Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is in response to the claims filed 9/17/2020.  Claims 1-25 are pending.  Claims 1 (a machine), 10 (a method), and 19 (a non-transitory CRM) are independent.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 10, and 19 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Shin et al., US 2019/0245872 (filed 2017-01).
As to claims 1, 10, and 19, Shin discloses a machine/method/CRM comprising:
a processor; and memory storing (Shin ¶ 149)
a machine learning (ML) model and instructions, (“classification algorithms, including but not limited to k-nearest neighbor or support vector machine, may be used to compare the unknown fingerprint to the plurality of the learned fingerprints.” Shin ¶ 71) the instructions when executed by the processor, configure the apparatus to: 
train the ML model (“During a learning phase, a fingerprint is learned for each ECU connected to a vehicle bus.” Shin ¶ 69) to infer one of a plurality of electronic control unit (ECU) labels (“By comparing the unknown fingerprint to the plurality of learned fingerprints, the identity of the unknown transmitting ECU can be determined at 65” Shin ¶ 71) from voltage signatures associated with a plurality of message identifications (MIDs) of messages transmitted on a bus; (“the proposed detection scheme collects dominant voltages from the CAN bus and learns an ACK threshold.” Shin ¶ 72)
determine whether a first one of the plurality of MIDs overlap at least a second one of the plurality of MIDs based on an overlap threshold; (“A voltage instance (F1-F6) represents the momentary voltage output behavior of the message transmitter. So, to log the transmitter's usual behavior, exploiting every newly derived voltage instance, the proposed detection scheme constructs/updates the voltage profile of the message transmitter.” Shin ¶ 96)
collapse the first one of the plurality of MIDs and the at least the second one of the plurality of MIDs into a one of the plurality of ECU labels to generate an updated mapping between MIDs and ECU labels responsive to a determination that first one of the plurality of MIDs overlaps at least the second one of the plurality of MIDs; and (“The reason for the proposed detection scheme's summing of all the CVDs is to exploit V4. Recall from above that V4 indicates that transient deviations in CANH and CANL output voltages are opposite in direction. Accordingly, via CVD summation, the proposed detection scheme suppresses any transient deviations that have occurred (due to changes in driver control, temperature, etc.) when constructing and updating the voltage profiles.” Shin ¶ 98)
train the ML model on the updated mapping between the plurality MIDs and the plurality of ECU labels. (“exploiting every newly derived voltage instance, the proposed detection scheme constructs/updates the voltage profile of the message transmitter.” Shin ¶ 96 “the proposed detection scheme continuously updates four different tracking points, {ΛH 1 , ΛH 2 , ΛL 1 , ΛL 2 } points which estimate and thus reflect ΛH 1 : 75th; ΛH 2 : 90th percentile of the transmitter's CANH outputs;” Shin ¶ 93. “the proposed detection scheme next computes or updates the cumulative voltage deviations (CVDs) of features F1-F6 as indicated in steps 103 and 105.” Shin ¶ 97.)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 2-9, 11-18, and 20-25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shin et al., US 2019/0245872 (filed 2017-01), in view of Samel et al., US 2019/0354810 (filed 2019-05).
	As to claims 2, 11, 20 Shin discloses the machine/method/CRM of claims 1, 10, and 19 but does not disclose:
	the instructions when executed by the processor, configure the apparatus to determine whether an accuracy of the ML model is less than or equal to an accuracy threshold. 

Samel discloses:
	the instructions when executed by the processor, configure the apparatus to determine whether an accuracy of the ML model is less than or equal to an accuracy threshold. (“While updating of the labels continues, model creation engine 206 retrains 410 the machine learning model using the updated labels from a previous iteration….. Model creation engine 206 and denoising engine 204 may repeat operations 404-410 until changes to the groupings of training data and/or the corresponding labels fall below a threshold.” Samel ¶ 57. The change in labels is an accuracy indicator.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shin with Samel by iteratively updating the labels of Shin until a label change falls below a threshold.  It would have been obvious to a person of ordinary skill in the art to combine Shin with Samel in order to reduce noise, inconsistency, and inaccuracy in the fingerprints used in the machine learner of Shin, Samel ¶ 9. 


