Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
DETAILED ACTION
This action is in response to original filings made on 7/9/2020. Claims 7-11, 13 and 19-23 are amended. Claims 3-6, 12, and 16-18 are cancelled. Claims 1, 2, 7-11, 13-15 and 19-28 are pending.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). 
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language Such claim limitation(s) is/are: “anomaly analyzer arranged to…” in claims 1, 2, 25, 27 and 28. Additionally, claim limitation(s) “security monitor arranged to…” in claim 8 and “event manager arrange to…” in claim 11. 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 2, 8, 11, 25, 27 and 28 limitation(s) of, “anomaly analyzer arranged to”, “security monitor arranged to” and “event manager arrange to”, invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claims 7, 9, 10, 13, 24 and 26 are rejected under 35 USC § 112 in view of their respective dependencies on independent claims 1 and 25.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7-11, 13, 14 and 19-24 are rejected under 35 U.S.C. 103 as being unpatentable over Baltes et al. (US Patent Publication No. 2016/0219028 and Baltes hereinafter) in view of Choi et al. (US Patent Publication No. 2017/0070320 and Choi hereinafter).

As to claim 1, Baltes teaches a system for monitoring intrusion anomalies in an automotive environment, the system comprising: 
a telematic control unit (i.e., …teaches in par. 0024 the following: “telematics unit”.); 
a plurality of engine control units (i.e., …teaches in par. 0002 the following: “The electronic hardware includes sensors, electronic control units (ECUs; also called vehicle systems modules),”), 
each of said plurality of engine control units associated with a respective local security monitor (i.e., …teaches in figure 1, figure element(s) 400a and 400c …fraud detecting units),
and a diagnostic communications manager arranged to receive information regarding intrusion anomalies detected by said local security monitor (i.e., …teaches in par. 025 the following: “It should be appreciated that an intrusion detection system can be implemented apart from the processor 52 using a separate VSM 42 connected to the vehicle bus 44 and dedicated to monitoring the operating aspects of the vehicle electronics 28. In that case, the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred. It can also be 
and an anomaly analyzer in communication with each of said diagnostic communication managers and said telematics control unit (i.e., …teaches in par. 025 the following: “the processor 52 can monitor how many messages are transmitted to an engine control module over a unit of time. In one possible instance, the processor 52 could detect that more than three messages are sent over the vehicle bus 44 in one millisecond (ms). The rate of message transmission can be compared with a threshold indicating normal operation stored in the memory device 54. If the rate is above that threshold (e.g., one message per ms), then the processor 52 can determine that unauthorized access to the vehicle electronics 28 has occurred. Or in another example, the processor 52 can identify an absence of messages over the vehicle bus 44 relating to a vehicle function. Vehicle functions can include aspects of vehicle operation like braking, throttle control, and steering as well as control of the audio system 36 and other infotainment features, to name a few. It should be appreciated that an intrusion detection system can be implemented apart from the processor 52 using a separate VSM 42 connected to the vehicle bus 44 and dedicated to monitoring the operating aspects of the vehicle electronics 28. In that case, the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred. It can also be helpful to identify attempted unauthorized access as well as unauthorized access that has ultimately been successful. The method 200 proceeds to step 220.” … teaches in par. 0024 the following: “telematics unit”), 
said anomaly analyzer arranged to accumulate said information regarding intrusion anomalies detected by said respective local security monitors (i.e., …teaches in par. 025 the following: “the processor 52 can monitor how many messages are transmitted to an engine control module over a unit of time. In one possible instance, the processor 52 could detect that more than three messages are sent over the vehicle bus 44 in one millisecond (ms). The rate of message transmission can be compared with 

Baltes does not expressly teach:
said communication utilizing a diagnostic over Internet protocol.
In this instance the examiner notes the teachings of prior art reference Choi. 
Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes with the teachings of Choi by including the feature of diagnostic communication over Internet Protocol. Utilizing diagnostic communication over Internet Protocol as taught by Choi above allows a system to provide comprehensive communication and therefore provides the motivation in this instance to combine the references. The examiner 

3 - 6. (Cancelled)

As to claim 7, the system of Baltes and Choi as applied to claim 1 above teaches anomaly detection, specifically Baltes teaches a system of claim 1, wherein each of said plurality of engine control units is within a respective single automotive environment (i.e., …teaches in par. 0002 the following: “The electronic hardware includes sensors, electronic control units (ECUs; also called vehicle systems modules),”), 
said anomaly analyzer being within a respective supervisory automotive environment (i.e., …teaches in par. 009 the following: “The countermeasures can also be used along with a data collection mechanism that indicates the identity of the entity responsible for the unauthorized access and/or helps prevent such unauthorized behavior in the future.”).

