Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 16/722,458 filed on 12/20/2019. Claims 1-20 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 4/15/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-6, 9, 12-15 and 20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Sasaki (US 2019/0156593).

	As per claim 1, Sasaki discloses a computer-implemented method for managing security of a vehicle, comprising: monitoring a plurality of activities of one or more electronic devices associated with the vehicle (Sasaki, Paragraph 0234 recites “The terminal device 200 then is operated by the monitoring organization to perform detailed analysis relating to the abnormality (S113). The terminal device 200 also is operated by the monitoring organization to preserve evidence (S114). ”); 
	generating a plurality of event logs based on the monitored activities; sending the generated event logs to a server (Sasaki, Paragraph 0240 recites “The communication unit 448 of the security ECU 440 then transmits the full log (S132). For example, the communication unit 448 of the security ECU 440 compresses the full log recorded in the accumulating unit 447 and transmits the compressed full log to the server device 300.”);
	and receiving, from the server, one or more alerts created based on the generated event logs (Sasaki, Paragraph 0243 recites “The abnormality notifying unit 346 of the server device 300 also transmits an abnormality notification to the security ECU 440 via the communication unit 348 (S135).”).
	
	As per claim 2, Sasaki discloses the method of claim 1, Sasaki further teaches wherein the electronic devices comprise: one or more electronic control units (ECUs) (Sasaki, Paragraph 0087 recites “is a block diagram illustrating the configuration of a security system according to the present embodiment. A security system 100 illustrated in FIG. 1 includes a server device 300, an onboard system 410, and so forth. The onboard system 410 is a system installed in a vehicle 400, and includes a security electronic control unit (ECU) 440, other ECUs 451 and 452, and so forth. The ECU is also referred to as an engine control unit.”); 
	one or more autonomous driving systems (ADSs); one or more security gateways or one or more security agents (Sasaki, Paragraph 0196 recites “The security system 100 has a security gateway device 460, where the gateway device 430 and security ECU 440 have been integrated. Note that the security gateway device 460 may be the security ECU 440 including the gateway device 430, or may be the gateway device 430 including the security ECU 440.”).
	
	As per claim 3, Sasaki discloses the method of claim 1, Sasaki further teaches wherein the generating a plurality of event logs comprises: generating the plurality of event logs based on one or more preset rules, wherein each of the one or more preset rules is associated with one or more of the electronic devices (Sasaki, Paragraph 0096 recites “For example, the security ECU 440 may identify unauthorized data by matching communication data with a white list or rules. The security ECU 440 may also invalidate unauthorized data using a CAN error frame.”).

	As per claim 4, Sasaki discloses the method of claim 1, Sasaki further teaches wherein the monitored activities comprise: code modifications; account activities; access to protected data; or command or program execution (Sasaki, Paragraph 0096 recites “Thus, the server device 300 can detect unauthorized data, unauthorized access, or predictors or the like thereof, that the onboard system 410 cannot detect.”).

	As per claim 5, Sasaki discloses the method of claim 1, Sasaki further teaches wherein the generating the plurality of event logs comprises: determining, for each of one or more of the monitored activities, whether the activity meets one or more conditions associated with at least one of one or more preset rules (Sasaki, Paragraph 0096 recites “For example, the security ECU 440 may identify unauthorized data by matching communication data with a white list or rules. The security ECU 440 may also invalidate unauthorized data using a CAN error frame.”).

	As per claim 6, Sasaki discloses the method of claim 1, Sasaki further teaches after the sending the generated event logs to a server: analyzing, by the server, the generated event logs, wherein the analyzing comprises categorizing the generated event logs and applying a detection logic to the categorized event logs (Sasaki, Paragraph 0242 recites “The abnormality detecting unit 345 of the server device 300 then performs abnormality detection processing in accordance with the full log recorded in the accumulating unit 347 (S133). That is to say, the abnormality detecting unit 345 of the server device 300 determines whether or not there is an abnormality included in the communication data on the onboard network, by determining whether or not there is an abnormality included in the full log”).
	and creating, by the server, one or more alerts based on the analyzing (Sasaki, Paragraph 0243 recites “The abnormality notifying unit 346 of the server device 300 also transmits an abnormality notification to the security ECU 440 via the communication unit 348 (S135).”).

	As per claim 9, Sasaki discloses the method of claim 1, Sasaki further teaches after the sending the generated event logs to a server: storing, by the server, the event logs into a database (Sasaki, Paragraph 0215 recites “The sampling log processing unit 343 obtains sampling logs via the communication unit 348, and stores the obtained sampling logs in the accumulating unit 347. The full log processing unit 344 obtains full logs via the communication unit 348, and stores the obtained full logs in the accumulating unit 347.”).

Regarding claims 12 and 20, claims 12 and 20 are directed to a system and a non-transitory readable medium associated with the method of claim 1. Claims 12 and 20 are of similar scope to claim 1, and are therefore rejected under similar rationale.

