Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 9-15 have been cancelled.
Claims 1-8 and 16-27 are pending. 
Claim Objections
Claims 26 and 27 are objected to because of the following:  These claims recite the method of claim 24. However, claim 24 is a claim reciting “the CAN node” and not a method. For the purpose of examination claims 26 and 27 are being interpreted as being dependent on claim 25.  Appropriate correction is required.
Specification
The abstract of the disclosure is objected to because it exceeds the 150 word count limit and the abstract references a figure (figure 5).  Correction is required.  See MPEP § 608.01(b).

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: Fig.2 reference number 214.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: 
“security module is configured to” in claims 1-8 and 17-19.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof, see specification [Page 8 lines 27-31, “the security module 460 can be provided by a CAN protocol controller.”] for structure. 
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 16-21, 23-27 are rejected under 35 U.S.C. 103 as being unpatentable over ELEND (US-20170093659-A1), in view of VAN DER MAAS (US-20170235698-A1), and further in view of ELEND (US-20150095711-A1), hereinafter ELEND2017-MAAS-ELEND2015.
Regarding claim 1, ELEND2017 teaches “A security module for a controller area network, CAN, node, the security module comprising: a receive data, RXD, input interface for receiving data from a CAN bus; ([ELEND2017, abstract] “Embodiments of a device and method are disclosed. A controller area network (CAN) device includes a compare module configured to interface with a CAN transceiver, the compare module having a receive data (RXD) interface configured to receive data from the CAN transceiver”) ([ELEND2017, para. 0064] “FIG. 5 depicts an embodiment of a CAN node 102 that is configured to implement the above-described intrusion detection/prevention technique. The CAN node includes a CAN transceiver 120, a CAN protocol controller 114, and a host 116 as described above with reference to FIGS. 1 and 2 as well as a compare module 160 located in a data path between the CAN transceiver and the CAN protocol controller. The compare module includes an identifier memory 162 and is configured to decode an identifier of a CAN message that is received on the CAN bus 104 (e.g., CAN messages on the RXD path) and to compare the identifier of the CAN message to an entry (e.g., an identifier or a mask) that is stored in the identifier memory. As shown in FIG. 5, the compare module is located before the CAN protocol controller such that the comparison can take place before the CAN message is completely received at the CAN protocol controller and before any corresponding message is provided to the host. If the comparison indicates that the identifier from the CAN message matches the stored entry (e.g., the identifier or the mask) and assuming the CAN node is not transmitting the CAN message itself, a match signal is output from the compare module. In an embodiment, the match signal triggers the CAN device to invalidate, destroy, and/or kill the incoming CAN message before the corresponding message is provided to the host to prevent the CAN message from implementing any malicious activity within the CAN node itself and/or within other CAN nodes in the CAN network.”) a transmit data, TXD, output interface for transmitting data to the CAN bus; and a RXD output interface for providing data to a local controller; ([ELEND2017, para. 0055] “The CAN transceivers 120 are located between the microcontrollers 110 and the CAN bus 104 and implement physical layer operations. For example, in receive operations, a CAN transceiver converts analog differential signals from the CAN bus to serial digital signals that the CAN protocol controller 114 can interpret. The CAN transceiver also protects the CAN protocol controller from extreme electrical conditions on the CAN bus, e.g., electrical surges. In transmit operations, the CAN transceiver converts serial digital bits received from the CAN protocol controller into analog differential signals that are sent on the CAN bus.”) ([ELEND2017, para. 0064] “As shown in FIG. 5, the compare module is located before the CAN protocol controller such that the comparison can take place before the CAN message is completely received at the CAN protocol controller”) wherein the security module is configured to: receive a CAN frame from the CAN bus via the RXD input interface, wherein the CAN frame includes a CAN message; ([ELEND2017, para. 0065] “The compare module of FIG. 6 includes an identifier memory 162, compare logic 164, a CAN decoder 166, a TXD input interface 168A, a TXD output interface 168B, an RXD input interface 170A, and an RXD output interface 170B. The RXD input interface is configured to receive serial data from the RXD path and the TXD input interface is configured to receive serial data from the TXD path. The identifier memory may be configured to store an entry as an identifier in a manner that allows the identifier to be quickly searched. Multiple identifiers may also be stored in the identifier memory.”) ([ELEND2017, para. 0063] “In operation, an identifier from an incoming CAN message is compared with the mask and if the identifier matches the mask, a match signal is output. In an embodiment, the CAN messages of concern are CAN “data frames” as these are the CAN messages that carry payload data (e.g., in the DATA field). As is known in the field and described in the CAN protocol, CAN “data frames” are CAN frames with the RTR bit set to “0.””) compare an identifier of the received CAN frame with at least one identifier associated with the local controller; and upon detection of a match between the identifier of the received CAN frame and the at least one identifier associated with the local controller …… ([ELEND2017, para. 0065] “The