomalies and machine device behavioral states. Even more specifically, an integrated on-board unit (OBU) 30 is configured for managing behavioral anomalies from vehicle 4 by receiving data, comparing the data to a reference set of data, and identifying any differences between the data and the reference set of data. Data can be identified according to any currently existing or later developed means. Furthermore, an OBU can utilize a learning and monitoring process to define machine device behavior specifications for each vehicle. (Col. 7, line 54 – Col. 8, line 8)   a cloud-based platform may be accessed by a vehicle using available wireless network access options provided by OBU 30 (e.g., multiple wireless interfaces 26) and appropriate routing protocols. The cloud-based platform can provide dynamic, real time vehicle diagnostics from data provided by selected machine devices of the vehicle. Accordingly, vehicles with on-board units can provide data to a cloud for remotely managing behavioral anomalies of the vehicles and correlating the anomalies across multiple vehicles having defined similarities (e.g., model, type, parts, etc.). Additionally, a cloud-based platform can provide remote diagnoses of machine devices to assist in provide online monitoring and learning of vehicle component behavior based on interactions, combining learned behavior from many vehicles to derive a more complete behavior via a remote online service, updating vehicles with current behavior specifications, and monitoring behavior for failure detection and analysis
Regarding applicant’s argument on page 13, “Addepalli does not teach creating a normal behavior model for a fleet.” Examiner respectfully disagrees with the applicant noting that Addepalli in (Col. 12, line 57 – Col. 13 line 13) disclose that In addition to identifying deviations from trends and violations of policy, behavior engine module 25 may also adjust the reference set of data based on the set of data to form a new reference set of data when the deviation detected is within a range. For example, if data is received that a braking occurred three quarters of a second after the brake was applied, the reference set of data may be adjusted to include a delay of three quarters of a second as being part of the normal trend. A user, manufacturer, government policy, and/or algorithm may set the range. The range could be anything less than a second, half a second, or any other suitable range. By allowing the reference set of data to be adjusted, behavior engine model 25 may learn as it collects more data and becomes more accurate in identifying issues. As well as (Col. 18, lines 1-25) further disclosing Turning to FIG. 3B, FIG. 3B is a simplified block diagram illustrating a network environment in which a cloud-based platform of communication system 10 may be implemented, with specific examples of possible clouds 41 in accordance with this specification. The example embodiment of FIG. 3B includes connected vehicles 4a-d in communication with applications and services 110a-d through various communication networks, including diagnostic cloud 150, manufacturer cloud 160, dealer cloud 170, and Internet cloud 180. Each of connected vehicles 4a-d may also be in communication with various mobile devices, such as in-vehicle mobile devices 114 and 116. In general, each connected vehicle 4a-d may include an on-board unit (OBU) 30a-d that can establish and manage communications over any viable pathway, including networks 40 such as 3G/4G networks 120a-c, WiFi networks 122a-c, WiFi dedicated short range communication (DSRC) 124, and ad hoc DSRC 126a-d, for example. Connected vehicles 4a-d with established peer links between OBUs via, for example, ad hoc DSRC 126a-d, may form 
Regarding applicant’s argument on page 14, “Addepalli does not suggest combining vehicle behavior in order to create a behavior sate machine or otherwise create a normal behavior model for a fleet of connected vehicles.” Examiner respects the applicant’s interpretation and disagrees with the applicant and notes that vehicle with OBU can provide data to a cloud for communication as well as learning purposes and Addepalli disclose in (Col. 7, lines 60 – Col. 8, line 6), Accordingly, vehicles with on-board units can provide data to a cloud for remotely managing behavioral anomalies of the vehicles and correlating the anomalies across multiple vehicles having defined similarities (e.g., model, type, parts, etc.). Additionally, a cloud-based platform can provide remote diagnoses of machine devices to assist in determining actual causes of particular malfunctions. Finally, cloud-based embodiments disclosed herein provide online monitoring and learning of vehicle component behavior based on interactions, combining learned behavior from many vehicles to derive a more complete behavior via a remote online service, updating vehicles with current behavior specifications, and monitoring behavior for failure detection and analysis.  Continuing in (Col. 13, lines 21-27), By identifying different states for each machine device, learning and monitoring module 31 allows legacy systems to communicate with each other. Once a state is identified, that state may be sent to networks 40 and then used by other vehicles 59 and/or implemented in further coding of future systems. By all vehicles utilizing this process, behavioral states may quickly be identified.  In addition, Addepalli disclose, a central learning and monitoring service in (Col. 19, lines 33-50), In one embodiment, manufacturer cloud 160 may include manufacturer information 161, remote diagnosis central learning and monitoring service 164. Manufacturer cloud 160 may supply manufacturer information 161 to diagnostic cloud 150. For example, manufacturer information 161 may include templates indicating a type of car, a model of car, expected normal behaviors, and the like. A plurality of templates may be available for each car indicating various expected normal behaviors and acceptable parameter ranges. These templates along with safety defect information may be provided to time and series based trend analyzer 152a and policy based trend analyzer 152b of diagnostic cloud 150. Manufacturer cloud 160 may contact other vehicles 59 through networks 40, examples of which are shown in more detail in FIG. 3B, to relay safety information received from diagnostic cloud 150. Manufacturer cloud 160 may also improve future vehicle designs based on information received from diagnostic cloud 150.

Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
5.	Claims 1-12, 14-32, and 34-39 are rejected under 35 U.S.C. 103 as being unpatentable over Addepalli et al. (US PATENT # 8,903,593) in view of Sargolzaei et al. (2016 15th IEEE International Conference on Machine Learning and Application “A Machine Learning Approach for Fault Detection in Vehicular Cyber-Physical Systems”).

