PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 15/992,257
Filing Date: 30 May 2018
Appellant(s): Argus Cyber Security Ltd



__________________
Morey B. Wildes 
(Reg No. 36.968)           
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 06/26/2022.

Every ground of rejection set forth in the Office action dated 10/28/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”Appellant’s Arguments

3.  Ruvio Does Not Anticipate Independent Claim 20
Appellant Asserts:  Appellant asserts that Ruvio does not teach at least the following limitations of independent claim 20:
               identifying by the server, a cyber threat related to at least one of: a fleet and a
vehicle in the fleet, based on identifying, in the data, at least one of:
                an attribute which is common to a plurality of vehicles in the fleet, and
                an event occurring in a plurality of vehicles in the fleet. (emphasis added)

In order to find the claimed element of “an attribute which is common to a plurality of
vehicles” the Examiner, on page 5 of the final Office Action, cites to paragraph [0005] of Ruvio,
specifically pointing to license plates and registration data. Paragraph [0005] of Ruvio describes
types of data theft, such as theft of “license plates and other vehicle registration data” and so on.

License plates and registration data are indeed attributes which are common to vehicles,
but so are engines, wheels and seatbelts, and a cyber-attack cannot be identified based on the fact that some, or all, vehicles have license plates, engines or wheels. Accordingly, Ruvio cannot (and, therefore, does not) disclose identifying a cyber threat based on “an attribute which is common to a plurality of vehicles”.

In order to find the claimed element of “an event occurring in a plurality of vehicles”, the
Examiner, on page 7 of the Office Action, cites to paragraph [0110] of Ruvio. Paragraph [0110]
of Ruvio states that “the sensor data and the data sent out by the vehicle may be time stamped”.  This is done “to compare data generated at the same time’, i.e., in order to compare the sensor data with the relevant data that is sent out from the vehicle, e.g., in order to avoid comparing sensor data captured at 21:00 with data sent out a minute earlier, at 20:59. However, the timestamping described by Ruvio is done for a specific sensor of a specific vehicle, and data sent out from the same specific vehicle. That is, the timestamping is relevant for a specific sensor in a specific vehicle but has no meaning or usage for a plurality of vehicles.
Accordingly, the timestamping described in paragraph [0110] of Ruvio cannot be used to
identify an event occurring in a plurality of vehicles, nor can such timestamping be used to
identify an attribute that is common to a plurality of vehicles.
Examiner Response:  Ruvio Anticipates Independent Claim 20 because:
Respectfully, the Examiner disagrees with appellant assertion that Ruvio does not teach:
            an attribute which is common to a plurality of vehicles in the fleet; and
an event occurring in a plurality of vehicles in the fleet.  

Per Attribute - The Examiner and Appellant agree that a license plate is an attribute common to the vehicle in the fleet.  The Examiner understands appellant’s point that it would appear that a license plate cannot be the subject of a cyber theft.  The Examiner disagrees with appellant summation above that “a cyber-attack cannot be identified based on the fact that some, or all, vehicles have license plates, engines or wheels”.  This statement is not true.  At location [0005] Ruvio is referring to an article Experimental Security Analysis of a Modern Automobile in 2010 whereby the foreseeable exploits of the vehicle data integrity might lead to “data theft” of the metadata describing these common attributes, such as license plates.  Swapping a license plate may not be a cybercrime or attack.  However, swapping the license plate number/data is a cybercrime as clearly taught by Ruvio at [0005].
Per Event Occurring - So what happens if there is a rash of airbags deployed in the fleet?  The airbags are in the vehicles that are identified by at least license plate data.  The common attribute ‘license plates’ would serve as a primary key to identify the plurality of vehicles that deployed airbags. The previous office action of 10/28/2021 cited Ruvio [0110] to teach this limitation.  The sensor data and the data sent out by the vehicle may be time stamped, to compare data generated at the same time. The sample sizes that are compared may be compared based on time, geography, and/or events (e.g., deployment of airbag.

re: timestamping – Respectfully, the Examiner disagrees.  For ease of reference the Examiner copied Ruvio here:
[0110] The sensor data and the data sent out by the vehicle may be time stamped, to compare data generated at the same time. The sample sizes that are compared may be compared based on time, geography, and/or events (e.g., deployment of airbag).