compare logic is configured to compare a received identifier from a CAN message with the stored identifier (or identifiers) in the identifier memory and to output a “match” signal when the comparison indicates that the received identifier of the CAN message matches the stored identifier. In an embodiment, the match signal triggers the CAN node to invalidate, destroy, and/or kill the CAN message before the CAN message is completely and successfully received at the CAN protocol controller. In one embodiment, the CAN device is configured to invalidate a suspicious CAN message on the CAN bus by sending an error signal such as an error flag onto the CAN bus.”) ([ELEND2017, para. 0061] “CAN messages are broadcast messages and the identifier is unique to the sender CAN node. The CAN protocol controllers of the receiving CAN nodes have identifier filters that are “tuned” to certain identifiers to make sure that the host receives relevant messages and is not bothered with irrelevant messages.”) ([ELEND2017, 0062] “For example, in response to detecting a match between a received identifier and a stored identifier, the CAN node can be configured to immediately send an error signal such as an error flag onto the CAN bus to prevent the malicious CAN message from being successfully and completely received by any CAN nodes on the CAN bus”) …... and invalidate the CAN message on the CAN bus via the TXD output interface. ([ELEND2017, 0064] “In an embodiment, the match signal triggers the CAN device to invalidate, destroy, and/or kill the incoming CAN message before the corresponding message is provided to the host to prevent the CAN message from implementing any malicious activity within the CAN node itself and/or within other CAN nodes in the CAN network. In an embodiment, the compare module decodes outgoing CAN messages (e.g., CAN messages on the TXD path) and populates the identifier memory with the decoded identifiers.”).
However, ELEND2017 does not teach “and upon detection of a match between the identifier….: pass the received CAN message to the local controller via the RXD output interface; decouple the local controller from the CAN bus;”.
In analogous teaching, MAAS teaches “and upon detection of a match between the identifier….: pass the received CAN message to the local controller via the RXD output interface;” ([MAAS, para. 0042] “FIG. 5 illustrates a method 200 for filtering CAN network messages according to the identifiers stored in the ID table 170. Accordingly, at step 202, a CAN message is received by the receiver 136. The received CAN message is transferred to the security module 160. At step 204, the security module 160 retrieves the identifier from the received CAN message. At step 206, the ID table 170 is searched for the identifier. At decision step 208, if the identifier is found, the received CAN message is transmitted to the CAN protocol controller 114 or to the host 116.”).
Thus, given the teaching of MAAS, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of passing the message to the controller by MAAS into the teaching of a security module for a controller area network as taught by ELEND2017. One of ordinary skill in the art would have been motivated to do so because MAAS recognizes the need to security of CAN bus ([MAAS, para. 0002] “One growing concern with in-vehicle networks, such as in-vehicle networks that use the CAN bus protocol, is network security. It is possible for a rogue device connected to an ECU to be able to read messages not meant for that ECU and perform rogue operations through the CAN network.”) ([MAAS, para. 0037] “When the CAN controller 114 or the host 116 receive a message, it checks the identifier and discard the message if the message is not meant for that CAN node 102. However, for example, a host 116 that is compromised through a device connected thereto may not discard the message and can effectively “spy” on the entire network. To prevent any such potential breach of security of the CAN network, the security module 160, after looking up the ID table 170, may alter the incoming message to a state that contains no data. Ideally, the security module 160 should simply disregard such messages and not transmit them to the CAN protocol controller 114 or the host 116.”).
However, ELEND2017-MAAS does not teach “decouple the local controller from the CAN bus”.
In analogous teaching, ELEND2015 teaches “decouple the local controller from the CAN bus” ([ELEND2015, para. 0059] “In accordance with an embodiment of the invention, a CAN transceiver of an ECU in a CAN is configured to detect the presence of CAN FD mode traffic and to implement a change in an operating state of the CAN transceiver, such as disconnecting the CAN protocol controller of the ECU from the CAN bus, if CAN FD mode traffic is detected.”).
Thus, given the teaching of ELEND2015, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of decoupling the controller by ELEND2015 into the teaching of a security module for a controller area network as taught by ELEND2017-MAAS. One of ordinary skill in the art would have been motivated to do so because ELEND2015 recognizes the benefits of multiple CAN coexisting in a system ([ELEND2015, para. 0087] “The above-described techniques enable microcontrollers that use the CAN normal (or “classic”) mode to coexist with microcontrollers that use the CAN FD mode in a way that all ECUs are fully functional during normal operation of the CAN, e.g., during normal operation of an automobile. Additionally, the above-described techniques can be installed in to CANs of, for example, automobiles by simply equipping the normal mode ECUs with CAN transceivers or CAN shield devices as described above with reference to FIGS. 5A-10. No software updates to the microcontrollers or replacement microcontrollers are needed to enable the different microcontrollers (using different CAN modes) to coexist on the same CAN bus.”).