Regarding claim 1. (Addepalli, does disclose, a method for connected vehicle cybersecurity), comprising:
creating, by a remote system, a normal behavior model for a fleet of connected vehicles based on a first set of data, the first set of data including at least one first event with respect to the fleet of connected vehicles, wherein the first set of data is collected from at least one data source, wherein the remote system is remote from the fleet of connected vehicles; [Addepalli, Col. 12, line 57- Col. 13, line 3, Col. 18, lines 1-25, in addition to identifying deviations from trends and violations of policy, behavior engine module 25 may also adjust the reference set of data based on the set of data to form a new reference set of data when the deviation detected is within a range… By allowing the reference set of data to be adjusted, behavior engine model 25 may learn as it collects more data and becomes more accurate in identifying issues.  (Col. 18, lines 1-25), Referring to clouds 41, a data center or private individual cloud 45 may be, for example, an instance when a car manufacturer runs either a distributed cloud or a private cloud-computing environment, which could be for its exclusive use. Given the sensitivity of the information involved, initial deployments could likely materialize in this way. Regulatory cloud 46 may be, for example, an instance when some of the streams from the fleet of connected vehicles are sent to a common cloud for processing. Federate Cloud 47 may be, for example, an instance when different car manufacturers keep their individual clouds, but share some vital information (either voluntarily or through mandates) (e.g., set of data of normal behavior) in a common data pool, possibly accessible to agencies and researchers…];
detecting, by the remote system, an anomaly based on the normal behavior model and a second set of data [Addepalli, Col. 16, lines 9-29, FIG. 2A, while the policy based trend analyzer 32b can capture abnormal events based on population averages, it may be unable to capture driver, environment, and situation specific abnormalities…A trend curve can be constructed based on frequencies of each safety attribute set 76 and mapped using automatic clustering. Normal vehicle events can be detected by computing affinity matrices and applying eigenvalue decomposition to find clusters which represent normal behavior of the vehicle. Abnormal vehicle events can be detected by analyzing the conformity scores using various threshold weights. These weights may be dynamically configured using policies or using machine learning component 77 to reflect the learned normal behavior.],
the second set of data including a second event with respect to the fleet of connected vehicles, wherein each of the first set of data and the second set of data includes vehicle data related to operation of the fleet of connected vehicles, wherein each event represents a communication with the vehicle of the fleet of connected vehicles [Addepalli, Col. 7, line 38- Col. 8, line 6, Col. 12, lines 21-32, Col. 18, lines 1-25, FIG. 3B, communication system 10 can resolve the aforementioned issues relating to analyzing vehicular behavior, including vehicular behavioral analysis, remote diagnostics, predictive diagnostics, and machine device behavior. Specifically, communication system 10 can utilize a fully integrated on-board unit (OBU) 30 to manage vehicular behavioral anomalies and machine device behavioral states. Even more specifically, an integrated on-board unit (OBU) 30 is configured for managing behavioral anomalies from vehicle 4 by receiving data, comparing the data to a reference set of data, and identifying any differences between the data and the reference set of data…Accordingly, vehicles with on-board units can provide data to a cloud for remotely managing behavioral anomalies of the vehicles and correlating the anomalies across multiple vehicles having defined similarities (e.g., model, type, parts, etc.). (Col. 18, lines 1-25 FIG, 3B), referring to clouds 41, a data center or private individual cloud 45…Regulatory cloud 46 may be, for example, an instance when some of the streams from the fleet of connected vehicles are sent to a common cloud for processing. Federate Cloud 47 may be, for example, an instance when different car manufacturers keep their individual clouds, but share some vital information (either voluntarily or through mandates) in a common data pool, possibly accessible to agencies and researchers… ];
determining, based on the detected anomaly, at least one mitigation action [Addepalli, Col. 23 lines 47-59; Col. 26 lines 10-27, after a certain threshold, newly detected interactions or states can trigger a flag in central learning and monitoring service 164 to perform further analysis to make sure the detected behavior is an accepted one. Potentially unwanted behavior can be detected as part of this process. If an unwanted interaction or state is detected and confirmed to be defective, mitigation can be designed and can be pushed by central learning and monitoring service 164 to any relevant vehicles. Simple mitigations could, for example, instruct learning and monitoring module 31 of OBU 30 to inject a message on the bus if a machine device enters a defective state. More complicated issues could employ a software update of a machine device. (Col. 26 lines 10-27) if the logic behavior has not occurred greater than the threshold number of times, flow passes to step 802 to continue monitoring. If the logic behavior has occurred greater than the threshold number of times, however, flow then passes to step 808 and a determination is made as to whether the logic behavior is undesirable. If the logic behavior is undesirable, flow then moves to step 810 and the logic behavior may be mitigated. Mitigating the logic behavior could occur, for example, by isolating the data, initiating an operation, or shutting down the machine device responsible for the undesirable logic behavior. If the logic behavior is desirable, then the flow passes to step 812 and the logic behavior is identified as a state behavior for that particular machine device. As time passes, the identified state behaviors for a machine device may help generate a complete behavior specification for the machine device. Additionally, with enough information, a behavior state machine can be created. After steps 810 and 812 the flow terminates.]; and 
causing implementation of the at least one mitigation action [Addepalli, Col 26, lines 15-20; Col. 12, lines 15-20; Col. 12, lines 48-46, if the logic behavior is undesirable, flow then moves to step 810 and the logic behavior may be mitigated. Mitigating the logic behavior could occur, for example, by isolating the data, initiating an operation, or shutting down the machine device responsible for the undesirable logic behavior.  (Col. 12, lines 15-20) a response may be an alert and/or an action. For example, if a delay in braking is detected, an alert may be sent to user 2 that there is a malfunction in the braking of vehicle 4. In addition to the alert, behavior engine module 25 may communicate with other systems in vehicle 4 to compensate for the delayed braking.  (Col. 12, lines 48-46) additionally, behavior engine module 25 may also be configured to compare the data with the policy and detect a violation within the set of data of at least one rule of the set of rules. For example, in the braking scenario, if the policy indicates no more than a one second delay and the data indicates a real time detection of a two second delay, a violation is detected. In response to detecting the violation of the policy, behavior engine module 25 may initiate an operation such as an alert and/or a remedial action.].
Addepalli does not explicitly teach, wherein the anomaly indicates a cyber threat.
[Sargolzaei, page 637, Col. 2, paragraph 3, and FIG. 1, Consider a platoon of vehicles that transmit their trajectory data to the surrounding vehicles and infrastructure using dedicated short-range communication (DSRC) systems. These inter-vehicle communication protocols are potentially vulnerable to cyber attacks and may endanger passenger and pedestrian safety and privacy. This paper proposes a resilient control strategy to improve performance of CACC systems of CVs (Fig. 1.)].
Addepalli and Sargolzaei are in the same field of endeavor as they both are pertaining to the network of vehicular cyber-physical systems and, more particularly, to analyzing vehicular behavior in a network environment.
Therefore, it would have been obvious to one of ordinary skill in art before the effective filing date of claimed invention to modify the teachings of Addepalli, that is related to the field of electronic communications and, more particularly, to analyzing vehicular behavior in a network environment (Addepalli, please abstract and Col. 1. Lines 18-20) with the teachings of Sargolzaei (Sargolzaei, page 637, Col. 2, paragraph 3, and FIG. 1) that would enable Addepalli to also implement Internet of things (IoT) as a network of physical and virtual objects that can transmit data through interoperable communication protocols without human intervention.  Beyond the concept that connected vehicular cyber-physical systems (VCPSs) are equipped with internet access to share data with the internal and external devices, they use vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications to improve transportation safety, mobility, and environment. Due to the cloud-based architecture, connected vehicles (CVs) are vulnerable to cyber-attacks which may threaten passenger and pedestrian safety and privacy (Sargolzaei, please see abstract and introduction page 636).