Under a broad yet reasonable interpretation the Examiner finds Ruvio teaching that collecting time stamps from a plurality of vehicles is a sample size used for comparison.  The comparison can be based not only on when (timestamp) the events happened, but where (location), and to what (deployment of airbag.  Common among these elements is the time.  

re: does not teach comparing data – Respectfully, the Examiner disagrees. For ease of reference the Examiner copied Ruvio here:
[0042] Optionally, the analysis is performed based on a comparison between the sensor data received from the computing unit of the vehicle, and sensor data designated as normal operation received from other vehicles. Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity.


Appellant Asserts:  Indeed, Applicant notes that Ruvio can detect malicious activity in a plurality of vehicles, but Ruvio does that for each vehicle separately, that is, Ruvio operates on each specific vehicle (and each specific sensor therein) separately. However, Ruvio never compares, correlates or relates data from one vehicle in a fleet with data of another vehicle in the fleet. Therefore, Ruvio has no way of identifying an event or attribute which two or more vehicles share or have in common. 

Examiner Response:  See Ruvio [0042] above as the Examiner has addressed the common attribute and events above.

Appellant Asserts: The mere teaching of separately identifying a threat in more than one vehicle does not suffice to teach identification of a threat based on an event or attribute common to a plurality of vehicles in a fleet.
In light of the foregoing arguments, it is clear that Ruvio does not teach or suggest all the
limitations of independent claim 20. Accordingly, Appellant respectfully submits that claim 20 is
patentable under 35 U.S.C. § 102(a)(1) over Ruvio.
Examiner Response: Respectfully, the Examiner disagrees that the teaching of separately identifying a threat in more than one vehicle does not suffice to teach identification of a threat based on an event or attribute common to a plurality of vehicles because more than one vehicle constitutes a fleet whereby the threat associated with the more than one vehicle is an event.  It is at least for the reasons as stated above that the Examiner finds Ruvio anticipates claim 20 and would maintain the rejection of Claim 20.

B.  
	4.  Ruvio and Holzhauer Do Not Render Indecent Claims 1 and 9 ObviousAppellant Asserts:  On page 4 of the final Office Action, in order to find the claimed element of “identify that at least one of: the fleet and a vehicle in the fleet is under a cyber-attack based on identifying, in   the reports, at least one of: an attribute which is common to a plurality of vehicles in the fleet, and an event occurring in a plurality of vehicles in the fleet”, the Examiner cites to paragraph [0193] of Ruvio. Paragraph [0193] of Ruvio describes a server providing analysis service to a vehicle, where the vehicle can be one of a plurality of vehicles.

However, nowhere in paragraph [0193] does Ruvio teach aggregation of data or describe
usage of aggregated data. For example, paragraph [0193] does not describe comparing or relating data of a first vehicle with that of another vehicle. Accordingly, the teaching of paragraph [0193] cannot be used to identify an attribute or event common to a plurality of vehicles, let alone identify a cyber threat based in a common attribute or event in/of a plurality of vehicles.

Examiner Response:  Respectfully, appellant is arguing Response to Arguments instead of the mapping of the claims to the prior art.  Appellant argues that the deficiency of a paragraph [0193] not even cited in claims 1 and 9, as is stated under appellant’s heading.  The Examiner cannot respond to assertions not in evidence to the action set forth.

Appellant Asserts:  The attack surface and attack vectors mentioned in paragraph [0005] of Ruvio are descriptive terms used in the industry which classify, or describe, ways by which a vehicle can be attacked. However, an attack vector or surface is not an event, nor are these an attribute of a vehicle, such as an IP address or a connected dongle.
Applicant contends that broadly stating that an attack can be based on practically
anything, e.g., a location of a vehicle, software in the vehicle etc. as in paragraph [0005] of
Ruvio, cannot describe or enable identifying an attack based on an attribute or event common to
a plurality of vehicles, e.g., identifying an attack based on a common CD played in a plurality of
vehicles as enabled by amended independent claim 20.

