DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments filed on 8/29/2022, directed at the amended claims submitted on 8/29/2022 were considered, but are moot in view of new rejections made below in response to the latest amendments by applicant.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

 (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-4, 6-8, 10, 11-14, and 16-18 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by Galula (US 2018/0351980).

Regarding claims 1, 10 and 11, Galula teaches A method for contextual connected vehicle security incident integration (see abstract: “A system and method for providing fleet cyber-security comprising may include collecting, by a plurality of data collection units installed in a respective plurality of vehicles in the fleet, information related to cyber security and including the information in reports to a server. Data in reports may be aggregated, by the server. A cyber-attack may be identified based on aggregated data”), comprising: 
correlating a security incident violation with a connected vehicle, wherein the security incident violation is indicated in security incident data collected by at least one connected vehicle security system of the connected vehicle, wherein the security incident violation indicates a deviation from normal operation of the connected vehicle (see [0077] and Fig. 2: “An embodiment may fuse vehicle logs with accidents database (DB). For example, if there is an unlikely pattern shared by some cars that were involved in accidents, this could be a covert attack. An accidents DB may be any database, online or other source that may include or provide information related to accidents, e.g., location and time of accidents, identifications of vehicles involved (e.g., plate numbers) and so on. Identifying a specific pattern of messages destined to and/or originating from, a set of vehicles involved in an accident may be used by server 210 to identify an attack that took place when or where an accident occurred”. And see [0050] and Fig. 2: “Correlation may include comparing, grouping or relating vehicle logs with an accidents DB, e.g., in server 260. For example, if there is an unlikely pattern shared by some vehicles that were involved in accidents, this could be a covert attack that may be identified by server 210 by elating vehicle logs to data in an accidents DB”. The Examiner interprets the accidents database in server 260 as at least one connected vehicle security system of the connected vehicle. The Examiner interprets an accident as a security incident violation, wherein the security incident violation is indicated in security incident data collected by at least one connected vehicle security system of the connected vehicle, wherein the security incident violation indicates a deviation from normal operation of the connected vehicle. The Examiner further interprets “identifications of vehicles involved (e.g., plate numbers)” in an accident in [0077] as correlating a security incident violation with a connected vehicle. And see [0024] and Fig. 1: “storage system may include, or may be used for storing, aggregated data 131, server logs, lists or databases 132, reports 133, entity codes 134 and server data 135. …Entity codes 134 may be codes that identify entities (e.g. vehicles, vehicle or other components, automobile parts, vehicle systems such as a steering system or an audio system, etc.)”. Also see [0041]); 
enriching the security incident data of the connected vehicle with cybersecurity data based on the correlation in order to create enriched security incident data, wherein the cybersecurity data is related to at least one of: the connected vehicle, and communications between the connected vehicle and at least one external system (see [0050]: “Correlation may include comparing, grouping or relating vehicle logs with an accidents DB, e.g., in server 260. For example, if there is an unlikely pattern shared by some vehicles that were involved in accidents, this could be a covert attack that may be identified by server 210 by elating vehicle logs to data in an accidents DB. For example, if right before an accident, logs in vehicles all show that a communication through a specific cell tower was made then server 210 may determine the cell tower is the source of an attack”. The Examiner interprets the specific cell tower as at least one external system. The Examiner interprets a communication with vehicles through a specific cell tower as cybersecurity data, wherein the cybersecurity data is related to at least one of: the connected vehicle, and communications between the connected vehicle and at least one external system. The Examiner interprets relating vehicle logs with an accidents DB to show that a communication through a specific cell tower was made right before an accident as enriching the security incident data of the connected vehicle with cybersecurity data based on the correlation in order to create enriched security incident data, wherein the cybersecurity data is related to at least one of: the connected vehicle, and communications between the connected vehicle and at least one external system. And see [0035], [0038], [0041], [0042]); 
generating a risk assessment for the connected vehicle based on the enriched security incident data (see [0125] and Fig. 3: “As shown by block 320, information in reports may be aggregated. For example, server 210 may aggregate information in reports from DCUs 221 to produce aggregated data 131. As shown by block 325, a cyber threat may be identified based on aggregated reports. For example, server 210 may identify a cyber attack or other threat based on aggregated data 131 as described”. And see [0050]: “Correlation may include comparing, grouping or relating vehicle logs with an accidents DB, e.g., in server 260. For example, if there is an unlikely pattern shared by some vehicles that were involved in accidents, this could be a covert attack that may be identified by server 210 by elating vehicle logs to data in an accidents DB. For example, if right before an accident, logs in vehicles all show that a communication through a specific cell tower was made then server 210 may determine the cell tower is the source of an attack”. The Examiner interprets identifying cyberattacks based on aggregated data 131 as generating a risk assessment for the connected vehicle based on the enriched security incident data. And see [0037], [0044], [0070], [0108], [0117], [0120]); and 
performing at least one mitigation action with respect to the connected vehicle based on the risk assessment (see [0126]: “a unit such as server 210 may perform one or more actions if or when an attack is detected or identified as described. For example, server 210 may send a message (e.g., an electronic mail (email) or a Short Message Service (SMS) message) to a predefined list of recipients informing the recipients of the attack, possibly including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on. An action taken by server 210 may include communicating with the driver of an attacked vehicle, with a dealership, service facility and/or a relevant authority”. And see [0121]: “some attacks may leave malware in attacked vehicles thus, by detecting or identifying that an attack occurred in the past, malware left in vehicles can be detected and removed”. And see [0090]).