Regarding claim 2, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. ELEND2017 further teaches “further comprising a TXD input interface for receiving data from the local controller;” ([ELEND2017, para. 0009] “In an embodiment, the compare module further includes a transmit data (TXD) input interface configured to receive data from a CAN protocol controller”).
However, ELEND2017-MAAS does not teach “wherein the security module is further configured to decouple the local controller from the CAN bus by coupling the TXD input interface to the RXD output interface.”.
ELEND2015 further teaches “wherein the security module is further configured to decouple the local controller from the CAN bus by coupling the TXD input interface to the RXD output interface.” ([ELEND2015, para. 0067] “Additionally, immediately upon detecting that the received frame is a CAN FD mode frame, the CAN protocol controller changes an operation state of the CAN transceiver to disconnect the CAN bus interface from the RXD interface to prevent CAN FD mode frames from reaching the CAN protocol controller 114 of an ECU 102. For example, the CAN protocol controller 252 in the CAN transceiver 220 asserts the CAN_FD_Detected_RXD signal to cause the receive path multiplexer 256 to select data from the CAN protocol controller (TXD′) for output to the RXD interface 240 instead of data received directly from the CAN bus.”).
The same motivation to modify ELEND2017-MAAS with ELEND2015 as in the rejection of claim 1, applies. 

Regarding claim 3, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. ELEND2017 further teaches “wherein the security module is configured to invalidate the CAN message on the CAN bus by setting a plurality of bits, after a cyclic redundancy check, CRC, bit of the CAN frame, to a dominant value.” ([ELEND2017, para. 0065] “In an embodiment, sending an error signal as a single dominant bit in the EOF would be sufficient to invalidate a CAN message on the CAN bus. Invalidating a CAN message in the EOF can be beneficial because the CRC has been processed and thus it can be assured that the wrong CAN message (with a corresponding identifier) has not been invalidated, e.g., due to a receive error in the identifier field. Invalidating a CAN message with a few bits, e.g., less than 6 bits which would make an error flag, might also be beneficial.”) ([ELEND2017, para. 0090] “In an embodiment, an error signal may be an active error flag as specified by the CAN protocol or one or more dominant bits in the EOF field, which will cause a format error as specified by the CAN protocol. In an embodiment, a CAN message can be invalidated with an error flag immediately after the identifier has been sent, or at any time later but before the EOF ends. In an embodiment, sending a single dominant bit in the EOF would be sufficient to invalidate a CAN message on the CAN bus. Invalidating a CAN message in the EOF can be beneficial because the CRC has been processed and thus it can be assured that the wrong CAN message (with a corresponding identifier) has not been invalidated, e.g., due to a receive error in the identifier field. Invalidating a CAN message with a few bits, e.g., less than 6 bits which would make an error flag, might also be beneficial.”).

