DETAILED ACTION
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This communication is in response to the application filed 7/6/20 and RCE filed 1/25/22.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/25/22 has been entered.
 
2.	Claims 2 and 9 were previously canceled.  Claims 3, 15, 18, 21, 22 are newly canceled.
	Claims 23-26 are newly added.
	Claims 1, 4-8, 10-14, 16-17, 19-20 and 23-26 are pending.
	Claims 1, 4-8, 10-14, 16-17, 19-20 and 23-26 are rejected.

Response to Arguments


Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


6.	Claims 1, 4-5, 7, 11, 13, 16, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mushtaq et al., (Mushtaq), US Patent No.: 9430646 as applied to the claims above, in view of Patil et al., (Patil), US PGPub. No.: 20020120746 and Evans et al., (Evans), US Patent No.: 9843594.

As per claim 1, Mushtaq teaches a method for analyzing service-oriented communication in a communications network, (via local analyzer and subscribed services) (col. 5, line 56-61) comprising the following steps: 
analyzing a data packet, and determining, based on information about a data field of a header included in the data packet, whether or not the data packet meets a criterion, (a first signature based on a preferably partially masked header of a captured network packet for use as an index into a local signature cache and into a local event/anomaly database; If the signatures do not match (criterion established) but the deep packet analysis finds suspicious anomalies (e.g., protocol non-compliance or unconventional syntax or content, or destination is a dark domain or dark IP address), the current HTTP header and related communication information is provided to the central analyser; form signatures of preferably select HTTP header fields) (col. 3, lines 38-41; col. 5, line 29-35, and 42-47); the criterion defining a setpoint value for at least one value from the data field permitted in the communications network, (hash can represent setpoint value defined; via generate a hash (e.g., using Md5sum) of the remaining fields of the headers (sometimes referred to as a partially-masked PCAP), and store the resulting hash value along with the packet header in the event/anomaly database 206 as its corresponding signature, thus permitted in the communications network) (col 12, lines 52-59); 
wherein the header is a header for service-oriented communication, (Upon finding suspicious anomalies, the local analyser reports the suspect (e.g., the header signatures and, in some embodiments, metadata related to the communication) to a central analyser to whose services it subscribes) (col. 5, lines 56-62);
(via hash can represent setpoint value; generate a hash (e.g., using Md5sum) of the remaining fields (thus, combination of values via hashing the remaining fields) of the headers) (col 12, lines 52-59); permitted in the communications network, (header fields comprising a combination of values are permitted in the communication network) (col. 6, lines 27-32); of at least two different fields of the header of the data packet, (the signature generator 252 extracts select fields (hence, at least two) of characters for use in forming the signature for the full packet header and discards the remaining characters as unneeded surplus for these purposes; header fields (different fields) are colon-separated name-value pairs in clear-text string format) (col. 6, lines 33-34; col. 12, lines 64-66); 
wherein an anomaly or an intrusion in the communications network is detected when the criterion is not met by the data packet, (If the local signature matching logic 174 finds no match but the deep packet inspection 176 finds anomalies, the current packet header is deemed a malware "suspect" or "suspect packet) (col. 9, line 10-14).
Mushtaq does not specifically teach wherein the combination of values defines a permitted combination of identifiers in the header of the data packet which identify a service user and a service provider, the service user being a user of a service, and the service provider being a provider of the service.
However, Patil teaches wherein the combination of values defines a permitted combination of identifiers in the header of the data packet which identify a service user and a service provider, (The service triggering contains the triggering conditions (permitted combinations) for service invocation. A simple service script may consist of a script header which may define a user identification, a service provider identification, and a number of services) (para. 56); the service user being a user of a service, (para. 13, 22), and the service provider being a provider of the service, (para. 13, 25).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq and Patil such that the operators may provide a lot of services, an enhanced range of services, as a package based on individual needs of a user or predetermined default or basic service requirements, (Patil; para. 57).
Neither Mushtaq nor Patil specifically teaches the communications network being an automotive communications network in a vehicle;
wherein the method further comprises performing a countermeasure in response to detecting the anomaly or the intrusion in the communications network. 
However, Evans teaches the communications network being an automotive communications network in a vehicle, (the automobile network may include an in-vehicle controller area network bus (e.g., a CAN bus)) (col. 2, lines 65-67; Fig. 4);
wherein the method further comprises performing a countermeasure in response to detecting the anomaly or the intrusion in the communications network, (using the model to determine that the automobile-network message is anomalous, and performing a security action (countermeasure) in response to determining (hence, detected) that the automobile-network message is anomalous) (col. 1, lines 59-62).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq and Patil and Evans in order to provide features to create the model may include using the set of features to create a model that is capable of distinguishing automobile-(Evans; col. 2, lines 34-39).
  
