DETAILED ACTION
This communication is in response to the claims filed on 12/20/2019.
Application No: 16/723,142.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
EXAMINER’S AMENDMENT 
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with John Kacvinsky on April 19, 2022.

The claims have been amended as follows:
The listing of claims will replace all prior versions of the claims in the application.

LISTING OF CLAIMS

1.	(Currently Amended) An autonomous vehicle, comprising:
	a plurality of electronic control units communicably coupled by a network; and
	logic, at least a portion of which is implemented in hardware, the logic to:
receive an indication from a first electronic control unit (ECU) of the plurality of ECUs specifying to transmit a first data frame via the network;
determine, based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; [[and]]
permit the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determine whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determine whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generate an alert in response to a flooding attack or a suspension attack.

2.	(Currently Amended) The autonomous vehicle of claim 1, the logic further configured to:
determine whether [[that]] a second ECU of the plurality of ECUs is to transmit a data frame via the network during the transmit window for the first ECU; 
determine that the first ECU is subject to the flooding attack when the second ECU is to not transmit the data frame via the network during the transmit window of the first ECU; or
determine that the first ECU is not subject to the flooding attack when the second ECU is to transmit the data frame via the network during the transmit window of the first ECU, and the logic further configured to:
		delay the transmission of the first data frame by the first ECU; and
permit the first ECU to transmit the first data frame subsequent to the second ECU transmitting the data frame and during the transmit window for the first ECU, at least a portion of the transmit window included in a transmit interval to transmit data via the network.

3.	The autonomous vehicle of claim 2, the logic further configured to:
	receive, during the transmit interval, a second indication from the first ECU specifying to transmit a second data frame via the network during a second transmit window, at least a portion of the second transmit window included in the transmit interval; and
	permit the first ECU to transmit the second data frame during the portion of the second transmit window included in the transmit interval based on the determination that the second ECU transmitted data via the network during the transmit window for the first ECU. 

4.	(Currently Amended) The autonomous vehicle of claim 1, the logic further configured to:
	determine, based on the message ID of the first ECU, that a transmit interval for the first ECU has expired;
determine that the first ECU did not transmit data during the transmit interval; 
	determine that the first ECU is subject to the [[a]] suspension attack; and
	generate the [[an]] alert specifying that the first ECU is subject to the suspension attack.

5.	The autonomous vehicle of claim 1, the logic further configured to:
determine a voltage fingerprint of the first data frame;
determine that the voltage fingerprint is not equal to a known voltage feature of the first ECU; and
modify, based on the determination that the voltage fingerprint is not equal to the known voltage feature of the first ECU, at least a portion of the first data frame.

6.	The autonomous vehicle of claim 5, wherein one or more of a cyclic redundancy check portion of the first data frame or a payload of the first data frame are to be modified to cause the other ECUs to reject the first data frame, wherein the network comprises a controller area network (CAN).

7.	The autonomous vehicle of claim 1, further comprising a standby ECU of the plurality of ECUs configured to:
analyze a first portion of a payload of the first data frame;
determine that the first portion of the payload specifies to modify an operational parameter of the autonomous vehicle to a specified value;
determine, based on a current state of the autonomous vehicle, that the specified value is outside a range of expected values for the operational parameter; and
modify a second portion of the payload of the first data frame to cause the other ECUs to refrain from causing the operational parameter of the autonomous vehicle to have the specified value.

8.	The autonomous vehicle of claim 7, the standby ECU further configured to:
	restricting the first ECU from operating in the autonomous vehicle; and
operate as the first ECU in the autonomous vehicle. 

9.	(Currently Amended) An apparatus, comprising:
a plurality of electronic control units of an autonomous vehicle communicably coupled by a network; and
	logic, at least a portion of which is implemented in hardware, the logic to:
receive an indication from a first electronic control unit (ECU) of the plurality of ECUs specifying to transmit a first data frame via the network;
determine, based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; [[and]]
permit the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determine whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determine whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generate an alert in response to a flooding attack or a suspension attack.

10.	(Currently Amended) The apparatus of claim 9, the logic further configured to:
	determine whether [[that]] a second ECU of the plurality of ECUs is to transmit a data frame via the network during the transmit window for the first ECU; 
determine that the first ECU is subject to the flooding attack when the second ECU is to not transmit the data frame via the network during the transmit window of the first ECU; or
determine that the first ECU is not subject to the flooding attack when the second ECU is to transmit the data frame via the network during the transmit window of the first ECU, and the logic further configured to:
		delay the transmission of the first data frame by the first ECU; and
permit the first ECU to transmit the first data frame subsequent to the second ECU transmitting the data frame and during the transmit window for the first ECU, at least a portion of the transmit window included in a transmit interval to transmit data via the network

11.	The apparatus of claim 10, the logic further configured to:
	receive, during the transmit interval, a second indication from the first ECU specifying to transmit a second data frame via the network during a second transmit window, at least a portion of the second transmit window included in the transmit interval; and
	permit the first ECU to transmit the second data frame during the portion of the second transmit window included in the transmit interval based on the determination that the second ECU transmitted data via the network during the transmit window for the first ECU. 

12.	(Currently Amended) The apparatus of claim 9, the logic further configured to:
	determine, based on the message ID of the first ECU, that a transmit interval for the first ECU has expired;
determine that the first ECU did not transmit data during the transmit interval; 
	determine that the first ECU is subject to the [[a]] suspension attack; and
	generate the [[an]] alert specifying that the first ECU is subject to the suspension attack.

13.	The apparatus of claim 9, the logic further configured to:
determine a voltage fingerprint of the first data frame;
determine that the voltage fingerprint is not equal to a voltage feature of the first ECU; and
modify, based on the determination that the voltage fingerprint is not equal to the voltage feature of the first ECU, at least a portion of the first data frame.

14.	The apparatus of claim 13, wherein one or more of a cyclic redundancy check portion of the first data frame or a payload of the first data frame are to be modified to cause the other ECUs to reject the first data frame, wherein the network comprises a controller area network (CAN).

15.	The apparatus of claim 9, further comprising a standby ECU of the plurality of ECUs configured to:
analyze a first portion of a payload of the first data frame;
determine that the first portion of the payload specifies to modify an operational parameter of the autonomous vehicle to a specified value;
determine, based on a current state of the autonomous vehicle, that the specified value is outside a range of expected values for the operational parameter; and
modify a second portion of the payload of the first data frame to cause the other ECUs to refrain from causing the operational parameter of the autonomous vehicle to have the specified value.

16.	(Currently Amended) A method, comprising:
receiving, by logic implemented at least partially in hardware, an indication from a first electronic control unit (ECU) of a plurality of ECUs specifying to transmit a first data frame via a network of an autonomous vehicle;
determining [[determine]], by the logic based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; [[and]]
permitting [[permit]], by the logic, the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determining, by the logic, whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determining, by the logic, whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generating, by the logic, an alert in response to a flooding attack or a suspension attack.

17.	(Currently Amended) The method of claim 16, wherein the network comprises a controller area network (CAN) network, the method further comprising:
determining, by the logic, whether [[that]] a second ECU of the plurality of ECUs is to transmit a data frame via the network during the transmit window for the first ECU; 
determining, by the logic, that the first ECU is subject to the flooding attack when the second ECU is to not transmit the data frame via the network during the transmit window of the first ECU; or
determining, by the logic, that the first ECU is not subject to the flooding attack when the second ECU is to transmit the data frame via the network during the transmit window of the first ECU, and the logic further configured to:
delaying, by the logic, the transmission of the first data frame by the first ECU; and
permitting, by the logic, the first ECU to transmit the first data frame subsequent to the second ECU transmitting the data frame and during the transmit window for the first ECU, at least a portion of the transmit window included in a transmit interval to transmit data via the network

18.	The method of claim 17, further comprising:
receiving, by the logic during the transmit interval, a second indication from the first ECU specifying to transmit a second data frame via the network during a second transmit window, at least a portion of the second transmit window included in the transmit interval; and
	permitting, by the logic, the first ECU to transmit the second data frame during the portion of the second transmit window included in the transmit interval based on the determination that the second ECU transmitted data via the network during the transmit window for the first ECU. 
 
19.	(Currently Amended) The method of claim 16, further comprising: 
determining, by the logic based on the message ID of the first ECU, that a second transmit interval for the first ECU has expired;
determining, by the logic, that the first ECU did not transmit data during the second transmit interval; 
	determining, by the logic, that the first ECU is subject to the [[a]] suspension attack; and
	generating, by the logic, the [[an]] alert specifying that the first ECU is subject to the suspension attack.

20.	The method of claim 19, further comprising:
determining, by the logic, a voltage fingerprint of the first data frame;
determining, by the logic, that the voltage fingerprint is not equal to a voltage feature of the first ECU; and
modifying, by the logic based on the determination that the voltage fingerprint is not equal to the voltage feature of the first ECU, at least a portion of the first data frame, the at least the portion of the first data frame comprising a cyclic redundancy check portion of the first data frame or a payload of the first data frame.

21.	The method of claim 16, further comprising:
analyzing, by the logic, a first portion of a payload of the first data frame;
determining, by the logic, that the first portion of the payload specifies to modify an operational parameter of the autonomous vehicle to a specified value;
determining, by the logic based on a current state of the autonomous vehicle, that the specified value is outside a range of expected values for the operational parameter; and
modifying, by the logic, a second portion of the payload of the first data frame to cause the other ECUs to refrain from causing the operational parameter of the autonomous vehicle to have the specified value.

22.	The method of claim 16, further comprising:
restricting the first ECU from operating in the autonomous vehicle; and
causing a standby ECU of the plurality of ECUs to operate as the first ECU in the autonomous vehicle.


***
 
Reasons for allowance
Claims 1-22 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The reason for allowance is that the prior art of record fails to teach the limitations, together with the preamble, of each claim taken as a whole. The limitations recited in the independent claims comprise a particular combination of elements, functions and preamble, which is neither taught nor suggested by the prior art when each claim is taken as a whole.

The distinguishing features of representative claim 1 are underlined and summarized below:
 	An autonomous vehicle, comprising:
	a plurality of electronic control units communicably coupled by a network; and
	logic, at least a portion of which is implemented in hardware, the logic to:
receive an indication from a first electronic control unit (ECU) of the plurality of ECUs specifying to transmit a first data frame via the network;
determine, based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; 
permit the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determine whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determine whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generate an alert in response to a flooding attack or a suspension attack.

The distinguishing features of representative claim 9 are underlined and summarized below:
An apparatus, comprising:
a plurality of electronic control units of an autonomous vehicle communicably coupled by a network; and
	logic, at least a portion of which is implemented in hardware, the logic to:
receive an indication from a first electronic control unit (ECU) of the plurality of ECUs specifying to transmit a first data frame via the network;
determine, based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; 
permit the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determine whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determine whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generate an alert in response to a flooding attack or a suspension attack.


The distinguishing features of representative claim 16 are underlined and summarized below:
 
A method, comprising:
receiving, by logic implemented at least partially in hardware, an indication from a first electronic control unit (ECU) of a plurality of ECUs specifying to transmit a first data frame via a network of an autonomous vehicle;
determining [[determine]], by the logic based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; [[and]]
permitting [[permit]], by the logic, the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determining, by the logic, whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determining, by the logic, whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generating, by the logic, an alert in response to a flooding attack or a suspension attack.

 
Applicant's independent claim 1 comprises a particular combination of underlined features in combination with other recited limitations, which is neither taught nor suggested by the prior art when the claim is taken as a whole.
Similarly, the other independent claims 9 and 16 comprise a particular combination of underlined features in combination with other recited limitations with analogous wording, which is neither taught nor suggested by the prior art when each claim is taken as a whole.
Dependent claims are deemed allowable for the same reasons as corresponding independent claims.
 

Prior Art References
The closest combined references of SHIN, GALULA and SHANG teach the following:
SHIN (US 20190245872 A1) teaches that efforts to detect and prevent possible attacks on vehicles have led to various defense schemes that are capable of preventing attacks and/or determining the presence/absence of an attack on the in-vehicle network. However, these efforts still cannot identify which Electronic Control Unit (ECU) on the in-vehicle network actually mounted the attack. Moreover, they cannot detect attacks by an adversary that impersonates ECUs injecting in-vehicle messages aperiodically. Identifying the source of an attack is essential for efficient forensics, isolation, security patching, etc. To fill these gaps, a method is presented for detecting and identifying compromised ECUs in a vehicle network.

GALULA (EP 3113529 A1) teaches a system and method for providing security to a network, which may include maintaining, by a processor, a timing model of an expected behavior of data communications over the in-vehicle communication network; receiving, by the processor, a message sent over the network; determining, by the controller, based on the model and based on a timing attribute of the message, whether or not the message complies with the model; and if the message does not comply with the model then performing, by the processor, at least one action related to the message.

SHANG (CN 101789931 A) teaches a network invasion detection system and method based on data mining; the system comprises a data packet capturing module, a data packet analysis module, a fragment reconstruction module, a data mining module, a protocol analysis module, an alarm response module and a rule resolution module. The invention effectively combines data mining technology and protocol analysis technology to improve the accuracy and reliability of detection, and utilizes data mining technology to process mass data so as to realize real-time response.

However, the cited references, alone or in any combination, neither disclose nor fairly suggest the combination of features specifically listed above and/or underlined, in particular,
determine, based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; 
permit the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determine whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determine whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generate an alert in response to a flooding attack or a suspension attack.


SHIN teaches that efforts to detect and prevent possible attacks on vehicles have led to various defense schemes that are capable of preventing attacks, but fails to teach one or more limitations, including,
determine, based on a message identifier (ID) of the first ECU, whether a transmit window for the first ECU is open; 
permit the first ECU to transmit the first data frame via the network based on a determination that the transmit window for the first ECU is open;
determine whether the first ECU is subject to a flooding attack when the first ECU transmits the first data frame during the transmit window; 
determine whether the first ECU is subject to a suspension attack when the first ECU does not transmit the first data frame during the transmit window; and
generate an alert in response to a flooding attack or a suspension attack.


GALULA and SHANG, alone or in combination, fail to cure the deficiency of SHIN.

Thus, the cited references, alone or in combination, fail to disclose or suggest each of the elements recited by the independent claims.


The present invention provides an improved method of active attack detection in autonomous vehicle networks. Autonomous vehicles include a plurality of components which may be communicably coupled via an in-vehicle communications network. Malicious attackers may attempt to take control over one or more components, which may negatively impact the operation of the autonomous vehicle and pose significant safety risks. Often, it is difficult to detect and/or prevent attacks while keeping authentic message flows intact on the in-vehicle network. Embodiments disclosed herein provide techniques to detect attacks on components of autonomous vehicles and take corrective actions to neutralize the attack. For example, embodiments disclosed herein may detect flooding attacks and/or suspension attacks while allowing authentic message flows (e.g., data frames) to remain intact on an in-vehicle network. Furthermore, embodiments disclosed herein may neutralize messages transmitted by a compromised system component to prevent other system components from implementing the commands specified by the messages. Further still, embodiments disclosed herein provide techniques to remove the compromised component from the system such that the compromised component is replaced by a standby component.

Therefore, when taken as a whole application, and incorporating all the respective limitations, none of the prior art discloses the features as claimed.
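The transmit-window checks recited in claims 1, 2 and 4 can be modelled as a small per-message-ID monitor; the following is an added illustration, not code from the application or from the examiner. It assumes a schedule in which the window is the first `window` ticks of each fixed `interval`, that a request outside the window is denied, and that "flooding" means more frames in one interval than the schedule allows (one, or two when a second ECU delayed the first); the type and function names and the trace values are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed schedule model (not from the application): each message ID has a
 * fixed, non-zero transmit interval, and its transmit window is the first
 * `window` ticks of every interval. */
typedef enum { TX_PERMIT, TX_DENY, TX_DELAY, TX_FLOODING } tx_verdict;

typedef struct {
    uint32_t msg_id;            /* CAN message ID that identifies the ECU */
    uint32_t interval;          /* transmit interval length, in ticks */
    uint32_t window;            /* transmit window length, in ticks */
    uint32_t cur_slot;          /* index of the interval being tracked */
    uint32_t sent;              /* frames permitted in cur_slot */
    bool     excused;           /* a second ECU held the bus in this window */
    uint32_t flooding_alerts;
    uint32_t suspension_alerts;
} ecu_sched;

/* Claim 1: is the transmit window for this message ID open at `now`? */
static bool window_open(const ecu_sched *e, uint32_t now) {
    return (now % e->interval) < e->window;
}

/* Claims 4/12/19: each interval that expired with no frame from the ECU
 * raises a suspension alert. Returns the running alert count. */
uint32_t poll_suspension(ecu_sched *e, uint32_t now) {
    uint32_t slot = now / e->interval;
    while (e->cur_slot < slot) {
        if (e->sent == 0)
            e->suspension_alerts++;
        e->cur_slot++;
        e->sent = 0;
        e->excused = false;
    }
    return e->suspension_alerts;
}

/* Handle a transmit indication from the ECU. `second_ecu_pending` says whether
 * another ECU is to transmit during this window (claim 2). */
tx_verdict on_tx_request(ecu_sched *e, uint32_t now, bool second_ecu_pending) {
    poll_suspension(e, now);
    if (!window_open(e, now))
        return TX_DENY;               /* assumed handling of a closed window */
    if (second_ecu_pending) {
        e->excused = true;            /* delay behind the second ECU */
        return TX_DELAY;
    }
    /* Assumed flooding criterion: more frames in one interval than the
     * schedule allows (1, or 2 when a second ECU delayed us, as in claim 3). */
    uint32_t limit = e->excused ? 2u : 1u;
    if (e->sent >= limit) {
        e->flooding_alerts++;
        return TX_FLOODING;
    }
    e->sent++;
    return TX_PERMIT;
}

int main(void) {
    ecu_sched e = { .msg_id = 0x1A0, .interval = 100, .window = 20 }; /* constructed */
    static const char *names[] = { "permit", "deny", "delay", "FLOODING" };
    uint32_t times[] = { 5, 10, 50, 105, 110, 115, 118 };   /* constructed trace */
    bool     busy[]  = { 0, 0, 0, 1, 0, 0, 0 };
    for (int i = 0; i < 7; i++)
        printf("t=%u id=0x%X -> %s\n", (unsigned)times[i], (unsigned)e.msg_id,
               names[on_tx_request(&e, times[i], busy[i])]);
    printf("suspension alerts by t=450: %u\n", (unsigned)poll_suspension(&e, 450));
    return 0;
}
```

In the constructed trace the ECU is silent for the intervals starting at ticks 200 and 300, so polling at tick 450 reports two suspension alerts alongside the two flooding alerts raised earlier.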

Conclusion
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance."

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mahendra Patel whose telephone number is (571)270-7499. The examiner can normally be reached on 9:30 AM to 5:30 PM (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Anthony Addy, can be reached on (571) 272-779. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHENDRA R PATEL/Primary Examiner, Art Unit 2645