DETAILED ACTION
This office action is in response to the application filed on 12/10/2019. Claims 1-22 are pending and are examined.	
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application No. DE 102018221952.4, which was filed in Germany on December 17, 2018. It is noted that the applicant has filed a certified copy of the application as required by 37 CFR 1.55.  

Drawings Objection
 The drawings 1-2 are objected to because they are being represented by blank numbered blocks, without a suitable labeled representation.

Applicant must supply a suitable legend. A proposed drawing correction or corrected drawings are required in reply to the Office action to avoid abandonment of the application. The objection to the drawings will not be held in abeyance. 

The following are direct quotations of 37 CFR 1.84(n), (o), repeated below:(n)  Symbols. Graphical drawing symbols may be used for conventional 

(o)      Legends. Suitable descriptive legends may be used subject to approval by the Office, or may be required by the examiner where necessary for understanding of the drawing. They should contain as few words as possible.

Notes on Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform claim 10, “wherein the control entity is configured to” in claim 11, “An infrastructure component for operating a communications network in a vehicle, or for operating an industrial communications network” in claim 12, “wherein the infrastructure component is configured to in claims 13-14, ” a forwarding device, which is configured”, in claim 15.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claims 10-15 are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

The Structure and description of such a system is being illustrated by at least description paragraphs [0027]- [0036]

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-4 and 6-18, are rejected under AIA  35 U.S.C. 102(a) (1) as being unpatentable over Dyakin et al. (U.S Pub No. 2019/0306180 A1, referred to as Dyakin).

Regarding claims 1 and 17, Dyakin teaches:
A method operating a communications network in a vehicle, or for operating an industrial communications network (¶ 0009, “According to one aspect of the present disclosure, a computer-implemented method is provided for detecting attacks on electronics systems of a vehicle.”), the method comprising: 
determining, with a control entity for the communications network, a countermeasure after detecting an attack (¶ 0009, “The method further includes detecting a computer attack of the vehicle based on satisfaction of at least one condition of a rule by the stored messages and information in the log, and blocking the computer attack of the vehicle by performing an action associated with the rule (EN: countermeasure); Fig. 3, Items 300, 303, 102; ¶ 0054- ¶ 0057, “The server 303 (EN: control entity) is configured to receive the log 304 from the protection module 102 and to detect a computer attack by analyzing the received log 304… The server 303 is also configured to create rules for the protection module 102 on the basis of the indicators of compromise, a rule containing at least one condition for the application of the rule for the detecting of a computer attack on the MT, and at least one action upon application of the rule for blocking the computer attack on the MT.”); 
configuring an infrastructure component as a function of the countermeasure, in particular, by setting at least one filtering, blocking or forwarding rule (Fig. 2A, Item 102; ¶ 0047, “The protection module 102 (EN: infrastructure component) serves chiefly to block (EN: blocking rule received from server 303) a computer attack on the MT. By a computer attack on the MT is meant, primarily, a computer attack on the networks of the MT and the electronic systems of the MT, especially the ECU and network gateways.”; Fig. 2B- Fig. 2C, Item 102; ¶ 0048- ¶ 0053; Fig. 5A, Steps 501- 504; ¶ 0103); and 
performing one of the following: (i) isolating at least one data stream from or to at least one other infrastructure component by the infrastructure component in a portion of the communications network; or (ii) isolating at least one data stream to or from a terminal node by the infrastructure component in a portion of the communications network (¶ 0058, “The action upon application of the rule also depends on the indicators of compromise. For example, if an indicator of compromise contains a defined message on the CAN bus and information about the recipient of this message, then the action upon application of the rule might be as follows: block all messages being transmitted on the CAN bus to that recipient (EN: other infrastructure component or terminal node in a portion of the communications network).”; Fig. 5B; ¶ 0113- ¶ 0114, “In one aspect, the protection module 102 may block the computer attack of the vehicle by performing an action associated with the rule. For example, the rule may specify that, responsive to determining that a portion of the intercepted messages matches a defined group of messages to a first recipient, the action performed is that all messages are blocked from being transmitted on the first communications bus to the first recipient”; ¶ 0115- ¶ 0118, “the computer attack may be blocked by blocking transmission of at least one message from the first communications bus to a second communications bus of the vehicle via a gateway.”).

Regarding claim 17, Dyakin further teaches
A non-transitory computer readable medium having a computer program, which is executable by a processor, comprising: a program code arrangement having program code for operating a communications network in a vehicle, or for operating an industrial communications network (¶ 0128, “the methods may be stored as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable medium includes data storage”).