Regarding claim 2. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addeppalli does disclose, further comprising: 
training a machine learning model to create the normal behavior model, wherein the first set of data is used as a training data set, and wherein features used for training the machine learning model include the at least one first event [Addepalli, Col. 7, lines 51-53; Col. 16, lines 41-58; an OBU can utilize a learning and monitoring process to define machine device behavior specifications for each vehicle.  (Col. 16, lines 41-58) after normal and abnormal trend analyzers 72 and 73 have analyzed incoming data (e.g., sensor data), the output of the analyzers 72 and 73 may be analyzed by machine learning component 77 to increase the efficiency and optimize the analyzers. Machine learning component 77, for example, can train behavior engine module 25 by ingesting real data (e.g., data coming from various safety related sensors) and generating a normal curve for expected safe behavior. This normal curve can be deduced by a normal distribution of attribute counters used for repetitions. Training may occur continuously to avoid false positives or false negatives for deriving optimum thresholds. In addition, machine learning and classification techniques may be used to correlate events and smooth out a normal curve of attribute counters. During an active safety situation, abnormalities can be observed on real time data when long tail distortions with additional lumps (too high or too low) occur over normal curve due to unexpected repetitions in attribute counters.  (Col. 21, lines 3-10) in this case a feature set (e.g., safety attribute set 76) of trend analyzer framework 70 could be a specific diagnostic parameter over a time series or space series. The trend analyzer can cluster the data originating from a given vehicle or from multiple vehicles. Additionally, a definition of a normal operating trend of a vehicle can be derived by training the model using the normal operating constraint thresholds of a given vehicle based on its type and model.].

Regarding claim 3. Addepalli and Sargolzaei does disclose the method of claim 1. Furthermore Addepalli does disclose, further comprising: 
data [Addepalli, Col. 13, lines 28-38, FIG. 2A is a simplified block diagram illustrating one possible set of details associated with communication system 10. In this illustrative embodiment, machine devices 12 encompass sensors 14. Sensors 14 may monitor changes in vehicle control system information, driver physiological signals, visual/radar/lidar-based change in surrounding events/objects. For example, sensors 14 may monitor blood alcohol level of a driver, whether the eyes of the driver are open or closed, oxygen levels in vehicle 4, road obstacles such as potholes or objects, reaction times and functions of the different systems in vehicle 4, etc.]. 

Regarding claim 4. Addepalli and Sargolzaei does disclose the method of claim 3.  Furthermore Addepalli, does disclose, wherein each contextually enriched set of data includes a plurality of contexts, wherein each context of the plurality of contexts is a persistent vehicle state at a point in time, wherein the vehicle data indicates information related to behavior of the vehicle, wherein at least one context of the plurality of contexts provides information other than information explicitly indicated in the vehicle data [Addepalli, Col. 2, line 39-50, yet another example embodiment includes receiving a plurality of behavior states associated with a plurality of machine devices in a plurality of vehicles and monitoring the plurality of behavior states. Additionally, the method includes identifying abnormal behavior in the plurality of behavior states. The method also includes determining whether the abnormal behavior exists in greater than a threshold number of vehicles of the plurality of vehicles. The method further includes initiating an operation if the abnormal behavior exists in greater than the threshold number of vehicles of the plurality of vehicles.].

