Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
FINAL ACTION
This action is in response to amendment filed on 6/26/2022. Claims 1, 2, 7, 8, 11, 13-15, 19-21, 23, 25, 27 and 28 are amended. Claims 3-6, 12, 16-18 are cancelled. Claims 1, 2, 7-11, 13-15 and 19-28 are pending. 
Response to Arguments
Examiner’s Remarks - 35 USC § 112
The examiner finds applicant’s remarks persuasive with regards to applicant’s anomaly analyzer. Therefore, the examiner withdraws the rejection made under 35 USC § 112. The examiner maintains the rejection made under 35 USC § 112 for applicant’s security monitor and event manager. The applicant has not indicated the proper structure. 
Examiner’s Remarks - 35 USC § 103
Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “security monitor arranged to…” in claim 8 and “event manager arrange to…” in claim 11. 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8 and 11 limitation(s) of, “security monitor arranged to” and “event manager arrange to”, invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 7-11, 13-15 and 19-28 are rejected under 35 U.S.C. 103 as being unpatentable over Aher et al. (US Patent Publication No. 2019/0182267 and Aher hereinafter) in view of Chae et al. (US Patent Publication No. 2017/0104631 and Chae hereinafter).

As to claim 1, Aher teaches a system for monitoring intrusion anomalies in an automotive environment, the system comprising: 
a telematic control unit (i.e. …teaches in par. 0035 the following: “telematics control unit (TCU)”); 
a plurality of electronic control units (ECUs) (i.e., …figure 1A illustrates a plurality of ECU), 
each of said plurality of ECUs control units associated with a respective local security monitor and a diagnostic communications manager arranged to receive information regarding intrusion anomalies detected by said local security monitor (i.e., …teaches in figure 1A, a plurality of ECU associated with a security monitor and communication manager…teaches in par.  0037 the following: “detects anomalies and suspicious activities in the monitored data”. …teaches in par. 0044 the following: “The data collected by the SIEM may also enable security analysts and forensic specialists to analyze suspected attacks and identify potential vulnerabilities”.); 
and an anomaly analyzer in communication with each of said diagnostic communication managers and said telematics control unit (i.e., …teaches in par. 0035 the following: “Connectivity is also being introduced to help connect vehicles with external networks, opening the connected car to a multitude of security problems. Current vehicles may comprise several layers of security means. For example, dedicated security controllers may be added to common vehicles networks such as the telematics control unit (TCU)” … …teaches in par. 0046 the following: “For example, the IVS may monitor events and data from the vehicle's firewall and gateway ECU. IVS 130 may interface with the various onboard data sources (which may include third-party software and hardware) in several ways. IVS 130 may run on the same ECU as one or more vehicle data sources, or may be connected to one or more data sources via Ethernet. In such case, IVS 130 may communicate with such data sources using a suitable communication protocol. For example, the onboard data sources may forward their logs, such as key management logs and critical interfaces access logs, over an Internet Protocol (IP) network…”), 
said anomaly analyzer arranged to accumulate on a memory said information regarding intrusion anomalies detected by said respective local security monitors (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data, and executes SEP on the detected suspicious events, to identify potential computer security threats based on results of the SEP. The IVS further executes edge analytics on the data”).

Aher does not expressly teach:
said communication utilizing a diagnostic over Internet protocol.
In this instance the examiner notes the teachings of prior art reference Chae. 
Chae teaches in par. 0071 the following: “a diagnostic over internet protocol (DoIP)”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Aher with the teachings of Chae by having their system comprise diagnostic communication capability. One would have been motivated to do so to provide a simple and effective means to further analyze suspicious data, wherein the diagnostic communication helps identify questionable activity and makes it easier to ensure system integrity.

As to claim 2, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein said anomaly analyzer is further arranged to compare the received information regarding intrusion anomalies detected by said local security monitor with a black list (i.e., …teaches in par. 0041 the following: “IVS configurations files and policy rules, learned knowledge information (e.g., dynamic white/black lists)”), 
and in the event that the received information is congruent with the black list (i.e, …teaches in par. 0039 the following: “The IVS may also employ dynamic ‘white’ and ‘black’ IP/URL prefix addresses lists. The IVS's Stateful Event Processor may facilitate the creation of dynamic white and black lists based on membership logic. In other words, the dynamic lists will be generated and populated according to predefined algorithms that are able to learn common ‘behaviors’ of a vehicle, or common internet addresses and identities of common paired devices (e.g., mobile phones) for the vehicle in question. For example, a dynamic list of known devices may comprise all the devices that have been detected by the IVS more than a predetermined number of times within a certain time frame. Then, this dynamic list can be used to define one or more rules, such as prompting the IVS to issue an alert with respect to any paired device that is not in the known device white list. In the same way, a common IP communication white list will prompt the IVS to issue an alert regarding any new IP communication that is not in the common IP communications white list.”), 
output a command to disable a communication function of the telematics control unit or and an alert message (i.e.,. ….teaches in par. 0039 the following: “to issue an alert regarding any new IP communication that is not in the common IP communications white list.”).