Regarding claims 10 and 12, Dyakin teaches:
An infrastructure component for operating a communications network in a vehicle, or for operating an industrial communications network, comprising: a processor and a storage device, including instructions, which are executable by the processor (Fig. 3, Items 101, 102, 304; ¶ 0054- ¶ 0055,” The protection module 102 (EN: infrastructure component) is also connected to the buses of the MT (in the given example, it is a module of the central gateway 101) and is configured to intercept messages”; ¶ 0009, “According to one aspect of the present disclosure, a computer-implemented method is provided for detecting attacks on electronics systems of a vehicle), to perform the following: 
receiving a configuration for a countermeasure from a 21control entity for the communications network, after detecting an attack (Fig. 3, Items 102, 302, 303; ¶ 0054- ¶ 0057, “The server 303 (EN: control entity) is configured to receive the log 304 from the protection module 102 and to detect a computer attack by analyzing the received log 304… The server 303 is also configured to create rules for the protection module 102 on the basis of the indicators of compromise, a rule containing at least one condition for the application of the rule for the detecting of a computer attack on the MT, and at least one action upon application of the rule for blocking the computer attack on the MT.”; ¶ 0100, “The protection module 102 is configured to obtain rules from the server 303 via the network 302. A rule obtained, created on the basis of the indicators of compromise, may contain at least one condition for application of the rule and at least one action upon application of the rule.”); 
configuring the infrastructure component as a function of the countermeasure (Fig. 2A, Item 102; ¶ 0047, “The protection module 102 (EN: infrastructure component) serves chiefly to block (EN: blocking rule received from server 303) a computer attack on the MT. By a computer attack on the MT is meant, primarily, a computer attack on the networks of the MT and the electronic systems of the MT, ”; Fig. 2B- Fig. 2C, Item 102; ¶ 0048- ¶ 0053; Fig. 5A, Steps 501- 504; ¶ 0103), so as to perform one of the following: 
(i) isolating at least one data stream from or to at least one other infrastructure component, in a portion of communications network, as a function of the countermeasure, or (ii) isolating at least one data stream to or from a terminal node, in a portion of communications network, as a function of the countermeasure (¶ 0058, “The action upon application of the rule also depends on the indicators of compromise. For example, if an indicator of compromise contains a defined message on the CAN bus and information about the recipient of this message, then the action upon application of the rule might be as follows: block all messages being transmitted on the CAN bus to that recipient (EN: other infrastructure component or terminal node in a portion of the communications network).”; Fig. 5B; ¶ 0113- ¶ 0114, “In one aspect, the protection module 102 may block the computer attack of the vehicle by performing an action associated with the rule. For example, the rule may specify that, responsive to determining that a portion of the intercepted messages matches a defined group of messages to a first recipient, the action performed is that all messages are blocked from being transmitted on the first communications bus to the first recipient”; ¶ 0115- ¶ 0118, “the computer attack may be blocked by blocking transmission of at least one message from the first communications bus to a second communications bus of the vehicle via a gateway.”).



Regarding claim 10, Dyakin further teaches:
An apparatus for operating a communications network in a 20vehicle, or for operating an industrial communications network, comprising: a control entity for the communications network, including a processor and a storage device, which includes instructions, which are executable by the processor (Fig. 3, Item 303; Fig. 7, Item 20; ¶ 0121- ¶ 0127, “FIG. 7 presents an example of a computer system 20 (EN: apparatus comprising a control entity) on which aspects of systems and methods for detecting attacks on electronics systems of a vehicle… the computer system may be used to realize the server 303, as well as the electronic systems of the MT”).

Regarding claims 2 and 18, Dyakin teaches all the features of claims 1 and 17, as outlined above.
Dyakin further teaches:
wherein at least one data stream to or from the infrastructure component, or at least one data stream to or from the terminal node, is monitored, in particular, by an attack detection device, using a criterion regarding a quantity or a content of data of the data stream, and wherein an attack is detected when the data stream deviates from the criterion (¶ 0091, “The data frame on the CAN bus has a data structure ending with a field containing a check sum of the message (15 bits). Therefore, the central gateway 101 has the possibility of checking the frame content (EN: content of data) with the use of the protection module 102, and upon detecting an unwanted message (EN: data stream deviates from the criterion) in the process of transmitting the check 102 can change the value of said check sum by sending a sequence consisting of bits 0.”).