Regarding claim 5. Addepalli and Sargolzaei does disclose the method of claim 4. Furthermore Addepalli does disclose, wherein the anomaly is detected based further on at least one context of the second set of data [Addepalli, Col 14, lines 11-19, behavior engine module 25 may provide reference data 34 for time and space series based trend analyzer 32a and policy based trend analyzer 32b. Time and space series based analyzer 32a uses reference data 34 to compare data 42 with a relevant trend 35. Trend 35 may be a behavioral trend identified from a certain machine device of machine devices 12. For example, trend 35 may be the amount of times a driver blinks or the average length of time the eyes of the driver are closed.]. 

Regarding claim 6. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose,  wherein creating the normal behavior model further comprises: creating a network protocol analyzer based on the first set of data, wherein the protocol network analyzer is configured to identify use of unexpected network protocols based on the at least one first event [Addepalli, Col. 10, line 65 – Col. 11, line 8, and Col. 13, line 46-59,  Behavior engine module 25 in OBU 30 may be configured to enable identifying anomalies in a vehicular network environment and, particularly, for analyzing vehicular hardware behavior and detecting unsafe behaviors. In one embodiment, behavior engine module 25 is a hardware based behavior analysis engine using content inspection and machine learning algorithms. Behavioral analysis engine 25 can find repetitions of certain attributes and generate a behavior curve within a configurable time window. An abnormal trend of the behavior curve can be detected in which unexpected repetition attributes occur.  (Col. 13, line 46-59), Data 42 may represent all data transmitted from sensors 14. Within data 42 are states 43, which can be behavioral states. A set of data within data 42 may indicate a certain behavioral state is occurring. For example, a set of data within data 42 may indicate that an object is in the road. This set of data may be identified and associated with a state within states 43. Although sensors 14 are primarily shown and described herein, it will be apparent that other types of machine devices 12 such as ECUs or actuators, for example, may also have data and states associated therewith. Thus, the activities described herein are applicable to data from any type of machine device 12 providing suitable data for monitoring, identifying abnormal behaviors, diagnosing and predicting malfunctions, and/or learning behavioral states.].

Regarding claim 7. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, wherein each of the at least one first event and the at least one second event is a plurality of events, wherein each event is attributed to a point in time, wherein creating the normal behavior model further comprises [Addepalli, Col. 13 lines 60-66; Col. 14, lines 1-10, behavior engine module 25 of OBU 30 can be configured to analyze data 42 from machine devices 12. In one embodiment, behavior engine module 25 may use time and space series based trend analyzer 32a and policy based trend analyzer 32b to identify anomalies/deviations within machine devices 12. With reference to analyzers 32a and 32b, `time` refers to a date and possibly a time, and `space` refers to a location. (Col. 14, lines 1-10) time and space series based trend analyzer 32a identifies and monitors trends in machine devices 12 over time. Time and space series based trend analyzer 32a may identify an anomaly within machine devices 12 when a piece of data indicates a deviation from past data received about that machine device or a similar machine device. Policy based trend analyzer 32b compares the trends and data from machine devices 12 against a policy and set of rules. Violations of those rules may be identified by policy based trend analyzer 32b.]: 
creating at least one expected sequence of events based on the plurality of first events [Addepalli, Col. 14, behavior engine module 25 may provide reference data 34 for time and space series based trend analyzer 32a and policy based trend analyzer 32b. Time and space series based analyzer 32a uses reference data 34 to compare data 42 with a relevant trend 35. Trend 35 may be a behavioral trend identified from a certain machine device of machine devices 12. For example, trend 35 may be the amount of times a driver blinks or the average length of time the eyes of the driver are closed.  (Col. 14, lines 14-24) time and space series based analyzer 32a also uses reference data 34 to compare data 42 with common trend 36. Common trend 36 may be, for example, a common trend among similar machine devices or a common trend among the same or similar machine devices in similar vehicles].

Regarding claim 8. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, wherein each of the first set of data and the second set of data include internal vehicle variables, wherein the normal behavior model is created based further on the internal vehicle variables of the first set of data [Addepalli, Col. 21, lines 63-67; Col. 22 lines 11-35, OBU 30 can act as a gateway with routing capabilities (e.g., routing processor 23) and multiple wireless interfaces (e.g., network interfaces 26) for all heterogeneous subsystems to communicate with the outside world in real time. Also, the illustrative embodiments conceptualize a mechanism to carry internal communication (e.g., from the subsystems) to transport over gateway communication protocols that enables these internal subsystem transactions to be captured, logged, and analyzed in remote location. In one example implementation, manufacturer cloud 160 can receive internal subsystem transaction data and perform logging and analysis functions related to such data. Moreover, internal subsystem transaction data may be captured by OBU 30 and sent to manufacturer cloud 160 in real time. (Col. 22 lines 11-35) remote diagnosis module 165 of manufacturer cloud 160 may include a logging module 162 and a diagnostic module 163. Data captured by OBU 30 may be sent to remote diagnosis module 165, where it is logged in logging module 162. In addition, analysis of the captured data can be performed by diagnostic module 163.  Real time data collection of a vehicle operating in real world conditions can bring a far better understanding to the behavior of the subsystems and their interactions among them, which can lead to better and more robust designs of those subsystems. These efforts may also improve productivity of vehicle designers, engineers, and the like.  Real time data collection can also allow manufacturers and service departments to collect data from a vehicle under claimed impaired operation. Manufacturers and service departments may no longer have to rely either upon a complaint or a lab sample trying to reproduce the claimed failure under simulated conditions. This concept can be expanded to collect and analyze data from several real world ongoing operations to make statistically meaningful observations and conclusions. When these concepts are coupled with pattern recognition and preemptive actions on the part of manufacturers, the illustrative embodiments can empower the manufacturers to be proactive in recognizing and acting upon any impending issues before these issues escalate.].

