DETAILED ACTION
This first non-final action is in response to applicants’ original filing on 03/03/2021.  Claims 1-17 are currently pending and have been considered as follows.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Priority
Acknowledgment is made of applicants’ claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been retrieved on 04/26/2021.
Drawings
The drawings filed on 03/03/2021 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/03/2021 has been placed in the application file, and the information referred therein has been considered as to the merits.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 6-8, 12-15, and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 recites “communicate with an outside” in lines 3-4 but is vague and indefinite as to what the meaning of “an outside” constitutes technically.
Claim 6 recites “the threshold value is smaller as the anomaly location is farther from an external communication electronic controller” in lines 5-6 which is unclear and indefinite.  The terms “smaller” and “farther” in claim 6 are relative terms which render the claim indefinite.  The specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  It is unclear and ambiguous as to whether the threshold value and anomaly location are static or dynamically changed or whether they are singular or plural in number. 
Claim 7 recites “the threshold value for the anomaly location that is the electronic controller for controlling a component of the moving object is the smallest” in lines 6-7.  This language is unclear and indefinite because there could be more than one electronic controller meeting this condition “for controlling a component of the moving object” since a vehicle (i.e. moving object) comprises a plurality of electronic controllers for controlling a plurality of components.  Therefore, there would be no smallest threshold value for anomaly locations meeting this same condition because they would have equally small threshold values.
Claim 8 recites “the anomaly location that is the network” in line 5 but this is unclear and indefinite since the resulting claim does not clearly set forth the metes and bounds in ascertaining the location that is “the network”.  One of ordinary skill in the art understands the common and ordinary meaning of “the network” to comprise multiple nodes/elements communicatively coupled to each other either locally or remotely (i.e. LAN or WAN).  It is ambiguous as to what “location” is referred to on “the network” since a network comprises multiple logical/physical locations.
Claim 12 recites the limitations "the first security device" in line 5 and “the second security device” in line 8.  There is insufficient antecedent basis for these limitations in the claim.
Claim 12 recites “a second security management device is provided outside the system” in line 4, but it is unclear and indefinite as to whether applicants’ claimed invention attempts to include “the system” itself and “a second security management device”.  Claim 1 is directed to a “security management device” which itself does not comprise “a system” nor “a second security management device” provided outside the system.  Since these elements are not specifically nor positively recited as part of Claim 1’s security management device, the features pertaining to the “second security management device” are extraneous to the scope of the claimed invention.
Claim 13 recites the limitations "the first security device" in line 5 and “the second security device” in line 8.  There is insufficient antecedent basis for these limitations in the claim.
Claim 13 recites “a first security management device is provided inside the system” in line 4, but it is unclear and indefinite as to whether applicants’ claimed invention attempts to include “the system” itself and the “first security management device”.  Claim 1 is directed to a “security management device” which itself does not comprise “a system” nor the “first security management device” provided inside the system.  Since these elements are not specifically nor positively recited as part of Claim 1’s security management device, the features pertaining to the “first security management device” are extraneous to the scope of the claimed invention.  
Claim 14 recites “a second security management device is provided outside the system” in line 4, but it is unclear and indefinite as to whether applicants’ claimed invention attempts to include “the system” itself and “a second security management device”.  Claim 1 is directed to a “security management device” which itself does not comprise “a system” nor “a second security management device” provided outside the system.  Since these elements are not specifically nor positively recited as part of Claim 1’s security management device, the features pertaining to the “second security management device” are extraneous to the scope of the claimed invention.
Claim 14 further recites “in layers farther from the external communication electronic controller” in lines 6-7 and “in layers closer to the external communication electronic controller” in lines 9-10.  The terms “farther” and “closer” in claim 14 are relative terms which render the claim indefinite. The terms “farther” and “closer” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  It is unclear and ambiguous as to what specific position layers are considered farther or closer.
Claim 15 recites “a first security management device is provided inside the system” in line 4, but it is unclear and indefinite as to whether applicants’ claimed invention attempts to include “the system” itself and the “first security management device”.  Claim 1 is directed to a “security management device” which itself does not comprise “a system” nor the “first security management device” provided inside the system.  Since these elements are not specifically nor positively recited as part of Claim 1’s security management device, the features pertaining to the “first security management device” are extraneous to the scope of the claimed invention.  
Claim 15 further recites “in layers farther from the external communication electronic controller” in lines 6-7 and “in layers closer to the external communication electronic controller” in lines 9-10.  The terms “farther” and “closer” in claim 15 are relative terms which render the claim indefinite. The terms “farther” and “closer” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.  It is unclear and ambiguous as to what specific position layers are considered farther or closer.
Claim 17 recites the limitation "the determination result" in line 9.  There is insufficient antecedent basis for this limitation in the claim.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a management unit”, “a determination unit”, “an output unit” in Claim 1, “a second security management device” in Claims 12 and 14, “a first security management device” in Claims 13 and 15.
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification on pages 6-7 as performing the claimed function, and equivalents thereof.
If applicant does not intend to have these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by GALULA et al. (US 20160381067 A1, hereinafter Galula).
As to Claim 1:
Galula discloses a security management device (e.g. Galula “A system and method according to some embodiments of the invention may include or use one or more computing devices in order to detect or identify security threats, detect or identify events or states that may jeopardize the security or proper function of a system and/or a network. In some embodiments and as described, one or more computing devices may be used in order to enforce security in network. For example, a system according to some embodiments may include one or more computing devices 100 as described herein” [0036]; [0037]; [0038]) comprising:
a management unit (e.g. Galula computing device’s controller, processor CPU, etc. [0037]; security enforcement units SEU [0038]) configured to manage an anomaly location of an anomaly (e.g. Galula “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]) in a system in which electronic controllers are connected through a network (e.g. Galula “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]; ECUs on high-speed CAN bus [0077]; in-vehicle network [0078]), and an anomaly amount in the anomaly location (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]);
a determination unit (e.g. Galula computing device’s controller, processor CPU, etc. [0037]; security enforcement units SEU [0038]) configured to determine whether or not to implement countermeasures against the anomaly based on the anomaly location and the anomaly amount (e.g. Galula “If one or more of the counts or counters exceeds its respective maximum then, as shown by block 535, a flow may include generating an alert that a number of detected anomalies requires attention and/or undertake any, or any combination of more than one, of various response actions to log and/or report the anomalies, and or, to mitigate, and/or control an effect that the anomalous messages MSG(IDn) or their cause may have on vehicle 30 and/or on an in-vehicle network” [0105]; “an SEU may determine a message related to an anomaly based on a confidence level. In some embodiments, an SEU may select whether or not to perform an action and/or select an action to be performed based on a confidence level that may be determined with respect to an identification of an anomaly” [0214]; [0233]; [0235]; “An SEU may select, per ID, whether or not to perform an action based on a confidence level or value. For example, based on data in a model, an SEU may take no action if incompliance with a model is identified with a confidence level or value of 0.3 for messages with ID seven (“7”) but may alert or disconnect a node from a network, if incompliance the same confidence level of 0.3, for messages with ID six (“6”) is detected” [0236]); and
an output unit (e.g. Galula computing device’s controller, processor CPU, etc. [0037]; security enforcement units SEU [0038]) configured to output an instruction based on a determination result by the determination unit (e.g. Galula “an SEU may perform one or more actions, e.g., the SEU may isolate a portion of the network from the rest of the in-vehicle communication network in order to isolate the source of the message” [0213]; “Upon, or based on identifying an anomaly or a message related to an anomaly, e.g., an anomaly related to content as described, an SEU may select to perform one or more actions, e.g., disable a component connected to a network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert” [0216]; “An action may be selected based on a confidence level or value… may generate an alert if an anomaly… may disconnect from a network the node that sends the messages with the specific ID” [0237]).
As to Claim 2:
Galula discloses the security management device according to claim 1, wherein the anomaly location is identified as a layer of a hierarchy whose reference layer is an external communication electronic controller configured to communicate with an outside (e.g. Galula FIG. 1C “FIG. 1C that shows a schematic block diagram of components of a system 60 according to illustrative embodiments of the present invention. As shown, system 60 may include an in-vehicle CAN 61 communication network analyzed or protected by a set of SEUs (e.g., SEU similar to SEUs 40), in accordance embodiments of the present invention. FIG. 1C shows a schematic block diagram of portions of an in-vehicle communication network that may be CAN 61 and CAN 71. As shown, an in-vehicle communication network that may include two portions (e.g., CAN 61 and CAN 71) may be protected by a set of SEUs 40A, 40B, 40C and 40D that may protect the network and specific control systems included in vehicle 30” [0074]; “The control systems and/or their respective components may be connected to, for example, high-speed and medium-speed CAN buses (or other bus bars or systems as known in the art) 61 and 71. For example, medium-speed CAN bus 71 may be a class B CAN bus that operates at data transmission speeds of up to 125 kilobits per second (Kbps), to support communications between nodes, such as components of vehicle body control systems and infotainment systems that can function properly receiving and transmitting data at relatively low data transmission rates. By way of example, medium-speed CAN bus 71 is schematically shown connected to nodes that are, as shown, headlights 72, instrument display 73, environment control 74, door control 75 and rear light control 76” [0075]; [0079]; wireless communication interface for entities outside of or external to the in-vehicle communication network [0085]; external hub [0120]).
As to Claim 3:
Galula discloses the security management device according to claim 1, wherein the anomaly location is identified as a set of the electronic controllers having a specific function (e.g. Galula ECUs of various control systems for engine control, suspension control, traction control, gearbox control, etc. [0077]; “a context may be related to an in-vehicle network (e.g., an intrusion to the network was detected) and a context may be related to nodes attached to an in-vehicle network (e.g., a fault in, or malfunction of, a node or component attached to the in-vehicle network detected). A context may be a combination of contexts or a complex context. For example, with respect to table 590, if a vehicle is accelerating and the engine is running then a combined or complex context as defined and used by an SEU 40 may be “A/B”. For example, a context of “A/B” may be treated, or identified, by an embodiment, as normal while a context of “A” without “B” may indicate an anomaly or even real danger” [0127]; “a plurality of ECUs connected to an in-vehicle network; receive a data communication associated with one of the ECUs; compare, the received data communication with the behavior model or examine the received data communication with respect to the behavior model; determine, based on the comparing or examination, whether or not the received data communication complies with the behavior model; and, if the data communication does not comply with the model then perform, at least one action related to the message” [0203]).
As to Claim 4:
Galula discloses the security management device according to claim 1, wherein the anomaly amount is a number of times the anomaly occurred (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]).
As to Claim 5:
Galula discloses the security management device according to claim 1, wherein the anomaly amount is (i) a time length for which the anomaly continued, (ii) a size of abnormal data, or (iii) a number of abnormal data (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]).
As to Claim 6:
Galula discloses the security management device according to claim 1, wherein the determination unit is configured to determine to implement countermeasures when the anomaly amount is equal to or greater than a threshold value set for each anomaly location (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]), the threshold value is smaller as the anomaly location is farther from an external communication electronic controller (e.g. Galula  wireless communication interface for entities outside of or external to the in-vehicle communication network [0085]; “Several SEUs, each installed in a different network may be linked together by at least one common external hub. The hub may orchestrate and manage the parameters of the SEUs in all these networks. For example, several vehicles in a fleet may all be communicating with the same hub, which may issue configuration updates to all the SEUs in the fleet. The hub may be cloud based” [0120]).
As to Claim 7:
Galula discloses the security management device according to claim 1, wherein the system is mounted on a moving object (e.g. Galula FIG. 1B components in-vehicle [0038]; “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]), the determination unit is configured to determine to implement countermeasures when the anomaly amount is equal to or greater than a threshold value set for each anomaly location (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]), and the threshold value for the anomaly location that is the electronic controller for controlling a component of the moving object is the smallest.
As to Claim 8:
Galula discloses the security management device according to claim 1, wherein the determination unit is configured to determine to implement countermeasures when the anomaly amount is equal to or greater than a threshold value set for each anomaly location (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]), and the threshold value for the anomaly location that is the network is smaller than the threshold value for another anomaly location that is the electronic controller.
As to Claim 9:
Galula discloses the security management device according to claim 1, wherein the security management device is provided in one or more electronic controllers in the system (e.g. Galula “Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. For example, by executing executable code 125 stored in memory 120, controller 105, e.g., when included in a security enforcement unit as described, may be configured to carry out a method of enforcing security, signal analysis and/or cyber-security” [0038]; “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]).
As to Claim 10:
Galula discloses the security management device according to claim 1, wherein the security management device is provided in one or both of a central electronic controller and an external communication electronic controller (e.g. Galula “Computing device 100 may include a controller 105 that may be, for example, a central processing unit processor (CPU), a chip or any suitable computing or computational device, an operating system 115, a memory 120, executable code 125, a storage system 130 that may include a model 136, input devices 135 and output devices 140. Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “Several SEUs, each installed in a different network may be linked together by at least one common external hub. The hub may orchestrate and manage the parameters of the SEUs in all these networks. For example, several vehicles in a fleet may all be communicating with the same hub, which may issue configuration updates to all the SEUs in the fleet. The hub may be cloud based” [0120]).
As to Claim 11:
Galula discloses the security management device according to claim 1, wherein the security management device is provided outside the system (e.g. Galula “Several SEUs, each installed in a different network may be linked together by at least one common external hub. The hub may orchestrate and manage the parameters of the SEUs in all these networks. For example, several vehicles in a fleet may all be communicating with the same hub, which may issue configuration updates to all the SEUs in the fleet. The hub may be cloud based” [0120]).
As to Claim 12:
Galula discloses the security management device according to claim 1, the security management device being provided inside the system as a first security management device (e.g. Galula “Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. For example, by executing executable code 125 stored in memory 120, controller 105, e.g., when included in a security enforcement unit as described, may be configured to carry out a method of enforcing security, signal analysis and/or cyber-security” [0038]; “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]), wherein a second security management device is provided outside the system, the first security device is actuated when a communication between the first security management device and the second security management device is unavailable, and the second security device is actuated when the communication between the first security management device and the second security management device is available (e.g. Galula “Several SEUs, each installed in a different network may be linked together by at least one common external hub” [0120]).
As to Claim 13:
Galula discloses the security management device according to claim 1, the security management device being provided outside the system as a second security management device (e.g. Galula “Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. For example, by executing executable code 125 stored in memory 120, controller 105, e.g., when included in a security enforcement unit as described, may be configured to carry out a method of enforcing security, signal analysis and/or cyber-security” [0038]; “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]), wherein a first security management device is provided inside the system, the first security device is actuated when a communication between the first security management device and the second security management device is unavailable, and the second security device is actuated when the communication between the first security management device and the second security management device is available (e.g. Galula “an SEU may include an authentication module 47 for authenticating messages the SEU receives and a wireless communication interface 48 for communicating with entities outside of, or external to, an in-vehicle communication network (e.g., external to CAN 61) via a wireless communication channel. For example, wireless interface 48 may provide connectivity to a WiFi network, and/or a Bluetooth channel and/or a mobile phone network such as a 3G network” [0085]).
As to Claim 14:
Galula discloses the security management device according to claim 2, the security management device being provided inside the system as a first security management device (e.g. Galula “Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. For example, by executing executable code 125 stored in memory 120, controller 105, e.g., when included in a security enforcement unit as described, may be configured to carry out a method of enforcing security, signal analysis and/or cyber-security” [0038]; “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]), wherein a second security management device is provided outside the system, the first security management device is configured to manage the anomaly location and the anomaly amount of the anomaly occurred in layers farther from the external communication electronic controller (e.g. Galula FIG. 1C “FIG. 1C that shows a schematic block diagram of components of a system 60 according to illustrative embodiments of the present invention. As shown, system 60 may include an in-vehicle CAN 61 communication network analyzed or protected by a set of SEUs (e.g., SEU similar to SEUs 40), in accordance embodiments of the present invention. FIG. 1C shows a schematic block diagram of portions of an in-vehicle communication network that may be CAN 61 and CAN 71. As shown, an in-vehicle communication network that may include two portions (e.g., CAN 61 and CAN 71) may be protected by a set of SEUs 40A, 40B, 40C and 40D that may protect the network and specific control systems included in vehicle 30” [0074]; “The control systems and/or their respective components may be connected to, for example, high-speed and medium-speed CAN buses (or other bus bars or systems as known in the art) 61 and 71. For example, medium-speed CAN bus 71 may be a class B CAN bus that operates at data transmission speeds of up to 125 kilobits per second (Kbps), to support communications between nodes, such as components of vehicle body control systems and infotainment systems that can function properly receiving and transmitting data at relatively low data transmission rates. By way of example, medium-speed CAN bus 71 is schematically shown connected to nodes that are, as shown, headlights 72, instrument display 73, environment control 74, door control 75 and rear light control 76” [0075]; [0079]; wireless communication interface for entities outside of or external to the in-vehicle communication network [0085]; external hub [0120]), and the second security management device is configured to manage the anomaly location and the anomaly amount of the anomaly occurred in layers closer to the external communication electronic controller.
As to Claim 15:
Galula discloses the security management device according to claim 2, the security management device being provided outside the system as a second security management device (e.g. Galula “Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. For example, by executing executable code 125 stored in memory 120, controller 105, e.g., when included in a security enforcement unit as described, may be configured to carry out a method of enforcing security, signal analysis and/or cyber-security” [0038]; “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]), wherein a first security management device is provided inside the system, the first security management device is configured to manage the anomaly location and the anomaly amount of the anomaly occurred in layers farther from the external communication electronic controller, and the second security management device is configured to manage the anomaly location and the anomaly amount of the anomaly occurred in layers closer to the external communication electronic controller (e.g. Galula FIG. 1C “FIG. 1C that shows a schematic block diagram of components of a system 60 according to illustrative embodiments of the present invention. As shown, system 60 may include an in-vehicle CAN 61 communication network analyzed or protected by a set of SEUs (e.g., SEU similar to SEUs 40), in accordance embodiments of the present invention. FIG. 1C shows a schematic block diagram of portions of an in-vehicle communication network that may be CAN 61 and CAN 71. As shown, an in-vehicle communication network that may include two portions (e.g., CAN 61 and CAN 71) may be protected by a set of SEUs 40A, 40B, 40C and 40D that may protect the network and specific control systems included in vehicle 30” [0074]; “The control systems and/or their respective components may be connected to, for example, high-speed and medium-speed CAN buses (or other bus bars or systems as known in the art) 61 and 71. For example, medium-speed CAN bus 71 may be a class B CAN bus that operates at data transmission speeds of up to 125 kilobits per second (Kbps), to support communications between nodes, such as components of vehicle body control systems and infotainment systems that can function properly receiving and transmitting data at relatively low data transmission rates. By way of example, medium-speed CAN bus 71 is schematically shown connected to nodes that are, as shown, headlights 72, instrument display 73, environment control 74, door control 75 and rear light control 76” [0075]; [0079]; wireless communication interface for entities outside of or external to the in-vehicle communication network [0085]; external hub [0120]).
As to Claim 16:
Galula discloses a security management method (e.g. Galula “A system and method according to some embodiments of the invention may include or use one or more computing devices in order to detect or identify security threats, detect or identify events or states that may jeopardize the security or proper function of a system and/or a network. In some embodiments and as described, one or more computing devices may be used in order to enforce security in network. For example, a system according to some embodiments may include one or more computing devices 100 as described herein” [0036]; [0037]; [0038]) comprising:
acquiring an anomaly location of an anomaly in a system in which a plurality of electronic controllers are connected through a network (e.g. Galula “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]; “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]; ECUs on high-speed CAN bus [0077]; in-vehicle network [0078]), and an anomaly amount in the anomaly location (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]);
determining whether or not to implement countermeasures against the anomaly based on the anomaly location and the anomaly amount (e.g. Galula “If one or more of the counts or counters exceeds its respective maximum then, as shown by block 535, a flow may include generating an alert that a number of detected anomalies requires attention and/or undertake any, or any combination of more than one, of various response actions to log and/or report the anomalies, and or, to mitigate, and/or control an effect that the anomalous messages MSG(IDn) or their cause may have on vehicle 30 and/or on an in-vehicle network” [0105]; “an SEU may determine a message related to an anomaly based on a confidence level. In some embodiments, an SEU may select whether or not to perform an action and/or select an action to be performed based on a confidence level that may be determined with respect to an identification of an anomaly” [0214]; [0233]; [0235]; “An SEU may select, per ID, whether or not to perform an action based on a confidence level or value. For example, based on data in a model, an SEU may take no action if incompliance with a model is identified with a confidence level or value of 0.3 for messages with ID seven (“7”) but may alert or disconnect a node from a network, if incompliance the same confidence level of 0.3, for messages with ID six (“6”) is detected” [0236]); and
outputting an instruction based on a determination result in the determining (e.g. Galula “an SEU may perform one or more actions, e.g., the SEU may isolate a portion of the network from the rest of the in-vehicle communication network in order to isolate the source of the message” [0213]; “Upon, or based on identifying an anomaly or a message related to an anomaly, e.g., an anomaly related to content as described, an SEU may select to perform one or more actions, e.g., disable a component connected to a network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert” [0216]; “An action may be selected based on a confidence level or value… may generate an alert if an anomaly… may disconnect from a network the node that sends the messages with the specific ID” [0237]).
As to Claim 17:
Galula discloses a computer program product stored on a non-transitory computer readable medium and comprising instructions configured to (e.g. Galula “providing security to an in-vehicle communication network may include a non-transitory computer readable medium or computer storage medium (e.g., memory 120 or memory 45) including instructions (e.g., executable code 125) that, when executed by at least one processor (e.g., controller 105), cause the at least one processor to perform methods” [0133]), when executed by a security management device, cause the security management device to:
acquire an anomaly location of an anomaly in a system in which a plurality of electronic controllers are connected through a network (e.g. Galula “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]; “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]; ECUs on high-speed CAN bus [0077]; in-vehicle network [0078]), and an anomaly amount in the anomaly location (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]);
determine whether or not to implement countermeasures against the anomaly based on the anomaly location and the anomaly amount (e.g. Galula “If one or more of the counts or counters exceeds its respective maximum then, as shown by block 535, a flow may include generating an alert that a number of detected anomalies requires attention and/or undertake any, or any combination of more than one, of various response actions to log and/or report the anomalies, and or, to mitigate, and/or control an effect that the anomalous messages MSG(IDn) or their cause may have on vehicle 30 and/or on an in-vehicle network” [0105]; “an SEU may determine a message related to an anomaly based on a confidence level. In some embodiments, an SEU may select whether or not to perform an action and/or select an action to be performed based on a confidence level that may be determined with respect to an identification of an anomaly” [0214]; [0233]; [0235]; “An SEU may select, per ID, whether or not to perform an action based on a confidence level or value. For example, based on data in a model, an SEU may take no action if incompliance with a model is identified with a confidence level or value of 0.3 for messages with ID seven (“7”) but may alert or disconnect a node from a network, if incompliance the same confidence level of 0.3, for messages with ID six (“6”) is detected” [0236]); and
output an instruction based on the determination result (e.g. Galula “an SEU may perform one or more actions, e.g., the SEU may isolate a portion of the network from the rest of the in-vehicle communication network in order to isolate the source of the message” [0213]; “Upon, or based on identifying an anomaly or a message related to an anomaly, e.g., an anomaly related to content as described, an SEU may select to perform one or more actions, e.g., disable a component connected to a network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert” [0216]; “An action may be selected based on a confidence level or value… may generate an alert if an anomaly… may disconnect from a network the node that sends the messages with the specific ID” [0237]).
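The per-source mismatch limits and per-ID action selection in the Galula passages quoted for claims 16 and 17 ([0216], [0230], [0236]) can be illustrated as follows. This is an added example, not code from Galula, the application or the examiner; the class and function names, the 4-bit rolling counter, the default limit, the clamp in the confidence ratio and the 0.8 floor for ID 7 are assumptions.

```python
from collections import deque

WINDOW_S = 10.0  # observation window quoted from Galula [0230]

# Counter-mismatch limits per source ("anomaly location"), from [0230].
# The dictionary keys are labels chosen here for the two units named there.
MISMATCH_LIMIT = {"traction_control_64": 5, "anti_skid_braking_66": 7}
DEFAULT_LIMIT = 5  # assumption: limit for sources the model does not list

# Per-ID confidence floor and action, after [0236]: ID 6 acts at 0.3, ID 7
# does not. The 0.8 floor for ID 7 is an assumption made for this example.
ACTION_POLICY = {6: (0.3, "disconnect_node"), 7: (0.8, "alert")}

# Constructed trace of (timestamp_s, rolling_counter) for one source.
# Frames at 2.1, 4.1 and 6.1 s stand in for injected messages.
SAMPLE = [(0.0, 0), (1.0, 1), (2.0, 2), (2.1, 9), (3.0, 3), (4.0, 4),
          (4.1, 9), (5.0, 5), (6.0, 6), (6.1, 0), (7.0, 7)]


class MismatchMonitor:
    """Counts rolling-counter mismatches per source over a sliding window."""

    def __init__(self, counter_modulus=16):  # assumed 4-bit rolling counter
        self.mod = counter_modulus
        self.last = {}  # source -> last counter value seen
        self.hits = {}  # source -> deque of mismatch timestamps

    def observe(self, ts, source, counter):
        """Feed one frame; return (location, amount, countermeasure needed)."""
        hits = self.hits.setdefault(source, deque())
        prev = self.last.get(source)
        if prev is not None and counter != (prev + 1) % self.mod:
            hits.append(ts)          # counter did not advance by one
        self.last[source] = counter  # resynchronise on the frame just seen
        while hits and ts - hits[0] > WINDOW_S:
            hits.popleft()           # forget mismatches older than the window
        amount = len(hits)
        limit = MISMATCH_LIMIT.get(source, DEFAULT_LIMIT)
        return source, amount, amount > limit  # "more than" the limit


def replay(source, frames=SAMPLE):
    """Run a trace for one source and return every per-frame result."""
    monitor = MismatchMonitor()
    return [monitor.observe(ts, source, ctr) for ts, ctr in frames]


def confidence(amount):
    """[0216]: anomalous messages per time period; the clamp is an assumption."""
    return min(1.0, amount / WINDOW_S)


def select_action(msg_id, conf):
    """Return the instruction for this message ID, or "none"."""
    policy = ACTION_POLICY.get(msg_id)
    if policy is None:
        return "none"
    floor, action = policy
    return action if conf >= floor else "none"


if __name__ == "__main__":
    for name in MISMATCH_LIMIT:
        print(name, replay(name)[-1])
    print(select_action(6, confidence(3)), select_action(7, confidence(3)))
```

The same constructed trace produces six mismatches for either source, but only the traction control unit's limit of five is exceeded, so the decision turns on the location as well as the amount.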
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Litichever et al. (US 20150020152 A1) is cited for protecting a vehicle electronic system by preventing malicious messages at ECUs.
Valasek et al. (US 20150113638 A1) is cited for detecting threats or attacks on an automobile network by monitoring data messages.
Sonalker et al. (US 20160188396 A1) is cited for an anomaly detector for CAN bus on vehicles implemented on ECUs.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani, can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/
Primary Examiner, Art Unit 2438

06.14.2022