Regarding claims 3 and 13, Dyakin teaches all the features of claims 1 and 12, as outlined above.
Dyakin further teaches:
wherein a filtering, blocking or forwarding rule is stored in the infrastructure component, (Fig. 3, Items 102, 302, 303; ¶ 0054- ¶ 0057; ¶ 0100, “The protection module 102 is configured to obtain rules from the server 303 via the network 302 (EN: protection module 102 can be configured to save obtained rules). A rule obtained, created on the basis of the indicators of compromise, may contain at least one condition for application of the rule and at least one action upon application of the rule.”), and wherein the infrastructure component applies the stored filtering, blocking or forwarding rule for implementing the countermeasure (Fig. 5B; ¶ 0113- ¶ 0114, “In one aspect, the protection module 102 may block the computer attack of the vehicle by performing an action associated with the rule (EN: blocking rule for implementing the countermeasure)). 


Regarding claim 4, Dyakin teaches all the features of claim 1, as outlined above.
Dyakin further teaches:
(Fig. 3, Items 102, 302, 303; ¶ 0054- ¶ 0057; ¶ 0100, “The protection module 102 (EN: infrastructure component) is configured to obtain rules from the server 303 via the network 302. A rule obtained, created on the basis of the indicators of compromise, may contain at least one condition for application of the rule and at least one action upon application of the rule.”; Fig. 5B; ¶ 0113- ¶ 0114, “In one aspect, the protection module 102 may block the computer attack of the vehicle by performing an action associated with the rule (EN: blocking rule for implementing the countermeasure)). 

Regarding claim 6, Dyakin teaches all the features of claim 1, as outlined above.
Dyakin further teaches:
wherein the terminal node includes a control unit or a sensor on a controller area network or an Ethernet network (¶ 0025-0026, “Sensors and setpoint generators configured to detect operating conditions (e.g. engine speed) and setpoint values (e.g. switch position). The sensors and setpoint generators are further configured to convert physical variables into electrical signals.”; ¶ 0039, “the network architecture 100 may be configured to implement CAN (Controller Area Network), which is a communications standard for a network of a means of transportation”; ¶ 0051).

Regarding claims 7 and 15, Dyakin teaches all the features of claims 1 and 12, as outlined above.
Dyakin further teaches:
wherein the terminal node includes a device of a controller area network (¶ 0039, “the network architecture 100 may be configured to implement CAN (Controller Area Network), which is a communications standard for a network of a means of transportation”), and wherein the infrastructure component includes a forwarding device, which, according to stipulated rules, relays messages to or from the terminal node, out of or into the controller area network, or processes them further (¶ 0055; ¶ 0057, “The protection module 102 (EN: infrastructure component ) may communicate with the server 303 by means of a network 302 (i.e., a wireless communications network, such as a Wi-Fi network, LTE, and others). The server 303 is configured to receive the log 304 from the protection module 102 and to detect a computer attack by analyzing the received log 304.”).

Regarding claims 8 and 16, Dyakin teaches all the features of claims 1 and 12, as outlined above.
Dyakin further teaches:
wherein the infrastructure component includes a switch for software-defined networking or time- sensitive networking (¶ 0055, “he protection module 102 also serves to transmit to the server 303 the portion of the log 304 containing the messages, as well as the information as to at least one ECU which is the recipient of at least one of the mentioned messages which were intercepted by the protection module 102 on the o−Δt, t0+Δt), where t0 is the time of occurrence of the incident with the MT, and Δt is the certain period around the time of occurrence of the incident with the MT, for example 10 seconds; ¶ 0059; ¶ 0096, “a significant change in speed of the MT during a short interval of time may be considered to be an anomaly.”; ¶ 0111, “The protection module 102 may store, in a log 304, the intercepted messages and information indicating the determined at least one recipient ECU. In some aspects, the protection module 102 may store, in the log, time stamps corresponding to a time of interception of the intercepted messages.”; ¶ 0112).

Regarding claim 9, Dyakin teaches all the features of claim 1, as outlined above.
Dyakin further teaches:
wherein at least one terminal node is configured to discard specified data (¶ 0088, “blocking the sending of at least one message from among the messages contained in defined indicators of compromise (EN: discard specified data)”; ¶ 0091, “Upon receiving such a message, the ECU addressee will detect a discrepancy in the check sum of the message, and such a message will not be processed (EN: discard specified data)”; ¶ 0094).