As to claim 8, the system of Baltes and Choi as applied to claim 1 above teaches anomaly detection, specifically Baltes teaches a system of claim 1, wherein said plurality of engine control units are arranged as nodes on a network (i.e., …teaches in par. 0002 the following: “The electronic hardware includes sensors, electronic control units (ECUs; also called vehicle systems modules),”), 
the system further comprising a network security monitor arranged to identify anomalies in software packets transmitted on said network to, or from, at least one of said plurality of engine control units (i.e., …teaches in par. 0026 the following: “the processor 52 could detect an abnormally high number of messages directed to a VSM 42 responsible for vehicle braking Based on the detected 

The system of Baltes do not expressly teach:
“said anomaly analyzer further in communication with said anomaly analyzer utilizing the diagnostic over Internet protocol”. 
In this instance the examiner notes the teachings of prior art reference Choi. 
Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes with the teachings of Choi by including the feature of diagnostic communication over Internet Protocol. Utilizing diagnostic communication over Internet Protocol as taught by Choi above allows a system to provide comprehensive communication and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Baltes’ system will obtain the capability to provide enhanced system diagnostics. 

As to claim 9, the system of Baltes and Choi as applied to claim 1 above teaches anomaly detection, specifically Baltes teaches a system of claim 1, wherein each of said diagnostic communication managers are arranged to report on event, to said anomaly analyzer, said intrusion anomalies identified by said respective security monitor (i.e., …teaches in par. 0025 the following: “the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred.”.).

As to claim 10, the system of Baltes and Choi as applied to claim 1 above teaches anomaly detection, specifically Baltes teaches a system of claim 1, wherein said anomaly analyzer is arranged to periodically poll each of said diagnostic communication managers for said intrusion anomalies identified by said respective security monitor (i.e., …teaches in par. 009 the following: “The countermeasures can also be used along with a data collection mechanism that indicates the identity of the entity responsible for the unauthorized access and/or helps prevent such unauthorized behavior in the future.”. …teaches in par. 0024 the following: “the processor 52 of the vehicle telematics unit 30 can access computer-readable instructions stored in the memory devices 54 that direct the processor 52 to monitor operating aspects of the vehicle electronics 28. Vehicles can detect unauthorized access or attempts to access vehicle electronics 28 by establishing a range of characteristic behavior for different aspects of the electronics and monitoring the electronics for indications that it is performing outside of the established range.”).

As to claim 11, the system of Baltes and Choi as applied to claim 1 above teaches anomaly detection, specifically Baltes teaches a system of claim 1, wherein each of said plurality of engine control units further comprises a diagnostic event manager arranged to generate a diagnostic anomaly code for each of said intrusion anomalies detected by said security monitor (i.e., …teaches in par. 0026 the following: “processor 52 can then select countermeasures to deploy that are targeted to the VSM 42 and/or a portion of the vehicle electronics 28 that are responsible for vehicle braking”), 
said diagnostic communications manager in communication with said diagnostic event manager thereby receiving said information regarding anomalies detected by said security monitor (i.e., …teaches in par. 009 the following: “The countermeasures can also be used along with a data collection mechanism that indicates the identity of the entity responsible for the unauthorized access and/or helps prevent such unauthorized behavior in the future).

12. (Cancelled)

As to claim 13, the system of Baltes and Choi as applied to claim 1 above teaches anomaly detection, specifically Baltes does not expressly teach a system of claim 1, wherein said anomaly analyzer comprises a diagnostic over Internet protocol client, and said plurality of engine control units each comprise a diagnostic over Internet protocol node, for said communication utilizing the diagnostic over Internet protocol.
In this instance the examiner notes the teachings of prior art reference Choi. 
With regards to applicant’s claim limitation element of, “wherein said anomaly analyzer comprises a diagnostic over Internet protocol client”, Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.
With regards to applicant’s claim limitation element of, “and said plurality of engine control units each comprise a diagnostic over Internet protocol node, for said communication utilizing the diagnostic over Internet protocol”, Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes with the teachings of Choi by including the feature of diagnostic communication over Internet Protocol. Utilizing diagnostic communication over Internet Protocol as taught by Choi above allows a system to provide comprehensive communication and therefore provides the motivation in this instance to combine the references. The examiner 