3 - 6. (Cancelled)

As to claim 7, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein each of said plurality of ECUs is within a respective single automotive environment (i.e., …see figure 1A), said anomaly analyzer being within a respective supervisory automotive environment (i.e., …see figure 1A).

As to claim 8, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein said plurality of ECUs are arranged as nodes on a network (i.e., …see figure 1A), the system further comprising a network security monitor arranged to identify anomalies in software packets transmitted on said network to, or from, at least one of said plurality of ECUs (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data”), 
said anomaly analyzer further in communication with said anomaly analyzer utilizing the diagnostic over Internet protocol (i.e., …teaches in par. 019 the following: “the instructions further cause the processor to generate a list of authorized and unauthorized network Internet Protocol (IP) addresses, and wherein the detecting of suspicious events, messages, and network activity comprises, at least in part, determining whether an IP address is associated with the list of authorized and unauthorized network IP addresses.”).

As to claim 9, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein each of said diagnostic communication managers are arranged to report on event, to said anomaly analyzer, said intrusion anomalies identified by said respective security monitor (i.e. ..teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data, and executes SEP on the detected suspicious events, to identify potential computer security threats based on results of the SEP.” …teaches in par. 0035 the following: “the various sub-domains of the vehicle's network may comprise secure means such as a message authentication scheme, encryption, intrusion detection, and device validation.”).

As to claim 10, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein said anomaly analyzer is arranged to periodically poll each of said diagnostic communication managers for said intrusion anomalies identified by said respective security monitor (i.e., …teaches in par. 0046 the following: “For example, the IVS may monitor events and data from the vehicle's firewall and gateway ECU. IVS 130 may interface with the various onboard data sources (which may include third-party software and hardware) in several ways. IVS 130 may run on the same ECU as one or more vehicle data sources, or may be connected to one or more data sources via Ethernet. In such case, IVS 130 may communicate with such data sources using a suitable communication protocol. For example, the onboard data sources may forward their logs, such as key management logs and critical interfaces access logs, over an Internet Protocol (IP) network to a central logging server. The central logging server may then be configured to forward the logs sent by the onboard data sources to the IVS 130. In other cases, IVS 130 may receive messages from onboard data sources, e.g. ECUs 110, 112, 114, via CAN bus 118.”).

As to claim 11, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein each of said plurality of ECUs further comprises a diagnostic event manager arranged to generate a diagnostic anomaly code for each of said intrusion anomalies detected by said security monitor (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”), 
said diagnostic communications manager in communication with said diagnostic event manager (i.e., …illustrates in figure 1A figure element 124, 130a, 130, 140 and 150 communicating with each other), 
and wherein said received information comprises said generated diagnostic anomaly codes (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”).

12. (Cancelled)

As to claim 13, the system of Aher and as applied to claim 1 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 1, wherein said anomaly analyzer comprises said plurality of ECUs each comprise a diagnostic over Internet protocol node (i.e., …teaches in par. 0046 the following: “For example, the onboard data sources may forward their logs, such as key management logs and critical interfaces access logs, over an Internet Protocol (IP) network”), for said communication utilizing the diagnostic over Internet protocol (i.e.,. …teaches in par. 0046 the following: “For example, the onboard data sources may forward their logs, such as key management logs and critical interfaces access logs, over an Internet Protocol (IP) network”).

Aher does not expressly teach:
diagnostic over Internet protocol client.
In this instance the examiner notes the teachings of prior art reference Chae. 
Chae teaches in par. 0071 the following: “a diagnostic over internet protocol (DoIP)”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Aher with the teachings of Chae by having their system comprise diagnostic communication capability. One would have been motivated to do so to provide a simple and effective means to further analyze suspicious data, wherein the diagnostic communication helps identify questionable activity and makes it easier to ensure system integrity.

As to claim 14, Aher teaches a method of monitoring intrusion anomalies in an automotive environment, the method comprising: 
detecting intrusion anomalies for each of a plurality of electronic control units (ECUs) (i.e., …teaches in his abstract the following: “detect suspicious events, messages, and network activity, in the monitored events, messages, and network activity, respectively…”); 
receiving information, at a respective diagnostic communications manager associated with the respective ECU, regarding said detected intrusion anomalies (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”); 
and communicating, utilizing a diagnostic over Internet protocol, said received information to an anomaly analyzer (i.e., …teaches in par. 0046 the following: “For example, the onboard data sources may forward their logs, such as key management logs and critical interfaces access logs, over an Internet Protocol (IP) network”); 
accumulating on a memory, said detected intrusion anomalies of said plurality of ECUs (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”).

Aher does not expressly teach:
utilizing a diagnostic over Internet protocol.
In this instance the examiner notes the teachings of prior art reference Chae. 
Chae teaches in par. 0071 the following: “a diagnostic over internet protocol (DoIP)”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Aher with the teachings of Chae by having their system comprise diagnostic communication capability. One would have been motivated to do so to provide a simple and effective means to further analyze suspicious data, wherein the diagnostic communication helps identify questionable activity and makes it easier to ensure system integrity.

