DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	Claims 1-20 are pending.  Claims 1, 8 and 15 are independent and currently amended.  Amendments to the claims are accepted.

Response to Arguments
3.	Applicant’s arguments based on rejections under 35 U.S.C. 102 and 103 have been fully considered; however, they are not persuasive based on new ground(s) of rejection.

Claim Objections
4.	Claim 8 is objected to because claim 8 recites “determine a weighted score for the malicious activity, the weight score based on at least one of a predetermined priority of the CAN data” (emphasis added).  The limitation “the weight score” lacks antecedent basis and should be modified to “the weighted score” that is previously recited in the claim.

Appropriate correction is required.




Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


7.	Claims 1, 2, 8, 10, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US PG Pub. 2016/0019389) in view of Ricci (US PG Pub. 2018/0012091).
Regarding claim 1, Yan discloses A threat forensics platform, comprising: 
a memory configured to store a baseline model of controller area network (CAN) data [para. 23; storing inbound CAN message whitelist and outbound CAN message blacklist]; and
 a processor coupled to the memory [para. 9] and configured to: 
obtain controller area network (CAN) data including a plurality of messages [para. 24; obtaining a plurality of inbound message commands], 
compare the controller area network data including the plurality of messages with the baseline model of the CAN data [para. 24; comparing the count of the plurality of inbound message commands with a threshold predefined within a time window], 
determine a threat score for the CAN data based on the comparison [para. 24; determining the count of the plurality of inbound message commands with a threshold], 
determine that there is a threat within the CAN data based on the threat score [para. 24; if the count of the plurality of inbound message commands meets or exceeds the threshold, determining that the command is associated with a malicious attack], 
Yan does not explicitly disclose the limitation determine a weighted score based on at least one of a predetermined priority of the threat score, a degree of difference between the threat score and the baseline model, or a category of the threat score. However, Ricci discloses it [para. 114-115 and 124-126].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Yan’s system to further comprise the missing feature, which is disclosed by Ricci, for determining priority level of safety condition [Ricci para. 114-115].
Yan further discloses the limitation provide an indication that there is the threat to a driver of a vehicle or a service provider based on the weighted score [para. 28; providing a warning to the driver].  

Regarding claim 2, Yan further discloses The threat forensics platform of claim 1, wherein the processor is configured to: determine that the threat score is greater than or equal to a threshold value [para. 24; if the count of the plurality of inbound message commands meets or exceeds the threshold, determining that the command is associated with a malicious attack]; and provide the indication that there is the threat to the driver of the vehicle or the service provider in response to determining that that the threat score is greater than or equal to the threshold value [para. 28; providing a warning to the driver].  

Regarding claim 8, Yan discloses A threat detection apparatus for an autonomous vehicle, comprising: 
a memory configured to store a baseline model of controller area network (CAN) data from a CAN bus [para. 23; storing inbound CAN message whitelist and outbound CAN message blacklist]; and
a processor coupled to the memory [para. 9] and configured to: 
determine that malicious activity is occurring on the CAN bus based on a comparison of the baseline model with the CAN data [para. 24; determining the count of the plurality of inbound message commands with a threshold], 
Yan does not disclose the limitation determine a weighted score for the malicious activity, the weight score based on at least one of a predetermined priority of the CAN data, a degree of difference between the CAN data and the baseline model, or a category of the CAN data.
However, Ricci discloses it [para. 114-115 and 124-126].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Yan’s processor to further comprise the missing feature, which is disclosed by Ricci, for determining priority level of safety condition [Ricci para. 114-115].
Yan further discloses the limitation notify a driver of the vehicle that there is malicious activity based on the determination of the weighted score and that malicious activity is occurring on the CAN bus [para. 24 and 28; if the count of the plurality of inbound message commands meets or exceeds the threshold, determining that the command is associated with a malicious attack and providing a warning to the driver].  