Regarding claims 2 and 12, Galula further teaches wherein the at least one connected vehicle security system of the connected vehicle and the at least one external system are among a communications ecosystem, wherein systems among the communications ecosystem communicate with each other (see [0029] and Fig. 2: “a system 200 may include one or more server(s) 210 and a fleet of vehicles 220 that may communicate over one or more network(s) 230…. Server 260 may be a web server or any other suitable server from which server 210 may get information related to traffic, weather and the like. For example, server 260 may be a web server or a server operated by an authority that provides information related to traffic accidents, weather storms, communication systems failures etc.”), further comprising: 
correlating the security incident violation to each system among the communications ecosystem such that the cybersecurity data used for enriching the security incident data includes data related to communications within the communications ecosystem (see [0041]: “Server 210 may fuse, correlate and/or aggregate data from any number of vehicles 220 with data from other sources. For example, data received from dealerships, weather sources, traffic reports, the internet and so on may be fused or combined with data received from vehicles 220 such that various cyber-security conclusions may be derived”. And see [0050]: “Correlation may include comparing, grouping or relating vehicle logs with an accidents DB, e.g., in server 260. For example, if there is an unlikely pattern shared by some vehicles that were involved in accidents, this could be a covert attack that may be identified by server 210 by elating vehicle logs to data in an accidents DB. For example, if right before an accident, logs in vehicles all show that a communication through a specific cell tower was made then server 210 may determine the cell tower is the source of an attack”).

Regarding claims 3 and 13, Galula further teaches wherein the communications ecosystem includes a fleet of connected vehicles (see [0029] and Fig. 2: “a system 200 may include one or more server(s) 210 and a fleet of vehicles 220 that may communicate over one or more network(s) 230”), wherein the cybersecurity data used for enriching the security incident data includes a number of connected vehicles including systems among the communications ecosystem exhibiting the same type of security incident violation (see [0050]: “Correlation may include comparing, grouping or relating vehicle logs with an accidents DB, e.g., in server 260. For example, if there is an unlikely pattern shared by some vehicles that were involved in accidents, this could be a covert attack that may be identified by server 210 by elating vehicle logs to data in an accidents DB. For example, if right before an accident, logs in vehicles all show that a communication through a specific cell tower was made then server 210 may determine the cell tower is the source of an attack”).

Regarding claims 4 and 14, Galula further teaches wherein correlating the security incident violation with the connected vehicle further comprises enriching the security incident data with an identifier of the connected vehicle (see [0077] and Fig. 2: “An embodiment may fuse vehicle logs with accidents database (DB). For example, if there is an unlikely pattern shared by some cars that were involved in accidents, this could be a covert attack. An accidents DB may be any database, online or other source that may include or provide information related to accidents, e.g., location and time of accidents, identifications of vehicles involved (e.g., plate numbers) and so on. Identifying a specific pattern of messages destined to and/or originating from, a set of vehicles involved in an accident may be used by server 210 to identify an attack that took place when or where an accident occurred”).

Regarding claims 6 and 16, Galula further teaches wherein the security incident violation is a mobility violation indicating at least one abnormal driving activity of the connected vehicle  (see [0077] and Fig. 2: “An embodiment may fuse vehicle logs with accidents database (DB). For example, if there is an unlikely pattern shared by some cars that were involved in accidents, this could be a covert attack. An accidents DB may be any database, online or other source that may include or provide information related to accidents, e.g., location and time of accidents, identifications of vehicles involved (e.g., plate numbers) and so on. Identifying a specific pattern of messages destined to and/or originating from, a set of vehicles involved in an accident may be used by server 210 to identify an attack that took place when or where an accident occurred”. The Examiner interprets an accident as a security incident violation, wherein the security incident violation is a mobility violation indicating at least one abnormal driving activity of the connected vehicle).

Regarding claims 7 and 17, Galula further teaches wherein the cybersecurity data includes at least one of: update data, at least one alert by a cybersecurity threat detector, at least one cybersecurity threat detected for at least one other connected vehicle, at least one mobility threat detected for at least one other connected vehicle (see [0077] and Fig. 2: “An embodiment may fuse vehicle logs with accidents database (DB). For example, if there is an unlikely pattern shared by some cars that were involved in accidents, this could be a covert attack. An accidents DB may be any database, online or other source that may include or provide information related to accidents, e.g., location and time of accidents, identifications of vehicles involved (e.g., plate numbers) and so on. Identifying a specific pattern of messages destined to and/or originating from, a set of vehicles involved in an accident may be used by server 210 to identify an attack that took place when or where an accident occurred”. And see [0050] and Fig. 2: “Correlation may include comparing, grouping or relating vehicle logs with an accidents DB, e.g., in server 260. For example, if there is an unlikely pattern shared by some vehicles that were involved in accidents, this could be a covert attack that may be identified by server 210 by elating vehicle logs to data in an accidents DB. For example, if right before an accident, logs in vehicles all show that a communication through a specific cell tower was made then server 210 may determine the cell tower is the source of an attack”. The Examiner interprets one other vehicle being involved in another accident taught by [0077] and [0050] as at least one mobility threat detected for at least one other connected vehicle), and error data.