	As to claims 3, 12 and 21, Shin in view of Samel discloses the machine/method/CRM of claims 2, 11, and 20 and further discloses:
increase the overlap threshold responsive to a determination that the accuracy of the ML model is not less than or equal to the accuracy threshold; (“Model creation engine 206 and denoising engine 204 may repeat operations 404-410 until changes to the groupings of training data and/or the corresponding labels fall below a threshold.” Samel ¶ 57. “detection scheme also keeps track of the dispersions of CANH and CANL dominant voltages. As the transmitter's voltage output behavior can change over time (due to changes in temperature, load, etc.), the proposed detection scheme continuously updates four different tracking points.” Shin ¶ 93)
…
collapse the additional overlapping ones of the plurality of MIDs into a one of the plurality of ECU labels to generate a second updated mapping between the plurality MIDs and the plurality of ECU labels responsive to a determination that additional ones of the plurality of MIDs overlap based on the increased overlap threshold; and (“While updating of the labels continues, model creation engine 206 retrains 410 the machine learning model using the updated labels from a previous iteration” Samel ¶ 57. “The reason for the proposed detection scheme's summing of all the CVDs is to exploit V4. Recall from above that V4 indicates that transient deviations in CANH and CANL output voltages are opposite in direction. Accordingly, via CVD summation, the proposed detection scheme suppresses any transient deviations that have occurred (due to changes in driver control, temperature, etc.) when constructing and updating the voltage profiles.” Shin ¶ 98)
train the ML model on the second updated mapping between the plurality MIDs and the plurality of ECU labels. (“Model creation engine 206 and denoising engine 204 may repeat operations 404-410 until changes to the groupings of training data and/or the corresponding labels fall below a threshold.” Samel ¶ 57. “exploiting every newly derived voltage instance, the proposed detection scheme constructs/updates the voltage profile of the message transmitter.” Shin ¶ 96 “the proposed detection scheme continuously updates four different tracking points, {ΛH 1 , ΛH 2 , ΛL 1 , ΛL 2 } points which estimate and thus reflect ΛH 1 : 75th; ΛH 2 : 90th percentile of the transmitter's CANH outputs;” Shin ¶ 93. “the proposed detection scheme next computes or updates the cumulative voltage deviations (CVDs) of features F1-F6 as indicated in steps 103 and 105.” Shin ¶ 97.)

Shin in view of Samel, as combined in claim 2, does not disclose:
determine whether additional ones of the plurality of MIDs overlap based on the increased overlap threshold; 

	Samel further discloses:
determine whether additional ones of the plurality of MIDs overlap based on the increased overlap threshold; (Overlap determination by iteratively updating the labels: “denoising engine 214 generates groupings 214 of features 210 and labels 232 in the training data by clustering the training data by internal representations 212.… clustering of the training data by internal representations 212 allows denoising engine 214 to identify groupings 214 of features 210 that produce different labels 232, even when significant noise and/or inconsistency is present in the original labels 232.” Samel ¶ 32. “After groupings 214 are generated, denoising engine 204 generates updated labels 216 for training data in each grouping based on the occurrences of label values 218 of original labels 232 in the grouping.” Samel ¶ 34.  “Model creation engine 206 and denoising engine 204 may continue iteratively training machine learning model 208 using features 210 and updated labels 216 from a previous iteration, generating new groupings 214 of training data by internal representations 212 of the training data from the retrained machine learning model 208, and generating new sets of updated labels 216 to improve the consistency of groupings 214 and/or labels 232 in groupings 214. After the accuracy of machine learning model 208 and/or the consistency of groupings 214 and/or labels 232 converges, model creation engine 206 and denoising engine 204 may discontinue updating machine learning model 208, groupings 214, and labels 232.” Samel ¶ 35.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Shin in view of Samel with Samel by iteratively updating the labels of Shin until a label change falls below a threshold.  It would have been obvious to a person of ordinary skill in the art to further combine Shin in view of Samel with Samel in order to reduce noise, inconsistency, and inaccuracy in the fingerprints used in the machine learner of Shin, Samel ¶ 9. 

As to claims 4, 13, and 22, Shin in view of Samel discloses the machine/method/CRM of claims 2, 11, and 20 and further discloses:
configure the apparatus to determine whether all MIDs are included in updated mapping between the plurality MIDs and the plurality of ECU labels (note Applicant’s specification ¶ 41; the model is updated in response to new observations: “A voltage instance (F1-F6) represents the momentary voltage output behavior of the message transmitter. So, to log the transmitter's usual behavior, exploiting every newly derived voltage instance, the proposed detection scheme constructs/updates the voltage profile of the message transmitter.” Shin ¶ 96) responsive to a determination that the accuracy of the ML model is less than or equal to the accuracy threshold. (the new observations being after a full training of the model: “While updating of the labels continues, model creation engine 206 retrains 410 the machine learning model using the updated labels from a previous iteration….. Model creation engine 206 and denoising engine 204 may repeat operations 404-410 until changes to the groupings of training data and/or the corresponding labels fall below a threshold.” Samel ¶ 57.)