As per claim 4, the method as recited in claim 1, Mushtaq teaches wherein the combination of values permitted in the communications network (via hash can represent setpoint value; generate a hash (e.g., using Md5sum) of the remaining fields (thus, combination of values via hashing the remaining fields) of the headers; header fields are permitted in the communication network) (col. 6, lines 27-32; col 12, lines 52-59);
Mushtaq does not specifically teach a combination of the service provider identified in the header of the data packet by a service ID, and the service user identified in the header of the data packet identified by a client ID.
However, Patil teaches a combination of the service provider identified in the header of the data packet by a service ID, and the service user identified in the header of the data packet identified by a client ID, (The service triggering contains the triggering conditions (permitted combinations) for service invocation. A simple service script may consist of a script header which may define a user identification, a service provider identification, and a number of services) (para. 56); the service user being a user of a service, (para. 13, 22).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq and Patil such that the operators may provide a lot of services, an enhanced range of (Patil; para. 57).

As per claim 5, the method as recited in claim 1, Mushtaq teaches wherein the determining includes checking whether a field "protocol version" from the data packet and/or a field "message type" from the data packet and/or a field "return code" from the data packet, has a value permitted in the communications network, (If the signatures do not match but the deep packet analysis finds suspicious anomalies (e.g., protocol non-compliance (comprises protocol version) or unconventional syntax or content) (col. 5, lines 27-32). 

 	As per claim 7, the method as recited in claim 1, 
Neither Mushtaq nor Patil specifically teach wherein the determining includes checking whether a length of the data packet coincides with a length specified in a "length" field of the data packet and/or whether the data packet is longer or shorter than permitted in the communications network. 
However, Evans teaches wherein the determining includes checking whether a length of the data packet coincides with a length specified in a "length" field of the data packet and/or whether the data packet is longer or shorter than permitted in the communications network. (the term “feature” may refer to the value of any characteristic, attribute, or property of one or more automobile-network messages that may be used to determine whether all or a portion of the automobile-network messages are expected or anomalous. Examples of such features may include message types, message lengths) (col. 10, lines 31-38).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq and Patil and Evans in order to provide features to create the model may include using the set of features to create a model that is capable of distinguishing automobile-network messages that are part of normal operation of the automobile from automobile-network messages that are part of an attack on the automobile network, (Evans; col. 2, lines 34-39).

As per claim 11, Mushtaq teaches a device for analyzing service-oriented communication in a communications network, (via local analyzer and subscribed services) (col. 5, line 56-61; Fig. 1A/102 and Fig. 2) the device comprising: 
an analysis unit which is: (i) situated in a connecting element for connecting data lines in the communications network for transmitting data packets, or (ii) connected or connectable to the connecting element for communication, the analysis unit configured, (col. 5, line 56-61; Fig. 1A/102 and Fig. 2); wherein the header is a header for service-oriented communication, (signature based on a preferably partially masked header of a captured network packet for use as an index into a local signature cache and into a local event/anomaly database; subscribed to service of analyzer as well) (col. 5, line 56-62). 
The remainder of the limitations are rejected based on the analysis of claim 1 due to the similarity of the limitations.