Regarding claim 4, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. ELEND2017 further teaches “…… and invalidate the CAN message on the CAN bus for bits of the CAN frame immediately following a cyclic redundancy check, CRC, bit of the CAN frame.” ([ELEND2017, para. 0065] “In an embodiment, sending an error signal as a single dominant bit in the EOF would be sufficient to invalidate a CAN message on the CAN bus. Invalidating a CAN message in the EOF can be beneficial because the CRC has been processed and thus it can be assured that the wrong CAN message (with a corresponding identifier) has not been invalidated, e.g., due to a receive error in the identifier field. Invalidating a CAN message with a few bits, e.g., less than 6 bits which would make an error flag, might also be beneficial.”).
However, ELEND2017-MASS does not teach “wherein the security module is configured to decouple the local controller from the CAN bus ….”.
ELEND2015 teaches “wherein the security module is configured to decouple the local controller from the CAN bus ….” ([ELEND2015, para. 0059] “In accordance with an embodiment of the invention, a CAN transceiver of an ECU in a CAN is configured to detect the presence of CAN FD mode traffic and to implement a change in an operating state of the CAN transceiver, such as disconnecting the CAN protocol controller of the ECU from the CAN bus, if CAN FD mode traffic is detected.”).
The same motivation to modify ELEND2017-MAAS with ELEND2015 as in the rejection of claim 1, applies. 

Regarding claim 5, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. ELEND2015 further teaches “wherein the security module is configured to decouple the local controller from the CAN bus until it receives a recessive bit from the CAN bus via the RXD input interface.” ([ELEND2015, para. 0059] “In accordance with an embodiment of the invention, a CAN transceiver of an ECU in a CAN is configured to detect the presence of CAN FD mode traffic and to implement a change in an operating state of the CAN transceiver, such as disconnecting the CAN protocol controller of the ECU from the CAN bus, if CAN FD mode traffic is detected.”) ([ELEND2015, para. 0060] “changing an operation state of the CAN transceiver involves disconnecting the receive data (RXD) from the CAN protocol controller of the ECU to prevent CAN FD mode frames from reaching the CAN protocol controller. When the end of a CAN FD mode frame is detected (e.g., as indicated by the Acknowledge slot, which is the bit after the CRC delimiter (CRC DEL)), the CAN transceiver can reconnect the CAN protocol controller of the ECU to the CAN bus.”) ([ELEND2015, para. 0068] “In an embodiment, when RXD is clamped dominant (e.g., logical low) by the traffic control system 250, a classic CAN protocol controller at an ECU is forced to send an error flag. ISO 11898-1 specifies that “After sending an error [or overload] flag, each node shall . . . monitor the bus until it detects a recessive bit.””) ([ELEND2015, para. 0073] “In an embodiment, changing the operating state of the traffic control system 250 involves disconnecting the RXD interface from the CAN bus and forcing RXD dominant”).
The same motivation to modify ELEND2017-MAAS with ELEND2015 as in the rejection of claim 1, applies. 

Regarding claim 6, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. ELEND2015 further teaches “wherein the security module is further configured to recouple the local controller to the CAN bus following receipt of a recessive bit from the CAN bus” ([ELEND2015, para. 0060] “When the end of a CAN FD mode frame is detected (e.g., as indicated by the Acknowledge slot, which is the bit after the CRC delimiter (CRC DEL)), the CAN transceiver can reconnect the CAN protocol controller of the ECU to the CAN bus.”) ([ELEND2015, para. 0080] “In an embodiment, if TXD at the TXD interface 342 is dominant when the end of a CAN FD frame is detected, then the traffic control system 350 is not switched back to normal mode until TXD is recessive”).
The same motivation to modify ELEND2017-MAAS with ELEND2015 as in the rejection of claim 1, applies. 

