Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the reply filed by Applicant on 5/2/2020. Claims 1-7 are pending. This Office Action is Final.

Response to Arguments
	A) Applicant’s amendments and arguments regarding the claim interpretation under 35 USC 112(f) of claim 1 have been considered and deemed persuasive.  As a result the claim interpretation of claim 1 has been withdrawn.

	B) Applicant’s arguments with respect to claim(s) 1 have been considered but are moot because the new ground of rejection does not rely on the same exact combination of references in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2 and 4-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kerstein (US 2020/0342099) in view of Kfir et al. (US 2020/0159181).

	As per claim 1, Kerstein teaches an anomaly monitoring device comprising: a power supply; an Ethernet port; a non-transitory memory configured to store a program: and a hardware processor configured to execute the program and control the anomaly monitoring device to operate as: (Kerstein, Paragraph 0007 recites “FIG. 1 illustrates a high level block diagram of an automotive communication network 10 known to the prior art comprising: an Ethernet switch 20; a plurality of ECUs 30; a telematic control unit (TCU) 40; an external tester 50; a DoIP client 70; a domain controller unit (DCU) 80; a DoIP gateway 85; a controller area network (CAN) bus 90; and a plurality of CAN ECUs 95. Each of the plurality of ECUs 30, TCU 40, DoIP client 70, DCU 80 and DoIP gateway 85 are coupled to a respective port of Ethernet switch 20.” And Paragraph 0050 recites “Anomaly analyzer 170 may be implemented in an FPGA, microcontroller, or processor with associated memory, the associated memory holding electronically readable instructions, which when implemented perform the tasks as described.”); 
	an anomaly determination unit configured to determine as an anomaly related to Ethernet communication between a [[peripheral]] device and a control device (Kerstein, Paragraph 0012 recites “In one embodiment, the anomaly analyzer is further arranged to compare the received inf/ormation regarding intrusion anomalies detected by the local security monitor with a black list, and in the event that the received information is congruent with the black list, output at least one of: a command to disable a communication function of the telematics control unit; and an alert message.”); 
	an information collection unit configured to collect operation information regarding operations of the [[peripheral]] device at a time of the anomaly and when the anomaly determination unit determines that the anomaly related to the Ethernet communication has occurred (Kerstein, Paragraphs 0050 and 0051 recites “In stage 1000, the DACs and DTCs generated by the respective ECUs 30; network security device 180; TCUs 40 and CAN ECUs 95 are received. As indicated above, DACs are associated with intrusion anomalies, and DTC are associated with hardware anomalies. Optionally, as described above, for each type of intrusion anomaly, a unique DAC is generated. In stage 1010, the received DACs and DTCs of stage 1000 are stored on a respective memory associated with anomaly analyzer 170. In stage 1020, the received DACs are compared with a black list, stored on respective memory locations associated with anomaly analyzer 170. There is no requirement that the actual DACs be compared with the black list, and in another embodiment the payload information of the received DACs are compared with the black list. The comparison is not meant to be limited to a direct item by item comparison, and identification of a range of values, or a translation of values may be utilized without exceeding the scope.”);
	and an information transmission unit configured to transmit the collected operation information outside of the anomaly monitoring device via the Ethernet port to the control device, on the basis of the Ethernet communication (Kerstein, Paragraph 0052 recites “In stage 1030 the result of the comparison of stage 1020 is identified. In the event that any of the received DACs of stage 1000, or payload information thereof, are congruent with the black list of stage 1020, in stage 1040 anomaly analyzer 170 is arranged to output a warning indicator to a monitor, as will be described further below, and optionally disable the communication function of TCU 40.”).
	But Kerstein fails to explicitly teach an anomaly detection with a peripheral device and [[an anomaly determination unit configured to an anomaly related to Ethernet communication between a peripheral device and a control device]] at least a state in which a power supply of the peripheral device is off, a state in which communication processing in a processer of the peripheral device has been terminated anomalously, or a state in which no communication packet has been exchanged between the peripheral device and the control device over a predetermined period of time
	However, in an analogous art Kfir teaches anomaly detection with a peripheral device (Kfir, Paragraph 0025 recites “Reference is made to FIG. 1 that schematically illustrates an exemplary industrial plant comprising an ICS 10. ICS 10 comprises an ICS controller 12 and an ICS network 20 comprising five switches 22A-E that connect the ICS controller to network-connectable field devices such as computer workstation 13, robots 15A-D and a motor 16. ICS network 20 may also connect the field devices to each other. The network connections of the ICS network are schematically represented as solid lines 25. The ICS 10 may operate under a given industrial protocol and use ICS network 20 to transmit packets between ICS controller 12 and the field devices. Each field device connected to the ICS network, including the ICS controller, may be identified with a unique unit identifier in accordance with a given industrial protocol.”);
	and [[an anomaly determination unit configured to an anomaly related to Ethernet communication between a peripheral device and a control device]] at least a state in which a power supply of the peripheral device is off, a state in which communication processing in a processer of the peripheral device has been terminated anomalously, or a state in which no communication packet has been exchanged between the peripheral device and the control device over a predetermined period of time (Kfir, Paragraphs 0044-0045 recites “Malware or a malicious intruder who gained access to ICS 10 may direct or reprogram one or more end device controllers to execute actions not intended by an authorized operator of the ICS, which may result in end device controllers being rendered inoperable or unresponsive, or otherwise cause unexpected changes to a configuration, device logic, or identity of end device controllers comprised in the ICS. By way of example, end device controller for robot 15A may have its device ID improperly changed from “B221” to a different device ID, be rendered unresponsive, have its device logic reprogrammed so that robot 15A executes operations that damages itself or others nearby, or have its device log modified or erased. An active probe may conduct a Keep-Alive Scan (which may be alternatively referred to as a Ping Scan), in which the active probe transmits one or more query packets (“Keep-Alive query packets”) instructing an end device controller to respond with a status packet (a “Keep-Alive status packet”) indicating presence on the ICS network. QP server 200 optionally designates an end device controller as possible compromised if reception of a Keep-Alive query packet directed to the end device controller is not followed by reception of a corresponding Keep-Alive status packet from the end device within a predetermined time window. Additionally or alternatively, QP server 200 designates an end device controller as possibly compromised if reception of a Keep-Alive status packet from the end device controller is not preceded by reception of a corresponding Keep-alive query packet within a predetermined time window.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kfir’s hybrid network monitoring system with Kerstein’s intrusion anomaly monitoring in a vehicle environment because monitoring for these types of anomalies if beneficial in automated systems where a user cannot be messaged to question a possibly compromised device. 