Regarding claim 9. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, wherein the normal behavior model includes at least one security policy, wherein an anomaly is detected when the at least one security policy is violated [Addepalli, Col. 12, lines 38-56, in addition to comparing machine device data to a reference set of data, behavior engine module 25 may also be configured to provide a policy with a set of rules. The policy could be, for example, a standard or preference indicated by a manufacturer or government entity. The set of rules may be specific elements as applied to the machine device. For example, in different illustrative embodiments, a safety policy may have a rule that an actual braking operation may not occur later than one second after a brake is applied by user 2 of vehicle 4.  Additionally, behavior engine module 25 may also be configured to compare the data with the policy and detect a violation within the set of data of at least one rule of the set of rules. For example, in the braking scenario, if the policy indicates no more than a one second delay and the data indicates a real time detection of a two second delay, a violation is detected. In response to detecting the violation of the policy, behavior engine module 25 may initiate an operation such as an alert and/or a remedial action.]. 
Regarding claim 10.  Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, wherein determining the at least one mitigation action further comprises: 
determining a root cause of the anomaly, wherein the at least one mitigation action is determined based on the root cause [Addepalli, Col. 7 lines 54 - Col. 8, line 6; Col. 19, lines 15-20, a cloud-based platform may be accessed by a vehicle using available wireless network access options provided by OBU 30 (e.g., multiple wireless interfaces 26) and appropriate routing protocols. The cloud-based platform can provide dynamic, real time vehicle diagnostics from data provided by selected machine devices of the vehicle. Accordingly, vehicles with on-board units can provide data to a cloud for remotely managing behavioral anomalies of the vehicles and correlating the anomalies across multiple vehicles having defined similarities (e.g., model, type, parts, etc.). Additionally, a cloud-based platform can provide remote diagnoses of machine devices to assist in determining actual causes of particular malfunctions. Finally, cloud-based embodiments disclosed herein provide online monitoring and learning of vehicle component behavior based on interactions, combining learned behavior from many vehicles to derive a more complete behavior via a remote online service, updating vehicles with current behavior specifications, and monitoring behavior for failure detection and analysis.  (Col. 19, lines 15-20) abnormal behavior detection module 156 may also include a predictive diagnostic module 157 for determining actual causes of malfunctions of vehicles. Predictive diagnostic module 157 can substantially or completely remove human bias and/or error in determining whether the safety of a vehicle has been compromised.]. 

Regarding claim 11. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, further comprising: determining at least a portion of the second set of data to be utilized for anomaly detection, wherein the anomaly is detected based only on the normal behavior model and the determined at least a portion of the second set of data [Addepalli, Col. 7, lines 38-56, communication system 10 can resolve the aforementioned issues relating to analyzing vehicular behavior, including vehicular behavioral analysis, remote diagnostics, predictive diagnostics, and machine device behavior. Specifically, communication system 10 can utilize a fully integrated on-board unit (OBU) 30 to manage vehicular behavioral anomalies and machine device behavioral states. Even more specifically, an integrated on-board unit (OBU) 30 is configured for managing behavioral anomalies from vehicle 4 by receiving data, comparing the data to a reference set of data, and identifying any differences between the data and the reference set of data. Data can be identified according to any currently existing or later developed means. Furthermore, an OBU can utilize a learning and monitoring process to define machine device behavior specifications for each vehicle.]. 

Regarding claim 12. Addepalli and Sargolzaei does disclose The method of claim 1.  Addepalli does disclose, further comprising:
 creating an individual normal behavior model for each connected vehicle of the fleet of connected vehicles based on the first set of data, wherein the anomaly is detected based further on the individual normal behavior models [Addepalli, Col. 12, line 57- Col. 13, line 3, Col. 18, lines 1-25, in addition to identifying deviations from trends and violations of policy, behavior engine module 25 may also adjust the reference set of data based on the set of data to form a new reference set of data when the deviation detected is within a range… By allowing the reference set of data to be adjusted, behavior engine model 25 may learn as it collects more data and becomes more accurate in identifying issues.  (Col. 18, lines 1-25), Referring to clouds 41, a data center or private individual cloud 45 may be, for example, an instance when a car manufacturer runs either a distributed cloud or a private cloud-computing environment, which could be for its exclusive use. Given the sensitivity of the information involved, initial deployments could likely materialize in this way. Regulatory cloud 46 may be, for example, an instance when some of the streams from the fleet of connected vehicles are sent to a common cloud for processing. Federate Cloud 47 may be, for example, an instance when different car manufacturers keep their individual clouds, but share some vital information (either voluntarily or through mandates) (e.g., set of data of normal behavior) in a common data pool, possibly accessible to agencies and researchers…].  