As to claim 14, Baltes teaches a method of monitoring intrusion anomalies in an automotive environment, the method comprising: 
detecting intrusion anomalies for each of a plurality of engine control units (i.e., …teaches in par. 025 the following: “the processor 52 can monitor how many messages are transmitted to an engine control module over a unit of time. In one possible instance, the processor 52 could detect that more than three messages are sent over the vehicle bus 44 in one millisecond (ms). The rate of message transmission can be compared with a threshold indicating normal operation stored in the memory device 54. If the rate is above that threshold (e.g., one message per ms), then the processor 52 can determine that unauthorized access to the vehicle electronics 28 has occurred. Or in another example, the processor 52 can identify an absence of messages over the vehicle bus 44 relating to a vehicle function. Vehicle functions can include aspects of vehicle operation like braking, throttle control, and steering as well as control of the audio system 36 and other infotainment features, to name a few. It should be appreciated that an intrusion detection system can be implemented apart from the processor 52 using a separate VSM 42 connected to the vehicle bus 44 and dedicated to monitoring the operating aspects of the vehicle electronics 28. In that case, the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred. It can also be helpful to identify attempted unauthorized access as well as unauthorized access that has ultimately been successful. The method 200 proceeds to step 220.”); 
receiving information, at a respective diagnostic communications manager associated with the respective engine control unit, regarding said detected intrusion anomalies (i.e., …teaches in par. 025 the following: “the processor 52 can monitor how many messages are transmitted to an engine control 
said received information to an anomaly analyzer (i.e., …teaches in par. 025 the following: “It should be appreciated that an intrusion detection system can be implemented apart from the processor 52 using a separate VSM 42 connected to the vehicle bus 44 and dedicated to monitoring the operating aspects of the vehicle electronics 28. In that case, the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred. It can also be helpful to identify attempted unauthorized access as well as unauthorized access that has ultimately been successful. The method 200 proceeds to step 220.”), 
said anomaly analyzer arranged to accumulate said detected intrusion anomalies of said plurality of engine control units (i.e., …teaches in par. 025 the following: “the processor 52 can monitor how many messages are transmitted to an engine control module over a unit of time. In one possible 

Baltes does not expressly teach:
“and communicating, utilizing a diagnostic over Internet protocol”.
In this instance the examiner notes the teachings of prior art reference Choi. 
Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes with the teachings of Choi by including the feature of diagnostic communication over Internet Protocol. Utilizing diagnostic communication over Internet Protocol as taught by Choi above allows a system to provide comprehensive communication and therefore provides the motivation in this instance to combine the references. The examiner 

16 - 18. (Cancelled)

As to claim 19, the system of Baltes and Choi as applied to claim 14 above teaches anomaly detection, specifically Baltes teaches a method of claim 14, 
wherein each of the plurality of engine control units is within a respective single automotive environment (i.e., …teaches in par. 0002 the following: “The electronic hardware includes sensors, electronic control units (ECUs; also called vehicle systems modules),”), 
said anomaly analyzer being within a respective supervisory automotive environment (i.e., …teaches in par. 009 the following: “The countermeasures can also be used along with a data collection mechanism that indicates the identity of the entity responsible for the unauthorized access and/or helps prevent such unauthorized behavior in the future.”). 

As to claim 20, the system of Baltes and Choi as applied to claim 14 above teaches anomaly detection, specifically Baltes teaches a method of claim 14, wherein said detecting intrusion anomalies comprises identifying intrusion anomalies in software packets transmitted to, or from, at least one of the plurality of engine control units (i.e., …teaches in par. 0026 the following: “the processor 52 could detect an abnormally high number of messages directed to a VSM 42 responsible for vehicle braking Based on the detected number of messages relating to vehicle braking, the processor 52 can determine that the type of unauthorized access is vehicle-braking related”).

As to claim 21, the system of Baltes and Choi as applied to claim 14 above teaches anomaly detection, specifically Baltes teaches a method of claim 14,  further comprising setting each of the diagnostic communication managers to report on event, to said anomaly analyzer, said detected intrusion anomalies (i.e., …teaches in par. 0025 the following: “the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred.”.).

As to claim 22, the system of Baltes and Choi as applied to claim 14 above teaches anomaly detection, specifically Baltes teaches a method of claim 14, further comprising periodically polling each of said diagnostic communication managers for said detected intrusion anomalies (i.e., …teaches in par. 009 the following: “The countermeasures can also be used along with a data collection mechanism that indicates the identity of the entity responsible for the unauthorized access and/or helps prevent such unauthorized behavior in the future.”. …teaches in par. 0024 the following: “the processor 52 of the vehicle telematics unit 30 can access computer-readable instructions stored in the memory devices 54 that direct the processor 52 to monitor operating aspects of the vehicle electronics 28. Vehicles can detect unauthorized access or attempts to access vehicle electronics 28 by establishing a range of characteristic behavior for different aspects of the electronics and monitoring the electronics for indications that it is performing outside of the established range.”).