	As per claim 2, Kerstein in combination with Kfir teaches the anomaly monitoring device according to claim 1, Kerstein further teaches the anomaly monitoring device comprising: a storage unit configured to store information about the Ethernet communication (Kerstein, Paragraph 0043 recites “Anomaly analyzer 170 further serves as a target for DTCs generated by any of ECU 30, TCU 40, CAN ECU 95, and/or a DAC generated by network security device 180. Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50, and further comprises a processor arranged to analyze the received DTCs/DACs, and in certain circumstances take protective action responsive thereto, as will be described further below”). 
	and wherein the information transmission unit transmits the operation information outside by broadcast communication, on the basis of the information about the Ethernet communication (Kerstein, Paragraph 0012 recites “In one embodiment, the anomaly analyzer is further arranged to compare the received information regarding intrusion anomalies detected by the local security monitor with a black list, and in the event that the received information is congruent with the black list, output at least one of: a command to disable a communication function of the telematics control unit; and an alert message. In one further embodiment, the system further comprises an anomaly monitor in communication with the anomaly analyzer, the alert message being sent to the anomaly monitor, wherein the plurality of engine control units, the anomaly analyzer and the anomaly monitor are located within a single automotive environment” The alert message would be sent to all the units to inform them of the alert, which would be considered to be a broadcast in itself.).

	As per claim 4, Kerstein in combination with Kfir teaches the anomaly monitoring device according to claim 1, Kerstein further teaches the anomaly monitoring device being an Ethernet transceiver (Kerstein, Paragraph 0041 recites “Each of the plurality of ECUs 30, TCU 40, anomaly analyzer 170 and DCU 80 are coupled to a respective port of Ethernet switch 20 and represent nodes of automotive communication network 100.”).

	As per claim 5, Kerstein in combination with Kfir teaches the anomaly monitoring device according to claim 1, Kerstein further teaches wherein the peripheral device includes the anomaly monitoring device (Kerstein, Paragraph 0043 recites “Anomaly analyzer 170 further serves as a target for DTCs generated by any of ECU 30, TCU 40, CAN ECU 95, and/or a DAC generated by network security device 180. Anomaly analyzer 170 typically further comprises a memory (not shown) arranged to store the received DTCs/DACs for retrieval by external tester 50, and further comprises a processor arranged to analyze the received DTCs/DACs, and in certain circumstances take protective action responsive thereto, as will be described further below”). 