Regarding claim 14. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore does disclose, wherein the fleet of connected vehicles is organized in a hierarchy, [Addepalli, Col. 2, lines 44-49, Col. 17, line 45 –Col. 18, line 25, the method also includes determining whether the abnormal behavior exists in greater than a threshold number of vehicles of the plurality of vehicles. The method further includes initiating an operation if the abnormal behavior exists in greater than the threshold number of vehicles of the plurality of vehicles. (Col. 17, line 45 –Col. 18, line 25, FIG. 3B), an instance when some of the streams from the fleet of connected vehicles are sent to a common cloud for processing. Federate Cloud 47 may be, for example, an instance when different car manufacturers keep their individual clouds, but share some vital information (either voluntarily or through mandates) in a common data pool, possibly accessible to agencies and researchers. Distributed Cloud 48 may be, for example, an instance when national/planetary coverage may demand a distributed/hierarchical organization for efficiency and responsiveness. In any one of these instances the cloud could provide not only processing but also short term storage and/or long-term storage of processed data and/or any related data computations. In addition, each of these clouds may include various network elements, computers, Internet connectivity, and any other suitable architecture or components capable of packet exchanges in a network environment. (Col. 21, lines 3-10), In this case a feature set (e.g., safety attribute set 76) of trend analyzer framework 70 could be a specific diagnostic parameter over a time series or space series. The trend analyzer can cluster the data originating from a given vehicle or from multiple vehicles. Additionally, a definition of a normal operating trend of a vehicle can be derived by training the model using the normal operating constraint thresholds of a given vehicle based on its type and model.]: 
clustering the first set of data with respect to the plurality of levels of the hierarchy, wherein the normal behavior model is created based on the clustered first set of data [Addepalli, Col. 16-17 lines 45-67; Col. 18, lines 1-25, applying eigenvalue decomposition to find clusters which represent normal behavior of the vehicle referring to clouds 41, a data center or private individual cloud 45 may be, for example, an instance when a car manufacturer runs either a distributed cloud or a private cloud-computing environment, which could be for its exclusive use. Given the sensitivity of the information involved, initial deployments could likely materialize in this way. Regulatory cloud 46 may be, for example, an instance when some of the streams from the fleet of connected vehicles are sent to a common cloud for processing. Federate Cloud 47 may be, for example, an instance when different car manufacturers keep their individual clouds, but share some vital information (either voluntarily or through mandates) in a common data pool, possibly accessible to agencies and researchers. Distributed Cloud 48 may be, for example, an instance when national/planetary coverage may demand a distributed/hierarchical organization for efficiency and responsiveness. In any one of these instances the cloud could provide not only processing but also short term storage and/or long-term storage of processed data and/or any related data computations. In addition, each of these clouds may include various network elements, computers, Internet connectivity, and any other suitable architecture or components capable of packet exchanges in a network environment.  (Col. 89) Machine learning component 77, for example, can train behavior engine module 25 by ingesting real data (e.g., data coming from various safety related sensors) and generating a normal curve for expected safe behavior. This normal curve can be deduced by a normal distribution of attribute counters used for repetitions. Training may occur continuously to avoid false positives or false negatives for deriving optimum thresholds. In addition, machine learning and classification techniques may be used to correlate events and smooth out a normal curve of attribute counters. During an active safety situation, abnormalities can be observed on real time data when long tail distortions with additional lumps (too high or too low) occur over normal curve due to unexpected repetitions in attribute counters.].

Regarding claim 15. Addepalli and Sargolzaei does disclose the method of claim 14.  Furthermore Addepalli does disclose, wherein the hierarchy includes at least one sub-fleet of the plurality of connected vehicles, further comprising [Addepalli, Col. 2, lines 39-49, receiving a plurality of behavior states associated with a plurality of machine devices in a plurality of vehicles and monitoring the plurality of behavior states. Additionally, the method includes identifying abnormal behavior in the plurality of behavior states. The method also includes determining whether the abnormal behavior exists in greater than a threshold number of vehicles of the plurality of vehicles. The method further includes initiating an operation if the abnormal behavior exists in greater than the threshold number of vehicles of the plurality of vehicles]: 
creating a sub-fleet normal behavior model for each sub-fleet, wherein the anomaly is detected based further on the sub-fleet normal behavior models [Addepalli, Col 21, lines 3-10, in this case a feature set (e.g., safety attribute set 76) of trend analyzer framework 70 could be a specific diagnostic parameter over a time series or space series. The trend analyzer can cluster the data originating from a given vehicle or from multiple vehicles. Additionally, a definition of a normal operating trend of a vehicle can be derived by training the model using the normal operating constraint thresholds of a given vehicle based on its type and model.]. 

Regarding claim 16. Addepalli and Sargolzaei does disclose the method of claim 15.  Furthermore Addepalli does disclose, wherein the detected anomaly includes a deviation from a first sub-fleet normal behavior model of the at least one sub-fleet normal behavior model, wherein the at least one mitigation action is implemented with respect to each connected vehicle included in a sub-fleet associated with the first sub-fleet normal behavior model [Addepalli, Col. 24, lines 10-22, this technique proposes monitoring and learning machine device behavior based on interactions, combining learned behavior from many vehicles to derive a more complete behavior specification in a remote online service, updating each vehicle with the most current behavior specification from the central online learning and monitoring service 164, and leveraging the learned behavior to monitor devices for failure detection and analysis, and potentially designing mitigations that can be pushed to vehicles via central online learning and monitoring service 164. Learning and monitoring module 31 of OBU 30 could potentially implement these mitigations, providing an efficient means for reacting to detected failures in vehicles.]. 

