DETAILED ACTION
	This is in response to the application filed on September 23, 2020 where Claims 1 – 21, of which Claims 1, 11, and 21 are in independent form, are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDSs) submitted on December 23, 2020 and January 19, 2021 were filed before the mailing date of the current invention.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
101 Analysis
	Claims 1, 11, and 21 are directed to validating distributed firmware by calculating a hash and signature for each of the plurality of segments of the firmware.  While the use of hashes and other mathematical computations is generally not considered statutory, the application of a security device coupled to the bus of the to-be-updated components that performs different actions when the firmware is not validated, based on the mode the security device is in, ties the statutory exception into improving security in the particular field of firmware/software distribution within low-capacity networks [See Specification, Para. 0004-5].  Therefore, the claims integrate the judicial exception into a practical application and satisfy Step 2A, Prong Two of the 2019 Revised 101 Patent Eligibility Guidelines as patent eligible subject matter.
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 21 are rejected under 35 U.S.C. 103 as being unpatentable over PGPub. 2020/0264864 (hereinafter “Yang”), in view of PGPub. 2018/0300477 (hereinafter “Galula”).
1. 	Regarding Claim 1, Yang discloses a method for preventing unauthorized software or firmware upgrades between two or more computing devices connected on a data bus [Fig. 3 and 5], the method comprising:
transmitting, by a maintenance device coupled to the data bus, cryptographic metadata for authorized upgrade images to at least one target computing device coupled to the data bus [Fig. 5; Para. 0136, 0141-142; receiving the plurality of data blocks that carry the first MAC and contain upgrade subfiles sent by the vehicle-mounted control device (maintenance device) to the to-be-upgraded vehicle-mounted device (at least one target device)], the cryptographic metadata comprising a manifest list of upgrade images [Para. 0151, 0161; e.g., hash values for each of the subfiles sent from vehicle-mounted control device];
monitoring0141-142; waiting to receive the plurality of data blocks that carry the first MAC and contain upgrade subfiles sent by the vehicle-mounted control device];
providing
validating the striped update hashes using information in the manifest list [Fig. 5; Para. 0142, 0155, 0161; validating the subfiles using the received hash values];


Yang, however, does not specifically disclose a security appliance coupled to the data bus that performs the monitoring and receiving the transmissions from the maintenance device, logging by the security appliance that an unauthorized upload has been attempted when at least one of the striped update hashes fails validation, and performing at least one mitigation action in response to the attempted unauthorized upload.
Galula discloses a system and method for monitoring communications within a CAN utilizing a monitoring device coupled to the data bus [Fig. 1B; Para. 0010].  Galula further discloses that the monitoring device can validate data and/or computer executable instructions by comparing a received hash value with an expected hash value [Para. 0083-84].  Galula additionally describes that when a message fails validation, the monitoring device logs that an unauthorized message has been sent and transmits poison bits on the bus to corrupt and destroy the unauthorized message (when at least one of messages fails validation, logging by the security appliance that an unauthorized message has been attempted and performing at least one mitigation action in response to the attempted unauthorized message) [Fig. 2C; Para. 0068-70, 0074-75].  The combination of Galula with Yang would enable the verification procedure of the messages containing the update fragments to be performed on the monitoring device instead of the to-be-upgraded vehicle-mounted device and discard any of the update fragments if they do not pass the verification procedure.  It would have been obvious to one skilled in the art before the effective filing date of the current invention to incorporate the teachings of Galula with Yang since both systems monitor and validate CAN messages within the vehicle network.  The motivation to do so is to perform heavy computational tasks on a device other than a less powerful device to ensure secure and efficient firmware upgrades for vehicle mounted devices, since many of these devices have limited computational capacity or storage space [See Yang, Para. 0005].
2.	Regarding Claims 11 and 21, Yang discloses an apparatus (Security Appliance of Claim 21) for preventing unauthorized software or firmware upgrades between two or more computing devices connected on a data bus [Fig. 3 and 8; Para. 0247; to-be-upgraded vehicle-mounted device], the apparatus comprising:
at least one processor [Para. 0090-91, 0240]; 
memory coupled with the at least one processor (computer program product of Claim 21) [Fig. 3 and 8; Para. 0243-244; code stored in memory]; and 
a cryptographic engine coupled with the at least one processor [Para. 0247; cryptographic processing software to implement the security verification], the cryptographic engine storing cryptographic metadata for authorized upgrade images for updating at least one target computing device coupled to the data bus [Fig. 3; to-be-upgraded vehicle-mounted device is at least one target computing device coupled to the bus], the cryptographic metadata comprising a manifest list of upgrade images [Para. 0151, 0161; e.g., hash values for each of the subfiles sent from vehicle-mounted control device]; 
wherein the at least one processor is configured [Para. 0244]: 
to monitor the data bus for transmissions of striped update hashes from a maintenance device coupled to the data bus [Fig. 5; Para. 0136, 0141-142; waiting to receive the plurality of data blocks that carry the first MAC and contain upgrade subfiles sent by the vehicle-mounted control device (maintenance device)]; 
to obtain signed striped hashes corresponding to an upgrade image file transmitted by the maintenance device [Fig. 5; Para. 0136, 0141-142; receiving the plurality of data blocks that carry the first MAC and contain upgrade subfiles sent by the vehicle-mounted control device]; 
to validate the striped update hashes using information in the manifest list [Fig. 5; Para. 0142, 0155, 0161; validating the subfiles using the received hash values]; 


Yang, however, does not specifically disclose a separate security appliance coupled to the data bus that performs the security functions, logging by the security appliance that an unauthorized upload has been attempted when at least one of the striped update hashes fails validation, and performing at least one mitigation action in response to the attempted unauthorized upload.
