DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 3, and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017).

Regarding claim 1, Noon discloses a process for detecting anomalies on a controller area network (CAN) bus comprising: (See Noon para. 25, lines 5-7, fig. 1b; CAN bus)
analyzing an arbitration field in a message on the CAN bus;  (See Noon para. 32, lines 6-14; CAN messages characterized based upon arbitration ID (e.g. field) of message)
inspecting a data field in the message on the CAN bus; (See Noon para. 50; data content of message valid (e.g. inspecting data field)) 
monitoring a frequency of message identifiers that are transmitted across the CAN bus;  (See Noon para. 46; message frequency is acquired)
transmitting an alert when the analyzing the arbitration field, the inspecting the data field, the monitoring the frequency, and the determining the overall bus load indicate that an anomaly has occurred on the CAN bus.  (See Noon para. 44; displaying a number of anomalies (e.g. it is transmitted to the display); para. 50; minimum time between seeing a message and allowing the message to appear again (e.g. load))
Noon does not explicitly disclose determining that an overall bus load crosses a threshold.  However, Froschle does disclose determining that an overall bus load crosses a threshold.  (See Froschle pg. 475, para. 1; bus load 100% (e.g. over 99.99999999% (e.g. threshold))  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the process of Noon to include the teaching of determining that an overall bus load crosses a threshold of Froschle with the motivation being to detect blind spot attacks (See Froschle pg. 475, para. 1) and further to prevent unauthorized access to a network and further to prevent malicious activity on a network.



	Regarding claim 2, Noon in view of Froschle discloses the process of claim 1, wherein the analyzing the arbitration field comprises determining that an arbitration identifier and a data length code are contained on a whitelist, thereby indicating that an anomaly has not occurred. (See Noon para. 38; white list (which indicates anomaly has not occurred) from message ID (e.g. arbitration code) during a period or periods (e.g. data length; period has a certain length and has data))

	Regarding claim 3, Noon in view of Froschle discloses the process of claim 1, wherein the inspecting the data field comprises interpreting one or more parts of the data field as signals based on one or more signal rules in a configuration file.  (See Noon para. 39; messages in white list are interpreted according to manufacturer CAN spec (e.g. rules) which contain configuration information such as amounts and types of comm traffic anticipated and are in watchman format (e.g. config file))

	Regarding claim 4, Noon in view of Froschle discloses the process of claim 3, wherein the signal rules in the configuration file comprise a list of data that are allowed and a list of data that are not allowed. (See Noon para. 39; white list (e.g. allowed); para. 41 black list (e.g. not allowed))


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Copeland (2002/0144156).

	Regarding claim 5, Noon in view of Froschle discloses the process of claim 1, comprising:
	determining a normal frequency for the frequency of message identifiers that are transmitted across the CAN bus; and
generating an alarm when the frequency of message identifiers that are transmitted across the CAN bus deviates from the normal frequency.  (See Noon para. 38; determining frequency of messages transmitted across CAN; para. 44; displaying anomalies or malfunctions detected (e.g. an alarm))
Noon in view of Froschle do not explicitly disclose storing information in a table.  However, Copeland does disclose storing information in a table.  (See Copeland para. 64; data is stored in a table)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle to include the teaching of storing information in a table of Copeland with the motivation being to allow for convenient access and further using known methods (e.g. table storage) that yields predictable results (wide compatibility).


Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Copeland (2002/0144156) and further in view of Bauer (2013/0212422).


	Regarding claim 6, Noon in view of Froschle in view of Copeland discloses the process of claim 5.  Noon in view of Froschle in view of Copeland do not explicitly disclose detecting an abnormal condition based upon when the rate is greater than twice the normal rate.  However, Bauer does disclose detecting an abnormal condition based upon when the rate is greater than twice the normal rate.  (See Bauer para. 18)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle in view of Copeland to include the teaching of detecting an abnormal condition based upon when the rate is greater than twice the normal rate of Bauer with the motivation being to prevent false positives and further to ensure accurate detection of a issue.


