Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8 and 14 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims 8 and 14 – 20 claimed a computer program. It can be interpreted as a software. It fails to fall within a statutory category of invention. It is not a process occurring as a result of executing the software, a machine programmed to operate in accordance with the software nor a manufacture structurally and functionally interconnected with the software in a manner which enables the software to act as a computer component and realize its functionality. It is also clearly not directed to a composition of matter. Therefore, it is non-statutory under 35 U.S.C. 101. 

Claim Rejections - 35 USC § 112 
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claim limitation “a receiving part”, “a knowledge information acquiring part”, “an allocation rule generating part”, and “an allocating part” in claims 1 – 4 and 9 – 12  has/have been interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because it uses/they use a generic placeholder “part” coupled with functional language “receiving”, “acquiring”, “generating”, and “allocating” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
Since the claim limitation(s) invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claim(s) 1 – 4 and 9 – 12 has/have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.  
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitation: the Examiner considers the above parts are part of computer processor described in paragraph 0087 – 0088 (in PGPUB).
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gupta et al. (US Patent Application Publication 2016/0350657, IDS), hereinafter referred to as Gupta.

Regarding Claim 1, Gupta discloses an abnormal communication detection apparatus detecting abnormal communication from communication of each electronic control apparatus in a communication network (Fig. 1A), the abnormal communication detection apparatus comprising: 
a receiving part receiving observed module for learning that includes an identifier and observed module for detection that includes the identifier ([0030], the observer module may be configured to generate a behavior vector of size “n” that maps the observer real-time data into an n-dimensional space. Each number or symbol in the behavior vector (i.e., each of the “n” values stored by the vector) may represent the value of a feature. The observer module may analyze the behavior vector (e.g., by applying the behavior vector to a model of various observed modules to evaluate the behavior of each observed module. [0031], “A model of an observed module may identify one or more features of observable behavior of the observed module that may indicate the observed module is behaving anomalously”. [0054], “The classifier models may be preinstalled on the observer module, downloaded or received from a network server, generated in the observer module, or any combination thereof. The classifier models may be generated by using behavior modeling techniques, machine learning algorithms, or other methods of generating classifier models”. [0065], “… each observer module may observe the behavior or behaviors of an observed module. Each observer module may observe behavior(s) of a plurality of observed modules. Each observer module may have a different perspective on the behavior of the observed module, as each observer module may have different quantities and/or qualities of interactions with the observed module. Thus, different observer modules may observe different behaviors from the observed module. The observed module's behavior may include or be based on one or more of messages, instructions, memory accesses, requests, data transformations, activities, conditions, operations, events, and other module behavior observed over a communication link between the observer module and the observed module.” [0007], "In some aspects, a step for generating, by each of the observer modules, a behavior representation based on the behavior of the observed module may include a step for generating, by each of the observer modules, a behavior vector based on the behavior of the observed module, and a step for applying, by each of the observer modules, the behavior representation to a behavior classifier model for the observed module may include a step for applying, by each of the observer modules, the behavior vector to a behavior classifier model for the observed module." In other words, the classifier model of Gupta is generated in an observer module by a machine learning algorithm, etc., the observed module may be observed from different perspectives in different observer modules (in other words, as a plurality of models), and a behavior vector (the behavior vector in which real-time data of a sensor or hardware or software behavior is mapped to an n-dimensional space) is applied to a behavior classifier model for the observed module.); 
a knowledge information acquiring part acquiring knowledge information that is information about at least either temporal characteristics or payload characteristics of the observed module for learning ([0030], the observer module may be configured to generate a behavior vector of size “n” that maps the observer real-time data into an n-dimensional space. Each number or symbol in the behavior vector (i.e., each of the “n” values stored by the vector) may represent the value of a feature. The observer module may analyze the behavior vector (e.g., by applying the behavior vector to a model of various observed modules to evaluate the behavior of each observed module. [0031], “A model of an observed module may identify one or more features of observable behavior of the observed module that may indicate the observed module is behaving anomalously”. [0054], “The classifier models may be preinstalled on the observer module, downloaded or received from a network server, generated in the observer module, or any combination thereof. The classifier models may be generated by using behavior modeling techniques, machine learning algorithms, or other methods of generating classifier models”. [0065], “… each observer module may observe the behavior or behaviors of an observed module. Each observer module may observe behavior(s) of a plurality of observed modules. Each observer module may have a different perspective on the behavior of the observed module, as each observer module may have different quantities and/or qualities of interactions with the observed module. Thus, different observer modules may observe different behaviors from the observed module. The observed module's behavior may include or be based on one or more of messages, instructions, memory accesses, requests, data transformations, activities, conditions, operations, events, and other module behavior observed over a communication link between the observer module and the observed module.” [0007], "In some aspects, a step for generating, by each of the observer modules, a behavior representation based on the behavior of the observed module may include a step for generating, by each of the observer modules, a behavior vector based on the behavior of the observed module, and a step for applying, by each of the observer modules, the behavior representation to a behavior classifier model for the observed module may include a step for applying, by each of the observer modules, the behavior vector to a behavior classifier model for the observed module." In other words, the classifier model of Gupta is generated in an observer module by a machine learning algorithm, etc., the observed module may be observed from different perspectives in different observer modules (in other words, as a plurality of models), and a behavior vector (the behavior vector in which real-time data of a sensor or hardware or software behavior is mapped to an n-dimensional space) is applied to a behavior classifier model for the observed module.); 