As to claim 23, the system of Baltes and Choi as applied to claim 14 above teaches anomaly detection, specifically Baltes teaches a method of claim 14, further comprising generating a diagnostic anomaly code for each of said detected intrusion anomalies (i.e., …teaches in par. 0026 the following: “processor 52 can then select countermeasures to deploy that are targeted to the VSM 42 and/or a portion of the vehicle electronics 28 that are responsible for vehicle braking”), 


As to claim 24, the system of Baltes and Choi as applied to claim 14 above teaches anomaly detection, specifically Baltes teaches a method of claim 23, wherein for each type of detected intrusion anomaly said generated diagnostic anomaly code is unique (i.e., …teaches in par. 0026 the following: “processor 52 can then select countermeasures to deploy that are targeted to the VSM 42 and/or a portion of the vehicle electronics 28 that are responsible for vehicle braking”).


Claims 2 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Baltes in view of Choi as applied to claims 1 and 14 above and further in view of Ricci (US Patent Publication No. 2013/0204484).

As to claims 2 and 15, the system of Baltes and Choi as applied to claims 1 and 14 above teaches anomaly detection, specifically Baltes teaches a system of claim 1, output at least one of a command to disable a communication function of the telematics control unit (i.e., …teaches in par. 0035 the following: “The electronic hardware countermeasure and/or the alert can be followed or accompanied by the vehicle restricting use or operation of various vehicle functions. For instance, the vehicle telematics unit 30 can disable wireless communications or restrict access to vehicle controls in response to the command. ”); 
and an alert message (i.e., …teaches in par. 0035 the following: “The electronic hardware countermeasure and/or the alert can be followed or accompanied by the vehicle restricting use or 

The system of Baltes and Choi do not expressly teach:
“wherein said anomaly analyzer is further arranged to compare the received information regarding intrusion anomalies detected by said local security monitor with a black list, and in the event that the received information is congruent with the black list …”. 
In this instance the examiner notes the teachings of prior art reference Ricci. 
	Ricci teaches in par. 0247 the following: “The security breach event details, signal description (e.g., type, source, destination, protocol, and payload type) and signal receipt timestamps), are recorded in memory 220 and firewall settings, including whitelists and blacklists, are updated.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes and Choi with the teachings of Ricci by including the feature of a blacklist. Utilizing a blacklist as taught by Ricci above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Baltes and Choi will obtain the capability to provide enhanced system security. 


Claims 25-28 are rejected under 35 U.S.C. 103 as being unpatentable over Baltes in view of Choi and further in view of Ricci.

As to claim 25, Baltes teaches a system for monitoring intrusion anomalies in an automotive environment, the system comprising: 

a network security device comprising a network security monitor arranged to identify anomalies in software packets transmitted on said network to, or from, at least one of said plurality of engine control units (i.e., …teaches in par. 025 the following: “the processor 52 can monitor how many messages are transmitted to an engine control module over a unit of time. In one possible instance, the processor 52 could detect that more than three messages are sent over the vehicle bus 44 in one millisecond (ms). The rate of message transmission can be compared with a threshold indicating normal operation stored in the memory device 54. If the rate is above that threshold (e.g., one message per ms), then the processor 52 can determine that unauthorized access to the vehicle electronics 28 has 
output at least one of: a command to disable a communication function of the telematics control unit (i.e., …teaches in par. 0035 the following: “The electronic hardware countermeasure and/or the alert can be followed or accompanied by the vehicle restricting use or operation of various vehicle functions. For instance, the vehicle telematics unit 30 can disable wireless communications or restrict access to vehicle controls in response to the command.”); 
and an alert message (i.e., …teaches in par. 0025 the following: “the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred.”.).

The system of Baltes does not expressly teach:
“and an anomaly analyzer in communication with said network security monitor, said communication utilizing a diagnostic over Internet protocol”.
In this instance the examiner notes the teachings of prior art reference Choi. 
Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.