	Regarding claim 13, claim 13 is directed to a similar system associated with the method of claim 4. Claim 13 is similar in scope to claim 4 and is therefore rejected under similar rationale.

	Regarding claim 14, claim 14 is directed to a similar system associated with the method of claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale.

	Regarding claim 15, claim 15 is directed to a similar system associated with the method of claim 6. Claim 15 is similar in scope to claim 6 and is therefore rejected under similar rationale.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to 

Claims 7, 8, 16 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sasaki (US 2019/0156593) in view of Bajpai (US 2021/0203682).

	As per claim 7, Sasaki discloses the method of claim 6 but fails to teach wherein the analyzing the generated event logs comprises, for each of one or more of the generated event logs: identifying a source associated with an activity corresponding to the event log; determining that the source is not among a list of trusted sources stored by the server; and creating an alert associated with the event log based on the determination.
	However, in an analogous art Bajpai teaches wherein the analyzing the generated event logs comprises, for each of one or more of the generated event logs: identifying a source associated with an activity corresponding to the event log; determining that the source is not among a list of trusted sources stored by the server; and creating an alert associated with the event log based on the determination (Bajpai, Paragraph 0116 recites “If the seen CAN identifier matches one of the stored CAN identifiers, hacking detection system 170A can assume that the message is from a valid and trusted source. On the other hand, if the seen CAN identifier does not match any of the stored CAN identifiers (e.g., because it is a CAN identifier used by ECU 134E or 134J, which do not have hacking detection systems 170), hacking detection system 170A can assume that the message is from an invalid or untrusted source, and act accordingly.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Bajpai’s cybersecurity on a controller area network in a vehicle with Sasaki’s information processing device and information processing method because the use of lists for trusted and untrusted sources is a good technique to ensure only trusted sources are interacting with a network.

	As per claim 8, Sasaki discloses the method of claim 6 but fails to teach wherein the analyzing the generated event logs comprises, for each of one or more of the generated event logs: identifying a source associated with an activity corresponding to the event log; determining that the source is among a list of prohibited sources stored by the server; and creating an alert associated with the event log based on the determination.
	However, in an analogous art Bajpai teaches (Bajpai, Paragraph 0116 recites “If the seen CAN identifier matches one of the stored CAN identifiers, hacking detection system 170A can assume that the message is from a valid and trusted source. On the other hand, if the seen CAN identifier does not match any of the stored CAN identifiers (e.g., because it is a CAN identifier used by ECU 134E or 134J, which do not have hacking detection systems 170), hacking detection system 170A can assume that the message is from an invalid or untrusted source, and act accordingly.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Bajpai’s cybersecurity on a controller area network in a 

	Regarding claim 16, claim 16 is directed to a similar system associated with the method of claim 7. Claim 16 is similar in scope to claim 7 and is therefore rejected under similar rationale.

	Regarding claim 17, claim 17 is directed to a similar system associated with the method of claim 8. Claim 17 is similar in scope to claim 8 and is therefore rejected under similar rationale.


Claims 10, 11, 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sasaki (US 2019/0156593) in view of Kaster (US 2017/0063996).

	As per claim 10, Sasaki discloses the method of claim 6 but fails to teach wherein the one or more received alerts comprise instructions associated with countermeasures for preventing one or more security threats.
	However, in an analogous art Kaster teaches (Kaster, Paragraph 0020 recites “Another method of counteracting suspicious activity is to notify non-targeted ECUs of the attack so that the non-targeted ECUs may run their pre-programmed countermeasures. For example, the invention can determine that a first critical ECU is being attacked and then notify other critical system ECUs of the attack on the first critical ECU. Another countermeasure is to transmit a reset command to the first critical ECU that is determined to be the target of suspicious activity.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Kaster’s security monitor for a vehicle with Sasaki’s information processing device and information processing method because the use of countermeasures would aim to prevent any further damage from an attack/abnormal activity.

	As per claim 11, Sasaki in combination with Kaster teaches the method of claim 10, Kaster further teaches after the receiving one or more alerts created based on the generated event logs: implementing the countermeasures based on the instructions to prevent the one or more security threats (Kaster, Paragraph 0020 recites “Another method of counteracting suspicious activity is to notify non-targeted ECUs of the attack so that the non-targeted ECUs may run their pre-programmed countermeasures. For example, the invention can determine that a first critical ECU is being attacked and then notify other critical system ECUs of the attack on the first critical ECU. Another countermeasure is to transmit a reset command to the first critical ECU that is determined to be the target of suspicious activity.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Kaster’s security monitor for a vehicle with Sasaki’s information processing device and information processing method because the use of 

	Regarding claim 18, claim 18 is directed to a similar system associated with the method of claim 10. Claim 18 is similar in scope to claim 10 and is therefore rejected under similar rationale.

	Regarding claim 19, claim 19 is directed to a similar system associated with the method of claim 11. Claim 19 is similar in scope to claim 11 and is therefore rejected under similar rationale.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571) 272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/ Primary Examiner, Art Unit 2439