Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: a detection apparatus in claims 5 and 7-12. Examiner is viewing “apparatus” as a “unit”. 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-9, and 11-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over KWON (US 2019/0332823 A1), and in further view of Hu (CN 110,213,287 A). 
Regarding Claim 1
Kwon discloses:
A intrusion detection method for a vehicle network (Abstract: The intrusion response method for a vehicle network is performed by an intrusion response apparatus for the vehicle network, and includes receiving attack detection information about an intrusive attack on the vehicle network from an intrusion detection system.), comprising: collecting Ethernet packets from a domain gateway of a vehicle that provides a mirroring port (¶67: When the instruction target selection unit 220 selects a domain gateway … instructing the selected domain gateway to change domain configuration information, switch the domain to a security mode, ¶97: For example, when the intrusion response apparatus 200 for the vehicle network selects a domain gateway 350_1 (mirroring port) of a powertrain domain 300_1 as the target that is to be instructed to respond to the intrusive attack, the intrusion response apparatus 200 for the vehicle network may generate a response instruction message for instructing the domain gateway 350_1 to respond to the intrusive attack on a domain basis, and may send the generated response instruction message to the domain gateway 350_1); performing a primary intrusion detection check on the Ethernet packets using a rule-based intrusion detection technique (Claim 13: The attack detection information reception unit is configured to receive the attack detection information including at least one of a Controller Area Network (CAN) identifier (ID) of an attack packet detected by the intrusion detection system.); 
Kwon does not disclose the following limitation “and performing a secondary intrusion detection check on the Ethernet packets using a machine learning-based intrusion detection technique when no intrusion attack is detected as a result of the primary intrusion detection check”
Hu discloses:
and performing a secondary intrusion detection check on the Ethernet packets using a machine learning-based intrusion detection technique when no intrusion attack is detected as a result of the primary intrusion detection check (Abstract: Network invasion monitoring module matches data flows using inbreak detection rule (primary intrusion detection), if be matched to the data on flows of "black" rule, starts alarm module, for not being matched to the data on flows of rule, then forwards it to intelligent intrusion detection module (secondary intrusion detection); Intelligent intrusion detection module integrates a variety of machine learning intrusion detection algorithms, is detected respectively to received data on flows using intrusion detection algorithm, when testing result is attack traffic, starts alarm module.).
Given the teaching of Hu, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teaching of Kwon in order to integrate a feature in which a secondary machine learning intrusion detection check packets within a network when there is no intrusion attack that is detected as from the primary intrusion detection. One of ordinary skill in the art would have been motivated to do so because Hu recognizes that by implementing multiple intrusion detection systems into a network it be less susceptible to intrusion attacks (Abstract: Two kinds of detection techniques are combined common detection attack by the system, greatly improve the precision and detection performance of detection). 
Regarding Claim 2
Kwon discloses:
The intrusion detection method of claim 1, wherein the domain gateway converts Controller Area Network (CAN) packets in accordance with the Ethernet packets and delivers the converted CAN packets, wherein each CAN packet, converted into a corresponding Ethernet packet, is delivered using any one Ethernet port corresponding to a CAN ID based on a preset one-to-one mapping table (¶30: To perform at least one of an operation of changing domain configuration information, an operation of switching the domain to a security mode, and an operation of discarding a packet corresponding to the CAN ID.; ¶100: As illustrated in FIG. 9, a CAN ID value is stored in a message identifier field 910 of a CAN packet 900).
Regarding Claim 3
Kwon discloses:
The intrusion detection method of claim 1, wherein the rule-based intrusion detection technique is performed using a rule-based filter that is generated based on a value of a preset field having fixed characteristics, among amounts of traffic related to the vehicle (¶6 and ¶50 An intrusion detection system (IDS) 100 detects an intrusive attack on the vehicle network, the IDS for vehicles detects a symptom of attacks by analyzing features such as the pattern or period of traffic that is transmitted over the in-vehicle network.).
Regarding Claim 5
Kwon discloses:
The intrusion detection method of claim 1, wherein the primary intrusion detection check and the secondary intrusion detection check are performed by at least one of the domain gateway and an intrusion detection apparatus connected to the domain gateway through the mirroring port (¶67: When the instruction target selection unit 220 selects a domain gateway … instructing the selected domain gateway to change domain configuration information, switch the domain to a security mode, ¶97: For example, when the intrusion response apparatus 200 for the vehicle network selects a domain gateway 350_1 (mirroring port) of a powertrain domain 300_1 as the target that is to be instructed to respond to the intrusive attack, the intrusion response apparatus 200 for the vehicle network may generate a response instruction message for instructing the domain gateway 350_1 to respond to the intrusive attack on a domain basis, and may send the generated response instruction message to the domain gateway 350_1). Kwon teaches a method in which a honeypot domain (which is connected through a mirroring port) reacts to an intrusive attack that occurs in the vehicle domain gateway. 