Regarding claim 8, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. MAAS further teaches “wherein the security module is configured to provide the received CAN frame unmodified to the local controller via the RXD output interface.” ([MAAS, para. 0005] “In some embodiments, the identifier table includes a list of identifiers, wherein if the identifier in the incoming CAN message matches one in the list, the security module is configured to send the incoming message to the CAN controller without altering the incoming CAN message.”) ([MAAS, para. 0027] “Data communicated from the microcontroller 110 to the CAN transceiver 120 is identified as transmit data (TXD) and data communicated from the CAN transceiver 120 to the microcontroller 110 is referred to as receive data (RXD). Throughout the description, TXD is carried on a TXD path and RXD is carried on an RXD path.”) ([MAAS, para. 0023] “In one or more embodiments, each CAN node includes a microcontroller 110 having an embedded CAN protocol controller 114”).
The same motivation to modify ELEND2017 with MAAS as in the rejection of claim 1, applies.

Regarding claim 16, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. ELEND2017 further teaches “for use in a Classical CAN, CAN FD or CAN XL network.” ([ELEND2017, para. 0058] “As used herein, “CAN normal mode” (also referred to as “Classical CAN mode”) refers to frames that are formatted according to the ISO 11898-1 standard and “CAN FD mode” refers to frames that are formatted according to the emerging ISO/Draft International Standard (DIS) 11898-1 standard, or an equivalent thereof.”) ([ELEND2017, para. 0092] “In an embodiment, the above-described intrusion detection/protection technique is applicable to CAN, CAN-FD, and ISO 11898 compliant networks. The intrusion detection/prevention technique is also applicable to other network protocols that are often used in vehicles such as Local Interconnect Network (LIN) and FLEXRAY protocols.”).


Regarding claim 17, this claim is a teaches of CAN node that is similar to the features of claim 1. Therefore, claim 17 is rejected in a similar manner as in the rejection of claim 1. ELEND2017 further teaches “and invalidate the CAN message on the CAN bus via the TXD output interface, wherein: the RXD input interface and the TXD output interface of the security module are configured to communicate with the CAN bus via the CAN transceiver, and the security module is configured to communicate with the local controller via the RXD output interface and the TXD input interface.” ([ELEND2017, para. 0063] “CAN message, can be invalidated by the CAN node by, for example, transmitting an error signal such as an error flag onto the CAN bus.”) ([ELEND2017, para. 0064, Fig. 5] “FIG. 5 depicts an embodiment of a CAN node 102 that is configured to implement the above-described intrusion detection/prevention technique. The CAN node includes a CAN transceiver 120, a CAN protocol controller 114, and a host 116 as described above with reference to FIGS. 1 and 2 as well as a compare module 160 located in a data path between the CAN transceiver and the CAN protocol controller. The compare module includes an identifier memory 162 and is configured to decode an identifier of a CAN message that is received on the CAN bus 104 (e.g., CAN messages on the RXD path) and to compare the identifier of the CAN message to an entry (e.g., an identifier or a mask) that is stored in the identifier memory. As shown in FIG. 5, the compare module is located before the CAN protocol controller such that the comparison can take place before the CAN message is completely received at the CAN protocol controller and before any corresponding message is provided to the host.”).

Regarding claim 18, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 17. Furthermore, this claim recites features similar to those in claim 3. Therefore, claim 18 is rejected in a similar manner as in the rejection of claim 3. 

Regarding claim 19, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 17. Furthermore, this claim recites features similar to those in claim 6. Therefore, claim 19 is rejected in a similar manner as in the rejection of claim 6.

Regarding claim 20, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 17. ELEND2017 further teaches “wherein the local controller is configured to determine that the received CAN frame is a malicious frame.” ([ELEND2017, para. 0062] “For example, in response to detecting a match between a received identifier and a stored identifier, the CAN node can be configured to immediately send an error signal such as an error flag onto the CAN bus to prevent the malicious CAN message from being successfully and completely received by any CAN nodes on the CAN bus”) ([ELEND2017, para. 0002] “For example, a compromised in-vehicle network could allow an attacker to maliciously control components of a vehicle.”)