Regarding claim 10, Yan further discloses The threat apparatus of claim 8, wherein the processor is configured to: obtain the baseline model; and compare the baseline model with CAN data on the CAN bus of the vehicle [para. 24; comparing the count of the plurality of inbound message commands with a threshold predefined within a time window].  

Regarding claim 13, Yan further discloses The threat apparatus of claim 8, wherein the processor is further configured to: provide the CAN data on the CAN bus to a threat forensics platform [para. 24; obtaining a plurality of inbound message commands]; and obtain from the threat forensics platform results of a comparison between the baseline model with the CAN data [para. 24; if the count of the plurality of inbound message commands meets or exceeds the threshold, determining that the command is associated with a malicious attack].  

Regarding claim 15, Yan discloses A method for detecting malicious activity, comprising: 
obtaining, by a processor of a threat forensics platform, a first set of controller area network (CAN) data from a plurality of vehicles [para. 23; storing inbound CAN message whitelist and outbound CAN message blacklist]; 
generating, by the processor of the threat forensics platform, a baseline model based on the first set of CAN data [para. 23; storing inbound CAN message whitelist and outbound CAN message blacklist]; 
obtaining, by a processor of the threat forensics platform, a second set of CAN data including a plurality of messages [para. 24; obtaining a plurality of inbound message commands]; 
comparing, by the processor of the threat forensics platform, the second set of CAN data with the baseline model [para. 24; comparing the count of the plurality of inbound message commands with a threshold predefined within a time window]; 
determining, by the processor of the threat forensics platform, a threat score for the second set of CAN data based on the comparison [para. 24; comparing the count of the plurality of inbound message commands with a threshold predefined within a time window]; 
determining, by the processor of the threat forensics platform, that there is a threat within the second set of CAN data based on the threat score [para. 24; if the count of the plurality of inbound message commands meets or exceeds the threshold, determining that the command is associated with a malicious attack]; and 
Yan does not disclose determining a weighted score for the threat score, the weighted score based on at least one of a predetermined priority of the threat score, a degree of difference between the threat score and the baseline model, or a category of the threat score.
However, Ricci discloses it [para. 114-115 and 124-126].
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Yan’s system to further comprise the missing feature, which is disclosed by Ricci, for determining priority level of safety condition [Ricci para. 114-115].
Yan further discloses causing, by the processor of the threat forensics platform, a processor of the threat detection apparatus to send an indication that there is a threat to a driver of a vehicle, to other drivers of other vehicles or to another entity including law enforcement or a service provider based on the weighted score [para. 28; providing a warning to the driver].  

8.	Claims 3, 12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US PG Pub. 2016/0019389) in view of Ricci (US PG Pub. 2018/0012091) and further in view of Kishikawa (US PG Pub. 2016/0205194).
Regarding claim 3, Yan and Ricci do not explicitly disclose the processor is further configured to: determine that a message of the plurality of messages does not have a message identifier; and determine the threat score for the CAN data further based on the determination that the message does not have the message identifier; however, Kishikawa discloses it [para. 104].  
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Yan and Ricci’s system to further comprise the missing feature, which is disclosed by Kishikawa, in order to identify a frame without a message ID indicating a malicious activity.

Regarding claim 12, Yan, Ricci and Kishikawa also disclose The threat apparatus of claim 8, wherein the CAN data has a plurality of messages, wherein the processor is configured to: check each message of the plurality of messages for a message identifier; and determine that malicious activity is occurring on the CAN bus further based on the check [Kishikawa para. 104].  

Regarding claim 17, Yan, Ricci and Kishikawa also disclose The method of claim 15, further comprising: checking each message of the plurality of messages for a message identifier; and determining the threat score for the second set of CAN data further based on the check of each message [Kishikawa para. 104].  