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Ishiguro (2004/0038680) and further in view of Brown (2011/0153103).

	Regarding claim 7, Noon in view of Froschle discloses the process of claim 1.
	Noon in view of Froschle do not explicitly disclose determining a threshold from a table.  However, Ishiguro does disclose determining a threshold from a table.  (See Ishiguro para. 50)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle to include the teaching of determining a threshold from a table of Ishiguro with the motivation being to allow for flexible parameters (as opposed to just one fixed threshold) which can allow for flexible configurations.
Noon in view of Froschle in view of Ishiguro do not explicitly disclose transmitting an alert when the load is greater than the threshold.  However, Brown does disclose transmitting an alert when the load is greater than the threshold.  (See Brown para. 12; last sentence)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle in view of Ishiguro to include the teaching of transmitting an alert when the load is greater than the threshold of Brown with the motivation being to allow for corrective action to be taken and further to allow the user to make adjustments.


Claims 8-11 are rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017).

Regarding claim 8, Noon discloses a system comprising: 
a computer processor; and 
a computer memory coupled to the computer processor, wherein the computer processor is operable for detecting anomalies on a controller area network (CAN) bus by: (See Noon para. 52, 53; processor executing an algorithm stored in memory) (See Noon para. 25, lines 5-7, fig. 1b; CAN bus)
analyzing an arbitration field in a message on the CAN bus;  (See Noon para. 32, lines 6-14; CAN messages characterized based upon arbitration ID (e.g. field) of message)
inspecting a data field in the message on the CAN bus; (See Noon para. 50; data content of message valid (e.g. inspecting data field)) 
monitoring a frequency of message identifiers that are transmitted across the CAN bus;  (See Noon para. 46; message frequency is acquired)
transmitting an alert when the analyzing the arbitration field, the inspecting the data field, the monitoring the frequency, and the determining the overall bus load indicate that an anomaly has occurred on the CAN bus.  (See Noon para. 44; displaying a number of anomalies (e.g. it is transmitted to the display); para. 50; minimum time between seeing a message and allowing the message to appear again (e.g. load))
Noon does not explicitly disclose determining that an overall bus load crosses a threshold.  However, Froschle does disclose determining that an overall bus load crosses a threshold.  (See Froschle pg. 475, para. 1; bus load 100% (e.g. over 99.99999999% (e.g. threshold))  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the process of Noon to include the teaching of determining that an overall bus load crosses a threshold of Froschle with the motivation being to detect blind spot attacks (See Froschle pg. 475, para. 1) and further to prevent unauthorized access to a network and further to prevent malicious activity on a network.

	Regarding claim 9, Noon in view of Froschle discloses the system of claim 8, wherein the analyzing the arbitration field comprises determining that an arbitration identifier and a data length code are contained on a whitelist, thereby indicating that an anomaly has not occurred. (See Noon para. 38; white list (which indicates anomaly has not occurred) from message ID (e.g. arbitration code) during a period or periods (e.g. data length; period has a certain length and has data))

Regarding claim 10, Noon in view of Froschle discloses the system of claim 8, wherein the inspecting the data field comprises interpreting one or more parts of the data field as signals based on one or more signal rules in a configuration file. (See Noon para. 39; messages in white list are interpreted according to manufacturer CAN spec (e.g. rules) which contain configuration information such as amounts and types of comm traffic anticipated and are in watchman format (e.g. config file))

	Regarding claim 11, Noon in view of Froschle discloses the system of claim 10, wherein the signal rules in the configuration file comprise a list of data that are allowed and a list of data that are not allowed. (See Noon para. 39; white list (e.g. allowed); para. 41 black list (e.g. not allowed))


Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Copeland (2002/0144156).

