DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Pursuant to communications filed on 02 May 2022, amendments and/or remarks have been submitted and placed in the application file. Claims 1, 3-12 and 14-20 are currently pending in the instant application.


Response to Arguments
Applicant’s arguments, see Remarks, pages 6-7, filed 02 May 2022, with respect to the rejections of claims 1, 3-12 and 14-20 have been fully considered and are persuasive.  The previous 35 USC 112(b) rejection(s) of claims 1, 3-12 and 14-20 have been withdrawn. 
Applicant’s arguments with respect to the rejections of claim(s) 1, 3-12 and 14-20 under 35 USC 102 & 103 have been considered but are moot in view of the new grounds of rejection provided below, which was necessitated based on Applicant’s amendments to the claims.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 3-12 and 14-20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Harel et al (US 2018/0349612 A1, hereinafter Harel).
Regarding claim 1, Harel discloses a security system (Figure 2, system 200) comprising: 
a memory (Figure 2, memory 206; at least as in paragraphs 0047-0048, specifically as shown in at least Figure 2), and
a security layer (Figure 2, security middleware layer 228; at least as in paragraphs 0047-0053, specifically as shown in at least Figure 2) adapted to:
detect an event related to exploitation of a component connected to an in-vehicle network based on a deviation of a system from an expected behavior (Figures 1A-2 & 4A; at least as in paragraphs 0040-0043, 0063-0066 and 0076-0081, wherein various heuristics are utilized to identify security threats within the system/controller), wherein a deviation is detected based on identifying an unexpected sequence of events (Figures 1A-4A; at least as in paragraphs 0063-0066 and 0076-0081, wherein at least one of a plurality of heuristics models are utilized to identify/determine a risk/security threat to the security system/controller). Examiner notes wherein given the broadest reasonable interpretation of the claimed phraseology of “an unexpected sequence of events” as provided in the claim language, this limitation has been construed as “more than one detected/identified event/risk level” which is clearly taught by at least the referenced sections of the prior art, specifically at least as exemplified by the different code portions discussed/shown in Figure 3 of Harel wherein different code portions are assigned different risk levels; and 
if a deviation is detected, then log the event (Figures 1A-4A; at least as in paragraphs 0037 and 0078-0081, specifically as shown in at least Figure 4A, step 416, wherein the risk levels and condition for modifying risk levels are recorded as part of the security policy for the controller).
Regarding claim 3, Harel further discloses wherein the system is adapted to provide a server with data related to detected security threats and the server is adapted to generate and present data related to a fleet of vehicles (Figures 1A-2; at least as in paragraphs 0027-0028 and 0038, wherein the “management computer system 122 can receive reports from the controller 114 as well as from multiple other controllers and devices, and can aggregate the reports into a central database system”).  Examiner notes wherein Harel specifically gives the example of one of the IOT devices being a vehicle, and therefore, it is implicit wherein the above indicated “multiple other controllers and devices” would reasonably include a “fleet of vehicles”.
Regarding claim 4, Harel further discloses wherein the system is adapted to receive events from one or more software sensors (Figure 2; at least as in paragraphs 0049-0053 & 0073-0074, regarding at least the security agents 232, reporting agent 234).
Regarding claim 5, Harel further discloses wherein at least some of the software sensors are adapted to: 
intercept a system call or an instruction to be executed (Figures 2 & 4; at least as in paragraphs 0049-0053 & 0073-0074); 
detect a security threat based analyzing data related to the intercepted call or instruction (Figures 2 & 4; at least as in paragraphs 0049-0053 & 0073-0074); and 
log the threat (Figures 2 & 4; at least as in paragraphs 0037, 0049-0053 & 0073-0074).
Regarding claim 6, Harel further discloses wherein at least some of the software sensors are adapted block or prevent the call or instruction (Figures 2 & 4; at least as in paragraphs 0049-0053 & 0073-0074).
Regarding claim 7, Harel further discloses wherein the system is adapted to: 
associate a security policy with at least one application (Figures 1A-4; at least as in paragraphs 0031-0035, 0041 and 0073-0074, specifically as in at least paragraphs 0031 & 0041); 
digitally sign the security policy (Figures 1A-4; at least as in paragraphs 0031-0035, 0041 and 0073-0074, specifically as in at least paragraph 0032); and 
verify the security based on a signature (Figures 1A-4; at least as in paragraphs 0031-0035, 0041 and 0073-0074, specifically as in at least paragraph 0032).
Regarding claim 8, Harel further discloses wherein the system is adapted to: 
detect a security threat (Figures 1A-2 & 4A; at least as in paragraphs 0040-0043, 0063-0066 and 0076-0081, wherein various heuristics are utilized to identify security threats within the system/controller); 
associate the threat with a confidence level (Figures 1A-2 & 4A; at least as in paragraphs 0040-0043, 0063-0066 and 0076-0081, specifically regarding the determination of risk levels); and 
select performing at least one action based on the confidence level (Figures 1A-4B; at least as in paragraphs 0049-0051, 0076-0081 and 0093-0094, specifically regarding corrective actions based on the security threat and corresponding risk level).
Regarding claim 9, Harel further discloses wherein the system is adapted to scan a memory to detect a deviation based on a timer or based on an event (Figure 2; at least as in paragraphs 0040-0043, 0047-0050 and 0053-0055).
