Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
In response to the arguments filed 3/8/2022:
Referring to the response to the 35 U.S.C. 112(f) rejections (arguments: page 6 lines 11-34):  The 35 U.S.C. 112(f) rejections have been dropped in view of amendments.
Referring to the response to the 35 U.S.C. 112(b) rejections (arguments: page 7 line 1 to page 9 line 6):  The 35 U.S.C. 112(b) rejections have been dropped in view of amendments; claims 1 and 4-7 are allowed.
Referring to the response to the 35 U.S.C. 103 rejections (arguments: page 9 lines 7-27):  The 35 U.S.C. 103 rejections have been dropped in view of amendments; claims 1 and 4-7 are allowed.

Allowable Subject Matter
Claims 1 and 4-7 are allowed.
The following is an examiner’s statement of reasons for allowance: 
Independent claim 1:
U.S. Publication No. 20200053104 to El Moussa et al disclose a method (performed by malicious encrypted traffic detector 200) for detecting and defending against abnormal traffic of an in-vehicle network (network 202, which can be a vehicle network; Section 0052) based on information entropy …; when there is abnormal traffic on the in-vehicle network, entropy is changed (estimated measure of entropy changes to become similar to the reference measure of entropy), resulting in a sharp decrease in a value of information entropy (estimated measure of entropy deviates from the reference measure entropy is changed”; since the estimated measure of entropy changes to become similar to the reference measure of entropy, which indicates malicious traffic).  The sufficiency of the similarity in the entropy measures is obtained by allowing for a degree of deviation from a predetermined level of acceptable deviation; for example, the reference measure of entropy 209 can define a midpoint in a linear range of entropy measures (claimed “threshold”) deviating by a predetermined extent above and below the midpoint (claimed “when there is abnormal traffic on an in-vehicle network, entropy is changed, resulting in a sharp decrease in a value of information entropy”; since the estimated measure of entropy deviates from the reference measure of entropy by a value below the midpoint in a linear range of entropy measures, which represents a
The method comprising:
Setting a … window.  A plurality of windows are defined, wherein each window defines a different subset of network traffic; each window can be defined by way of a start point and an end point, each of the start and end points indicating a location in network traffic; Sections 0076-0078, 0082-0084, and 0096-0103.  Entropy estimator 204 collects network traffic in a window and estimates the entropy of the collected network traffic in the window.  
…
…
Setting the threshold (reference measure of entropy 209 can define a midpoint in a linear range (claimed “threshold”) of entropy measures deviating by a predetermined extent above and below the midpoint, or the reference measure of entropy 209 can be a range of reference entropy measures (claimed “threshold”)).  The sufficiency of the similarity in the entropy measures is obtained by allowing for a degree of deviation from a predetermined level of acceptable deviation; for example, the reference measure of entropy 209 can define a midpoint in a linear range of entropy measures (claimed “threshold”) deviating by a predetermined extent above and below the midpoint.  Or, for example, the reference measure of entropy 209 can be a range of reference entropy measures (claimed “threshold”).  When malicious traffic is detected, protective and/or remedial measures are taken.
Collecting and processing traffic.  Entropy estimator 204 collects network traffic in a window and estimates the entropy of the collected network traffic in the window.  
Calculating the information entropy in the … window … Entropy estimator 204 collects network traffic in a window and estimates the entropy of the collected network traffic in the window.  
network based on the threshold.  Entropy comparator 206 receives an estimated measure of entropy from estimator 204 for comparison with a reference measure of entropy 209 in data store 208.  The reference measure of entropy 209 is a measure of entropy for a portion of network traffic of a malicious encrypted network connection, and is determined through observation of malicious network traffic.  Entropy comparator 206 compares an estimated measure of entropy from the estimator 204 with the reference measure of entropy 209 for malicious encrypted traffic.  If the estimated measure of entropy for traffic communicated via computer network 202 is sufficiently similar to the reference measure of entropy 209, comparator 206 outputs a positive identification of malicious traffic on computer network 202.  When malicious traffic is detected, protective and/or remedial measures are taken.  Refer to Sections 0051-0160.
El Moussa et al do not disclose a method for detecting and defending against abnormal traffic of an in-vehicle network based on information entropy, wherein different objects are used as discrete random variables for traffic of a CAN bus and an in-vehicle Ethernet; when there is abnormal traffic on an in-vehicle network, probability distribution of the random variables is changed… ; detecting the traffic of the CAN bus and the in-vehicle Ethernet based on the threshold…
  U.S. Publication No. 20150148040 Ehrlich et al disclose in Figures 8-11 and Sections 0071, 0072, and 0141-0166 a system that determines an entropy calculated on the probability distribution of the failures of the outgoing handovers (claimed “different objects are used as discrete random variables for traffic” and “probability distribution of the random variables is changed”) and compares the entropy to a threshold to determine anomalous conditions; Sections 0052, 0155, and 0166 disclose the system can be applied to a CAN bus 118 in an Ethernet system (claimed “wherein different objects are used as discrete random variables for traffic of a CAN bus and an in-vehicle Ethernet”, “detecting the traffic of the CAN bus and the in-vehicle Ethernet…”).  U.S. Publication No. 20190258251 to Ditty et al disclose in Sections 0122, 0348, 0404, and 0614 wherein entropy is measured in a vehicle including a CAN bus and traffic of a CAN bus and an in-vehicle Ethernet”, “detecting the traffic of the CAN bus and the in-vehicle Ethernet…”).  U.S. Publication No. 20190230113 to Al Faruque et al also disclose in Sections 0085-0086 that the entropy of a discrete random variable A is calculated using the probability distribution function ƒ(a) of discrete random variable A (claimed “wherein different objects are used as discrete random variables for traffic…; … probability distribution of the random variable is changed”).  By applying Ehrlich et al and Ditty et al to El Moussa et al:  the vehicle system of El Moussa et al can include a CAN bus and in-vehicle Ethernet, since Ehrlich et al, Ditty et al, and El Moussa et al all disclose similar vehicular systems that determine entropy.  
By applying Ehrlich et al and Al Faruque et al to El Moussa et al:  the vehicle system of El Moussa et al determines if entropy has changed to detect network abnormalities; entropy is calculated by using the probability distribution of random variables as disclosed by Ehrlich et al and Al Faruque et al, so El Moussa et al can determine if the probability distribution of random variables has changed to detect network abnormalities.  
El Moussa et al also do not specifically disclose … when there is abnormal traffic on an in-vehicle network, probability distribution of the random variable is changed, resulting in a sharp decrease in a value of information entropy…
U.S. Patent No. 7712134 to Nucci et al disclose in Column 8 lines 28-46 and Column 13 lines 28-51 wherein the system detects the cause of a decrease in entropy and identifies the elements contributing the most to the decrease in entropy, since a decrease in entropy represents abnormal system conditions.
El Moussa et al also do not disclose setting a sliding window; … ; calculating the information entropy in the sliding window … 
U.S. Publication No. 20170195090 to Boidol et al disclose in Sections 0007, 0027, and 0094 wherein the entropy of data blocks is calculated over a sliding window.  
when the window is full.
U.S. Publication No. 20180189587 to Mandal et al disclose in Figure 4 and Section 0157 wherein the system determines if a sliding window is full.  If the sliding window is full, feature detection can be performed on the data in the sliding window.  If the sliding window is not full, more data can be read into the sliding window.

However, none of the prior art disclose the limitations “… the method comprising: setting a sliding window; setting a maximum tolerable time delay maxTime of abnormality detection, and calculating a traffic rate v, wherein a size range of the sliding window is [0,maxTime/v], the sliding window needs to be set as large as possible in this range, and a fixed window size is W; and setting a window sliding distance to W/2 … ”, and can be logically combined with El Moussa et al, Ehrlich et al, Ditty et al, Al Faruque et al, Nucci et al, Boidol et al, and Mandal et al.
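The quoted limitation combines a delay-bounded window size, a W/2 slide, per-window entropy and a threshold test. The following sketch is an added illustration, not code from the application or from any cited reference. It assumes CAN identifiers are the discrete random variable, that v is the mean time per frame in milliseconds (so that maxTime/v is a frame count; the quoted claim gives no units), and it uses a constructed trace and a constructed threshold.

```python
import math
from collections import Counter

def shannon_entropy(ids):
    """Shannon entropy in bits of the identifier distribution in one window."""
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in Counter(ids).values())

def window_size(max_time, v):
    """Largest W in the range [0, maxTime/v].
    Assumption: v is mean time per frame, so maxTime/v counts frames."""
    return int(max_time / v)

def detect(frames, max_time, threshold):
    """frames: list of (timestamp_ms, can_id) in arrival order.
    Returns one (start_index, entropy, abnormal) tuple per full window."""
    v = (frames[-1][0] - frames[0][0]) / (len(frames) - 1)
    w = window_size(max_time, v)
    step = max(1, w // 2)              # window sliding distance W/2
    results = []
    # Entropy is only evaluated once the window holds W frames.
    for start in range(0, len(frames) - w + 1, step):
        h = shannon_entropy([cid for _, cid in frames[start:start + w]])
        results.append((start, h, h < threshold))   # sharp drop => abnormal
    return results

def constructed_trace():
    """Constructed sample: 8 IDs in round-robin at 1 ms spacing, then from
    frame 192 onward 7 of every 8 frames carry ID 0x000 (a flood pattern)."""
    ids = [0x101, 0x1A0, 0x220, 0x2C4, 0x350, 0x3E8, 0x4B0, 0x5F1]
    frames = []
    for i in range(320):
        if i < 192:
            cid = ids[i % 8]
        else:
            cid = ids[(i // 8) % 8] if i % 8 == 7 else 0x000
        frames.append((i, cid))
    return frames

if __name__ == "__main__":
    # maxTime = 64 ms and threshold = 2.0 bits are constructed values.
    for start, h, abnormal in detect(constructed_trace(), 64, 2.0):
        print(f"window@{start:3d}  H={h:.3f}  {'ABNORMAL' if abnormal else 'ok'}")
```

In this trace the window straddling the onset (frames 160-223) still scores about 2.67 bits, so with a 2.0-bit threshold the first flagged window is the one starting at frame 192.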

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Publication No. 2016/0018345 to Park et al disclose in Figures 1-10 a method detecting an abnormal state of a battery: an entropy calculator is configured to calculate an information entropy based on battery estimation information and battery measurement information; the battery estimation 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTINE Y NG whose telephone number is (571)272-3124. The examiner can normally be reached M-F 12pm-9pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ricky Ngo can be reached on 5712723139. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/Christine Ng/
Examiner, AU 2464
March 11, 2022