	Regarding claim 12, Noon in view of Froschle discloses the system of claim 8, wherein the computer processor is operable for:
	determining a normal frequency for the frequency of message identifiers that are transmitted across the CAN bus; and
generating an alarm when the frequency of message identifiers that are transmitted across the CAN bus deviates from the normal frequency.  (See Noon para. 38; determining frequency of messages transmitted across CAN; para. 44; displaying anomalies or malfunctions detected (e.g. an alarm))
Noon in view of Froschle do not explicitly disclose storing information in a table.  However, Copeland does disclose storing information in a table.  (See Copeland para. 64; data is stored in a table)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle to include the teaching of storing information in a table of Copeland with the motivation being to allow for convenient access and further using known methods (e.g. table storage) that yields predictable results (wide compatibility).


Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Copeland (2002/0144156) and further in view of Bauer (2013/0212422).

	Regarding claim 13, Noon in view of Froschle in view of Copeland discloses the system of claim 12.  Noon in view of Froschle in view of Copeland do not explicitly disclose detecting an abnormal condition based upon when the rate is greater than twice the normal rate.  However, Bauer does disclose detecting an abnormal condition based upon when the rate is greater than twice the normal rate.  (See Bauer para. 18)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle in view of Copeland to include the teaching of detecting an abnormal condition based upon when the rate is greater than twice the normal rate of Bauer with the motivation being to prevent false positives and further to ensure accurate detection of an issue.


Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Ishiguro (2004/0038680) and further in view of Brown (2011/0153103).

	Regarding claim 14, Noon in view of Froschle discloses the system of claim 8.
Noon in view of Froschle do not explicitly disclose determining a threshold from a table.  However, Ishiguro does disclose determining a threshold from a table.  (See Ishiguro para. 50)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle to include the teaching of determining a threshold from a table of Ishiguro with the motivation being to allow for flexible parameters (as opposed to just one fixed threshold) which can allow for flexible configurations.
Noon in view of Froschle in view of Ishiguro do not explicitly disclose transmitting an alert when the load is greater than the threshold.  However, Brown does disclose transmitting an alert when the load is greater than the threshold.  (See Brown para. 12; last sentence)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle in view of Ishiguro to include the teaching of transmitting an alert when the load is greater than the threshold of Brown with the motivation being to allow for corrective action to be taken and further to allow the user to make adjustments.


Claims 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017).

	Regarding claim 15, Noon discloses a non-transitory computer-readable medium comprising instructions that when executed by a processor execute a process for detecting anomalies on a computer network bus by: (See Noon para. 52, 53; processor executing an algorithm stored in memory) (See Noon para. 25, lines 5-7, fig. 1b; CAN bus (e.g. network bus))
	analyzing an arbitration field in a message on the computer network bus; (See Noon para. 32, lines 6-14; CAN messages characterized based upon arbitration ID (e.g. field) of message)
inspecting a data field in the message on the computer network bus; (See Noon para. 50; data content of message valid (e.g. inspecting data field))
monitoring a frequency of message identifiers that are transmitted across the computer network bus; (See Noon para. 46; message frequency is acquired)
transmitting an alert when the analyzing the arbitration field, the inspecting the data field, the monitoring the frequency, and the determining the overall bus load indicate that an anomaly has occurred on the computer network bus. (See Noon para. 44; displaying a number of anomalies (e.g. it is transmitted to the display); para. 50; minimum time between seeing a message and allowing the message to appear again (e.g. load))
Noon does not explicitly disclose determining that an overall bus load crosses a threshold.  However, Froschle does disclose determining that an overall bus load crosses a threshold.  (See Froschle pg. 475, para. 1; bus load 100% (e.g. over 99.99999999% (e.g. threshold))  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the process of Noon to include the teaching of determining that an overall bus load crosses a threshold of Froschle with the motivation being to detect blind spot attacks (See Froschle pg. 475, para. 1) and further to prevent unauthorized access to a network and further to prevent malicious activity on a network.