Regarding claim 10, Harel further discloses wherein the system is adapted to perform at least one action selected from the group consisting of: disabling a component connected to the network, killing a process, activating a component connected to the network, blocking a message, delaying a message, limiting a frequency of a message type, logging a message, alerting a user, modifying content in a message, modifying of attributes of content, modifying metadata related to content, changing permissions of executable code, resetting a component, reverting a component to a known state and executing a process (Figures 1A-4B; at least as in paragraphs 0049-0051, 0076-0081 and 0093-0094, specifically regarding corrective actions).
Regarding claim 11, Harel further discloses wherein the deviation is identified based on a state of the vehicle or based on a state of a component included in the vehicle (Figures 1A-2; at least as in paragraphs 0040-0043, 0047-0050 and 0053-0055).
Regarding claim 12, Harel discloses a method comprising: 
detecting an event related to exploitation of a component connected to an in-vehicle network based on a deviation of a system from an expected behavior (Figures 1A-2 & 4A; at least as in paragraphs 0040-0043, 0063-0066 and 0076-0081, wherein various heuristics are utilized to identify security threats within the system/controller), wherein a deviation is detected based on identifying an unexpected sequence of events (Figures 1A-4A; at least as in paragraphs 0063-0066 and 0076-0081, wherein at least one of a plurality of heuristics models are utilized to identify/determine a risk/security threat to the security system/controller). Examiner notes wherein given the broadest reasonable interpretation of the claimed phraseology of “an unexpected sequence of events” as provided in the claim language, this limitation has been construed as “more than one detected/identified event/risk level” which is clearly taught by at least the referenced sections of the prior art, specifically at least as exemplified by the different code portions discussed/shown in Figure 3 of Harel wherein different code portions are assigned different risk levels; and 
if a deviation is detected, then logging the event, wherein the event is detected based on a specific sequence of events (Figures 1A-4A; at least as in paragraphs 0037 and 0078-0081, specifically as shown in at least Figure 4A, step 416, wherein the risk levels and condition for modifying risk levels are recorded as part of the security policy for the controller).
Regarding claim 14, Harel discloses the method further comprising: providing a server with data related to detected security threats; and generating and presenting, by the server, data related to a fleet of vehicles (Figures 1A-2; at least as in paragraphs 0027-0028 and 0038, wherein the “management computer system 122 can receive reports from the controller 114 as well as from multiple other controllers and devices, and can aggregate the reports into a central database system”).  Examiner notes wherein Harel specifically gives the example of one of the IOT devices being a vehicle, and therefore, it is implicit wherein the above indicated “multiple other controllers and devices” would reasonably include a “fleet of vehicles”.
Regarding claim 15, Harel discloses the method further comprising receiving events from one or more software sensors, wherein at least some of the software sensors are adapted block or prevent the call or instruction (Figure 2; at least as in paragraphs 0049-0053 & 0073-0074, regarding at least the security agents 232, reporting agent 234).
Regarding claim 16, Harel discloses the method further comprising: 
intercepting, by a software sensor, a system call or an instruction to be executed (Figures 2 & 4; at least as in paragraphs 0049-0053 & 0073-0074); 
detecting, by the software sensor, a security threat based analyzing data related to the intercepted call or instruction (Figures 2 & 4; at least as in paragraphs 0049-0053 & 0073-0074); and 
logging the threat (Figures 2 & 4; at least as in paragraphs 0037, 0049-0053 & 0073-0074).
Regarding claim 17, Harel discloses the method further comprising: 
associating a security policy with at least one application (Figures 1A-4; at least as in paragraphs 0031-0035, 0041 and 0073-0074, specifically as in at least paragraphs 0031 & 0041); 
digitally signing the security policy (Figures 1A-4; at least as in paragraphs 0031-0035, 0041 and 0073-0074, specifically as in at least paragraph 0032); and 
verifying the security based on a signature (Figures 1A-4; at least as in paragraphs 0031-0035, 0041 and 0073-0074, specifically as in at least paragraph 0032).
Regarding claim 18, Harel discloses the method further comprising: 
detecting a security threat (Figures 1A-2 & 4A; at least as in paragraphs 0040-0043, 0063-0066 and 0076-0081, wherein various heuristics are utilized to identify security threats within the system/controller); 
associating the threat with a confidence level (Figures 1A-2 & 4A; at least as in paragraphs 0040-0043, 0063-0066 and 0076-0081, specifically regarding the determination of risk levels); and 
selecting to perform at least one action based on the confidence level (Figures 1A-4B; at least as in paragraphs 0049-0051, 0076-0081 and 0093-0094, specifically regarding corrective actions based on the security threat and corresponding risk level).
Regarding claim 19, Harel discloses the method further comprising scanning a memory to detect a deviation based on a timer or based on an event (Figure 2; at least as in paragraphs 0040-0043, 0047-0050 and 0053-0055).
Regarding claim 20, Harel further discloses wherein the deviation is identified based on a state of the vehicle or based on a state of a component included in the vehicle (Figures 1A-2; at least as in paragraphs 0040-0043, 0047-0050 and 0053-0055).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See attached PTO-892 – Notice of References Cited form.
Examiner additionally notes WO 2017/044446 A1, to Sweeney et al, which teaches a cyber security system for a vehicle.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JONATHAN L SAMPLE whose telephone number is (571)270-5925. The examiner can normally be reached Monday-Friday 7:00am-4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Adam Mott can be reached on 571-270-5376. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JONATHAN L SAMPLE/Primary Examiner, Art Unit 3664