Regarding claims 8 and 18, Galula further teaches wherein the at least one mitigation action includes reconfiguring at least one detector of the connected vehicle with respect to data collection based on the enriched security incident data (see [0051]: “Correlation may include comparing anomalies with weather reports to detect possible false positives and/or faulty ECUs in extreme weather conditions. For example, server 210 may remove or ignore anomalies which are false positive caused by extreme environmental conditions (such as extreme low/high temperatures) by fusing geolocation with weather data feed, e.g., obtained from the internet”. And see [0070]: “server 210 may run or execute logic to detect security related events based on aggregated, correlated, grouped and/or fused data. For example, based on weather conditions received from a website and reports of suspected anomalies in some of vehicles 220, server 210 may determine whether or not the suspected anomalies are indeed indicative of an attack or they are a result of severe weather conditions”. And see [0071]: “An embodiment may ignore anomalies which are false positive caused by extreme environmental conditions (such as storms, extreme high/low temperature etc.) by for example fusing geolocation with weather data feed. For example, an SEU in a vehicle 220 may provide server 210 with a location of vehicle 220, server 210 may obtain weather information (or condition) for the location, and server 210 may process cyber-security data received from, or related to, vehicle 220, based on the weather condition at the location of vehicle 220. For example, based on weather conditions, server 210 may change thresholds, e.g., such that missed messages are not treated as anomalies (e.g., they are attributed to bad communication resulting from extreme weather conditions) or (possibly a very high frequency of) messages related to exceptional engine temperature (that may otherwise be considered an indication of an anomaly) may be ignored, e.g., attributed to extremely high temperature where vehicle 220 is”. The Examiner interprets changing thresholds for treating missed messages as anomalies based on weather conditions as reconfiguring at least one detector of the connected vehicle with respect to data collection based on the enriched security incident data).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5, 9, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Galula (US 2018/0351980), and further in view of Ostergaard (US 2018/0255082).

Regarding claims 5 and 15, Galula fails to teach normalizing the security incident data, wherein normalizing the security incident data further comprises converting at least a portion of the security incident data into a unified format based on a type of the security incident violation.
In the same field of endeavor, Ostergaard teaches normalizing the security incident data, wherein normalizing the security incident data further comprises converting at least a portion of the security incident data into a unified format based on a type of the security incident violation (see [0055]: “As shown by the example architecture of FIG. 9, data is captured through the tap, whereupon the data is decoded and transformed into a common format for entry in the database. In the example of FIG. 9, the CAN format 905 has a high byte, a low byte, and a payload. The decoding function would thereby translate the high-byte and low-byte into a data source, and further translates the payload into a payload value and the type of payload as shown at 906”. And see [0053]: “For each module, there is a tap that allows it to read data from the source. The data is then transformed and decoded into a format that is able to be used by the anomaly detection system”. And see [0035] and [0054]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method for contextual connected vehicle security incident integration taught by Galula by adding the step of normalizing the security incident data, wherein normalizing the security incident data further comprises converting at least a portion of the security incident data into a unified format based on a type of the security incident violation taught by Ostergaard. It would have been obvious because Ostergaard teaches the following: “For each module, there is a tap that allows it to read data from the source. The data is then transformed and decoded into a format that is able to be used by the anomaly detection system” (see [0053]). 

Regarding claims 9 and 19, Galula fails to teach wherein the at least one mitigation action includes quarantining the connected vehicle from the at least one external system.
In the same field of endeavor, Ostergaard teaches wherein the at least one mitigation action includes quarantining the connected vehicle from the at least one external system (see [0072]: “FIG. 17 illustrates another example process flow, where a malicious payload is being downloaded to a parked vehicle over a mobile network, in accordance with an example implementation. At 1700, suppose that bad sensor data is entered maliciously (e.g. malicious network data is transmitted to the network adapter of the car via mobile broadband or through a wireless connection). At 1701, the driving state is determined as that the vehicle is parked. At 1702, a determination is made as to whether reports are received from the V2X or cloud. In this example, it is determined that the cloud has provided reports indicating that the bad sensor data is malicious. Thus at 1703, the message is labeled as malicious. At 1704, the results are logged and the local security management function is informed. At 1705, the safety mode is activated based on the malicious report and thus the malicious communication can be isolated and terminated”. And see [0041]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method for contextual connected vehicle security incident integration taught by Galula by letting the at least one mitigation action include quarantining the connected vehicle from the at least one external system, as taught by Ostergaard. It would have been obvious because doing so achieves the commonly understood benefit of preventing malicious commands from the at least one external system from harming the operations of the connected vehicle.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495                                                                                                                                                                                                        
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495