As to claims 5, 14, and 23, Shin in view of Samel discloses the machine/method/CRM of claims 4, 13, and 22 and further discloses:
… responsive to a determination that all the MIDs are not included in the updated mapping between the plurality MIDs and the plurality of ECU labels; (new input data: “A voltage instance (F1-F6) represents the momentary voltage output behavior of the message transmitter. So, to log the transmitter's usual behavior, exploiting every newly derived voltage instance, the proposed detection scheme constructs/updates the voltage profile of the message transmitter.” Shin ¶ 96)
collapse the additional overlapping ones of the plurality of MIDs into a one of the plurality of ECU labels to generate a second updated mapping between the plurality MIDs and the plurality of ECU labels responsive to a determination that ones of the MIDs overlap based on the increased overlap threshold; and (“While updating of the labels continues, model creation engine 206 retrains 410 the machine learning model using the updated labels from a previous iteration” Samel ¶ 57. “The reason for the proposed detection scheme's summing of all the CVDs is to exploit V4. Recall from above that V4 indicates that transient deviations in CANH and CANL output voltages are opposite in direction. Accordingly, via CVD summation, the proposed detection scheme suppresses any transient deviations that have occurred (due to changes in driver control, temperature, etc.) when constructing and updating the voltage profiles.” Shin ¶ 98)
 train the ML model on the second updated mapping between the plurality MIDs and the plurality of ECU labels. (“Model creation engine 206 and denoising engine 204 may repeat operations 404-410 until changes to the groupings of training data and/or the corresponding labels fall below a threshold.” Samel ¶ 57. “exploiting every newly derived voltage instance, the proposed detection scheme constructs/updates the voltage profile of the message transmitter.” Shin ¶ 96 “the proposed detection scheme continuously updates four different tracking points, {ΛH 1 , ΛH 2 , ΛL 1 , ΛL 2 } points which estimate and thus reflect ΛH 1 : 75th; ΛH 2 : 90th percentile of the transmitter's CANH outputs;” Shin ¶ 93. “the proposed detection scheme next computes or updates the cumulative voltage deviations (CVDs) of features F1-F6 as indicated in steps 103 and 105.” Shin ¶ 97.)

Shin in view of Samel, as combined in claim 2, does not disclose:
determine whether the additional ones of the plurality of MIDs overlap based on the overlap threshold 

Samel further discloses: determine whether the additional ones of the plurality of MIDs overlap based on the overlap threshold  (Samel ¶¶ 32-35).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Shin in view of Samel with Samel by iteratively updating the labels of Shin until a label change falls below a threshold.  It would have been obvious to a person of ordinary skill in the art to further combine Shin in view of Samel with Samel in order to reduce noise, inconsistency, and inaccuracy in the fingerprints used in the machine learner of Shin, Samel ¶ 9. 

As to claims 6 and 24, Shin in view of Samel discloses the machine/method/CRM of claims 4, 13, and 22 and further discloses:
	configure the apparatus to deploy the trained ML model in an intrusion detection system (IDS) to establish ground truth for the intrusion detection system (“voltage profiles from the proposed detection scheme are sufficient for the purpose of root-cause analysis, intrusion detection” Shin ¶ 104. Shin ¶ 129) responsive to a determination that all MIDs are included in the second updated mapping between the plurality MIDs and the plurality of ECU labels. (The model of Shin is continuously updated and used in detection: “Since the proposed detection scheme continuously updates the voltage profiles via RLS and exploits them for root-cause analysis, in most cases, the proposed detection scheme can locate the source of the attack.” Shin ¶ 144.)

As to claims 7 and 16, Shin in view of Samel discloses the machine/method/CRM of claims 2, 11, and 20 and further discloses:
wherein the ML model is a supervised classifier. (“During a learning phase, a fingerprint is learned for each ECU connected to a vehicle bus.” Shin ¶ 69, A supervised classifier that determines the desired/supervised output, ECU determination.)

As to claims 8, 17 and 25, Shin in view of Samel discloses the machine/method/CRM of claims 2, 11, and 20 and further discloses:
wherein the bus is an in-vehicle network. (“During a learning phase, a fingerprint is learned for each ECU connected to a vehicle bus.” Shin ¶ 69)

As to claims 9 and 18, Shin in view of Samel discloses the machine/method/CRM of claims 2 and 15 and further discloses:
wherein the accuracy is a recall of the ML model, an F1 score of the ML model, or a precision of the ML model. (“While updating of the labels continues, model creation engine 206 retrains 410 the machine learning model using the updated labels from a previous iteration….. Model creation engine 206 and denoising engine 204 may repeat operations 404-410 until changes to the groupings of training data and/or the corresponding labels fall below a threshold.” Samel ¶ 57. Changing to the groupings is analogous to recall or precision, see Samel ¶ 9)

As to claim 15, Shin in view of Samel discloses the method of claim 13 and further discloses:
comprising training the ML model on the second updated mapping between the plurality MIDs and the plurality of ECU labels to increase an accuracy of the ML model. (“Model creation engine 206 and denoising engine 204 may continue iteratively training machine learning model 208 using features 210 and updated labels 216 from a previous iteration, generating new groupings 214 of training data by internal representations 212 of the training data from the retrained machine learning model 208, and generating new sets of updated labels 216 to improve the consistency of groupings 214 and/or labels 232 in groupings 214. After the accuracy of machine learning model 208 and/or the consistency of groupings 214 and/or labels 232 converges, model creation engine 206 and denoising engine 204 may discontinue updating machine learning model 208, groupings 214, and labels 232.” Samel ¶ 35. Performed to increase accuracy per Samel ¶ 9)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, specifically:
Tian et al., US 2018/0351994, discloses fraudulent device detection and profiling based on vibration.
Shrivastava et al., US 2019/0317458 discloses security event detection using voltage probing and response detection.
Harata et al., US 20130081106, discloses bus monitoring for security detection. 
Rohde et al., US 20160173513 discloses fingerprinting the packets in a CAN bus for intrusion detection. 
Shukla et al., US 2021/0044444 discloses grouping elements to improve machine learning accuracy.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492