DETAILED ACTION
The instant application having Application No. 16/921126 filed on July 6, 2020 is presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Oath/Declaration
The applicant’s oath/declaration has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.

Drawings
The drawings are objected to under 37 CFR 1.83(a).  The drawings must show every feature of the invention specified in the claims.  Therefore, the claimed features must be shown or the feature(s) canceled from the claim(s).  No new matter should be entered. The independent claims are drawn towards detecting anomalies based on a property of a communication deviating from an expected property more than an allowable deviation. None of these features appear to be included in the current drawings. Additional features from the dependent claims are also missing from the drawings such as the anomaly severity, anomaly response, vehicle, and vehicle states.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Priority
As required by M.P.E.P. 201.14(c), acknowledgement is made of applicant’s claim for priority based on applications filed on July 10, 2019 (DE102019210227.1).


Claim Objections
Claim 13 is objected to because of the following informalities:
Claim 13 recites “a port of the communications network”, which should be “the port of the communications network”. Appropriate correction is required.

Claim Analysis – 35 USC § 112 (f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “processing unit” in claim 13.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Since the claim limitation(s) invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claim(s) 13 has/have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.  A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitation: Figure 1 and associated texts on pages 9-10 of the specification show that the “processing unit” is a part of a hardware system containing a micro-controller and switch. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-6 and 9-14 are rejected under 35 U.S.C. 103 as being unpatentable over Tzadikario (US 2006/0107321) in view of Basavapatna (US 2013/0097709) and Galula (US 2016/0381068).

As per claims 1, 13, and 14, Tzadikario discloses A method for anomaly detection in a communications network, the method comprising the following steps: 
observing at least two messages at a port of the communications network (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 47-48, teaches that an unusually high rate of packets to a particular application or port can be indicative of a worm attack. This shows that multiple messages/packets are received and monitored at ports of the network.); 
determining a property of a communication behavior of a network user as a function of the at least two messages (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches detecting a baseline of normal network behavior.); 
determining a deviation of the property from an expected property (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches detecting a baseline of normal network behavior and monitoring for deviations from the normal baseline behavior.); and 
detecting a presence of an anomaly based on the deviation … the expected property defining a communication behavior of the network user as a function of a … network architecture of the communications network (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches detecting a baseline of normal network behavior and monitoring for deviations from the normal baseline behavior. The baseline or “expected property” is the normal communication behavior of the user on the network.)
However, Tzadikario does not specifically teach “detecting a presence of an anomaly based on the deviation differing from an allowable deviation”.
Basavapatna discloses detecting a presence of an anomaly based on the deviation differing from an allowable deviation, the expected property defining a communication behavior of the network user as a function of a … network architecture of the communications network (Basavapatna, Figure 7A and paragraphs 12-15, 40-44, 51, teaches detecting an anomaly or risk event by comparing the user’s normal behavior to a threshold.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Basavapatna with the teachings of Tzadikario. Tzadikario teaches establishing a baseline of normal user behavior on a network and monitoring the current user behavior to detect deviations and anomalies from the normal user behavior. Basavapatna similarly detects anomalies based on a baseline of the user’s normal behavior, but does so by comparing the normal behavior to a threshold as “user behavior can naturally deviate from day to day” and “thresholds can be defined for determining whether user behavior diverges in a meaningful or potentially threatening way from the behavior profile” (Basavapatna paragraph 51). Therefore, it would have been obvious to have improved upon the teachings of Tzadikario by adding the teachings of Basavapatna for the purpose of using thresholds to detect anomalies in order to reduce false positives that could occur from normal user behavior deviations that are under the threshold while also detecting potential threats when the user behavior is above the threshold.
However, Tzadikario in view of Basavapatna does not specifically teach “static network architecture”.
Galula discloses detecting a presence of an anomaly based on the deviation … the expected property defining a communication behavior of the network user as a function of a static network architecture of the communications network (Galula, abstract and Figure 7 and associated texts and paragraphs 11-14 and 212, teaches performing anomaly detection on an in-vehicle network which is considered as a static network. The written description pages 9-10 and 13 describe the vehicle network as being a static network. Galula, paragraph 212, teaches setting different thresholds for anomaly detection based on the different states of the vehicle.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Galula with the teachings of Tzadikario in view of Basavapatna. Tzadikario in view of Basavapatna teaches establishing a baseline of normal user behavior on a network and monitoring the current user behavior to detect deviations and anomalies from the normal user behavior by comparing the user behavior to a threshold. Galula similarly detects anomalies in a network, but does so on a static in-vehicle network. Therefore, it would have been obvious to have performed the anomaly detection of Tzadikario in view of Basavapatna on a static in-vehicle network (as in Galula) as this would have been a simple substitution of one known network for another to yield the predictable results of anomaly detection in a network/vehicle.
Claim 13 recites the additional limitations of “the device comprising: a port; and a processing unit configured to …” (Tzadikario, paragraphs 47-48, teaches ports of the network. Tzadikario, Figure 1 and associated texts, teaches various network items such as servers and routers which contain processors, ports and switches. Basavapatna, Figure 1 and associated texts and paragraphs 13, 19, 42, 73, teaches various network items such as user devices, phones, computers, and servers which contain processors, ports, and switches.)
Claim 14 recites the additional limitation of “A non-transitory computer-readable memory medium on which is stored a computer program for anomaly detection in a communications network, the computer program, when executed by a computer, causing the computer to perform the following steps …” (Tzadikario, claim 43, teaches a medium storing instructions to be executed by a computer. Basavapatna, paragraphs 37 and 72, teaches a medium storing instructions.)

As per claim 2, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 1, wherein the expected property is determined based on a model that models a communication behavior of network users (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches detecting a baseline of normal network behavior. Basavapatna, paragraphs 40-44 and 50-51, teaches comparing normal/baseline user’s behavior on the network to the current behavior to detect deviations. Galula, abstract and Figure 7 and associated texts and paragraphs 11-14 and 212, teaches performing anomaly detection on an in-vehicle network by comparing user behavior to thresholds.)

As per claim 3, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 1, wherein a measure for the severity of the anomaly is determined as a function of: (i) the property of the communication behavior of the network user, and/or (ii) the expected property, and/or (iii) the deviation, a response being determined as a function of the severity of the anomaly (Basavapatna, paragraphs 44, 49, 51, and 70, teaches applying various countermeasures (such as blocking network traffic, locking the user out of the network, or sending an alert to IT personnel) based on the severity of the violation.)

As per claim 4, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 3, wherein the response is selected from a plurality of defined responses as a function of the severity of the anomaly (Basavapatna, paragraphs 44, 49, 51, and 70, teaches applying various countermeasures (such as blocking network traffic, locking the user out of the network, or sending an alert to IT personnel) based on the severity of the violation.) 

As per claim 5, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 3, wherein the response includes a report to a central unit, and/or discarding of a data packet of one of the messages, and/or a transition of the communications network into a secure state (Basavapatna, paragraphs 44, 49, 51, and 70, teaches applying various countermeasures (such as blocking network traffic, locking the user out of the network, or sending an alert to IT personnel) based on the severity of the violation.)

As per claim 6, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 2, wherein the model is defined as a function of information concerning a static network architecture of a vehicle, the expected property being defined as a function of information concerning the static portion of the static network architecture (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches detecting a baseline of normal network behavior. Basavapatna, paragraphs 40-44 and 50-51, teaches comparing normal/baseline user’s behavior on the network to the current behavior to detect deviations. Galula, abstract and Figure 7 and associated texts and paragraphs 11-14 and 212, teaches performing anomaly detection on a static in-vehicle network. Galula, paragraph 212, teaches setting different thresholds for anomaly detection based on the different states of the vehicle.)

As per claim 9, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 1, wherein a measure for the deviation is determined at synchronous or asynchronous points in time, and the measure for the deviation is compared to a threshold value that defines the allowable deviation (Basavapatna, paragraphs 50, 52, and 57, teaches monitoring the user behavior over a period of time. Basavapatna, Figure 7A and paragraphs 12-15, 40-44, 51, teaches detecting an anomaly or risk event by comparing the user’s normal behavior to a threshold.)

As per claim 10, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 2, wherein the model defines the expected property as a function of a predefined sequence of a network protocol used in the communications network (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches detecting a baseline of normal network behavior. Basavapatna, paragraphs 40-44 and 50-51, teaches comparing normal/baseline user’s behavior on the network to the current behavior to detect deviations. Galula, abstract and Figure 7 and associated texts and paragraphs 11-14 and 212, teaches performing anomaly detection on an in-vehicle network by comparing user behavior to thresholds.)  

As per claim 11, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 2, wherein the model defines a measure for data traffic that is aggregated by a counter or leaky bucket mechanism, per most recent time units and/or per communication user, the measure being a number of transferred data packets, or an average size of the transferred data packets, or an average number of the network connections, or an average data volume per network connection, or a number of the terminated network connections, or a response time, or a ratio between sent and received data (Tzadikario, claim 23, teaches analyzing communications traffic to establish a baseline behavior pattern and detect deviations from the baseline behavior pattern to indicate an anomaly/attack. Tzadikario, paragraphs 5 and 47-49, also teaches monitoring incoming and outgoing traffic to detect deviations from the normal behavior such as an unusually high rate of packets.) 

As per claim 12, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 1, wherein the deviation is determined as a function of information concerning a network protocol used by a network user, the network protocol being one of the network protocols: Ethernet, IPv4/IPv6, TCP/UDP, SOME/IP, DDS, DoIP, and AVB (Tzadikario, paragraph 51, teaches various network protocols such as TCP and IP. Basavapatna, paragraph 79, teaches Internet Protocol (IP). Galula, paragraph 8, teaches various protocols such as CAN, MOST, Ethernet, LIN.) 

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Tzadikario in view of Basavapatna, Galula, and further in view of Kommareddy (US 2008/0028467).

As per claim 7, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 1, wherein … first data packets or messages whose sender is a first network user and whose receiver is a second network user defining the first data volume, and second data packets or messages whose sender is the second network user and whose receiver is the first network user defining the second data volume (Tzadikario, paragraphs 47-48, teaches monitoring both incoming and outgoing traffic for anomalies. Tzadikario notes that an unusually high rate of packets from the same source to a particular application/port/user can be indicative of a worm attack.)
However, Tzadikario in view of Basavapatna and Galula does not specifically disclose wherein the expected property defines a ratio between a first data volume and a second data volume of data that are exchanged in a defined time period.
Kommareddy discloses wherein the expected property defines a ratio between a first data volume and a second data volume of data that are exchanged in a defined time period, first data packets or messages whose sender is a first network user and whose receiver is a second network user defining the first data volume, and second data packets or messages whose sender is the second network user and whose receiver is the first network user defining the second data volume (Kommareddy, paragraphs 4, 14, and 17, teaches monitoring the ratio of incoming and outgoing traffic for each user and that attackers will send out a much greater number of packets than they receive.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kommareddy with the teachings of Tzadikario in view of Basavapatna and Galula. Tzadikario in view of Basavapatna and Galula teaches establishing a baseline of normal user behavior on a network and monitoring the current user behavior to detect deviations and anomalies from the normal user behavior by comparing the user behavior to a threshold. Kommareddy similarly detects anomalies in a network, but does so based on a ratio of incoming to outgoing traffic. Therefore, it would have been obvious to have incorporated the anomaly detection of Kommareddy into the system of Tzadikario in view of Basavapatna and Galula in order to detect additional anomalies such as DOS and flooding attacks based on the ratio of incoming to outgoing traffic.
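The ratio check recited in claim 7, combined with the allowable deviation of claim 1, can be illustrated as follows. This is an added example, not code from the application or from any cited reference; the node names, the expected ratio, the allowable deviation and the one-second period are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    ts: float   # observation time at the port, in seconds
    src: str    # sending network user
    dst: str    # receiving network user
    size: int   # payload size in bytes


@dataclass(frozen=True)
class ExpectedRatio:
    ratio: float                # expected first_volume / second_volume
    allowable_deviation: float  # largest |observed - expected| still tolerated


@dataclass(frozen=True)
class Finding:
    window_start: float
    pair: tuple
    observed_ratio: float
    deviation: float


def detect_ratio_anomalies(messages, expected, window_s):
    """Flag time periods whose sent/received volume ratio deviates from the
    expected ratio by more than the allowable deviation.

    `expected` maps a (first_user, second_user) pair, fixed in advance as it
    would be for a static network, to its ExpectedRatio. Each pair is assumed
    to be listed in one orientation only. Traffic between pairs that are not
    configured is ignored here.
    """
    # (window index, pair) -> [first data volume, second data volume]
    volumes = defaultdict(lambda: [0, 0])
    for m in messages:
        window = int(m.ts // window_s)
        if (m.src, m.dst) in expected:        # first user -> second user
            volumes[(window, (m.src, m.dst))][0] += m.size
        elif (m.dst, m.src) in expected:      # second user -> first user
            volumes[(window, (m.dst, m.src))][1] += m.size

    findings = []
    for (window, pair), (first, second) in sorted(volumes.items()):
        exp = expected[pair]
        # A period with no return traffic has no finite ratio; treat it as
        # infinitely far from the expected value rather than dividing by zero.
        observed = first / second if second else float("inf")
        deviation = abs(observed - exp.ratio)
        if deviation > exp.allowable_deviation:
            findings.append(Finding(window * window_s, pair, observed, deviation))
    return findings


# Constructed configuration: the camera ECU is expected to send about ten
# times the volume it receives from the gateway.
EXPECTED = {("camera_ecu", "gateway"): ExpectedRatio(ratio=10.0, allowable_deviation=3.0)}

# Constructed sample traffic, four one-second periods.
SAMPLE = [
    Message(0.1, "camera_ecu", "gateway", 1000),
    Message(0.5, "camera_ecu", "gateway", 1000),
    Message(0.6, "gateway", "camera_ecu", 200),    # ratio 10.0, within tolerance
    Message(1.2, "camera_ecu", "gateway", 1200),
    Message(1.4, "gateway", "camera_ecu", 100),    # ratio 12.0, within tolerance
    Message(2.1, "camera_ecu", "gateway", 500),
    Message(2.3, "gateway", "camera_ecu", 2500),   # ratio 0.2, direction inverted
    Message(3.0, "camera_ecu", "gateway", 1000),   # no return traffic at all
]

if __name__ == "__main__":
    for f in detect_ratio_anomalies(SAMPLE, EXPECTED, window_s=1.0):
        print(f"t={f.window_start:.0f}s {f.pair}: ratio={f.observed_ratio} "
              f"deviation={f.deviation:.1f}")
```
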

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Tzadikario in view of Basavapatna, Galula, and further in view of Tao (US 10239456).

As per claim 8, Tzadikario in view of Basavapatna and Galula discloses The method as recited in claim 6, wherein during the anomaly detection, a distinction is made between various system states in which the vehicle is in, the system states being "ignition on,"… a system state of the vehicle being determined, and the expected property being determined as a function of the system state (Galula, paragraph 212, teaches setting different thresholds for anomaly detection based on the different states of the vehicle. Galula, Figure 5, teaches various vehicle states such as “engine running”. Galula, paragraph 164, teaches a state where the vehicle is stationary.)
However, Tzadikario in view of Basavapatna and Galula does not specifically teach the system states being … "engine idling," "forward travel," "reverse travel," and "vehicle diagnostics on,".
Tao discloses the system states being … "engine idling," "forward travel," "reverse travel," and "vehicle diagnostics on," (Tao, col. 13 lines 24-33, teaches various vehicle states such as forward, reverse, and idling. Tao, col. 11 lines 38-51, also teaches using information such as information from the diagnostics port to determine the state.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Tao with the teachings of Tzadikario in view of Basavapatna and Galula. Tzadikario in view of Basavapatna and Galula teaches comparing normal user behavior in an in-vehicle network to a threshold to detect deviations and anomalies where the threshold can be determined based on the various different states of the vehicle such as “engine running”. Tao teaches various different vehicle states such as “forward”, “reverse”, “idling”, etc. Therefore, it would have been obvious to incorporate into Tzadikario in view of Basavapatna and Galula specific vehicle states, such as the vehicle states of Tao, as Tzadikario in view of Basavapatna and Galula uses various different vehicle states and can be varied to include the vehicle states of Tao.

Related Prior Art
The prior art made of record and not relied upon, but considered pertinent to applicant's disclosure, includes:
Eisenkot (US 2020/0351285), Figure 4 and paragraphs 85-90, teaches comparing a new score to a threshold to determine if a new event is an anomaly.
Ruan (US 2020/0406910) – teaches anomaly detection for a vehicle network.
Raanan (US 7672814) – teaches comparing baseline behavior to a threshold to determine deviations from the baseline.
Baradaran (US 2017/0126718), Figure 7C and paragraphs 261 and 285, teaches performing anomaly detection on a static network.
Yong (US 2007/0245420), paragraph 4, teaches creating a profile for each user based on their standard behavior regarding frequency and ratio of network packets.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/John B King/
Primary Examiner, Art Unit 2498