Galula discloses a system and method for monitoring communications within a CAN utilizing a monitoring device coupled to the data bus [Fig. 1B; Para. 0010].  Galula further discloses that the monitoring device can validate data and/or computer executable instructions by comparing a received hash value with an expected hash value [Para. 0083-84].  Galula additionally describes that when a message fails validation, the monitoring device logs that an unauthorized message has been sent and transmits poison bits on the bus to corrupt and destroy the unauthorized message (when at least one of messages fails validation, logging by the security appliance that an unauthorized message has been attempted and performing at least one mitigation action in response to the attempted unauthorized message) [Fig. 2C; Para. 0068-70, 0074-75].  The combination of Galula with Yang would enable the verification procedure of the messages containing the update fragments to be performed on the monitoring device instead of the to-be-upgraded vehicle-mounted device and discard any of the update fragments if they do not pass the verification procedure.  It would have been obvious to one skilled in the art before the effective filing date of the current invention to incorporate the teachings of Galula with Yang since both systems monitor and validate CAN messages within the vehicle network.  The motivation to do so is to perform heavy computational tasks on a device other than a less powerful device to ensure secure and efficient firmware upgrades for vehicle mounted devices, since many of these devices have limited computational capacity or storage space [See Yang, Para. 0005].
3.	Regarding Claims 2 and 12, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Galula further discloses that when at least one of the signed striped hashes fails validation [Figs. 2B and 2C], the method further comprises:
when the security appliance is configured in a passive mode, queuing a fault code for the maintenance device which is indicative of an unauthorized upload [Fig. 2B; Para. 0061; aggregate the message ID and store the whole message for further processing by another entity]; and
when the security appliance is configured in an active mode, intervening on the data bus to prevent further transmission from the maintenance device to the target computing device [Fig. 2C; Para. 0070, 0077; the monitoring device can send poison bits on the bus to corrupt the messages or shut down the bus or a portion of the in-vehicle network based on an anomaly detection].
4.	Regarding Claims 3 and 13, Yang, in view of Galula, discloses the limitations of Claims 2 and 12.  Galula further discloses that intervening on the data bus comprises the security appliance transmitting interfering signals on the data bus, the interfering signals being configured to disrupt transmissions from the maintenance device to the target computing device [Fig. 2C; Para. 0070; the monitoring device can send poison bits on the bus to corrupt the messages].
5.	Regarding Claims 4 and 14, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses:
determining whether there are any further signed striped hashes to process [Para. 0136, 0142, 0144];
when a last signed striped hash has been received, stopping the method [Para. 0142, 0144]; and
when the last signed striped hash has not yet been received, continuing to monitor the data bus for update image transmissions [Para. 0136].
6.	Regarding Claims 5 and 15, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses:
performing a data integrity check as part of a data validation process to confirm that an update image transmission received from the maintenance device has not been corrupted [Para. 0129; vehicle-mounted control device verifies the authenticity of the signature of the update package]; and
when the data integrity check fails, rejecting, by the target computing device, the update image transmission and stopping the method [Para. 0129; vehicle-mounted control device cancels upgrade if verification fails].
7.	Regarding Claims 6 and 16, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses:
when at least one of the striped update hashes fails validation, determining whether reprogramming of the target computing device is required [Para. 0128, 0131, 0140; rollback when upgrade fails];
when it is determined that reprogramming of the target computing device is required, transmitting, by the security appliance, one or more last known valid update images to the target computing device [Para. 0128, 0131, 0140]; and
when it is determined that reprogramming of the target computing device is not required, stopping the method [Para. 0128, 0131, 0140; rollback is optional].
8.	Regarding Claims 7 and 17, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses that validating the signed striped hashes comprises comparing the striped update hashes transmitted by the maintenance device with signed striped hashes provided to the security appliance [Para. 0148-162] and, when the striped update hashes match the signed striped hashes, the security appliance indicating that the striped update hashes are valid [Para. 0148-162].
9.	Regarding Claims 8 and 18, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses that the manifest list comprises at least one of image version number [Para. 0123], target computing device information, image size, image cryptographic chunk size, cryptographic support information, a list of chunked hashes and/or signature of chunked hashes, type of hash function used to generate the striped update hashes, public key, Certificate Authority (CA), intermediate CA key chains and sets, file certificate and hash, and metadata [Para. 0123].
10.	Regarding Claims 9 and 19, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses that the security appliance, operating in a passive mode, receiving and recording the cryptographic metadata and image files into memory [Fig. 2B; Para. 0061, 0123; aggregate the message ID and store the whole message, including all metadata, for further processing by another entity].
11.	Regarding Claims 10 and 20, Yang, in view of Galula, discloses the limitations of Claims 1 and 11.  Yang further discloses:
the security appliance checking the cryptographic metadata with known keys to verify signatures in the metadata [Para. 0123, 0132]; and 
the security appliance recording verified and unverified image data in memory, wherein valid signatures are added to a trusted update list and invalid signatures are logged as a security fault [Para. 0136, 0142].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. PGPub. 2015/0113520 – system and method for verifying updating firmware for an automobile; PGPub. 2019/0217870 – system and method for implementing a monitoring apparatus within an in-vehicle network system.
Contacts
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tae K. Kim, whose telephone number is (571) 270-1979.  The examiner can normally be reached on Monday - Friday (10:00 AM - 6:30 PM EST).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge Ortiz-Criado, can be reached on (571) 272-7624.  The fax phone number for submitting all Official communications is (703) 872-9306.  The fax phone number for submitting informal communications such as drafts, proposed amendments, etc., may be faxed directly to the examiner at (571) 270-2979.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).
/TAE K KIM/Primary Examiner, Art Unit 2496