DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office action is in response to the amendment and the communication filed on 07/12/2022. As per instant Examiner Amendment, Claims 1 and 7-8 have been amended. Claims 2 and 5-6 have be cancelled. Claims 1, 3-4, 7-11 have been examined and are pending in this application. Claims 1, 3-4, 7-11 are allowed

Examiner Amendments


An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
In attempt to accelerate the prosecution process, the Examiner has contacted the Applicant’s representative, Mr. Carl J. Pellegrini (Reg No. 40766), and conducted a telephone interview on 08/03/2022. During the interview, the Examiner proposed an examiner amendment to the claims with rolling up Claim 2 and Claim 5 into Claim 1. Mirror other independent claims with amended claim 1 for better clarity of the claims’ scope, and for putting the application in condition for allowance. Authorization for this Examiner's Amendment was given by Mr. Carl J. Pellegrini (Reg No. 40766), on 08/03/2022. Mr. Carl J. Pellegrini (Reg No. 40766), has agreed and authorized the Examiner’s amendment. 


Amendments to the Claims:

Please replace claims 1, 3-4, 7-11 as following:

Claim 1.	(Currently Amended): A monitoring apparatus comprising:
an extraction device comprising:
at least one first memory configured to store instructions; and
at least one first processor configured to execute the instructions to:
sort each set of frames that have the same identifier associated with a node, into frames maintaining a cycle and frames out of the cycle; 
extract, as an event rule, a feature of a bit change in a data field related to an event occurrence, from the frames that have the same identifier and are out of the cycle; and
exclude the frames that have the same identifier and maintain the cycle from the set of frames having the same identifier, and select the frames that are out of the cycle, and
a detection device that is communicably connected to the extraction device comprising:
at least one second memory configured to store instructions; and
at least one second processor configured to execute the instructions to:
determine a detection target frame out of the cycle to be an illegal frame when the data field of the detection target frame does not match the feature extracted by the extraction device and determine the detection target frame out of the cycle to be a normal frame when the data field of the detection target frame matches the feature extracted by the extraction device; and
update, after a frame out of the cycle is determined to be a normal frame, a base point of the cycle to a frame that is output at a time of an event occurrence,
wherein the feature of the bit change in the data field is that a bit at a specific position in the data field takes the same value before and after the event occurrence.

Claim 2.	(Canceled)

Claim 3.	(Previously Presented): The extraction device according to claim 1, wherein the feature of the bit change in the data field is inversion of a bit at a specific position in the data field.

Claim 4.	(Previously Presented): The extraction device according to claim 1, wherein the feature of the bit change in the data field is a combination of bits designated as 0 and 1 in the data field.

Claim 5-6.	(Canceled)

Claim 7.	(Currently Amended): An extraction method comprising:
sorting frames that have the same identifier associated with a node, into frames maintaining a cycle and frames out of the cycle; 
extracting, as an event rule, a feature of a bit change in a data field related to an event occurrence, from the frames that have the same identifier and are out of the cycle;
excluding the frames that have the same identifier and maintain the cycle from the set of frames having the same identifier, and select the frames that are out of the cycle;
determining a detection target frame out of the cycle to be an illegal frame when the data field of the detection target frame does not match the extracted feature and determine the detection target frame out of the cycle to be a normal frame when the data field of the detection target frame matches the extracted feature; and
updating, after a frame out of the cycle is determined to be a normal frame, a base point of the cycle to a frame that is output at a time of an event occurrence,
wherein the feature of the bit change in the data field is that a bit at a specific position in the data field takes the same value before and after the event occurrence.