	Regarding claim 16, Noon in view of Froschle discloses the non-transitory computer-readable medium of claim 15, wherein the computer network bus comprises a controller area network (CAN) bus. (See Noon para. 25, lines 5-7, fig. 1b; CAN bus (e.g. network bus))

	Regarding claim 17, Noon in view of Froschle discloses the non-transitory computer-readable medium of claim 15, wherein the analyzing the arbitration field comprises determining that an arbitration identifier and a data length code are contained on a whitelist, thereby indicating that an anomaly has not occurred. (See Noon para. 38; white list (which indicates anomaly has not occurred) from message ID (e.g. arbitration code) during a period or periods (e.g. data length; period has a certain length and has data))

	Regarding claim 18, Noon in view of Froschle discloses the non-transitory computer-readable medium of claim 15, wherein the inspecting the data field comprises interpreting one or more parts of the data field as signals based on one or more signal rules in a configuration file. (See Noon para. 39; messages in white list are interpreted according to manufacturer CAN spec (e.g. rules) which contain configuration information such as amounts and types of comm traffic anticipated and are in watchman format (e.g. config file))


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Copeland (2002/0144156) and further in view of Bauer (2013/0212422).

	Regarding claim 19, Noon in view of Froschle discloses the non-transitory computer-readable medium of claim 15, comprising instructions for:
	determining a normal frequency for the frequency of message identifiers that are transmitted across the CAN bus; and
generating an alarm when the frequency of message identifiers that are transmitted across the CAN bus deviates from the normal frequency.  (See Noon para. 38; determining frequency of messages transmitted across CAN; para. 44; displaying anomalies or malfunctions detected (e.g. an alarm))
Noon in view of Froschle do not explicitly disclose storing information in a table.  However, Copeland does disclose storing information in a table.  (See Copeland para. 64; data is stored in a table)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle to include the teaching of storing information in a table of Copeland with the motivation being to allow for convenient access and further using known methods (e.g. table storage) that yields predictable results (wide compatibility).
Noon in view of Froschle in view of Copeland do not explicitly disclose detecting an abnormal condition based upon when the rate is greater than twice the normal rate.  However, Bauer does disclose detecting an abnormal condition based upon when the rate is greater than twice the normal rate.  (See Bauer para. 18)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle in view of Copeland to include the teaching of detecting an abnormal condition based upon when the rate is greater than twice the normal rate of Bauer with the motivation being to prevent false positives and further to ensure accurate detection of an issue.


Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Noon (2015/0191135), and further in view of Froschle (“Analyzing the Capabilities of the CAN Attacker”; 2017) and further in view of Ishiguro (2004/0038680) and further in view of Brown (2011/0153103).

	Regarding claim 20, Noon in view of Froschle discloses the non-transitory computer-readable medium of claim 15.
Noon in view of Froschle do not explicitly disclose determining a threshold from a table.  However, Ishiguro does disclose determining a threshold from a table.  (See Ishiguro para. 50)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle to include the teaching of determining a threshold from a table of Ishiguro with the motivation being to allow for flexible parameters (as opposed to just one fixed threshold) which can allow for flexible configurations.
Noon in view of Froschle in view of Ishiguro do not explicitly disclose transmitting an alert when the load is greater than the threshold.  However, Brown does disclose transmitting an alert when the load is greater than the threshold.  (See Brown para. 12; last sentence)  Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the apparatus of Noon in view of Froschle in view of Ishiguro to include the teaching of transmitting an alert when the load is greater than the threshold of Brown with the motivation being to allow for corrective action to be taken and further to allow the user to make adjustments.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN J CLAWSON whose telephone number is (571)270-7498. The examiner can normally be reached M-F 7:30-5:00 pm est.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Huy D Vu can be reached on (571) 272-3155. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Stephen J Clawson/Primary Examiner, Art Unit 2461