	As per claim 6, Kerstein in combination with Kfir teaches the anomaly monitoring device according to claim 1, Kfir further teaches wherein the peripheral device is a robot peripheral device (Kfir, Paragraph 0025 recites “Reference is made to FIG. 1 that schematically illustrates an exemplary industrial plant comprising an ICS 10. ICS 10 comprises an ICS controller 12 and an ICS network 20 comprising five switches 22A-E that connect the ICS controller to network-connectable field devices such as computer workstation 13, robots 15A-D and a motor 16. ICS network 20 may also connect the field devices to each other. The network connections of the ICS network are schematically represented as solid lines 25. The ICS 10 may operate under a given industrial protocol and use ICS network 20 to transmit packets between ICS controller 12 and the field devices. Each field device connected to the ICS network, including the ICS controller, may be identified with a unique unit identifier in accordance with a given industrial protocol.”);

	and Kerstein further teaches the control device is a robot control device (Kerstein, Paragraph 0064 recites “illustrates a high level block diagram of a multi-vehicle arrangement 500 wherein anomaly analyzer 170 of first vehicle 410 is communication with an anomaly analyzer 170 of a second vehicle 510. In particular, vehicle 410 is as described above in relation to FIG. 4A, and vehicle 510 comprises: Ethernet switch 20; ECU 235; anomaly analyzer 170; TCU 40; and an anomaly monitor 520. Each of ECU 235, anomaly analyzer 170 and TCU 40 of vehicle 510 are in communication with each other, and with anomaly monitor 520, through Ethernet switch 20 of vehicle 510. In the embodiment of FIG. 4B, the monitor is thus implemented remotely by anomaly monitor 520 located in a different vehicle. In one particular embodiment, a monitoring vehicle of a convoy may implement a single anomaly monitor for all individual vehicles in the convoy, thus allowing supervision of the entire convoy at a single anomaly monitor 520.” It is determined that a vehicle could read on a robot.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kfir’s hybrid network monitoring system with Kerstein’s intrusion anomaly monitoring in a vehicle environment because monitoring for these types of anomalies if beneficial in automated systems where a user cannot be messaged to question a possibly compromised device. 


	As per claim 7, Kerstein in combination with Kfir teaches the anomaly monitoring device according to claim 6, Kerstein further teaches wherein the robot peripheral device is a teaching operation panel (Kerstein, Paragraph 0064 recites “illustrates a high level block diagram of a multi-vehicle arrangement 500 wherein anomaly analyzer 170 of first vehicle 410 is communication with an anomaly analyzer 170 of a second vehicle 510. In particular, vehicle 410 is as described above in relation to FIG. 4A, and vehicle 510 comprises: Ethernet switch 20; ECU 235; anomaly analyzer 170; TCU 40; and an anomaly monitor 520. Each of ECU 235, anomaly analyzer 170 and TCU 40 of vehicle 510 are in communication with each other, and with anomaly monitor 520, through Ethernet switch 20 of vehicle 510. In the embodiment of FIG. 4B, the monitor is thus implemented remotely by anomaly monitor 520 located in a different vehicle. In one particular embodiment, a monitoring vehicle of a convoy may implement a single anomaly monitor for all individual vehicles in the convoy, thus allowing supervision of the entire convoy at a single anomaly monitor 520.” It is determined that a vehicle could read on a robot.).


Claim 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kerstein (US 2020/0342099) and Kfir et al. (US 2020/0159181) and in further view of Sato (US 2013/0346145).

	As per claim 3, Kerstein in combination with Kfir teaches the anomaly monitoring device according to claim 1, but fails to teach wherein the operation information about the operation of the peripheral device indicates a case of the power supply of the peripheral device being in an off state, a case of anomalous termination of communication processing, or a case of physical disconnection of an Ethernet cable.
	However, in an analogous art Sato teaches (Sato, Paragraph 0054 recites “On the other hand, when the communication is disconnected due to occurrence of anomaly in the multifunctional peripheral device 102 (S608), the multifunctional peripheral device 101 never receives a 200_OK response from the multifunctional peripheral device 102 even if transmitting the Re-Invite request to the multifunctional peripheral device 102 (S609). Accordingly, when a response from multifunctional peripheral device 102 has not been received within the failure determination time 407, the multifunctional peripheral device 101 determines that the SIP session continuity is lost, transmits a Bye request to the multifunctional peripheral device 102 (S610), and performs an SIP session disconnection process.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Sato’s communication device, control method therefor, and storage medium storing control program therefor with Kerstein’s intrusion anomaly monitoring in a vehicle environment because the function of monitoring a peripheral device can determine if a device has lost connection with a network. 






Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439