DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 7, 10, 11-14, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dyakin (US 2019/0306180), and further in view of O'Conner (US 2015/0052018).

Regarding Claims 1, 10 and 11, Dyakin teaches A method for contextual connected vehicle security incident integration (see [0009]: “a computer-implemented method is provided for detecting attacks on electronics systems of a vehicle”), comprising: 
wherein the security incident violation is indicated in security incident data collected by at least one connected vehicle security system of the connected vehicle, wherein the security incident violation indicates a deviation from normal operation of the connected vehicle (see [0023]: “A means of transportation (hereafter, MT) is a device configured to transport people, freight, or equipment installed aboard it on the roads. For example, the device may be a vehicle, such as an automobile”. And see [0054] and FIG. 3: “The system contains at least one means of transportation 301, which in turn includes an occupant protection system (OPS) 331 and a protection module 102”. The Examiner interprets one means of transportation 301 (a vehicle) shown in Fig. 3 and [0054] as the connected vehicle. The Examiner interprets a protection module 102 of one means of transportation 301 (a vehicle) shown in Fig. 3 and [0054] as at least one connected vehicle security system of the connected vehicle.  
And see [0034]: “In the present application, by “incident with a means of transportation” (hereafter, incident) is meant one or more undesirable or unexpected events resulting in a change in the expected behavior of an MT, including a road traffic accident (RTA)”. The Examiner interprets  “incident with a means of transportation” (hereafter, incident) meaning “one or more undesirable or unexpected events resulting in a change in the expected behavior of an MT, including a road traffic accident (RTA)” as the security incident violation…, wherein the security incident violation indicates a deviation from normal operation of the connected vehicle. 
And see [0055] and FIG. 3: “The protection module 102 also serves to transmit to the server 303 the portion of the log 304 containing the messages, as well as the information as to at least one ECU which is the recipient of at least one of the mentioned messages which were intercepted by the protection module 102 on the buses of the MT in a certain period around the time of occurrence of the incident with the MT (i.e., in the interval (t.sub.o−Δt, t.sub.0+Δt), where t.sub.0 is the time of occurrence of the incident with the MT, and Δt is the certain period around the time of occurrence of the incident with the MT, for example 10 seconds)”.  The Examiner interprets “where t.sub.0 is the time of occurrence of the incident with the MT” taught in [0055] as wherein the security incident violation is indicated in security incident data collected by at least one connected vehicle security system of the connected vehicle, wherein the security incident violation indicates a deviation from normal operation of the connected vehicle. And see [0103] and Fig. 5: “In step 501 the server 303 receives the log 304 from the protection module 102 of at least one MT 301. The log 304 contains messages, and also information on at least one ECU which is the recipient of at least one of the mentioned messages that have been intercepted by the protection module 102 on the buses of the MT 301 in a certain period around of the time of occurrence of an incident with the MT (such as an RTA)”); 
enriching security incident data of a connected vehicle with cybersecurity data related to at least one of: the connected vehicle, and communications between the connected vehicle and at least one external system (see [0103] and FIG. 5A: “In step 501 the server 303 receives the log 304 from the protection module 102 of at least one MT 301. The log 304 contains messages, and also information on at least one ECU which is the recipient of at least one of the mentioned messages that have been intercepted by the protection module 102 on the buses of the MT 301 in a certain period around of the time of occurrence of an incident with the MT (such as an RTA). Next, in step 502, the detection of a computer attack is carried out by analyzing the obtained log 304”. And see [0106]: “In calculating the probability of a computer attack being conducted, the server 303 take the following into consideration: that the RTA was caused by a set of factors, each of which is not an anomaly, but in their totality they result in the RTA and the probability that all of these factors occurred at the same time in the course of normal operation of the MT is low. Thus, the ECU malfunctioning at the time of occurrence of the incident are determined, and the probability of a computer attack being conducted is determined as being equal to the probability of the simultaneous malfunctioning of all the mentioned ECU (the probability of malfunctioning of each ECU is known in advance, for example it may be provided by the maker of the MT or the ECU)”. The Examiner interprets “the ECU malfunctioning at the time of occurrence of the incident are determined” and “at least one of the mentioned messages that have been intercepted by the protection module 102 on the buses of the MT 301 in a certain period around of the time of occurrence of an incident with the MT (such as an RTA)” as cybersecurity data related to … the connected vehicle. The Examiner further