Regarding claim 21, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 20. ELEND2017 further teaches “wherein the local controller is configured to determine that the received CAN frame is a malicious frame by comparing the identifier of the received CAN frame with the at least one identifier associated with a local controller.” ([ELEND, 2017, para. 0021] “The compare module includes an RXD input interface configured to receive data from the CAN transceiver via a CAN bus, a CAN decoder configured to decode an identifier of a CAN message received from the RXD input interface, an identifier memory configured to store an entry that corresponds to at least one identifier, and compare logic configured to compare a received identifier from a CAN message with the entry that is stored in the identifier memory and to output a match signal when the comparison indicates that the received identifier of the CAN message matches the entry that is stored at the CAN device.”) ([ELEND, 2017, para. 0062] “For example, in response to detecting a match between a received identifier and a stored identifier, the CAN node can be configured to immediately send an error signal such as an error flag onto the CAN bus to prevent the malicious CAN message from being successfully and completely received by any CAN nodes on the CAN bus”) ([ELEND, 2017, para. 0061] “CAN messages are broadcast messages and the identifier is unique to the sender CAN node. The CAN protocol controllers of the receiving CAN nodes have identifier filters that are “tuned” to certain identifiers to make sure that the host receives relevant messages and is not bothered with irrelevant messages.”).

Regarding claim 23, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 20. ELEND2017 further teaches “wherein upon determination that the received frame is a malicious frame, the local controller is configured to do one or more of: log the CAN frame as a malicious frame; alert or display an error to a network operator that the CAN node and / or the CAN network are under attack; put the CAN node into an emergency mode or shut down the CAN node; put one or more other CAN nodes on the CAN bus and / or the CAN network into an emergency mode; and send a message to other CAN nodes on the CAN bus indicating that the CAN network is under attack.” ([ELEND2017, para. 0071] “For example, in response to the match signal, CAN node 1 generates an error flag (e.g., via a signal generator 174 such as that shown in FIG. 7) and transmits the error flag onto the CAN bus. The error flag causes CAN node 1 and the other CAN nodes on the CAN bus (e.g., CAN node 2) to invalidate the suspicious CAN message before the corresponding hosts are notified of the CAN message. Invalidating the suspicious CAN message before the hosts are notified prevents a corresponding message from being passed to the hosts to implement malicious activity at the corresponding CAN nodes.”).

Regarding claim 24, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 17. Furthermore, this claim recites features similar to those in claim 16. Therefore, claim 24 is rejected in a similar manner as in the rejection of claim 16.

Regarding claim 25, this claim is a method claim that claims features similar to those in claim 1. Therefore, claim 25 is rejected in a similar manner as in the rejection of claim 1. 

Regarding claim 26, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 24. Furthermore, this claim recites features similar to those in claim 2. Therefore, claim 26 is rejected in a similar manner as in the rejection of claim 2. 

 Regarding claim 27, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 24. Furthermore, this claim recites features similar to those in claim 3. Therefore, claim 27 is rejected in a similar manner as in the rejection of claim 3. 


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over ELEND2017-MAAS-ELEND2015, in view of WALTERS (US-20200150677-A1) based on its priority to provisional application 62/760,845, filed on 11/13/2018.
Regarding claim 7, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 1. MAAS further teaches “wherein the portion comprises bits of the CAN frame prior to and optionally including one or more acknowledge bits of the CAN frame.” ([MAAS, para. 0031-0032, Fig. 4] “FIG. 4 shows bit fields of Standard Controller Area Network (CAN) protocol. The CAN protocol is well known, hence detail discussion of the CAN protocol is being omitted so as not to obfuscate this disclosure. SOF is the single dominant start of frame bit that marks the start of a message and is used for synchronization of the CAN nodes on the CAN bus 104 after being idle. 11-Bit ID is the standard CAN 11-bit identifier that establishes the priority of the message. The lower the binary value, the higher its priority …… Every node receiving an accurate message overwrites this recessive bit ACK in the original message with a dominant bit, indicating an error free message has been sent. ”).
The same motivation to modify ELEND2017 with MAAS as in the rejection of claim 1, applies. 
However, ELEND2017-MAAS-ELEND2015 does not teach “wherein the security module is configured to pass a portion of the CAN frame to the local controller”.
In analogous teaching, WALTER teaches “wherein the security module is configured to pass a portion of the CAN frame to the local controller” ([WALTER, para. 0234] “In some embodiments, control signal coupling 2635 may be configured to relay control signals, such as CAN bus frames and/or portions of frames transmitted by manual user interface/joystick 2620 and/or control signal interface 2671 along control signal line 2622 to controller 130 across controller line 2632. Controller 130 may receive the control signals and process the control signals”).
Thus, given the teaching of WALTER, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of passing a portion of the frame by WALTER into the teaching of a security module for a controller area network as taught by ELEND2017-MAAS-ELEND2015. One of ordinary skill in the art would have been motivated to do so because WALTER recognizes the benefits of utilizing CAN bus. ([WALTER, para. 0014] “there is a need for improved sensor calibration methodologies.”) ([WALTER, para. 0078] “Sensor signals, control signals, and other signals may be communicated among elements of system 100 using a variety of wired and/or wireless communication techniques, including …. CAN bus”).

 Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over ELEND2017-MAAS-ELEND2015, in view of DOMINGUES (US-20150347218-A1).
Regarding claim 22, ELEND2017-MAAS-ELEND2015 teach all limitations of claim 17. MAAS further teaches “wherein the local controller is configured to output a dominant acknowledge bit followed by … bits upon receipt of the received CAN frame.” ([MAAS, para. 0031] “Every node receiving an accurate message overwrites this recessive bit ACK in the original message with a dominant bit, indicating an error free message has been sent. Should a receiving node detect an error and leave this bit recessive, it discards the message and the sending node repeats the message after re-arbitration. In this way, each node acknowledges (ACK) the integrity of its data. ACK is 2 bits, one is the acknowledgement bit and the second is a delimiter.”)
The same motivation to modify ELEND2017 with MAAS as in the rejection of claim 1, applies. 
However, ELEND2017-MAAS-ELEND2015 does not teach specifically “acknowledge bit followed by recessive bits”.
In analogous teaching, DOMINGUES teaches “acknowledge bit followed by recessive bits” ([DOMINGUES, para. 0092, Table 1, Fig. 4] “FIG. 4 is a diagram of CAN data frames or messages 400-1 and 400-2 … The contents of the different fields of data frames 400-1 and 400-2 are out lined in Table 1 below: …… Acknowledgement Bits (ACK) 416 2 Indicates acknowledgement of the integrity, ACK Delimiter 417 1 A recessive bit (1)”). [Examiner’s note: DOMINGUES teaches that for a CAN frame a Delimiter is a recessive bit.]
Thus, given the teaching of DOMINGUES, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of passing recessive bits by DOMINGUES into the teaching of a security module for a controller area network as taught by ELEND2017-MAAS-ELEND2015. One of ordinary skill in the art would have been motivated to do so because DOMINGUES recognizes the need to detect errors and faults in CAN system ([DOMINGUES, para. 0005] “The inventors hereof have recognized, however, that the foregoing method makes it difficult for a CAN system to properly discriminate the cause of the error, which in turn affects error statistics and reporting. For instance, a conventional CAN system cannot differentiate between a CAN bus error that takes place under otherwise normal communications and an error introduced by a transmitter due to its internal failure that nonetheless allows transmission of a corrupted message.”) ([DOMINGUES, para. 0012] “Embodiments disclosed herein are configured to provide systems and methods for indicating internal transmitter errors in a CAN. For example, a CAN transmitter may initiate transmission of a message, detect an internal transmitter error, and then continue the transmission without creating a bus error condition.”)


The prior art made of record and not relied upon is considered pertinent to applicant’s
disclosure.
JIANG (US-20140149801-A1): This prior art teaches of A controller area network (CAN) has a plurality of CAN elements including a communication bus and controllers. A method for monitoring the CAN includes identifying each of the controllers as one of an active controller and an inactive controller. A fault-active controller isolation process is executed to detect and isolate presence of a fault-active controller. A fault isolation process can be executed to detect and isolate presence of one of a wire open fault, a wire short fault and a controller fault when one of the controllers is identified as an inactive controller. Presence of a fault associated with a persistent bus disturbance in the CAN is detected when a bus error count is greater than a predetermined threshold continuously for a predetermined period of time.




Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434                                                                                                                                                                                                        
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434