DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-3, 6-20, 22 are pending.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-3, 6-20, 22 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The originally filed disclosure, at least in [0015] of the published application, describes that the Watchman data is transmitted to the Cyber-Hub by the plurality of vehicles for the purpose of determining a common operating state of the vehicles at a given time. The disclosure, in [0092], describes that “the module is configured to transmit a query to the hub as to whether or not the module should transmit data it has accumulated to the hub” which indicates that the module waits for a confirmation from the hub to transmit the data. The disclosure, in [0093], describes that “the hub is configured to transmit a request to the module to send data that it has accumulated to the hub”. The Examiner is unable to find a specific teaching in the originally filed disclosure describing the claimed limitation wherein none of the data that is processed by the hub is generated from a message in a communication solicited by the hub between a vehicle in the fleet and an identified suspected source of malware. MPEP 2173.05(i) describes that “Any negative limitation or exclusionary proviso must have basis in the original disclosure” and “Any claim containing a negative limitation which does not have basis in the original disclosure should be rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, as failing to comply with the written description requirement”.
One of ordinary skill in the art would implement a system where, if enough vehicles report a similar type of attack at the same time, the hub would send a request for all the vehicles in the fleet to send their monitoring data to determine the extent of the attack at the time, as some of the vehicles might not identify the new attack as an attack.

Claims 2, 3, 6-20 are rejected for being dependent on a rejected claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 1-3, 10-17, 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Valasek et al. [Valasek, US 20150113638] in view of Zhang et al. [Zhang, US 20150150124].
As to claim 1. Valasek discloses A system for providing security to a fleet of vehicles, the vehicles being real vehicles, [0019], the system comprising: 
a plurality of modules, attack monitoring unit (118) which can be implemented on a plurality of vehicles [par. 49], each module configured to monitor messages propagating in an in-vehicle network, [par. 22], of one vehicle, which is the vehicle the module is present on, comprised in the fleet, [par. 49] wherein all the vehicles with the monitoring unit are considered the fleet and each module detects attacks on the individual vehicles, the in-vehicle network having a bus, bus (102) [par. 21], and at least one node connected to the bus, [fig. 1], each module comprising:
at least one communication port, communication interface (208) [par. 24], connectable to a portion of the in-vehicle network, via which the module receives and transmits messages, [par. 24]; 
a memory, memory (204), having data characterizing messages that the at least one node transmits and receives during normal operation of the node, [par. 25], and software, [par. 48] executable to: 
identify, responsive to the data characterizing messages and messages received from the in-vehicle network, an anomaly in communications over the in-vehicle communication network, [par. 25, 26]; and
a processor, processor (202), configured to execute the software in the memory, [par. 48]; and 
a communication interface, wifi system (112) [par. 42];
a data monitoring and processing hub external to the vehicles comprised in the fleet, [par. 43] that the monitoring system can be implemented in a remote machine.
Valasek fails to disclose that the communication interface is configured to support communication with an entity external to the vehicle, and the software instructs the communication interface to transmit monitoring data responsive to the received messages; and wherein the data monitoring and processing hub is operable to receive transmission of monitoring data from the plurality of modules and process data in the monitoring data to identify whether within a same specified timeframe a plurality of vehicles having messages monitored by the modules is subject to a same cyber attack, and wherein none of the processed data is generated from a message in a communication solicited by the hub between a vehicle in the fleet and an identified, suspected source of malware.
Zhang teaches cloud-assisted threat defense for connected vehicles comprising a vehicle security communication gateway (208) capable of communication with an external entity, [par. 34], and an on-board threat defense module (402) to send a threat report to a security cloud (110) capable of being connected to any number of vehicles, [par. 28]; wherein in response to determining a communication poses a security threat to a vehicle, the security cloud receives and processes the received report, [par. 46, 51]; wherein the hub determines an attack based on determining if other vehicles are experiencing the same security threat of the same type at a predetermined timeframe from the same source, [0104]; wherein the processed data is not solicited by the hub from a vehicle and the data is a result of an automatic transmission from a vehicle in the fleet, [0089, 0104] that describes “In an example embodiment, a Type II threat report is transmitted from the on-board defense module 402 to the threat detection logic 704”; wherein the threat report 728 is transmitted from a plurality of vehicles, [fig. 7, 0089].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of Valasek with that of Zhang so that the system can aggregate intrusion types from a plurality of vehicles in a central location.

As to claim 2. Valasek discloses The system according to claim 1, wherein the communication interface is comprised in a module of the plurality of modules, communication interface (208) is comprised in the monitoring unit, [fig. 2] [par. 24].

As to claim 3. Valasek discloses The system according to claim 1, wherein the communication interface is comprised in a node, wifi system (112) [par. 24], can be considered as a node, connected to the bus of an in-vehicle network, [fig. 1].