The system of Baltes and Choi do not expressly teach:
“said anomaly analyzer arranged to compare the received information regarding intrusion anomalies detected by said network security device with a black list, and in the event that the received information is congruent with the black list…”. 
In this instance the examiner notes the teachings of prior art reference Ricci. 
	Ricci teaches in par. 0247 the following: “The security breach event details, signal description (e.g., type, source, destination, protocol, and payload type) and signal receipt timestamps), are recorded in memory 220 and firewall settings, including whitelists and blacklists, are updated.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes and Choi with the teachings of Ricci by including the feature of a blacklist. Utilizing a blacklist as taught by Ricci above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Baltes and Choi will obtain the capability to provide enhanced system security. 

As to claim 26, the system of Baltes, Choi and Ricci as applied to claim 25 above teaches anomaly detection, specifically Baltes teaches a system of claim 25, wherein said network security device further comprises a diagnostic communications manager arranged to report on event (i.e., …teaches in par. 0025 the following: “the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred.”.), 
to said anomaly analyzer, said information regarding intrusion anomalies detected by said network security monitor (i.e., …teaches in par. 0025 the following: “the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred.”.).

As to claim 27, the system of Baltes, Choi and Ricci as applied to claim 25 above teaches anomaly detection, specifically Baltes teaches a system of claim 25, wherein said plurality of engine control units each comprise a local security monitor and a diagnostic communications manager arranged to receive information regarding intrusion anomalies detected by said local security monitor (i.e., …teaches in par. 0025 the following: “the processor 52 can receive data from the VSM 42 indicating unauthorized electronic access to vehicle electronics 28 in the vehicle 12 has occurred.”.), 
said anomaly analyzer arranged to accumulate said information regarding intrusion anomalies detected by said respective local security monitors (i.e., …teaches in par. 009 the following: “The countermeasures can also be used along with a data collection mechanism that indicates the identity of the entity responsible for the unauthorized access and/or helps prevent such unauthorized behavior in the future.”).

The system of Baltes does not expressly teach:

In this instance the examiner notes the teachings of prior art reference Choi. 
Choi teaches in par. 0061 the following: “the gateway may receive the test mode request signal by using a communication manner such as a diagnostic communication over Internet Protocol (DoIP),”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes with the teachings of Choi by including the feature of diagnostic communication over Internet Protocol. Utilizing diagnostic communication over Internet Protocol as taught by Choi above allows a system to provide comprehensive communication and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Baltes’ system will obtain the capability to provide enhanced system diagnostics. 

As to claim 28, the system of Baltes, Choi and Ricci as applied to claim 25 above teaches anomaly detection, specifically Baltes teaches a system of claim 27, wherein said anomaly analyzer is further arranged to: output at least one of: the command to disable a communication function of the telematics control unit (i.e., …teaches in par. 0035 the following: “The electronic hardware countermeasure and/or the alert can be followed or accompanied by the vehicle restricting use or operation of various vehicle functions. For instance, the vehicle telematics unit 30 can disable wireless communications or restrict access to vehicle controls in response to the command.”); 
and the alert message (i.e., …teaches in par. 0035 the following: “The electronic hardware countermeasure and/or the alert can be followed or accompanied by the vehicle restricting use or operation of various vehicle functions. For instance, the vehicle telematics unit 30 can disable wireless communications or restrict access to vehicle controls in response to the command.”).

The system of Baltes and Choi do not expressly teach:
“compare the received information regarding intrusion anomalies from said diagnostic communication managers of said engine control units with the black list” and “and in the event that the received information regarding intrusion anomalies from any of said diagnostic communication managers is congruent with the black list”. 
In this instance the examiner notes the teachings of prior art reference Ricci. 
	With regards to applicant’s claim limitation element of, “compare the received information regarding intrusion anomalies from said diagnostic communication managers of said engine control units with the black list”, Ricci teaches in par. 0247 the following: “The security breach event details, signal description (e.g., type, source, destination, protocol, and payload type) and signal receipt timestamps), are recorded in memory 220 and firewall settings, including whitelists and blacklists, are updated.”.
	With regards to applicant’s claim limitation element of, “and in the event that the received information regarding intrusion anomalies from any of said diagnostic communication managers is congruent with the black list”, Ricci teaches in par. 0247 the following: “The security breach event details, signal description (e.g., type, source, destination, protocol, and payload type) and signal receipt timestamps), are recorded in memory 220 and firewall settings, including whitelists and blacklists, are updated.”. The examiner notes that the Blacklist to will be checked to identify the anomaly.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baltes and Choi with the teachings of Ricci by including the feature of a blacklist. Utilizing a blacklist as taught by Ricci above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to 
Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: UJIIE et al. (US Patent Publication No. 2017/0147812) and David et al. (US Patent Publication No. 2017/0295188).
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.