9.	Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US PG Pub. 2016/0019389) in view of Ricci (US PG Pub. 2018/0012091) and further in view of Valasek (US PG Pub. 2015/0113638).
Regarding claim 4, Yan and Ricci do not explicitly disclose The threat forensics platform of claim 1, wherein the baseline model includes a baseline pattern, wherein to compare the controller area network data including the plurality of messages with the baseline model of the CAN data the processor is further configured to: determine one or more patterns of the plurality of messages; and compare the one or more patterns of the plurality of messages with the baseline pattern.  However, Valasek discloses it [para. 25].  
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Yan and Ricci’s threat forensics platform to further comprise the missing feature, which is disclosed by Valasek, as an alternative way for detecting abnormal and malicious activities [Valasek para. 25].

Regarding claim 11, Yan, Ricci and Valasek further disclose The threat apparatus of claim 10, wherein the CAN data has a plurality of messages, wherein to compare the baseline model with the CAN data on the CAN bus of the vehicle the processor is configured to: determine one or more values of the plurality of messages; and compare the one or more values of the plurality of messages with one or more range of values within the baseline model [Valasek para. 25-27].  

10.	Claims 5-7, 9, 14, 16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yan (US PG Pub. 2016/0019389) in view of Ricci (US PG Pub. 2018/0012091) and further in view of Ruvio (US PG Pub. 2019/0036946).
Regarding claim 5, Yan and Ricci do not explicitly disclose the CAN data has a plurality of categories, each message being in one category of the plurality of categories, wherein the baseline model has ranges of values for the different categories of the plurality of categories.  However, Ruvio discloses it [para. 127].  
It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Yan and Ricci’s threat forensics platform to further comprise the missing feature, which is disclosed by Ruvio, to improve the ability to detect malicious activities [Ruvio para. 120].

Regarding claim 6, Yan, Ricci and Ruvio further disclose The threat forensics platform of claim 5, wherein the processor is further configured to: determine that a message of the plurality of messages is of a category of the plurality of categories and has a value that exceeds a corresponding range of values associated with the category in the baseline model [Ruvio para. 120 and 129].  

Regarding claim 7, Yan, Ricci and Ruvio further disclose The threat forensics platform of claim 6, wherein the processor is configured to determine the threat score for the CAN data further based determination that the value of the message exceeds the corresponding range of values [Ruvio para. 129].  

Regarding claim 9, Yan, Ricci and Ruvio further disclose The threat apparatus of claim 8, further comprising: 
a camera configured to capture image data [Ruvio para. 80]; wherein the processor is configured to notify a service provider that there is malicious activity [para. 73, 96 and 130], wherein the notification includes the image data [Yan para. 24 and 39; an alert including details (i.e. including image captured by Ruvio’s camera) for analyzing threat forensics].  

Regarding claim 14, Yan, Ricci and Ruvio further disclose The threat apparatus of claim 11, further comprising: a navigation unit is configured to obtain navigational map information including a current location of the vehicle; wherein the processor is coupled to the navigation unit and is configured to: provide the current location of the vehicle to the threat forensics platform [Ruvio para. 42].  

Regarding claim 16, Yan, Ricci and Ruvio further disclose The method of claim 15, further comprising: obtaining, from traffic infrastructure, forensic data including a location of the vehicle where the threat was detected; wherein the indication includes the location of the vehicle where the threat was detected [Ruvio para. 42].  

Regarding claim 18, Yan, Ricci and Ruvio further disclose The method of claim 15, wherein the second set of CAN data has a plurality of categories, each message being in one category of the plurality of categories, wherein the baseline model has ranges of values for the different categories of the plurality of categories [Ruvio para. 120].  

Regarding claim 19, Yan, Ricci and Ruvio further disclose The method of claim 18, further comprising: determining that a message of the plurality of messages is of a category of the plurality of categories and has a value that exceeds a corresponding range of values associated with the category in the baseline model [Ruvio para. 120 and 129].  

Regarding claim 20, Yan, Ricci and Ruvio further disclose The method of claim 19, wherein determining the threat score for the second set of CAN data is further based the determination that the value of the message exceeds the corresponding range of values [Ruvio para. 129].




Conclusion
Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433