an allocation rule generating part generating allocation rules that are rules for specifying which observed module having which identifier is to be allocated to which detector among a plurality of detectors, based on the knowledge information ([0030], the observer module may be configured to generate a behavior vector of size “n” that maps the observer real-time data into an n-dimensional space. Each number or symbol in the behavior vector (i.e., each of the “n” values stored by the vector) may represent the value of a feature. The observer module may analyze the behavior vector (e.g., by applying the behavior vector to a model of various observed modules to evaluate the behavior of each observed module. [0031], “A model of an observed module may identify one or more features of observable behavior of the observed module that may indicate the observed module is behaving anomalously”. [0054], “The classifier models may be preinstalled on the observer module, downloaded or received from a network server, generated in the observer module, or any combination thereof. The classifier models may be generated by using behavior modeling techniques, machine learning algorithms, or other methods of generating classifier models”. [0065], “… each observer module may observe the behavior or behaviors of an observed module. Each observer module may observe behavior(s) of a plurality of observed modules. Each observer module may have a different perspective on the behavior of the observed module, as each observer module may have different quantities and/or qualities of interactions with the observed module. Thus, different observer modules may observe different behaviors from the observed module. The observed module's behavior may include or be based on one or more of messages, instructions, memory accesses, requests, data transformations, activities, conditions, operations, events, and other module behavior observed over a communication link between the observer module and the observed module.” [0007], "In some aspects, a step for generating, by each of the observer modules, a behavior representation based on the behavior of the observed module may include a step for generating, by each of the observer modules, a behavior vector based on the behavior of the observed module, and a step for applying, by each of the observer modules, the behavior representation to a behavior classifier model for the observed module may include a step for applying, by each of the observer modules, the behavior vector to a behavior classifier model for the observed module." In other words, the classifier model of Gupta is generated in an observer module by a machine learning algorithm, etc., the observed module may be observed from different perspectives in different observer modules (in other words, as a plurality of models), and a behavior vector (the behavior vector in which real-time data of a sensor or hardware or software behavior is mapped to an n-dimensional space) is applied to a behavior classifier model for the observed module.); 
an allocating part allocating the communication data to any of the detectors based on the allocation rules ([0030], the observer module may be configured to generate a behavior vector of size “n” that maps the observer real-time data into an n-dimensional space. Each number or symbol in the behavior vector (i.e., each of the “n” values stored by the vector) may represent the value of a feature. The observer module may analyze the behavior vector (e.g., by applying the behavior vector to a model of various observed modules to evaluate the behavior of each observed module. [0031], “A model of an observed module may identify one or more features of observable behavior of the observed module that may indicate the observed module is behaving anomalously”. [0054], “The classifier models may be preinstalled on the observer module, downloaded or received from a network server, generated in the observer module, or any combination thereof. The classifier models may be generated by using behavior modeling techniques, machine learning algorithms, or other methods of generating classifier models”. [0065], “… each observer module may observe the behavior or behaviors of an observed module. Each observer module may observe behavior(s) of a plurality of observed modules. Each observer module may have a different perspective on the behavior of the observed module, as each observer module may have different quantities and/or qualities of interactions with the observed module. Thus, different observer modules may observe different behaviors from the observed module. The observed module's behavior may include or be based on one or more of messages, instructions, memory accesses, requests, data transformations, activities, conditions, operations, events, and other module behavior observed over a communication link between the observer module and the observed module.” [0007], "In some aspects, a step for generating, by each of the observer modules, a behavior representation based on the behavior of the observed module may include a step for generating, by each of the observer modules, a behavior vector based on the behavior of the observed module, and a step for applying, by each of the observer modules, the behavior representation to a behavior classifier model for the observed module may include a step for applying, by each of the observer modules, the behavior vector to a behavior classifier model for the observed module." In other words, the classifier model of Gupta is generated in an observer module by a machine learning algorithm, etc., the observed module may be observed from different perspectives in different observer modules (in other words, as a plurality of models), and a behavior vector (the behavior vector in which real-time data of a sensor or hardware or software behavior is mapped to an n-dimensional space) is applied to a behavior classifier model for the observed module.); and 
the plurality of detectors each of which learns, when the observed module for learning is allocated, a model for detecting whether the observed module allocated to the detector is normal or abnormal, and detects, when the observed module for detection is allocated, whether the observed module for detection is normal or abnormal based on the learned model ([0030], the observer module may be configured to generate a behavior vector of size “n” that maps the observer real-time data into an n-dimensional space. Each number or symbol in the behavior vector (i.e., each of the “n” values stored by the vector) may represent the value of a feature. The observer module may analyze the behavior vector (e.g., by applying the behavior vector to a model of various observed modules to evaluate the behavior of each observed module. [0031], “A model of an observed module may identify one or more features of observable behavior of the observed module that may indicate the observed module is behaving anomalously”. [0054], “The classifier models may be preinstalled on the observer module, downloaded or received from a network server, generated in the observer module, or any combination thereof. The classifier models may be generated by using behavior modeling techniques, machine learning algorithms, or other methods of generating classifier models”. [0065], “… each observer module may observe the behavior or behaviors of an observed module. Each observer module may observe behavior(s) of a plurality of observed modules. Each observer module may have a different perspective on the behavior of the observed module, as each observer module may have different quantities and/or qualities of interactions with the observed module. Thus, different observer modules may observe different behaviors from the observed module. The observed module's behavior may include or be based on one or more of messages, instructions, memory accesses, requests, data transformations, activities, conditions, operations, events, and other module behavior observed over a communication link between the observer module and the observed module.” [0007], "In some aspects, a step for generating, by each of the observer modules, a behavior representation based on the behavior of the observed module may include a step for generating, by each of the observer modules, a behavior vector based on the behavior of the observed module, and a step for applying, by each of the observer modules, the behavior representation to a behavior classifier model for the observed module may include a step for applying, by each of the observer modules, the behavior vector to a behavior classifier model for the observed module." In other words, the classifier model of Gupta is generated in an observer module by a machine learning algorithm, etc., the observed module may be observed from different perspectives in different observer modules (in other words, as a plurality of models), and a behavior vector (the behavior vector in which real-time data of a sensor or hardware or software behavior is mapped to an n-dimensional space) is applied to a behavior classifier model for the observed module. [0053, 0068], indicates that a normal and abnormal classification is made as an observation result). 
However, Gupta fails to explicitly disclose the apparatus wherein determining whether the communication data to the detector is normal or abnormal (instead of determining whether the observed module to the detector is normal or abnormal).  
However, Gupta indicates, in respect of an abnormality in an observed module, that abnormal communication is also envisaged ([0002], "maintaining system integrity against malfunctions and malicious attacks is of increasing importance." And [0023], "may independently determine whether a particular module is behaving anomalously (e.g., is malfunctioning, or has been compromised by malware)"). Substituting communication data for observation were know in the art.
One of ordinary skill in the art could have substituted one know element for another, and the results of the substitution would have been predictable (KSR scenario B. Simple substitution of one known element for another to obtain predictable results).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gupta, and determining whether the communication data to the detector is normal or abnormal. The motivation for doing this is that difference aspect of data can be observed so that the application of Gupta can be broadened.
 