Regarding claim 17. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, wherein each of the first set of data and the second set of data includes at least one of: telematics data, communication protocols, connected vehicle service data, driver mobile applications, and user mobile applications [Addepalli, Col. 2, lines 53 - Col. 3, line 67, turning to FIG. 1, is a simplified block diagram of a communication system 10 for analyzing vehicular behavior in a vehicular network environment. The example architecture of FIG. 1 includes an end user (driver) 2 operating a vehicle 4 in environment 11 that includes an on-board unit (OBU) 30. In this particular example, OBU 30 includes processing elements 21, which include a computing processor 22 and a routing processor 23. OBU 30 also includes a memory element 24, a behavior engine module 25, network interfaces 26, a user interface 27, and a display 28, where such devices may be associated with particular end users (passengers or driver) within vehicle 4. Generally, OBU 30 can be suitably coupled to numerous different nodes in communication system 10, where a node can be any device (e.g., a machine device or a mobile device), network element, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over a communications channel in a network… OBU 30 may further include capabilities associated with navigation system 17 (e.g., a global positioning system (GPS)). OBU 30 may also be suitably coupled to various in-vehicle mobile devices 18a-b at any given time, where such devices may be associated with particular end users (passengers or driver) within vehicle 4… remote nodes that could be located externally to the vehicle include end user devices, mobile devices, network elements, electronic devices in networked systems (e.g., server in a datacenter, end user device in a local area network (LAN), etc.), OBUs of other vehicles, road-side infrastructure devices, and road-side user devices… Communication system 10 may include a configuration capable of transmission control protocol/Internet protocol (TCP/IP) communications for the electronic transmission or reception of packets in a network. Communication system 10 may also operate in conjunction with a user datagram protocol/IP (UDP/IP) or any other suitable protocol, where appropriate and based on particular needs. In addition, communication system 10 may also include a configuration capable of accommodating legacy bus subsystems 20 that may be employed to convey information across the myriad of machine devices (e.g., sensors 14a-c, controls 16a-c, actuator 13) in vehicle 4… A predictive diagnostic technique in a cloud can substantially reduce or eliminate human bias and/or error in determining whether the safety of a vehicle has been compromised. Additionally, collected information can be used to create behavior state machines for each of the machine devices of the subsystems. These behavior state machines can be used as a reference for behavior of the associated machine device.]. 

Regarding claim 18. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore Addepalli does disclose, wherein the at least one mitigation action includes at least one of:
 blocking at least one communication with the fleet of connected vehicles, blocking at least one communication with at least one connected vehicle service, generating an alert or report indicating the anomaly, and ignoring at least one command to be sent to the at least one connected vehicle of the fleet of connected vehicles [Addepalli, Col. 14, line 65- Col. 15, line 6, Col. 18, lines 1-25, (Col. 26, lines 10-27),  behavior engine module 25 may communicate with feedback and active control module 33. Feedback and active control module 33 may initiate operations once an anomaly or a deviation from policy or trend analysis is identified. When an operation is initiated, an alert may be sent to different entities as well as a physical/mechanical action taken. The physical/mechanical action may include applying brakes to prevent an accident, shutting down vehicle 4, or any other suitable and authorized action. (Col. 18, lines-1-25, FIG. 3B) includes connected vehicles 4a-d in communication with applications and services 110a-d through various communication networks, including diagnostic cloud 150, manufacturer cloud 160, dealer cloud 170, and Internet cloud 180. Each of connected vehicles 4a-d may also be in communication with various mobile devices, such as in-vehicle mobile devices 114 and 116….  (Col. 26, lines 10-27) if the logic behavior has not occurred greater than the threshold number of times, flow passes to step 802 to continue monitoring. If the logic behavior has occurred greater than the threshold number of times, however, flow then passes to step 808 and a determination is made as to whether the logic behavior is undesirable. If the logic behavior is undesirable, flow then moves to step 810 and the logic behavior may be mitigated. Mitigating the logic behavior could occur, for example, by isolating the data, initiating an operation, or shutting down the machine device responsible for the undesirable logic behavior. If the logic behavior is desirable, then the flow passes to step 812 and the logic behavior is identified as a state behavior for that particular machine device. As time passes, the identified state behaviors for a machine device may help generate a complete behavior specification for the machine device. Additionally, with enough information, a behavior state machine can be created. After steps 810 and 812 the flow terminates.].

Regarding claim 19. Addepalli and Sargolzaei does disclose the method of claim 1.  Furthermore does disclose, wherein the at least one mitigation action includes causing at least one action via a connected vehicle service, wherein the connected vehicle service includes at least one of: at least one user device, and at least one server [Addepalli, Col. 3, lines 23-29; Col. 21, lines 27-32; Col. 26, line 54 – Col. 27 line 3, examples of possible remote nodes that could be located externally to the vehicle include end user devices, mobile devices, network elements, electronic devices in networked systems (e.g., server in a datacenter, end user device in a local area network (LAN), etc.), OBUs of other vehicles, road-side infrastructure devices, and road-side user devices.  Once abnormal behavior is detected through the above technique, a safety alert may be sent to the vehicle owner, dealer, OEM and in some cases safety authorities based on the policy setup provided to the framework. An alert medium could include email, SMS, phone call, or any other suitable Internet based messaging scheme.  (Col. 26, line 54 – Col. 27 line 3) in one example implementation, the on-board unit (OBU) (e.g., OBU 30) and cloud components with modules, software, or hardware in clouds (e.g., diagnostic cloud 150, manufacturer cloud 160) are network elements that facilitate or otherwise help coordinate activities related to analyzing vehicular behaviors in a vehicular environment. As used herein, the term `network element` is meant to encompass computers, network appliances, servers, routers, switches, gateways, bridges, load balancers, firewalls, processors, modules, or any other suitable device, component, element, or object operable to exchange information in a network environment. Moreover, the network elements may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective exchange of data or information.]. 

Regarding claim 20, this claim defines a non-transitory computer readable medium claim that corresponds to method claim 1 and does not define beyond limitations of claim 1. Furthermore, Addepelli in col. 27, lines 45-66 disclose processor and memory. Therefore, claim 20 is rejected with the same rational as in the rejection of claim 1. 

Regarding claim 21, this claim defines a system claim that corresponds to method claim 1 and does not define beyond limitations of claim 1. Furthermore, Addepelli in col. 27, lines 45-66 disclose processor and memory. Therefore, claim 21 is rejected with the same rational as in the rejection of claim 1. 