Claim 8.	(Currently Amended): A non-transitory computer-readable recording medium storing a program for causing a computer to:
sort each set of frames that have the same identifier associated with a node, into frames maintaining a cycle and frames out of the cycle; 
extract, as an event rule, a feature of a bit change in a data field related to an event occurrence, from the frames that have the same identifier and are out of the cycle;
exclude the frames that have the same identifier and maintain the cycle from the set of frames having the same identifier, and select the frames that are out of the cycle;
determine a detection target frame out of the cycle to be an illegal frame when the data field of the detection target frame does not match the extracted feature and determine the detection target frame out of the cycle to be a normal frame when the data field of the detection target frame matches the extracted feature; and
update, after a frame out of the cycle is determined to be a normal frame, a base point of the cycle to a frame that is output at a time of an event occurrence,
wherein the feature of the bit change in the data field is that a bit at a specific position in the data field takes the same value before and after the event occurrence.

Claim 9.	(Previously Presented): The extraction device according to claim 2, wherein the feature of the bit change in the data field is inversion of a bit at a specific position in the data field.

Claim 10.	(Previously Presented): The extraction device according to claim 2, wherein the feature of the bit change in the data field is a combination of bits designated as 0 and 1 in the data field.

Claim 11.	(Previously Presented): The extraction device according to claim 2, wherein the feature of the bit change in the data field is that a bit at a specific position in the data field takes the same value before and after the event occurrence.


Response to Arguments/Remarks
Claim 1, 3-4, 7-11 are allowed

Examiner’s Statement of reason for Allowance
Claims 1, 3-4, 7-11 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is an indication of detecting malicious frame by sort each set of frames that have the same identifier associated with a node into a cycle of the frames; extract with an event rule, a bit change in a data field related to an event from the frames that have the same identifier and are out of the cycle; determine a detection target frame out of the cycle to be an illegal frame when the data field of the detection target frame does not match the extracted feature and determine the detection target frame out of the cycle to be a normal frame when the data field of the detection target frame matches the extracted feature.
The closest prior art, as previously recited, are UNAGAMI (US 20170026386), Zhao (US 9906545) in which, UNAGAMI discloses a fraud-detection method for use in an in-vehicle network system including a plurality of electronic control units (ECUs) that exchange messages on a plurality of buses, a plurality of fraud-detection ECUs each connected to a different one of the buses, and a gateway device, a fraud-detection ECU determines whether a message transmitted on a bus connected to the fraud-detection ECU is malicious by using rule information stored in a memory. The fraud-detection ECU transmits an error message including a message identifier of a message determined to be malicious. Zhao discloses  identifying message payload bit fields in electronic communications may include (i) monitoring messages transmitted via a network, (ii) selecting a plurality of messages transmitted via the network, each of the plurality of messages comprising an identical message identifier corresponding to a specified message type having a payload, (iii) determining for each bit position in the payload of the specified message type, a quasi-entropy value based on a proportion of occurrences of a first bit value and a proportion of occurrences of a second bit value at each corresponding bit position in the plurality of messages, and (iv) identifying at least one of a near-random bit field, a periodic bit field, and a constant bit field within the specified message type based on the determined quasi-entropy values.

However, none of UNAGAMI (US 20170026386), Zhao (US 9906545), teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent Claim1 and similarly Claim 7 and Claim 8. For example, none of the cited prior teaches or suggest the steps of Claim 1 and similarly Claim 7 and Claim 8: sort each set of frames that have the same identifier associated with a node, into frames maintaining a cycle and frames out of the cycle; extract, as an event rule, a feature of a bit change in a data field related to an event occurrence, from the frames that have the same identifier and are out of the cycle; exclude the frames that have the same identifier and maintain the cycle from the set of frames having the same identifier, and select the frames that are out of the cycle; determine a detection target frame out of the cycle to be an illegal frame when the data field of the detection target frame does not match the extracted feature and determine the detection target frame out of the cycle to be a normal frame when the data field of the detection target frame matches the extracted feature; and update, after a frame out of the cycle is determined to be a normal frame, a base point of the cycle to a frame that is output at a time of an event occurrence, wherein the feature of the bit change in the data field is that a bit at a specific position in the data field takes the same value before and after the event occurrence.

Therefore the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/C.W./Examiner, Art Unit 2439   




/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439