As to claim 10. Valasek discloses The system according to claim 1, wherein the data comprises a state feature vector representing a state of the vehicle, [par. 34].

As to claim 11. Valasek discloses The system according to claim 10, wherein the software is executable to change the state feature vector responsive to identifying an anomaly in communications over the in-vehicle communication network, [par. 38] change the state of the vehicle when attack is detected.

As to claim 12. Valasek discloses The system according to claim 1, wherein the software is executable to raise an alert responsive to identifying an anomaly in communications over the in-vehicle communication network, [par. 24, 38].

As to claim 13. Valasek discloses The system according to claim 1, wherein the software is executable to identify if at least one of the messages received via the at least one communication port is anomalous, [par. 38].

As to claim 14. Valasek fails to disclose The system according to claim 13, wherein the monitoring data comprises data relevant to tracking performance of the module, responsive to identifying at least one anomalous message.

It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of Valasek with that of Zhang so that the cloud server can determine the validity of the determination from the module.

As to claim 15. Valasek fails to disclose The system according to claim 14, wherein the monitoring data comprises information regarding one or more anomalous messages identified by the module.
Zhang teaches cloud-assisted threat defense for connected vehicles comprising a vehicle security communication gateway (208) capable of communication with an external entity, [par. 34], and an on-board threat defense module (402) to send a threat report to a security cloud (110) in response to determining a communication poses a security threat to the vehicle, [par. 50]; wherein the defense module gathers and sends data with the detail of the identified threat, [par. 103].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of Valasek with that of Zhang so that the cloud server can determine the validity of the determination from the module.

As to claim 16. Valasek fails to disclose The system according to claim 14, wherein the hub is operable to track the performance of one or more of the plurality of modules.
Zhang teaches cloud-assisted threat defense for connected vehicles comprising a vehicle security communication gateway (208) capable of communication with an external entity, [par. 34], and an on-board threat defense module (402) to send a threat report to a security cloud (110) in response to determining a communication poses a security threat to the vehicle, [par. 50]; wherein the defense module gathers and sends data that can be used to analyze the performance of the module, [par. 103, 104].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of Valasek with that of Zhang so that the cloud server can determine the validity of the determination from the module.

As to claim 17. Valasek fails to disclose The system according to claim 16, wherein the tracking of performance comprises determining how frequently one or more the plurality of modules generates false positives or false negatives in identifying messages as anomalous messages.
Zhang teaches cloud-assisted threat defense for connected vehicles comprising a vehicle security communication gateway (208) capable of communication with an external entity, [par. 34], and an on-board threat defense module (402) to send a threat report to a security cloud (110) in response to determining a communication poses a security threat to the vehicle, [par. 50]; wherein the defense module gathers and sends data that can be used to analyze the performance of the module and the server determines how many of the vehicles identify a false threat as an actual threat, [par. 103, 104].


As to claim 22. Valasek discloses A system for providing security to a fleet of vehicles, the vehicles being real vehicles, [0019], the system comprising: 
a plurality of modules, attack monitoring unit (118) which can be implemented on a plurality of vehicles [par. 49], each module configured to monitor messages propagating in an in-vehicle network, [par. 22], of one vehicle, which is the vehicle the module is present on, comprised in the fleet, [par. 49] wherein all the vehicles with the monitoring unit are considered the fleet and each module detects attacks on the individual vehicles, the in-vehicle network having a bus, bus (102) [par. 21], and at least one node connected to the bus, [fig. 1], each module comprising:
at least one communication port, communication interface (208) [par. 24], connectable to a portion of the in-vehicle network, via which the module receives and transmits messages, [par. 24]; 
a memory, memory (204), having data characterizing messages that the at least one node transmits and receives during normal operation of the node, [par. 25], and software, [par. 48] executable to: 
identify, responsive to the data characterizing messages and messages received from the in-vehicle network, an anomaly in communications over the in-vehicle communication network, [par. 25, 26]; and
a processor, processor (202), configured to execute the software in the memory, [par. 48]; and 
a communication interface, WiFi system (112) [par. 42];
a data monitoring and processing hub external to the vehicles comprised in the fleet, [par. 43] that the system can be implemented in a remote machine.
Valasek fails to disclose that the communication interface is configured to support communication with an entity external to the vehicle, and the software instructs the communication interface to transmit monitoring data responsive to the received messages; and wherein the data monitoring and processing hub is operable to receive transmission of monitoring data from the plurality of modules and process data in the monitoring data to identify whether within a same specified timeframe a plurality of vehicles having messages monitored by the modules is subject to a same cyber attack, and wherein none of the processed data is generated from a message in a communication solicited by the hub between a vehicle in the fleet and an identified, suspected source of malware.
Zhang teaches cloud-assisted threat defense for connected vehicles comprising a vehicle security communication gateway (208) capable of communication with an external entity, [par. 34], and an on-board threat defense module (402) to send a threat report to a security cloud (110) capable of being connected to any number of vehicles, [par. 28]; wherein in response to determining a communication poses a security threat to a vehicle, the security cloud receives and processes the received report, [par. 46, 51]; wherein the hub determines an attack based on determining if other vehicles are experiencing the same security threat of the same type at a predetermined timeframe from the same source, [0104]; wherein the processed data is not solicited by the hub from a vehicle and the data is a result of an automatic transmission from a vehicle in the fleet, [0089, 0104] that describes “In an example embodiment, a Type II threat report is transmitted from the on-board defense module 402 to the threat detection logic 704”; wherein the threat report 728 is transmitted from a plurality of vehicles, [fig. 7, 0089].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of Valasek with that of Zhang so that the system can aggregate intrusion types from a plurality of vehicles in a central location.