Examiner Response:  Respectfully, the Examiner disagrees with appellant characterization of Ruvio at [0005] because:

a. the vector in an attack vector are the components used to implement the malfeasance.  The actual ‘attack’ is the event and as such, an attack vector describes the event and the target.  For example, if the “attack vector” is the particular Bluetooth™ element whereas the “attack” is a malicious event against the Bluetooth™ element.
  
b.  Ruvio does not make a broad declaration of an attack.  Rather, [0005] of Ruvio and the Appellant cite Ruvio as providing specific examples such (including mechanics tools, compact disc players, Bluetooth™ links, and cellular radio); and further, that wireless communications channels can allow remote vehicle control, location tracking, in-cabin audio ‘exfiltration’, and vehicle theft).
c.  The argument that Ruvio cannot describe or enable identifying an attack based on an attribute or event common to a plurality of vehicles has been addressed by the Examiner above in section 3.
Appellant Assets:  In contrast, the application as filed provides examples of identifying an event or attribute which is common to a plurality of vehicles. For example:

Accordingly, by examining a history of devices that were paired with
attacked vehicles, server 210 may identify an attack surface, for example, if a
type of device is common to all attacked vehicles” (para. [0047], emphasis
added)

Correlation may include, once an attack has been verified, searching for
common IP addresses and/or domain name serves (DNSs) in logs to find a
source of an attack. Identifying a source of an attack may enable server 210
to identify additional attacks which might still be unnoticed. Any
communication logs in multiple vehicles may be examined to identify if
attacks are from the same source or place. (para. [0060], emphasis added)

An embodiment may analyze or look at entertainment devices logs at time of
attacks across multiple vehicles to identify common media (e.g., CD, File,
etc.) as a suggested attack vector. (para. [0073], emphasis added).

An embodiment may look at connectivity devices visibility (not necessarily
paired) logs at time of attacks across multiple vehicles to identify common
devices (smartphone, dongles etc.) as a suggested attack vector.
Examiner Response:  Respectfully, if appellant desired these examples for consideration they should have been claimed.  The Examiner is compelled to consider the claims under a broad and reasonable interpretation in light of the specification and in light of one of ordinary skill in the art.  In the above examples the Examiner would have cited the prior art of Record or introduced new art if particular elements of the claims were not taught.  In this case:
- per type of device is common – Ruvio [0005] exploitation of connected vehicles is feasible via a broad range of attack vectors (including mechanics tools, compact disc players, Bluetooth links, and cellular radio.
- per common IP addresses and/or domain name serves - Holzhauer [0079] The ability to generate threat signatures at the domain layer, and apply these signatures to other industrial asset sites, may significantly improve fleet security.
- per identify common media (e.g., CD, File, etc.) as a suggested attack vector - Holzhauer [0001] Industrial assets control systems that operate physical systems (e.g., associated with power turbines, jet engines, locomotives, autonomous vehicles, etc.) are increasingly connected to the Internet. As a result, these control systems may be vulnerable to threats, such as cyber-attacks (e.g., associated with a computer virus, malicious software, etc.), that could disrupt electric power generation and distribution, damage engines, inflict vehicle malfunctions, etc.Appellant Asserts:  In light of the foregoing arguments, it is clear that the combination of Ruvio in view of Holzhauer does not teach or suggest all the limitations of independent claims 1 and 9. Each of claims 2-8 and 10-19 depends, directly or indirectly, from one of independent claims 1 and 9, and is thus likewise allowable. Accordingly, Appellant respectfully submits that claims 1-19 are patentable under 35 U.S.C. § 103(a) over Ruvio and Holzhauer.

Examiner Response:  Respectfully, the Examiner maintains that the prior art of record Ruvio in view of Holzhauer teaches the limitation of independent claims 1 and 9 for the reasons as set forth above, and in the Final Office action of 10/28/2021.

	For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/WILLIAM B JONES/Examiner, Art Unit 2491                                                                                                                                                                                                        

Conferees:

/ALEXANDER LAGOR/Supervisory Patent Examiner, TC 4100                                                                                                                                                                                                        
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491                                                                                                                                                                                                        
Requirement to pay appeal forwarding fee. In order to avoid dismissal of the instant appeal
in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an
appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely
paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.