Regarding claim 2 (depends on claim 1), Gupta discloses the apparatus wherein, when the communication data is the communication data transmitted from the electronic control apparatus having a plurality of machine states, the knowledge information acquiring part acquires the knowledge information for each of the machine 2Docket No. 526759USPreliminary Amendmentstates, the allocation rule generating part generates the allocation rules for each of the machine states, and each of the detectors learns the model for each of the machine states ( [0065] indicates that an observed module may be observed from different perspectives in different observer modules (in other words, as a plurality of models). In this respect, the "perspective" in document 1 corresponds to the "state" of the present application. Therefore, it is considered that the invention of the present application could be conceived of easily on the basis of Gupta).  

Regarding claim 3 (depends on claim 1), Gupta discloses the apparatus comprising a particular detector group that is a group of detectors having the same performance; wherein the allocation rule generating part generates the allocation rules so that a total communication amount of the communication data allocated to each of the detectors belonging to the particular detector group per unit time is equal ([0071], indicates that an ensemble of classifications (normal/abnormal) of a plurality of observer modules are determined, and hence the classifications are determined from the results of a plurality of modules).

Regarding claim 4 (depends on claim 1), Gupta discloses the apparatus wherein the allocation rule generating part generates the allocation rules so that the communication data is allocated to the plurality of detectors at the same time; and the abnormal communication detection apparatus comprises a detection results aggregating part aggregating detection results by the plurality of detectors for the communication data and outputting a final detection result of the communication data based on the aggregated detection results ([0071], indicates that an ensemble of classifications (normal/abnormal) of a plurality of observer modules are determined, and hence the classifications are determined from the results of a plurality of modules).  

Regarding claims 5 – 7 and 10, they are corresponding to claims 1 – 4, respectively, thus, they are rejected for the reasons set forth above in the rejection of claims 1 – 4.

Regarding claim 8, it is corresponding to claim, thus, it is rejected for the reasons set forth above in the rejection of claim 1.

Regarding claims 9 and 11, they are corresponding to claims 3 – 4, respectively, thus, they are rejected for the reasons set forth above in the rejection of claims 3 – 4.

Regarding claims 12 and 13, they are corresponding to claims 4 and 3, respectively, thus, they are rejected for the reasons set forth above in the rejection of claims 4 and 3.

Regarding claims 14 - 20, they are corresponding to claims 2 – 4 and 9 – 12, respectively, thus, they are rejected for the reasons set forth above in the rejection of claims 2 – 4 and 9 – 12.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QIAN YANG whose telephone number is (571)270-7239.  The examiner can normally be reached on Monday-Thursday 6am-6pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vu Le can be reached on 571-272-7332.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/QIAN YANG/Primary Examiner, Art Unit 2668