interprets “the detection of a computer attack is carried out by analyzing the obtained log 304”, wherein the “log 304 contains messages, and also information on at least one ECU which is the recipient of at least one of the mentioned messages that have been intercepted by the protection module 102 on the buses of the MT 301 in a certain period around of the time of occurrence of an incident with the MT (such as an RTA)” and “In calculating the probability of a computer attack being conducted, the server 303 take the following into consideration:… the ECU malfunctioning at the time of occurrence of the incident are determined” as  enriching security incident data of a connected vehicle with cybersecurity data related to at least one of: the connected vehicle, and communications between the connected vehicle and at least one external system); 
generating a risk assessment for the connected vehicle based on the enriched violation data (see [0105] and FIG. 5A: “In another particular aspect, the analysis of the log 304 further includes a determination of the probability of a computer attack being conducted on the basis of the log 304. In step 514, if the probability of a computer attack being conducted exceeds a given value (such as 0.997, or within 3 standard deviations) or if the incident with the MT had severe consequences (for example, an RTA with serious consequences), it is considered that a computer attack has been detected or the conducting of a further detailed analysis of the log 304 is initiated (step 515)”. And see [0106]: “In calculating the probability of a computer attack being conducted, the server 303 take the following into consideration: that the RTA was caused by a set of factors, each of which is not an anomaly, but in their totality they result in the RTA and the probability that all of these factors occurred at the same time in the course of normal operation of the MT is low. Thus, the ECU malfunctioning at the time of occurrence of the incident are determined, and the probability of a computer attack being conducted is determined as being equal to the probability of the simultaneous malfunctioning of all the mentioned ECU (the probability of malfunctioning of each ECU is known in advance, for example it may be provided by the maker of the MT or the ECU). Let us consider an example in which the RTA occurred as a result of the coordinated failure of 3 different independent ECU, the failure of any two of which will not result in an RTA. Let us assume that the probability of failure of the first system is 0.1, the probability of failure of the second system is 0.15 and the probability of failure of the third system is 0.18. The combined probability of a random failure of all three systems in this case is 0.0027, and accordingly the probability that the failure was not caused by random factors is 0.9973, which surpasses the threshold value”. The Examiner interprets “the probability of a computer attack being conducted is determined as being equal to the probability of the simultaneous malfunctioning of all the mentioned ECU” as generating a risk assessment for the connected vehicle based on the enriched violation data); and 
performing at least one mitigation action with respect to the connected vehicle based on the risk assessment (see [0103] and FIG. 5A: “After this, in step 503, upon detecting a computer attack the following indicators of compromise in particular are determined: the messages used in the computer attack, and for each message information on at least one ECU of the MT which is the recipient of that message. As a result, in step 504 a rule is created for the protection module 102 on the basis of the indicators of compromise, which rule contains at least one condition for the application of the rule for the detection of a computer attack on the MT, and at least one action upon application of the rule for the blocking of the computer attack on the MT”. And see [0110] and FIG. 5B: “the rules created by the server 303 in steps 501-504 are then used in the method of blocking a computer attack on the MT. In step 521 the protection module 102 receives at least one rule. Then, in step 522, the protection module 102 intercepts messages being transmitted on the buses of the MT and in step 523 in the process of intercepting the messages the protection module 102 saves the intercepted messages in the log 304, and also for each intercepted message at least one ECU of the MT which is the recipient of that message”. And see [0112] and FIG. 5B: “In step 524 in the process of intercepting messages the protection module 102 checks the conditions for application of the received rules with the use of the log 304. In one aspect, the protection module 102 may detect a computer attack of the vehicle based on satisfaction of at least one condition of a rule by the stored messages and information in the log”. And see [0113] and FIG. 5B: “Upon fulfillment of the conditions for application of at least one rule, in step 525 the computer attack on the MT is blocked by carrying out the actions upon application of the rule”. The Examiner interprets upon detecting a computer attack, determining indicators of compromise, creating a rule on the basis of the indicators of compromise, detecting a computer attack of the vehicle based on satisfaction of at least one condition of the rule and blocking the computer attack on the MT as performing at least one mitigation action with respect to the connected vehicle based on the risk assessment).