Claims 6, 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Valasek in view of Zhang as applied to claim 1 above, further in view of Deb et al. [Deb, US 9171171].
As to claim 6. The combination of Valasek and Zhang fails to disclose The system according to claim 1, wherein the hub is operable to provide a user interface that displays information regarding health of the fleet with respect to cyber attacks.
Deb teaches a system for generating a heat map to identify data vulnerability in a system wherein the system provides a display showing the distribution of data incidents, [fig. 6].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek and Zhang with that of Deb so that a user can easily determine how localized the attack is using the display.

As to claim 7. The combination of Valasek and Zhang fails to disclose The system according to claim 6, wherein the user interface of the hub is operable to display a distribution of anomalous messages detected by at least a portion of the plurality of modules in a specified timeframe.

It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek and Zhang with that of Deb so that a user can easily determine how localized with respect to the specific required period of time the attack is.

Claims 8, 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Valasek in view of Zhang and Deb as applied to claim 6 above, further in view of Corinella [US 20140196025].
As to claim 8. The combination of Valasek, Zhang and Deb fails to disclose The system according to claim 6, wherein the user interface of the hub is operable to display a distribution of anomalous messages detected by at least a portion of the plurality of modules in a specified geographical area.
Corinella teaches a system of wireless network wherein the system generates a heat map of devices within the network for a predetermined location, [par. 113].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek, Zhang and Deb with that of Corinella so that a user can easily determine how localized with respect to the specific geographic area the attack is.

As to claim 9. The combination of Valasek and Zhang fails to disclose The system according to claim 8, wherein the distribution is displayed as a heat map.
Deb teaches a system for generating a heat map to identify data vulnerability in a system wherein the system provides a display showing the distribution of data incidents, [fig. 6].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek and Zhang with that of Deb so that a user can easily determine how localized the attack is against a determined parameter using the display.

Claim 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Valasek in view of Zhang as applied to claim 1 above, further in view of Miyake [US 20130227650].
As to claim 18. The combination of Valasek and Zhang fails to disclose The system according to claim 1 wherein the module is configured to transmit the monitoring data or a portion thereof based on a request that the module receives from the hub.
Miyake teaches a vehicle-mounted network system wherein the device (102) sends a request to the vehicle before starting other communication, [fig. 4] [par. 37].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek and Zhang with that of Miyake so that the server gets required data when needed from the vehicle.

As to claim 19. The combination of Valasek and Zhang fails to disclose The system according to claim 18 wherein the transmission of the monitoring data or portion thereof is subject to authenticating the request.

It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek and Zhang with that of Miyake so that the vehicle makes sure that the request is from an authorized entity.

As to claim 20. The combination of Valasek and Zhang fails to disclose The system according to claim 19 wherein the module is configured to stop transmitting the monitoring data or portion thereof in response to a communication from the hub.
Miyake teaches a vehicle-mounted network system wherein the device (102) sends a request to the vehicle before starting other communication, [fig. 4] [par. 37]; wherein the vehicle determines if the request is authenticated, [par. 39-41] and denies the communication based on the result of authentication from the server, [par. 43].
It would have been obvious for one of ordinary skill in the art at the time of the filing of the claimed invention to combine the teachings of the combination of Valasek and Zhang with that of Miyake so that the vehicle makes sure that the request is from an authorized entity.

Response to Arguments
Applicant's arguments filed 05/23/2018 have been fully considered but they are not persuasive. 
Argument 1: The combination of Valasek and Zhang does not teach the newly added limitations of claims 1, 22.
Response 1: Zhang, in [0089], teaches that the vehicles transmit a threat report to the hub, without any solicitation from the hub; wherein [0104] the hub uses the threat report to identify a cyber attack.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENYAM HAILE whose telephone number is (571)272-2080. The examiner can normally be reached 7:00 AM - 5:30 PM Mon. - Thur.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Steven Lim can be reached on (571)270-1210. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Benyam Haile/Primary Examiner, Art Unit 2688