Regarding claim 22, this claim defines the system claim that corresponds to method claim 2 and does not define beyond limitations of claim 2. Therefore, claim 22 is rejected with the same rational as in the rejection of claim 2. 
Regarding claim 23, this claim defines the system claim that corresponds to method claim 2 and does not define beyond limitations of claim 3. Therefore, claim 23 is rejected with the same rational as in the rejection of claim 3. 

Regarding claim 24, this claim defines the system claim that corresponds to method claim 3 and does not define beyond limitations of claim 4. Therefore, claim 24 is rejected with the same rational as in the rejection of claim 4. 

Regarding claim 25, this claim defines the system claim that corresponds to method claim 2 and does not define beyond limitations of claim 5. Therefore, claim 25 is rejected with the same rational as in the rejection of claim 5. 

Regarding claim 26, this claim defines the system claim that corresponds to method claim 6 and does not define beyond limitations of claim 6. Therefore, claim 26 is rejected with the same rational as in the rejection of claim 6. 

Regarding claim 27, this claim defines the system claim that corresponds to method claim 7 and does not define beyond limitations of claim 7. Therefore, claim 27 is rejected with the same rational as in the rejection of claim 7. 

Regarding claim 28, this claim defines the system claim that corresponds to method claim 8 and does not define beyond limitations of claim 8. Therefore, claim 28 is rejected with the same rational as in the rejection of claim 8. 
Regarding claim 29, this claim defines the system claim that corresponds to method claim 9 and does not define beyond limitations of claim 9. Therefore, claim 29 is rejected with the same rational as in the rejection of claim 9. 
Regarding claim 30, this claim defines the system claim that corresponds to method claim 10 and does not define beyond limitations of claim 10. Therefore, claim 30 is rejected with the same rational as in the rejection of claim 10. 

Regarding claim 31, this claim defines the system claim that corresponds to method claim 11 and does not define beyond limitations of claim 11. Therefore, claim 31 is rejected with the same rational as in the rejection of claim 11. 

Regarding claim 32, this claim defines the system claim that corresponds to method claim 12 and does not define beyond limitations of claim 12. Therefore, claim 32 is rejected with the same rational as in the rejection of claim 12. 

Regarding claim 34, this claim defines the system claim that corresponds to method claim 14 and does not define beyond limitations of claim 14. Therefore, claim 34 is rejected with the same rational as in the rejection of claim 14. 

Regarding claim 35, this claim defines the system claim that corresponds to method claim 15 and does not define beyond limitations of claim 15. Therefore, claim 35 is rejected with the same rational as in the rejection of claim 15. 

Regarding claim 36, this claim defines the system claim that corresponds to method claim 16 and does not define beyond limitations of claim 16. Therefore, claim 36 is rejected with the same rational as in the rejection of claim 16. 

Regarding claim 37, this claim defines the system claim that corresponds to method claim 17 and does not define beyond limitations of claim 17. Therefore, claim 37 is rejected with the same rational as in the rejection of claim 17. 

Regarding claim 38, this claim defines the system claim that corresponds to method claim 18 and does not define beyond limitations of claim 18. Therefore, claim 38 is rejected with the same rational as in the rejection of claim 18. 

Regarding claim 39. Addepalli and Sargolzaei does disclose the system of claim 21. Furthermore, Addepalli does disclose, wherein the at least one mitigation action includes causing a display, on a user device, of at least one mitigation action option, wherein the at least one mitigation action further includes a mitigation action option selected via the user device [Addepalli, Col. 4, lines 4-23; the term `road-side infrastructure device` as used herein includes a base station, access point, satellite, and any device capable of establishing a network connection for exchanging packets between a user device or OBU and the Internet or other networks with remote nodes. In addition, `user device` as used herein is intended to include mobile devices, personal computers, electronic devices, and any other device, component, element, or object operable by a user and capable of initiating voice, audio, video, media, or data exchanges within communication system 10. As used herein, the term `machine device` is meant to encompass sensors, actuators, electronic control units (ECUs) or controls, instruments, embedded devices, media devices, infotainment systems, vehicle navigation systems, displays, other peripheral or auxiliary devices or components, etc. Machine devices may be physically distributed across the vehicle in a vehicle subsystem, consolidated in any way, provisioned in proprietary configurations, or otherwise configured based on particular networking, vehicle, and/or end user needs. (Col. 12, lines 21-37) by initiating an alert and/or action, behavior engine module 25 may prevent catastrophic vehicular events and possibly save lives. User 2 may be able to react more quickly to danger or issues with vehicle 4. Additionally, vehicle 4 may be able to take action on behalf of user 2 and prevent an accident from occurring. By detecting changes in vehicle control system information, driver physiological signals, visual/radar/lidar based change detection in surrounding events/objects and consequently employing alert systems, automatic feedback vehicle control system and other driver assist tools into vehicles; behavior engine module 25 may prevent accidents from occurring.].

Allowable subject matter
6.	Claims 13 and 33 are objected to as being dependent upon a rejected base claim, but would be allowable (in view of other limitations of the independent claims) if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and further overcoming other rejections or objections that might have been rendered above. The detail reason for allowance will be furnished upon allowance of the application.


Conclusion
7.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Valencia et al. US 9,609,456 B2 disclose methods, devices, and system for communicating behavioral analysis information.	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHALIL NAGHDALI whose telephone number is (571) 272-9884. The examiner can normally be reached on M-F 8AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, KRISTINE L KINCAID can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272- 1000.

/KHALIL NAGHDALI/Primary Examiner, Art Unit 2437