DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication (Preliminary Amendment) filed on 04/10/2020.
Status of claims in the instant application:
Claims 1-41 are pending.
Priority
This application is a 371 of PCT/JP2018/039296 filed 10/23/2018, which claims priority to the foreign application for patent “JAPAN 2017-208801 filed on 10/30/2017”.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 04/10/2020 and 08/14/2020 have been considered, and signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 04/10/2020 have been inspected, and they are in compliance with MPEP 608.02.
Specification
Specification filed on 04/10/2020 has been inspected and it’s in compliance with MPEP 608.01.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
	(1) “a receiving unit that receives …”; recited in claims 1 and 2.
	(2) “sum-of-communication-intervals calculation unit that calculates …”; recited in claims 1 and 2.
	(3) “a detection unit that detects …”; recited in claims 1, 2, 4 and 10.
	(4) “a learning unit that …”; recited in claims 2, 5, 6 and 11-22.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
Examiner has investigated the specification/disclosure of the instant application and finds the following (in the published application, US 20200259846 A1):
“[0045] <Receiving Unit 11 (at the Time of Learning)>
[0046] The receiving unit 11 receives communication data for learning, which is a communication on a machine control information communication network or communication data generated by, for example, processing a communication and does not include an attack communication (S11-1). The receiving unit 11 assigns a communication time to each unit of data (for example, each packet or each frame) of the communication data for learning. It is assumed that the communication data for learning is distinguished from each other on a communication ID-by-communication ID basis and the following steps are executed on the communication data for learning with different IDs independently for each ID.
[0047] The receiving unit 11 may obtain a communication by intercepting a network or gateway or may separately obtain communication data as data such as a log from the other monitoring apparatus. The receiving unit 11 assigns the reception time (communication time) to a communication obtained by the interception; however, time assignment may be omitted when the communication data has been obtained as data such as a log and the reception time (communication time) has already been assigned thereto. The receiving unit 11 may select only a communication on which detection is to be performed by checking the ID of the communication and accept the selected communication.
[0052] <Learning Unit 14>
[0053] The learning unit 14 learns the estimated distribution of the communication interval of the communication data for learning, the estimated distribution of the sum of communication intervals of the communication data for learning, the threshold T for these estimated distributions, and so forth by using the communication interval and the sum of communication intervals calculated in Step S13-1 with the assumed distribution and the maximum false detection rate (or the minimum detection rate) designated in the setting being used as conditions (S14). These estimated distributions, threshold T, and so forth are stored in the estimated distribution model storage 15 as an estimated distribution model.
[0054] For instance, the learning unit 14 determines estimated distributions and the threshold T for each ID using the communication interval and the sum of communication intervals calculated in Step S13-1 as sample data with the assumed distribution, the maximum false detection rate (or the minimum detection rate), and so forth designated in the setting (which is entered by an administrator of the device) being used as conditions, learns them as an estimated distribution model, and records the estimated distribution model on the estimated distribution model storage 15.
[0055] The learning unit 14 compiles a certain amount of sample data, executes preprocessing thereon, and then determines the estimated distributions. Examples of preprocessing of sample data include arranging the data depending on how large the value is and removing the top and bottom few percent of the data to curb the influence of an exception value. On the other hand, if possible, the learning unit 14 may perform learning by a method by which the learning unit 14 sequentially processes the sample data one by one without compiling the sample data and updates the estimated distribution model. For example, when the normal distribution is used, it is possible to perform sequential processing using a moment.
[0066] <Detection Unit 16>
[0067] The detection unit 16 detects whether or not the communication data for detection includes an attack communication based on the estimated distribution model and the sum of communication intervals of the communication data for detection (S16).
[0068] More specifically, the detection unit 16 compares the sum of communication intervals, which is sequentially calculated in Step S13-2, with the estimated distribution model stored in the estimated distribution model storage 15, and judges that the communication data for detection includes an attack communication if the sum of communication intervals of the communication data for detection at an arbitrary time is less than or equal to the threshold T for the estimated distributions and outputs the detection result (S16). As described earlier, the threshold T may be calculated in advance at the time of learning or may be calculated by the detection unit 16 as occasion arises. Detection processing may be performed every time a communication is received or may be performed on a certain number of communications.
[0069] The detection result indicating an abnormal communication or a normal communication may be output, or the detection result may be output only when an abnormal communication has been performed. Information by which the communication data for detection is identified, such as a reception time or an ID, may be assigned to the detection result. When abnormalities are consecutively detected in communications with the same ID, they may be collected and output or they may be collected and output with an abnormality detection start time, an end time, the ID, and so forth assigned thereto. The detection unit 16 may transmit the detection result through a network or may provide transmission and notification of the detection result via the other device.
[0070] When an attack communication is frequently inserted, the attack communication collides with a normal communication and one of the communications is sometimes not sent. In this case, the receiving unit 11 may receive an error frame which is transmitted in CAN, infer the communication which has not been sent based on the error frame, and treat the communication the same as a regular communication. When an attack communication collides with a normal communication and only the attack communication is sent, the communication interval and the sum of communication intervals in this case cannot be distinguished from those observed when the normal communication is performed. However, as described above, with an error frame taken into consideration, these communications can be treated as two communications: the normal communication and the attack communication that have been sent at the same time, which makes it possible to distinguish the communication interval and the sum of communication intervals observed when the attack communication is performed from those observed when the normal communication is performed.
[0071] The attack communication detection device 1 may be configured as a device that performs only learning, from which the detection unit 16 is removed, and a device that performs only detection, from which the learning unit 14 is removed. The device that performs only learning stores the estimated distribution model in the estimated distribution model storage 15 as the result of learning. By storing the stored estimated distribution model in the estimated distribution model storage 15 of the device that performs only detection, it is possible to perform detection in the device without learning. The device that performs only detection will be described later in a first modification.
[0050] <Communication Interval And Sum-of-Communication-Intervals calculation unit 13 (at the Time of Learning)>
[0044] Hereinafter, the configuration of an attack communication detection device of a first embodiment will be described with reference to FIG. 3. As shown in FIG. 3, an attack communication detection device 1 of the present embodiment includes a receiving unit 11, a temporary holding unit 12, a communication interval and sum-of-communication-intervals calculation unit 13, a learning unit 14, an estimated distribution model storage 15, and a detection unit 16. Hereinafter, the operation of each component element at the time of learning will be described with reference to FIG. 4.
[0051] The communication interval and sum-of-communication-intervals calculation unit 13 calculates a communication interval of the communication data for learning by using the communication times of the communication data for learning held in Step S12-1 (S13-1). Moreover, the communication interval and sum-of-communication-intervals calculation unit 13 also calculates the sum of communication intervals of the communication data for learning in order to calculate the above-described threshold T.
[0087] Each device according to the present invention has, as a single hardware entity, for example, an input unit to which a keyboard or the like is connectable, an output unit to which a liquid crystal display or the like is connectable, a communication unit to which a communication device (for example, communication cable) capable of communication with the outside of the hardware entity is connectable, a central processing unit (CPU, which may include cache memory and/or registers), RAM or ROM as memories, an external storage device which is a hard disk, and a bus that connects the input unit, the output unit, the communication unit, the CPU, the RAM, the ROM, and the external storage device so that data can be exchanged between them. The hardware entity may also include, for example, a device (drive) capable of reading and writing a recording medium such as a CD-ROM as desired. A physical entity having such hardware resources may be a general-purpose computer or an embedded device, for example.
[0089] In the hardware entity, the programs and data necessary for processing of the programs stored in the external storage device (or ROM and the like) are read into memory as necessary to be interpreted and executed/processed as appropriate by the CPU. As a consequence, the CPU embodies predetermined functions (the component elements represented above as units, means, or the like).”
Examiner concludes, based on the above description in the specification of the instant application, that the respective functions of the elements (units) identified in the claims above are in fact performed by a CPU with programs/functions embodied therewith. A CPU is a known hardware element.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).
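The learning and detection steps quoted above from paragraphs [0053]-[0055] and [0067]-[0069] of the published application, sketched as an added example; it is not code from the application, the examiner, or the cited references. It assumes a normal distribution and millisecond timestamps, and the function names, the 2% trim, the 1e-4 false detection rate and the sample frames are constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import NormalDist, fmean, stdev


def interval_sums(times):
    """Sum of two adjacent intervals: (t_i - t_{i-1}) + (t_{i-1} - t_{i-2})."""
    return [times[i] - times[i - 2] for i in range(2, len(times))]


def learn(frames, max_false_rate=1e-4, trim_frac=0.02):
    """Learn a per-ID threshold T from attack-free (time_ms, can_id) frames.

    T is the max_false_rate quantile of a normal distribution fitted to the
    sums of adjacent intervals, after trimming the top and bottom trim_frac
    of the sorted samples to curb exception values.
    """
    by_id = defaultdict(list)
    for t, can_id in frames:
        by_id[can_id].append(t)
    model = {}
    for can_id, times in by_id.items():
        sums = sorted(interval_sums(times))
        if len(sums) < 2:
            continue  # not enough samples to estimate a distribution
        k = int(len(sums) * trim_frac)
        if k:
            sums = sums[k:-k]
        sigma = max(stdev(sums), 1e-9)  # inv_cdf needs sigma > 0
        model[can_id] = NormalDist(fmean(sums), sigma).inv_cdf(max_false_rate)
    return model


def detect(frames, model):
    """Flag frames whose sum of adjacent intervals is <= T for their ID.

    Consecutive detections for the same ID are collected into one episode
    with a start time, an end time and a count. IDs without a learned
    threshold are not monitored.
    """
    last_two = defaultdict(lambda: deque(maxlen=2))
    open_ep, episodes = {}, []
    for t, can_id in frames:
        if can_id not in model:
            continue
        hist = last_two[can_id]
        if len(hist) == 2 and t - hist[0] <= model[can_id]:
            ep = open_ep.setdefault(
                can_id, {"id": can_id, "start": t, "end": t, "count": 0})
            ep["end"] = t
            ep["count"] += 1
        elif can_id in open_ep:
            episodes.append(open_ep.pop(can_id))
        hist.append(t)
    episodes.extend(open_ep.values())
    return episodes


# Constructed sample traffic: periodic frames with a fixed jitter cycle (ms).
JITTER_MS = [0.0, 0.4, -0.3, 0.2, -0.4, 0.3, -0.1, 0.1]


def periodic(can_id, period_ms, count):
    return [(round(k * period_ms + JITTER_MS[k % 8], 3), can_id)
            for k in range(count)]


def demo():
    # Learning data: two IDs, no attack frames.
    training = sorted(periodic(0x100, 10, 400) + periodic(0x200, 50, 80))
    model = learn(training)
    # Detection data: same traffic plus one constructed extra frame for
    # ID 0x100 at 205.0 ms, halfway between two legitimate frames.
    capture = sorted(periodic(0x100, 10, 50) + periodic(0x200, 50, 10)
                     + [(205.0, 0x100)])
    return model, detect(capture, model)


if __name__ == "__main__":
    model, episodes = demo()
    for can_id, threshold in sorted(model.items()):
        print(f"ID 0x{can_id:X}: T = {threshold:.2f} ms")
    for ep in episodes:
        print(f"ID 0x{ep['id']:X}: {ep['count']} detections, "
              f"{ep['start']} ms to {ep['end']} ms")
```

One extra frame shortens three successive sums for that ID (to about 14.8, 10.7 and 14.9 ms against a learned T near 19.2 ms), which is why the detections arrive as a single episode rather than a single alert.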
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8 and 23-41 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claims are directed to “software per se”.
	Claim 8 recites, “A program that makes a computer function as the attack communication detection device according to claim 1.”
	Claims 23-41 also recite similar limitations as claim 8; i.e. they also claim “A program”
	But a program (i.e. software) does not fall within any category of patent eligible subject matter, and hence the claims are being rejected under 35 USC 101, as “software per se”.
	Appropriate correction is required.
	**** Note: Applicant may consider amending the claims as shown below, for example, to overcome the “software per se” rejection without creating a “signal per se” issue:
“A non-transitory computer readable storage medium containing program instructions when the instructions are executed by a central processing unit (CPU) the program instructions perform the function of the attack communication detection device according to claim 1”
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6, 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20200396238 A1 to HAGA et al. (hereinafter “HAGA”) in view of Pub. No.: US 20150172306 A1 to KIM et al. (hereinafter “KIM”).
Regarding Claim 1: HAGA discloses An attack communication detection device that detects an attack communication from a communication of each electronic control unit in a communication network (HAGA, Para [0064]: … The following will describe an on-board network management system that includes multiple vehicles equipped with an on-board network (on-board network system) in which multiple electronic control units (ECUs) communicate on a CAN bus, and a server (anomaly detection server), as well as a security processing method that acts as a security technology used in such an on-board network management system. The security processing method is a method of assessing the anomaly level of a frame in an on-board network of a certain vehicle, to thereby enable appropriate counteraction in the case in which a frame transmitted on the CAN bus used for communication among each of the ECUs provided in the vehicle is suspected of being an attack frame …), the attack communication detection device comprising:
a receiving unit that receives communication data for detection which may or may not include the attack communication (HAGA, Para [0080-0085], FIG. 4: … FIG. 4 is a configuration diagram of the server (anomaly detection server) 80. The anomaly detection server 80 for counteracting anomalous frames transmitted on the on-board network of the vehicle 1010a and the like is realized by a computer provided with a processor, memory, a communication interface, and the like, for example. The anomaly detection server 80 is configured to include a communication unit 810 … The communication unit 810, by communicating with the vehicles 1010a, 1010b, 1010c, 1010d, 1010e, and 1010f over the network 81, successively receives log information, such as information related to frames (messages) flowing on the CAN bus of each on-board network. The log information includes, for example, information related to the content of frames (messages) received from the CAN bus in the on-board network, and the reception timing (such as the interval and frequency). The communication unit 810 functions as an acquisition unit that acquires by receiving information about frames received on the on-board network of each vehicle …);
However, HAGA does not explicitly teach, but KIM, from the same or a similar field of endeavor, teaches:
“a sum-of-communication-intervals calculation unit that calculates a sum of communication intervals, which is a sum of two adjacent communication intervals, of the communication data for detection (KIM, Para [0021-0022, 0030-0031, 0070-0073]: … the authentication procedure may include collecting, from the controller having passed the authentication, a message identifier (ID) list used by the controller, wherein, when a message ID not contained in the message ID list is sensed, the sensed message ID may be recorded in a predetermined recording region …  the message generated by the controller may include a first message and a second message, the first message being a periodic message and the second message being an aperiodic message … The moving average may be an average value of a sum of transmission intervals for at least three consecutively sensed messages … If the moving average is less than a predetermined maximum allowable latency, it may be determined that the hacking message is included in a corresponding one of the transmission intervals … As shown in FIG. 2(a), the gateway 100 is configured to receive a security message from first to fourth messages for which authentication has been completed, during a certain period T. In this case, it is assumed that transmission latency of a security message does not occur between the first to fourth controllers and the gateway 100. Referring to FIG. 2(a), the first to fourth controllers sequentially transmit a security message with period T, and then the first controller transmits the security message again at a timing point T(n+2) … FIG. 2(b) illustrates reception of a hacking message at a time between T(n-1) and T(n) of FIG. 2(a). FIG. 2(b) shows that the hacking message has been received at timing point T(n-b) or T(n-1+a). Herein, one of a and b has a value greater than 0.5*T, and the sum of a and b is T …);”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of KIM into the teachings of HAGA, because it discloses that “object of the present invention is to provide a method for enhancing security in an in-vehicle communication network with which a hacking message can be identified based on periodic information by performing a predetermined security process with a certain periodicity through a control device connected over a CAN communication channel (KIM, Para [0015])”.
HAGA further discloses:
“an estimated distribution model storage that stores in advance an estimated distribution model of the communication interval and the sum of communication intervals of communication data for learning which does not include the attack communication (HAGA, Para [0084-0085]: … The log analysis processing unit 840 includes a function of analyzing the log information collected from each vehicle and stored (accumulated) in the vehicle log storage DB 870, and thereby assessing the anomaly level, which is an index associated with whether or not a frame received on the on-board network of a certain vehicle is anomalous (whether or not an attack frame has been sent out on the on-board network by an attacker). The log analysis processing unit 840 may perform statistical processing or the like, for example, with respect to information about multiple frames collected from each vehicle (information such as the content of each of the multiple frames, the reception timings, and the like), which is expressed by the collected log information …  the log analysis processing unit 840 may construct a designated model regarding each frame flowing on the on-board network in a normal state, the designated model being usable for comparison against an anomalous state, and on the basis of the successively acquired log information, use machine learning to adjust (update) the designated model to a more appropriate model. In this case, the log analysis processing unit 840 may perform a treatment process (such as multivariate analysis, for example) as appropriate on the information about multiple frames expressed by the collected log information, and supply the treated information for the learning of the designated model …); and
a detection unit that detects whether or not the communication data for detection includes the attack communication based on the estimated distribution model and the sum of communication intervals of the communication data for detection (HAGA, Para [0097, 0120]: … in the case in which the message ID of a frame assessed to have an anomaly level indicating that the frame is anomalous is a message ID other than a message prescribed to be transmitted by each ECU connected to the on-board network in the normal state of the on-board network, or in the case in which the reception interval (transmission interval) of the frame is different from that of a normal frame, or the like, the security information generation unit 850 may determine Phase 1 of a sign of attack. Also, for example, in the case in which the message ID of a frame assessed to have an anomaly level indicating that the frame is anomalous is the message ID of a diagnostic command, and is an ID that does not correspond to a phase higher (more severe) than Phase 1, the security information generation unit 850 may determine Phase 1 of a sign of attack. Note that a diagnostic command is, for example, a frame that includes a specific message ID (diagnostic message ID) prescribed in advance for use by an authorized diagnostic tool connected to a diagnostic port. Note that any other methods may also be used as a technique for determining Phase 1 of a sign of attack … the treatment process extracts feature values from features such as the frame content, the reception interval, and the reception frequency, performs normalization or the like, condenses the amount of information in the feature values, and the like. 
The condensation of the amount of information in the feature values is realized by, for example, expressing the information as a feature vector in which the feature values are taken as each component, and on the basis of information obtained in conjunction with the anomaly detection server 80, reducing the dimensionality of the feature vector by principal component analysis. Additionally, every time the frame transmitting and receiving unit 901 receives a frame from the CAN bus, the frame uploading unit 950 may transmit log information including information about the frame to the anomaly detection server 80, or at a stage when multiple frames have been received, the frame uploading unit 950 may transmit log information including information about each frame to the anomaly detection server 80. However, if information about a frame received from the CAN bus is rapidly transmitted to the anomaly detection server 80, the anomaly detection server 80 may rapidly detect whether or not the frame is anomalous, making rapid counteraction possible …).”
Regarding Claim 2: HAGA discloses An attack communication detection device that detects an attack communication from a communication of each electronic control unit in a communication network (HAGA, Para [0064]: … The following will describe an on-board network management system that includes multiple vehicles equipped with an on-board network (on-board network system) in which multiple electronic control units (ECUs) communicate on a CAN bus, and a server (anomaly detection server), as well as a security processing method that acts as a security technology used in such an on-board network management system. The security processing method is a method of assessing the anomaly level of a frame in an on-board network of a certain vehicle, to thereby enable appropriate counteraction in the case in which a frame transmitted on the CAN bus used for communication among each of the ECUs provided in the vehicle is suspected of being an attack frame …), the attack communication detection device comprising:
a receiving unit that receives communication data for learning which does not include the attack communication and communication data for detection which may or may not include the attack communication (HAGA, Para [0080-0085], FIG. 4: … FIG. 4 is a configuration diagram of the server (anomaly detection server) 80. The anomaly detection server 80 for counteracting anomalous frames transmitted on the on-board network of the vehicle 1010a and the like is realized by a computer provided with a processor, memory, a communication interface, and the like, for example. The anomaly detection server 80 is configured to include a communication unit 810 … The communication unit 810, by communicating with the vehicles 1010a, 1010b, 1010c, 1010d, 1010e, and 1010f over the network 81, successively receives log information, such as information related to frames (messages) flowing on the CAN bus of each on-board network. The log information includes, for example, information related to the content of frames (messages) received from the CAN bus in the on-board network, and the reception timing (such as the interval and frequency). The communication unit 810 functions as an acquisition unit that acquires by receiving information about frames received on the on-board network of each vehicle …);
However, HAGA does not explicitly teach, but KIM, from the same or a similar field of endeavor, teaches:
“a communication interval and sum-of-communication-intervals calculation unit that calculates a communication interval of the communication data for learning and a sum of communication intervals, which is a sum of two adjacent communication intervals, of the communication data for detection (KIM, Para [0021-0022, 0030-0031, 0070-0073]: … the authentication procedure may include collecting, from the controller having passed the authentication, a message identifier (ID) list used by the controller, wherein, when a message ID not contained in the message ID list is sensed, the sensed message ID may be recorded in a predetermined recording region …  the message generated by the controller may include a first message and a second message, the first message being a periodic message and the second message being an aperiodic message … The moving average may be an average value of a sum of transmission intervals for at least three consecutively sensed messages … If the moving average is less than a predetermined maximum allowable latency, it may be determined that the hacking message is included in a corresponding one of the transmission intervals … As shown in FIG. 2(a), the gateway 100 is configured to receive a security message from first to fourth messages for which authentication has been completed, during a certain period T. In this case, it is assumed that transmission latency of a security message does not occur between the first to fourth controllers and the gateway 100. Referring to FIG. 2(a), the first to fourth controllers sequentially transmit a security message with period T, and then the first controller transmits the security message again at a timing point T(n+2) … FIG. 2(b) illustrates reception of a hacking message at a time between T(n-1) and T(n) of FIG. 2(a). FIG. 2(b) shows that the hacking message has been received at timing point T(n-b) or T(n-1+a). 
Herein, one of a and b has a value greater than 0.5*T, and the sum of a and b is T …);”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of KIM into the teachings of HAGA, because it discloses that “object of the present invention is to provide a method for enhancing security in an in-vehicle communication network with which a hacking message can be identified based on periodic information by performing a predetermined security process with a certain periodicity through a control device connected over a CAN communication channel (KIM, Para [0015])”.
HAGA further discloses:
“a learning unit that learns an estimated distribution model of the communication interval and the sum of communication intervals of the communication data for learning (HAGA, Para [0084-0085, 0118, 0131]: … The log analysis processing unit 840 includes a function of analyzing the log information collected from each vehicle and stored (accumulated) in the vehicle log storage DB 870, and thereby assessing the anomaly level, which is an index associated with whether or not a frame received on the on-board network of a certain vehicle is anomalous (whether or not an attack frame has been sent out on the on-board network by an attacker). The log analysis processing unit 840 may perform statistical processing or the like, for example, with respect to information about multiple frames collected from each vehicle (information such as the content of each of the multiple frames, the reception timings, and the like), which is expressed by the collected log information …  the log analysis processing unit 840 may construct a designated model regarding each frame flowing on the on-board network in a normal state, the designated model being usable for comparison against an anomalous state, and on the basis of the successively acquired log information, use machine learning to adjust (update) the designated model to a more appropriate model. 
In this case, the log analysis processing unit 840 may perform a treatment process (such as multivariate analysis, for example) as appropriate on the information about multiple frames expressed by the collected log information, and supply the treated information for the learning of the designated model … In the case in which the fraudulent frame detection unit 903 detects a fraudulent frame, in order to notify the driver or the like of the fraud detection, the fraud detection notification unit 930 controls (such as by controlling the frame transmitting and receiving unit 901) a notification of information about the fraudulent frame (for example, information indicating fraud detection, or information indicating fraud detection and the content of the fraudulent frame) to the head unit. Also, in the case in which the fraudulent frame detection unit 903 detects a fraudulent frame, for example, the fraud detection notification unit 930 may also control a notification of log information or the like including information indicating the fraud detection and information about the fraudulent frame to the anomaly detection server 80. The log information that distinguishes fraudulent frames from non-fraudulent frames by the indication of a fraud detection may be used for supervised learning in the anomaly detection server 80 …); and
a detection unit that detects whether or not the communication data for detection includes the attack communication based on the estimated distribution model and the sum of communication intervals of the communication data for detection (HAGA, Para [0097, 0118-0120]: … in the case in which the message ID of a frame assessed to have an anomaly level indicating that the frame is anomalous is a message ID other than a message prescribed to be transmitted by each ECU connected to the on-board network in the normal state of the on-board network, or in the case in which the reception interval (transmission interval) of the frame is different from that of a normal frame, or the like, the security information generation unit 850 may determine Phase 1 of a sign of attack. Also, for example, in the case in which the message ID of a frame assessed to have an anomaly level indicating that the frame is anomalous is the message ID of a diagnostic command, and is an ID that does not correspond to a phase higher (more severe) than Phase 1, the security information generation unit 850 may determine Phase 1 of a sign of attack. Note that a diagnostic command is, for example, a frame that includes a specific message ID (diagnostic message ID) prescribed in advance for use by an authorized diagnostic tool connected to a diagnostic port. Note that any other methods may also be used as a technique for determining Phase 1 of a sign of attack … the treatment process extracts feature values from features such as the frame content, the reception interval, and the reception frequency, performs normalization or the like, condenses the amount of information in the feature values, and the like. 
The condensation of the amount of information in the feature values is realized by, for example, expressing the information as a feature vector in which the feature values are taken as each component, and on the basis of information obtained in conjunction with the anomaly detection server 80, reducing the dimensionality of the feature vector by principal component analysis. Additionally, every time the frame transmitting and receiving unit 901 receives a frame from the CAN bus, the frame uploading unit 950 may transmit log information including information about the frame to the anomaly detection server 80, or at a stage when multiple frames have been received, the frame uploading unit 950 may transmit log information including information about each frame to the anomaly detection server 80. However, if information about a frame received from the CAN bus is rapidly transmitted to the anomaly detection server 80, the anomaly detection server 80 may rapidly detect whether or not the frame is anomalous, making rapid counteraction possible …).”
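The interval features recited in claim 1, combined with the a + b = T relation quoted from KIM's FIG. 2(b), can be sketched as follows. This is an added Python example, not code from the office action, the application, or either reference; the mean/stdev model, the k-sigma threshold, all function names and all timestamps are assumptions constructed for illustration.

```python
"""Interval and adjacent-interval-sum check for one periodic CAN message ID.

Added illustration. The mean/stdev model, the k-sigma threshold and every name
below are assumptions; all timestamps (ms) are constructed sample data.
"""
from statistics import mean, stdev

JITTER = [0.0, 0.1, -0.1, 0.05, -0.05]  # constructed scheduling jitter, ms


def periodic(n, period=10.0):
    """Constructed receive times of n frames of one ID sent every `period` ms."""
    return [period * i + JITTER[i % len(JITTER)] for i in range(n)]


def intervals(ts):
    """Communication intervals between consecutive frames."""
    return [b - a for a, b in zip(ts, ts[1:])]


def adjacent_sums(iv):
    """Sum of each pair of adjacent intervals, i.e. ts[i+2] - ts[i]."""
    return [a + b for a, b in zip(iv, iv[1:])]


def learn(ts):
    """Fit (mean, stdev) to the intervals and to the adjacent-interval sums."""
    iv = intervals(ts)
    sums = adjacent_sums(iv)
    return {"interval": (mean(iv), stdev(iv)), "sum": (mean(sums), stdev(sums))}


def within(x, dist, k):
    """True when x lies within k standard deviations of the learned mean."""
    mu, sigma = dist
    return abs(x - mu) <= k * sigma


def detect(ts, model, k=4.0):
    """Return (middle_frame_index, looks_injected) for each anomalous window.

    A window is frames i, i+1, i+2. It is anomalous when its span does not fit
    the learned sum distribution (about 2T). If the span instead fits the
    learned single-interval distribution (about T), the middle frame split one
    normal period into a + b = T, the FIG. 2(b) case.
    """
    alerts = []
    for i, s in enumerate(adjacent_sums(intervals(ts))):
        if not within(s, model["sum"], k):
            alerts.append((i + 1, within(s, model["interval"], k)))
    return alerts


LEARNING_TS = periodic(50)
CLEAN_TS = periodic(8)
# Constructed attack trace: one extra frame at 33.0 ms, between frames 3 and 4.
ATTACKED_TS = sorted(CLEAN_TS + [33.0])

if __name__ == "__main__":
    model = learn(LEARNING_TS)
    print(detect(CLEAN_TS, model))
    print(detect(ATTACKED_TS, model))
```

On the attacked trace, three consecutive windows deviate from the learned sum distribution, and only the window centred on the extra frame collapses to roughly one period, which is what localises it.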
Regarding Claim 6: The combination of HAGA-KIM discloses the attack communication detection device according to Claim 1, HAGA further discloses, “wherein the learning unit learns the estimated distribution model for each machine condition of the electronic control unit (HAGA, Para [0085, 0162]: … The anomaly level is assessed by a comparison between information about the frame and the designated model (that is, a computational process using the information about the frame and the designated model). As the designated model for assessing anomaly level, for example, the log analysis processing unit 840 may construct a designated model on the basis of the log information for each vehicle of the same vehicle family, to express a distribution of features (such as feature vectors including components such as frame content, reception interval, and reception frequency) regarding the frames received on the on-board network in the normal state. Note that the designated model may be, for example, a model expressing a relationship between an objective variable and an explanatory variable, in which the anomaly level is treated as the objective variable and the log information is treated as the explanatory variable. The anomaly level may be defined so that the non-anomalous (normal) case takes a value of 0 (zero), and the anomalous case takes a positive numerical value in accordance with the degree of anomaly. The anomaly level may also take the binary value of 0 (for example, not anomalous) and 1 (for example, anomalous). The anomaly level may also take three or more values, with the anomalous case being classified into multiple stages …  The anomaly detection server 80 assesses the anomaly level of a frame received on the on-board network of a certain vehicle, on the basis of information about the frame. 
In the case in which the anomaly level of the frame indicates that the frame is anomalous, when a fixed condition is satisfied, the anomaly detection server 80 transmits a key update request to the vehicle (the vehicle in which the anomalous frame is detected) and to vehicles having a certain relationship with the vehicle. Vehicles having a certain relationship with the vehicle in which the anomalous frame is detected are, for example, vehicles in the same vehicle family, vehicles provided with the same type of ECU, or the like. If the vehicles having the certain relationship are specifiable on the basis of information related to the vehicle in which the anomalous frame is detected, the vehicles may also have some other fixed relationship. Also, the fixed condition described above is a condition for estimating that a cryptographic key (for example, an encryption key) or a MAC key has leaked, and is satisfied when, for example, the anomalous frame is a key-related message (that is, when the frame is a frame for which encryption of the frame content is prescribed, or a frame for which the attachment of a MAC to the frame is prescribed). Additionally, a condition such as that the running state of the vehicle or the like is anomalous (a condition for more accurately estimating that a cryptographic key or a MAC key has leaked) may also be added to the fixed condition. The anomaly detection server 80 may also determine whether or not the leak of a cryptographic key or a MAC key may be estimated, according to computational processing using log information acquired from a vehicle and a designated model …).”
Regarding Claim 7: This is a method claim that contains all the same or similar limitations as claim 1, and is hence similarly rejected as claim 1.
Regarding Claim 14: The combination of HAGA-KIM discloses the attack communication detection device according to Claim 2, HAGA further discloses, “wherein the learning unit learns the estimated distribution model for each machine condition of the electronic control unit (HAGA, Para [0085, 0162]: … The anomaly level is assessed by a comparison between information about the frame and the designated model (that is, a computational process using the information about the frame and the designated model). As the designated model for assessing anomaly level, for example, the log analysis processing unit 840 may construct a designated model on the basis of the log information for each vehicle of the same vehicle family, to express a distribution of features (such as feature vectors including components such as frame content, reception interval, and reception frequency) regarding the frames received on the on-board network in the normal state. Note that the designated model may be, for example, a model expressing a relationship between an objective variable and an explanatory variable, in which the anomaly level is treated as the objective variable and the log information is treated as the explanatory variable. The anomaly level may be defined so that the non-anomalous (normal) case takes a value of 0 (zero), and the anomalous case takes a positive numerical value in accordance with the degree of anomaly. The anomaly level may also take the binary value of 0 (for example, not anomalous) and 1 (for example, anomalous). The anomaly level may also take three or more values, with the anomalous case being classified into multiple stages …  The anomaly detection server 80 assesses the anomaly level of a frame received on the on-board network of a certain vehicle, on the basis of information about the frame.
In the case in which the anomaly level of the frame indicates that the frame is anomalous, when a fixed condition is satisfied, the anomaly detection server 80 transmits a key update request to the vehicle (the vehicle in which the anomalous frame is detected) and to vehicles having a certain relationship with the vehicle. Vehicles having a certain relationship with the vehicle in which the anomalous frame is detected are, for example, vehicles in the same vehicle family, vehicles provided with the same type of ECU, or the like. If the vehicles having the certain relationship are specifiable on the basis of information related to the vehicle in which the anomalous frame is detected, the vehicles may also have some other fixed relationship. Also, the fixed condition described above is a condition for estimating that a cryptographic key (for example, an encryption key) or a MAC key has leaked, and is satisfied when, for example, the anomalous frame is a key-related message (that is, when the frame is a frame for which encryption of the frame content is prescribed, or a frame for which the attachment of a MAC to the frame is prescribed). Additionally, a condition such as that the running state of the vehicle or the like is anomalous (a condition for more accurately estimating that a cryptographic key or a MAC key has leaked) may also be added to the fixed condition. The anomaly detection server 80 may also determine whether or not the leak of a cryptographic key or a MAC key may be estimated, according to computational processing using log information acquired from a vehicle and a designated model …).”
Allowable Subject Matter
Claims 3-5, 9-13 and 15-22 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Method claim 7 needs to be amended to be similar in scope to amended device claims 1 and 2, as a condition for allowability of the claims.
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20160381068 A1; GALULA et al.: GALULA discloses that a system and method for providing security to a network may include maintaining, by a processor, a model of an expected behavior of data communications over the in-vehicle communication network; receiving, by the processor, a message sent over the network; determining, by the processor, based on the model and based on a timing attribute of the message, whether or not the message complies with the model; and if the message does not comply with the model then performing, by the processor, at least one action related to the message.
The present invention relates generally to detecting anomalous transmissions in communication networks. In particular, embodiments of the invention enable detecting anomalous messages in an in-vehicle communication network.
In some embodiments, a sum of the durations of time lapse bins $\sigma^{-}_{n,m}$ and $\sigma^{+}_{n,m}$ is set, determined, or defined such that it is substantially equal to repetition period $T(ID_{n,m})$ and relative to $T(ID_{n,m})$ time lapse bins $\sigma^{+}_{n,m}$ are shifted to later times by a relatively small time interval $\delta^{+}_{n,m}$. Bin widths of time lapse bins $\sigma^{-}_{n,m}$ and $\sigma^{+}_{n,m}$ may be varied to accommodate changes in the state of vehicle 30, and/or the state of an in-vehicle communication network (e.g., a state of CAN 61).
If a first message is transmitted at time $t_{j-1}$ and a second message (with the same message ID) is transmitted at time $t_j$ then, in some embodiments, if the time lapse $\Delta t_{j,j-1}$ calculated by $\Delta t_{j,j-1} = t_j - t_{j-1}$ falls in time lapse bin $\sigma^{+}_{n,m}$, then $MSG(ID_n)$ transmitted at time $t_j$ may be considered to be anomalous. If $\Delta t_{j,j-1}$ falls in time lapse bin $\sigma^{+}_{n,m}$, then, in some embodiments, the message may be considered to be non-anomalous.
US 20140328352 A1; Mabuchi et al.: Mabuchi discloses a communication system and a communication method that are capable of determining with a simple configuration the validity of a message that is communicated with the communication system, a plurality of ECUs is connected in the communication system to a communication bus, allowing communication of messages. A communication interval, which is defined for each message being communicated, is set for each ECU. The ECU that transmits the message transmits the message on the basis of the defined communication interval. The ECU that receives the transmitted message detects the communication interval of the received message, and determines the validity of the received message on the basis of a comparison between the detected communication interval and the defined communication interval.
The present invention relates to a communication system in which communication devices are connected via a network in a vehicle or the like and to a communication method.
NPL: Intrusion Detection System Based on the Analysis of Time Intervals of CAN Messages for In-Vehicle Network; Song et al.: Song discloses that  Controller Area Network (CAN) bus in the vehicles is a de facto standard for serial communication to provide an efficient, reliable and economical link between Electronic Control Units (ECU). However, CAN bus does not have enough security features to protect itself from inside or outside attacks. Intrusion Detection System (IDS) is one of the best ways to enhance the vehicle security level. Unlike the traditional IDS for network security, IDS for vehicle requires light-weight detection algorithm because of the limitations of the computing power of electronic devices reside in cars. In this paper, we propose a lightweight intrusion detection algorithm for in-vehicle network based on the analysis of time intervals of CAN messages. We captured CAN messages from the cars made by a famous manufacturer and performed three kinds of message injection attacks. As a result, we find the time interval is a meaningful feature to detect attacks in the CAN traffic. Also, our intrusion detection system detects all of message injection attacks without making false positive errors.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434