	As per claim 13, Mushtaq teaches a non-transitory computer-readable storage medium on which is stored a computer program for analyzing service-oriented communication in a communications network, (via local analyzer and subscribed services; storage) (col. 5, line 56-61; col. 22, lines 59-67; Fig. 1A/102 and Fig. 2); the computer program, when executed by a computer, causing the computer to perform, (program is viewed as computer readable code) (col. 22, lines 59-67) the following steps: 
The remainder of the limitations are rejected based on the analysis of claim 1, due to the similarity of the limitations.  

 	As per claim 16, the device as recited in claim 11, it is rejected based on the analysis of claim 4. 
 
 	As per claim 19, the non-transitory computer-readable storage medium as recited in claim 13, it is rejected based on the analysis of claim 4 due to the similarity of the limitations.   

7.	Claims 6 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Mushtaq et al., (Mushtaq), US Patent No.: 9430646 as applied to the claims above, in view of Patil et al., (Patil), US PGPub. No.: 20020120746 and Evans et al., (Evans), US Patent No.: 9843594 and further in view of Litichever et al., (Litichever), US PGPub. No.: 20200389469.

(error condition, and may result in the corresponding communication being sent to the central analyzer 110 (FIG. 1A) for further analysis and/or the error condition reported) (col. 14, lines 37-41).
Neither Mushtaq, Patil nor Evans specifically teach error code in a field "return code" of the data packet. 
	However, Litichever teaches error code in a field "return code" of the data packet, (para. 151).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, Patil, Evans and Litichever such that error detection and correction is performed at various layers in the protocol stack. Network packets may contain a checksum, parity bits or cyclic redundancy checks to detect errors that occur during transmission, (Litichever; para. 152).

As per claim 12, the device as recited in claim 11, 
Neither Mushtaq, Patil nor Evans specifically teach wherein the connecting element is an automotive Ethernet switch.  
However, Litichever teaches wherein the connecting element is an automotive Ethernet switch, (switch of motor vehicle communication network; Ethernet switch) (para. 80, 467).
(Litichever; para. 152).

8.	Claims 8, 14, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mushtaq et al., (Mushtaq), US Patent No.: 9430646 as applied to the claims above, in view of Patil et al., (Patil), US PGPub. No.: 20020120746 and Evans et al., (Evans), US Patent No.: 9843594, in view of Tsurumi et al., (Tsurumi), US PGPub. No.: 20190141070.

 	As per claim 8, the method as recited in claim 5, Mushtaq teaches wherein the determining includes checking, (col. 5, lines 27-32).
Neither Mushtaq, Patil, nor Evans specifically teach whether the fields "message type" and "return code" assume a permitted combination.  
However, Tsurumi teaches whether the fields "message type" and "return code" assume a permitted combination, (wherein return code are associated with errors, i.e. transmitted in error frame data frames containing unauthorized data to be monitored can be efficiently invalidated on the onboard network, thus combination not permitted) (para. 70).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, (Tsurumi; para. 70). 