Dyakin fails to teach correlating a security incident violation with a connected vehicle.
However, O'Conner teaches correlating a security incident violation with a connected vehicle (see [0022] and Fig. 2: “the client 230 and/or server 220 used to upload images of a vehicle involved in an accident to the data storage 240 are configured to associate the pictures uploaded with a unique identification number such as the VIN (Vehicle Identification Number) for the vehicle”. The Examiner interprets an accident as a security incident violation. The Examiner further interprets associating images of a vehicle involved in an accident with a unique identification number such as the VIN (Vehicle Identification Number) for the vehicle as correlating a security incident violation with a connected vehicle). 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method for contextual connected vehicle security incident integration taught by Dyakin the step of correlating a security incident violation with a connected vehicle taught by O'Conner. It would have been obvious because O'Conner teaches that doing so allows “a user to provide a unique identification number for a vehicle to retrieve any pictures previously uploaded and stored for the vehicle” (see O'Conner [0022], last sentence).

Regarding claims 2 and 12, Dyakin further teaches wherein the at least one connected vehicle security system of the connected vehicle (the Examiner interprets a protection module 102 of one means of transportation 301 as the at least one connected vehicle security system of the connected vehicle, see [0054] and Fig. 3) and the at least one external system are among a communications ecosystem, wherein systems among the communications ecosystem communicate with each other (see [0107] and Fig. 3: “the server 303 take the following into consideration for calculating the probability of a computer attack being conducted”. And see [0109]: “the calculation of the probability of a computer attack being conducted, and also the subsequent further analysis of the log 304 may include manual analysis by a security specialist. In yet another particular aspect, all similar incidents may be aggregated and an analysis conducted using the methods of machine learning. The aggregation of the incidents may be performed by identical makes and models of the MT, the ECU and gateways used, similar circumstances of the incident (RTA), partially coinciding or intersecting logs 304 for different MT and other characteristics”. The Examiner interprets “different MT”, which is different from MT 301, as the at least one external system. The Examiner further interprets the server 303 and multiple means of transportation (MT) 301 as a communications ecosystem, wherein systems among the communications ecosystem communicate with each other), further comprising: 
correlating the security incident violation to each system among the communications ecosystem such that the cybersecurity data used for enriching the security incident data includes data related to communications within the communications ecosystem (see [0109]: “the calculation of the probability of a computer attack being conducted, and also the subsequent further analysis of the log 304 may include manual analysis by a security specialist. In yet another particular aspect, all similar incidents may be aggregated and an analysis conducted using the methods of machine learning. The aggregation of the incidents may be performed by identical makes and models of the MT, the ECU and gateways used, similar circumstances of the incident (RTA), partially coinciding or intersecting logs 304 for different MT and other characteristics”).

Regarding claims 3 and 13, Dyakin further teaches wherein the communications ecosystem includes a fleet of connected vehicles, wherein the cybersecurity data used for enriching the security incident data includes a number of connected vehicles including systems among the communications ecosystem exhibiting the same type of security incident violation(see [0109]: “the calculation of the probability of a computer attack being conducted, and also the subsequent further analysis of the log 304 may include manual analysis by a security specialist. In yet another particular aspect, all similar incidents may be aggregated and an analysis conducted using the methods of machine learning. The aggregation of the incidents may be performed by identical makes and models of the MT, the ECU and gateways used, similar circumstances of the incident (RTA), partially coinciding or intersecting logs 304 for different MT and other characteristics”. The Examiner interprets multiple means of transportation (MT) 301 as a fleet of connected vehicles. The Examiner further interprets “similar circumstances of the incident (RTA)” as exhibiting the same type of security incident violation).

Regarding claims 4 and 14, O'Conner further teaches wherein correlating the security incident violation with the connected vehicle further comprises enriching the security incident data with an identifier of the connected vehicle (see [0022] and Fig. 2: “the client 230 and/or server 220 used to upload images of a vehicle involved in an accident to the data storage 240 are configured to associate the pictures uploaded with a unique identification number such as the VIN (Vehicle Identification Number) for the vehicle”).

Regarding claims 6 and 16, Dyakin further teaches wherein the security incident violation is a mobility violation indicating at least one abnormal driving activity of the connected vehicle (see [0034]: “In the present application, by “incident with a means of transportation” (hereafter, incident) is meant one or more undesirable or unexpected events resulting in a change in the expected behavior of an MT, including a road traffic accident (RTA)”. The Examiner interprets  “incident with a means of transportation” (hereafter, incident) meaning “one or more undesirable or unexpected events resulting in a change in the expected behavior of an MT, including a road traffic accident (RTA)” as wherein the security incident violation is a mobility violation indicating at least one abnormal driving activity of the connected vehicle).

Regarding claims 7 and 17, Dyakin further teaches wherein the cybersecurity data includes at least one of: update data, at least one alert by a cybersecurity threat detector, at least one cybersecurity threat detected for at least one other connected vehicle, at least one mobility threat detected for at least one other connected vehicle, and error data (see [0106]: “In calculating the probability of a computer attack being conducted, the server 303 take the following into consideration: that the RTA was caused by a set of factors, each of which is not an anomaly, but in their totality they result in the RTA and the probability that all of these factors occurred at the same time in the course of normal operation of the MT is low. Thus, the ECU malfunctioning at the time of occurrence of the incident are determined, and the probability of a computer attack being conducted is determined as being equal to the probability of the simultaneous malfunctioning of all the mentioned ECU (the probability of malfunctioning of each ECU is known in advance, for example it may be provided by the maker of the MT or the ECU)”. The Examiner interprets “the ECU malfunctioning at the time of occurrence of the incident are determined” as wherein the cybersecurity data includes… error data).