Regarding claim 11, Dyakin teaches all the features of claim 10, as outlined above.
Dyakin further teaches:
(Fig. 3, Items 102, 302, 303; ¶ 0054- ¶ 0057, “The server 303 (EN: control entity) is configured to receive the log 304 from the protection module 102 and to detect a computer attack by analyzing the received log 304… The server 303 is also configured to create rules for the protection module 102 on the basis of the indicators of compromise, a rule containing at least one condition for the application of the rule for the detecting of a computer attack on the MT, and at least one action upon application of the rule for blocking the computer attack on the MT.”; ¶ 0100, “The protection module 102 is configured to obtain rules from the server 303 via the network 302. A rule obtained, created on the basis of the indicators of compromise, may contain at least one condition for application of the rule and at least one action upon application of the rule.”), and wherein the filtering, blocking or forwarding rule is appliable by the infrastructure component for implementing the countermeasure, using the received filtering, blocking or forwarding rule    Fig. 5B; ¶ 0113- ¶ 0114, “In one aspect, the protection module 102 may block the computer attack of the vehicle by performing an action associated with the rule. For example, the rule may specify that, responsive to determining that a portion of the intercepted messages matches a defined group of messages to a first recipient, the action performed is that all messages are blocked from being transmitted on the first communications bus to the first recipient”; ¶ 0115- ¶ 0118, “the computer attack may be blocked by blocking transmission of at least one message from the first communications bus to a second communications bus of the vehicle via a gateway.”).

Regarding claim 14, Dyakin teaches all the features of claim 12, as outlined above.
Dyakin further teaches:
wherein the infrastructure component is configured to receive a filtering, blocking or forwarding rule for implementing the countermeasure (Fig. 3, Items 102, 302, 303; ¶ 0054- ¶ 0057; ¶ 0100, “The protection module 102 is configured to obtain rules from the server 303 via the network 302. A rule obtained, created on the basis of the indicators of compromise, may contain at least one condition for application of the rule and at least one action upon application of the rule.”), and wherein the infrastructure component is configured to apply the received filtering, blocking or forwarding rule for implementing the countermeasure (Fig. 5B; ¶ 0113- ¶ 0114, “In one aspect, the protection module 102 may block the computer attack of the vehicle by performing an action associated with the rule (EN: blocking rule for implementing the countermeasure)).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 5 and 19-22 are rejected under 35 U.S.C. 103 as being unpatentable over Dyakin, in view of Kalra et al. (U.S Pub No. 2020/0120119 A1, referred to as Kalra).

Regarding claim 5, Dyakin teaches all the features of claim 1, as outlined above.
Dyakin does not explicitly disclose, however Kalra teaches:
wherein as a countermeasure for an attack on a path between two devices of the communications network, a redundant path between the two devices is determined, wherein the redundant path is configured, using filtering, blocking or forwarding rules, and wherein the two devices includes one of: (a) an infrastructure component and a terminal node, (b) an infrastructure component and an infrastructure component, or (c) a terminal node and a terminal node (Kalra: Fig. 1; ¶ 0003, “FIG. 1A illustrates a block diagram of a system including a first intelligent electronic device (“IED”) and a second IED in communication through a network comprising a plurality of switches consistent with embodiments of the present disclosure.”; Fig. 1B; ¶ 0029, “Where a time of flight exceeds an expected time of flight, certain actions may be taken to reconfigure system 100 to reduce the risk associated with a potential MITM attack. For example, if data packets between IED 102 and IED 104 are routed through the path (EN: redundant path) comprising L1, L4, L3 (i.e., through the hacker device 114), and L6, system 100 may reroute the data packets using the path comprising L1, L2, L5, and L6 (EN: forwarding rules). The rerouted packets may thereby avoid hacker device 114. In 100 may create an isolated path to create a honeypot to navigate a hacker to a trap.”.
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Dyakin by Kalra and have a system configured to switch data packets and reroute it through another path in case of a hacker attack in order to reduce the risk associated with a potential attack. (Kalra: ¶ 0029).

Regarding claims 19-22, Dyakin teaches all the features of claims 1, 10, 12 and 17, as outlined above.
Dyakin does not explicitly disclose, however Kalra teaches:
wherein the control entity for the communications network includes a software-defined networking controller, and wherein the isolating is performed by blocking, throttling or rerouting the at least one data stream (Kalra: ¶ 0030, “the present disclosure may comprise deterministic and non-deterministic networks. In deterministic networks, such as software-defined networks (SDN), the path of a packet through a network is defined. As such, the time of flight should have a predictable time of flight.”; Fig. 5, Steps 514-518; ¶ 0049- ¶ 0051, “At 518, a protective action may be implemented. In one embodiment, data packets may be re-routed through an alternative path. As discussed above in connection with FIG. 1B, data packets may be re-routed to avoid network segment L3, and thus avoid the hacker device 114. Still further, in one embodiment, a system may create an isolated path to create a honeypot to navigate a hacker to a trap.”).
Dyakin by Kalra and have software-defined networks (SDN) device, wherein in case of an attack reroute data packets in order to avoid the hacker attack. (Kalra: ¶ 0051).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 





/HASSAN SAADOUN/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435