 	As per claim 14, Mushtaq teaches a method for analyzing service-oriented communication in a communications network, wherein the combination of values defines a permitted combination of values of a message type field in the header (HTTP header and messages; via hash can represent setpoint value; generate a hash (e.g., using Md5sum) of the remaining fields (thus, combination of values via hashing the remaining fields) of the headers; header fields are permitted in the communication network) (col. 6, lines 27-32; col 12, lines 52-59); (via local analyzer and subscribed services) (col. 5, line 56-61), the method comprising the following steps;
analyzing a data packet, and determining, based on information about a data field of a header included in the data packet, whether or not the data packet meets a criterion, (a first signature based on a preferably partially masked header of a captured network packet for use as an index into a local signature cache and into a local event/anomaly database; If the signatures do not match (criterion established) but the deep packet analysis finds suspicious anomalies (e.g., protocol non-compliance or unconventional syntax or content, or destination is a dark domain or dark IP address), the current HTTP header and related communication information is provided to the central analyser; form signatures of preferably select HTTP header fields) (col. 3, lines 38-41; col. 5, line 29-35, and 42-47); the criterion defining a setpoint value for at least one value from the data field permitted in the communications network, (hash can represent setpoint value defined; via generate a hash (e.g., using Md5sum) of the remaining fields of the headers (sometimes referred to as a partially-masked PCAP), and store the resulting hash value along with the packet header in the event/anomaly database 206 as its corresponding signature, thus permitted in the communications network) (col 12, lines 52-59); 
wherein the header is a header for service-oriented communication, (Upon finding suspicious anomalies, the local analyser reports the suspect (e.g., the header signatures and, in some embodiments, metadata related to the communication) to a central analyser to whose services it subscribes) (col. 5, lines 56-62);
wherein the setpoint value defines a combination of values, (via hash can represent setpoint value; generate a hash (e.g., using Md5sum) of the remaining fields (thus, combination of values via hashing the remaining fields) of the headers) (col 12, lines 52-59); permitted in the communications network, (header fields comprising a combination of values are permitted in the communication network) (col. 6, lines 27-32); of at least two different fields of the header of the data packet, (the signature generator 252 extracts select fields (hence, at least two) of characters for use in forming the signature for the full packet header and discards the remaining characters as unneeded surplus for these purposes; header fields (different fields) are colon-separated name-value pairs in clear-text string format) (col. 6, lines 33-34; col. 12, lines 64-66); 
wherein an anomaly or an intrusion in the communications network is detected when the criterion is not met by the data packet, (If the local signature matching logic 174 finds no match but the deep packet inspection 176 finds anomalies, the current packet header is deemed a malware "suspect" or "suspect packet) (col. 9, line 10-14).

However, Patil teaches wherein the combination of values defines a permitted combination of identifiers in the header of the data packet which identify a service user and a service provider, (The service triggering contains the triggering conditions (permitted combinations) for service invocation. A simple service script may consist of a script header which may define a user identification, a service provider identification, and a number of services) (para. 56); the service user being a user of a service, (para. 13, 22), and the service provider being a provider of the service, (para. 13, 25).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq and Patil such that the operators may provide a lot of services, an enhanced range of services, as a package based on individual needs of a user or predetermined default or basic service requirements, (Patil; para. 57).
Neither Mushtaq nor Patil specifically teaches the communications network being an automotive communications network in a vehicle;
wherein the method further comprises performing a countermeasure in response to detecting the anomaly or the intrusion in the communications network. 
However, Evans teaches the communications network being an automotive communications network in a vehicle, (the automobile network may include an in-vehicle controller area network bus (e.g., a CAN bus)) (col. 2, lines 65-67; Fig. 4);
using the model to determine that the automobile-network message is anomalous, and performing a security action (countermeasure) in response to determining (hence, detected) that the automobile-network message is anomalous) (col. 1, lines 59-62).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq and Patil and Evans in order to provide features to create the model may include using the set of features to create a model that is capable of distinguishing automobile-network messages that are part of normal operation of the automobile from automobile-network messages that are part of an attack on the automobile network, (Evans; col. 2, lines 34-39).
Neither Mushtaq, Patil nor Evans specifically teach combination of message type field of the data packet and a return code field of the header of the data packet. 
However, Tsurumi teaches combination of message type field of the data packet and a return code field of the header of the data packet, (para. 70).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, Patil, Evans and Tsurumi such that data frames containing unauthorized data to be monitored can be efficiently invalidated on the onboard network, (Tsurumi; para. 70). 

 	As per claim 17, the method as recited in claim 11, Mushtaq teaches wherein the combination of values defines a permitted combination of values of a message type field (HTTP header and messages; via hash can represent setpoint value; generate a hash (e.g., using Md5sum) of the remaining fields (thus, combination of values via hashing the remaining fields) of the headers; header fields are permitted in the communication network) (col. 6, lines 27-32; col 12, lines 52-59); 
Neither Mushtaq, Patil nor Evans specifically teach combination of message type field of the data packet and a return code field of the header of the data packet. 
However, Tsurumi teaches combination of message type field of the data packet and a return code field of the header of the data packet, (para. 70).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, Patil, Evans and Tsurumi such that data frames containing unauthorized data to be monitored can be efficiently invalidated on the onboard network, (Tsurumi; para. 70).