Claims 5, 9, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dyakin (US 2019/0306180), further in view of O'Conner (US 2015/0052018), and further in view of Ostergaard (US 2018/0255082).

Regarding claims 5 and 15, Dyakin modified in view of O'Conner fails to teach normalizing the security incident data, wherein normalizing the security incident data further comprises converting at least a portion of the security incident data into a unified format based on a type of the security incident violation.
In the same field of endeavor, Ostergaard teaches normalizing the security incident data, wherein normalizing the security incident data further comprises converting at least a portion of the security incident data into a unified format based on a type of the security incident violation (see [0055]: “As shown by the example architecture of FIG. 9, data is captured through the tap, whereupon the data is decoded and transformed into a common format for entry in the database. In the example of FIG. 9, the CAN format 905 has a high byte, a low byte, and a payload. The decoding function would thereby translate the high-byte and low-byte into a data source, and further translates the payload into a payload value and the type of payload as shown at 906”. And see [0053]: “For each module, there is a tap that allows it to read data from the source. The data is then transformed and decoded into a format that is able to be used by the anomaly detection system”. And see [0035] and [0054]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to add to the method for contextual connected vehicle security incident integration taught by Dyakin modified in view of O'Conner the step of normalizing the security incident data, wherein normalizing the security incident data further comprises converting at least a portion of the security incident data into a unified format based on a type of the security incident violation taught by Ostergaard. It would have been obvious because Ostergaard teaches the following: “For each module, there is a tap that allows it to read data from the source. The data is then transformed and decoded into a format that is able to be used by the anomaly detection system” (see [0053]). 

Regarding claims 9 and 19, Dyakin modified in view of O'Conner fails to teach wherein the at least one mitigation action includes quarantining the connected vehicle from the at least one external system.
In the same field of endeavor, Ostergaard teaches wherein the at least one mitigation action includes quarantining the connected vehicle from the at least one external system (see [0072]: “FIG. 17 illustrates another example process flow, where a malicious payload is being downloaded to a parked vehicle over a mobile network, in accordance with an example implementation. At 1700, suppose that bad sensor data is entered maliciously (e.g. malicious network data is transmitted to the network adapter of the car via mobile broadband or through a wireless connection). At 1701, the driving state is determined as that the vehicle is parked. At 1702, a determination is made as to whether reports are received from the V2X or cloud. In this example, it is determined that the cloud has provided reports indicating that the bad sensor data is malicious. Thus at 1703, the message is labeled as malicious. At 1704, the results are logged and the local security management function is informed. At 1705, the safety mode is activated based on the malicious report and thus the malicious communication can be isolated and terminated”. And see [0041]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method for contextual connected vehicle security incident integration taught by Dyakin modified in view of O'Conner by letting the at least one mitigation action include quarantining the connected vehicle from the at least one external system, as taught by Ostergaard. It would have been obvious because doing so achieves the commonly understood benefit of preventing malicious commands from the at least one external system from harming the operations of the connected vehicle.

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dyakin (US 2019/0306180), further in view of O'Conner (US 2015/0052018), and further in view of Graefe (US 2019/0222652).

Regarding claims 8 and 18, Dyakin modified in view of O'Conner fails to teach wherein the at least one mitigation action includes reconfiguring at least one detector of the connected vehicle with respect to data collection based on the enriched security incident data. 
In the same field of endeavor, Graefe teaches wherein the at least one mitigation action includes reconfiguring at least one detector of the connected vehicle with respect to data collection based on the enriched security incident data (see [0099]: “At operation 416, the SAS 301 (or the configuration subsystem 306) determines whether a reconfiguration trigger has been detected. Each trigger signals that the intended coverage area 63 and the current sensor arrangement no longer match, and therefore, the sensor arrangement should to be modified. In embodiments, the reconfiguration of the sensor arrangement is triggered by one of the three events, a sensor 262 failure, malfunction, or provides erratic or erroneous sensor data; detecting an unexpected obstacle (e.g., a traffic accident, a parked truck for longer than a predefined amount of time, a construction site that exists for several days, etc.); and an external configuration event changing the observed area 63 and/or priorities of individual grid cells (e.g., a change of the traffic conditions such as a lane closure, construction site, etc.)”). 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method for contextual connected vehicle security incident integration taught by Dyakin modified in view of O'Conner by letting the at least one mitigation action include reconfiguring at least one detector of the connected vehicle with respect to data collection based on the enriched security incident data, as taught by Graefe. It would have been obvious because Graefe teaches the following: “This way the sensor network can reconfigure quickly in cases where, for example, individual sensors 262 malfunction or fail, are temporarily occluded, or if the coverage area 63 changes (e.g., construction site, traffic accident)” (see [0082]). 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495                                                                                                                                                                                                        
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495