Regarding Claim 6
Kwon discloses:
The intrusion detection method of claim 2, further comprising measuring a CAN packet period for detecting a Denial-of-Service (DoS) attack and a fuzzing attack in consideration of periods of packets that are input for respective Ethernet ports (¶4: The core of vehicle security is to detect and block attacks such as an attack to inject unauthorized data (fuzzing) into an in-vehicle network and a Denial of Service (DoS) attack to damage vehicle availability. ¶103: By utilizing this point, the attacking ECU 15 may use the CAN packet 900 for an attack such as a DoS attack, and may designate the CAN packet 900 to include an unapproved packet or unauthorized control command.).
Regarding Claim 7
A intrusion detection apparatus for a vehicle network, comprising: a processor for collecting Ethernet packets from a domain gateway of a vehicle that provides a mirroring port, performing a primary intrusion detection check on the Ethernet packets using a rule-based intrusion detection technique, and performing a secondary intrusion detection check on the Ethernet packets using a machine learning- based intrusion detection technique when no intrusion attack is detected as a result of the primary intrusion detection check (Refer to claim 1 rejection); and a memory for storing the Ethernet packets (Kwon ¶110: “Each processor 1010 may be a Central Processing Unit (CPU) or a semiconductor device for executing processing instructions stored in the memory 1030 or the storage 1060.”).
Regarding Claim 8
The intrusion detection apparatus of claim 7, wherein the domain gateway converts Controller Area Network (CAN) packets in accordance with the Ethernet packets and delivers the converted CAN packets, wherein each CAN packet, converted into a corresponding Ethernet packet, is delivered using any one Ethernet port corresponding to a CAN ID based on a preset one-to-one mapping table (Refer to claim 2 rejection).
Regarding Claim 9
The intrusion detection apparatus of claim 7, wherein the rule-based intrusion detection technique is performed using a rule-based filter that is generated based on a value of a preset field having fixed characteristics, among amounts of traffic related to the vehicle (Refer to claim 3 rejection).
Regarding Claim 11
The intrusion detection apparatus of claim 7, wherein the primary intrusion detection check and the secondary intrusion detection check are performed by at least one of the domain gateway and the intrusion detection apparatus connected to the domain gateway through the mirroring port (Refer to claim 5 rejection).
Regarding Claim 12
The intrusion detection apparatus of claim 8, wherein the processor measures a CAN packet period for detecting a Denial-of-Service (DoS) attack and a fuzzing attack in consideration of periods of packets that are input for respective Ethernet ports (Refer to claim 12 rejection)
Claims 4 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over KWON (US 2019/0332823 A1), in view of Hu (CN 110,213,287 A), in view of Guo (US 2008/0201778 A1), and in further view of Lan (US 11,429,823 B1). 
	Regarding Claim 4
Kwon and Hu do not disclose the following limitation “wherein performing the secondary intrusion detection check comprises: extracting statistical features of Ethernet packets collected within a preset time window”
	Guo discloses: 
	The intrusion detection method of claim 1, wherein performing the secondary intrusion detection check comprises: extracting statistical features of Ethernet packets collected within a preset time window (Claim 5: The intrusion detection apparatus of claim 1 wherein said data collection system collects data reflective of the occurrence frequency of system calls during a predetermined time window.); 
Given the teaching of Guo, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teaching of Kwon and Hu in order to integrate a feature in which an intrusion detection check packets within a network during a predetermined time window. One of ordinary skill in the art would have been motivated to do so because Guo recognizes that by implementing this feature an intrusion detection system can be configured to execute a detection test based off of a user’s criteria (Claim 5).   
Kwon, Hu and Guo do not disclose the following limitation “and performing a machine learning-based intrusion detection check by inputting the statistical features to a previously learned intrusion detection checking model”
Lan discloses:
and performing a machine learning-based intrusion detection check by inputting the statistical features to a previously learned intrusion detection checking model (Column 3, Line 36: In one example, a computer-implemented method for dynamically augmenting machine learning models based on contextual factors associated with execution environments may include generating a base machine learning model (previous learned model) and a set of supplemental machine learning models, and determining at least one contextual factor (statistical features) associated with an execution environment of a machine learning system that is configured to make predictions regarding a set of input data using at least the base machine learning model.).
Given the teaching of Lan, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teaching of Kwon, Hu and Guo in order to integrate a feature in which a machine learning-based can use contextual factor (statistical features) from a previously learned model. One of ordinary skill in the art would have been motivated to do so because Lan recognizes that by implementing this feature a machine learning model can be configured to have a better prediction outcome when incorporating previous learned data from the first machine learning model (Column 3, Line 36).
Regarding Claim 10
 The intrusion detection apparatus of claim 7, wherein the processor extracts statistical features of Ethernet packets collected within a preset time window, and then performs a machine learning-based intrusion detection check by inputting the statistical features to a previously learned intrusion detection checking model (Refer to claim 4 rejection).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431