 	As per claim 20, the non-transitory computer-readable storage medium as recited in claim 13, it is rejected based on the analysis of claim 17, due to the similarity of the limitations.  

9.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Mushtaq et al., (Mushtaq), US Patent No.: 9430646 as applied to the claims above, in view of Patil et al., (Patil), US PGPub. No.: 20020120746 and Evans et al., (Evans), US Patent No.: 9843594 and further in view of Moskowitz, (Moskowitz), US PGPub. No.: 20170187729.

 	As per claim 10, the method as recited in claim 1, 

However, Moskowitz teaches wherein before an inspection of the criterion, it is checked whether the data packet is part of a service-oriented communication, the inspection of the criterion being carried out only if the data packet is part of a service-oriented communication, (only if the intrusion detection system has determined that the packet belongs to one of the plurality of data flows (hence, service oriented communication) to be further inspected and only if a presence of one or more of a first set of authorization data and priority data (also viewed as service oriented communication data) has been detected in the packet, a set of criteria to discriminate (inspect)  between different flows) (claim 77).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, Patil, Evans and Moskowitz such that some form of recognition or identification of data streams may be handled by firewalls, intrusion detection systems and similar analysis to assure data integrity, (Moskowitz; para. 28).

10.	Claims 23-25 are rejected under 35 U.S.C. 103 as being unpatentable over Mushtaq et al., (Mushtaq), US Patent No.: 9430646 as applied to the claims above, in view of Patil et al., (Patil), US PGPub. No.: 20020120746 and Evans et al., (Evans), US Patent No.: 9843594 and further in view of Teshler, (Teshler), US PGPub. No.: 20170295182.

As per claim 23, the method as recited in claim 1, 
Neither Mushtaq, Patil nor Evans teaches wherein countermeasure includes prohibiting the data packet from being sent to a network user of the communications network.  
However, Teshler teaches wherein countermeasure includes prohibiting the data packet from being sent to a network user of the communications network, (security communication lockdown (countermeasure) is configured to block (drop/erase) the message, preventing the attack) (para. 69).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, Patil, Evans and Teshler such that  the inventive specially programmed computing systems are configured to implement the configuration lockdown procedures with respect to the inventive devices configured to implement the security communication lockdown but also implement the configuration lockdown procedures with respect each other ECU resided within the vehicle (Teshler; para. 72).

 	As per claim 24, the device as recited in claim 11, it is rejected based on the analysis of claim 23, due to the similarity of the limitations.  

 	As per claim 25, the non-transitory computer-readable storage medium as recited in claim 13, it is rejected based on the analysis of claim 23, due to the similarity of the limitations.  

11.	Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Mushtaq et al., (Mushtaq), US Patent No.: 9430646 as applied to the claims above, in view of Patil et al., (Patil), US PGPub. No.: 20020120746 and Evans et al., (Evans), US Patent No.: 9843594, in view of Tsurumi et al., (Tsurumi), US PGPub. No.: 20190141070 and further in view of Teshler, (Teshler), US PGPub. No.: 20170295182.

 	As per claim 26, the method as recited in claim 14, 
Neither Mushtaq, Patil, Evans, nor Tsurumi teaches wherein countermeasure includes prohibiting the data packet from being sent to a network user of the communications network.
However, Teshler teaches wherein countermeasure includes prohibiting the data packet from being sent to a network user of the communications network, (security communication lockdown (countermeasure) is configured to block (drop/erase) the message, preventing the attack) (para. 69).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq, Patil, Evans, Tsurumi and Teshler such that the inventive SREE component is configured to protect the associated computing system(s) from malicious software that runs on top of the operating system, as a separate application and/or inject itself as part of another application (Teshler; para. 196).

Conclusion
i.e. Zula, US PGPub. No.: 20150001427, para. 16.  See form 892

13.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to James Edwards whose telephone number is (571) 270-7176.  The examiner can normally be reached Monday to Thursday, 7:00-5:30pm EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Peter Pappas can be reached on 571-272-7646.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAMES A EDWARDS/
Primary Examiner
Art Unit 2448
3/9/22