As to claim 15, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 14, further comprising: comparing said received information with a black list (i.e., …teaches in par. 0041 the following: “IVS configurations files and policy rules, learned knowledge information (e.g., dynamic white/black lists)”); 
and in the event that said received information is congruent with the black list, output a command to disable a communication function of the telematics control unit; or and an alert message (i.e.,. ….teaches in par. 0039 the following: “to issue an alert regarding any new IP communication that is not in the common IP communications white list.”).

16 - 18. (Cancelled)

As to claim 19, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 14, wherein the accumulation is performed by an anomaly analyzer (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data”), 
wherein each of the plurality of ECUs is within a respective single automotive environment (see figure 1a),  
and said anomaly analyzer is being within a respective supervisory automotive environment (see figure 1a).

As to claim 20, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 14, wherein said detecting intrusion anomalies comprises identifying intrusion anomalies in software packets transmitted to, or from, at least one of the plurality of ECUs (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data”).

As to claim 21, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 14, further comprising setting each of the diagnostic communication managers to report on event said detected intrusion anomalies (i.e. ...teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data, and executes SEP on the detected suspicious events, to identify potential computer security threats based on results of the SEP.” …teaches in par. 0035 the following: “the various sub-domains of the vehicle's network may comprise secure means such as a message authentication scheme, encryption, intrusion detection, and device validation.”).

As to claim 22, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 14, further comprising periodically polling each of said diagnostic communication managers for said detected intrusion anomalies (i.e., …teaches in par. 0060 the following: “IVS 130 may periodically poll”).

As to claim 23, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 14, further comprising generating a diagnostic anomaly code for each of said detected intrusion anomalies, said received information comprising said generated diagnostic anomaly codes (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”).

As to claim 24, the system of Aher and as applied to claim 14 above teaches vehicle intrusion detection, specifically Aher teaches a method of claim 23, wherein for each type of detected intrusion anomaly said generated diagnostic anomaly code is unique (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”).

As to claim 25, Aher teaches a system for monitoring intrusion anomalies in an automotive environment, the system comprising: a plurality of (ECUs) arranged as nodes on a network (see figure 1a); 
a network security device comprising a network security monitor arranged to identify intrusion anomalies in software packets transmitted on said network to, or from, at least one of said plurality of ECUs (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data”); 
and an anomaly analyzer in communication with said network security monitor (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data”), 
said anomaly analyzer arranged to: receive from said network security device information regarding said detected intrusion anomalies, accumulate on a memory said received information regarding said detected intrusion anomalies (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”), 
and compare the received information regarding intrusion anomalies detected by said network security device with a black list (i.e., …teaches in par. 0041 the following: “IVS configurations files and policy rules, learned knowledge information (e.g., dynamic white/black lists)”), 
and in the event that the received information is congruent with the black list (i.e., …teaches in par. 0041 the following: “IVS configurations files and policy rules, learned knowledge information (e.g., dynamic white/black lists)”), 
output a command to disable a communication function of the telematics control unit; or and an alert message (i.e.,. ….teaches in par. 0039 the following: “to issue an alert regarding any new IP communication that is not in the common IP communications white list.”).

Aher does not expressly teach:
said communication utilizing a diagnostic over Internet protocol. 
In this instance the examiner notes the teachings of prior art reference Chae.
Chae teaches in par. 0071 the following: “a diagnostic over internet protocol (DoIP)”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Aher with the teachings of Chae by having their system comprise diagnostic communication capability. One would have been motivated to do so to provide a simple and effective means to further analyze suspicious data, wherein the diagnostic communication helps identify questionable activity and makes it easier to ensure system integrity.

As to claim 26, the system of Aher and as applied to claim 25 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 25, wherein said network security device further comprises a diagnostic communications manager arranged to report on event, to said anomaly analyzer, said information regarding intrusion anomalies detected by said network security monitor (i.e. ..teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data, and executes SEP on the detected suspicious events, to identify potential computer security threats based on results of the SEP.” …teaches in par. 0035 the following: “the various sub-domains of the vehicle's network may comprise secure means such as a message authentication scheme, encryption, intrusion detection, and device validation.”).

As to claim 27, the system of Aher and as applied to claim 25 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 25, wherein said plurality of ECUs each comprise a local security monitor and a diagnostic communications manager arranged to receive information regarding intrusion anomalies detected by said local security monitor (i.e., …teaches in par. 0037 the following: “The IVS detects anomalies and suspicious activities in the monitored data”), 
wherein said anomaly analyzer is further in communication with each of said diagnostic communication managers of said engine control units utilizing the diagnostic over Internet protocol (i.e., …teaches in par. 0046 the following: “For example, the onboard data sources may forward their logs, such as key management logs and critical interfaces access logs, over an Internet Protocol (IP) network”), 
said anomaly analyzer arranged to accumulate said information regarding intrusion anomalies detected by said respective local security monitors (i.e., …teaches in par. 0046 the following: “The IVS may comprise a Stateful Event Processor (SEP) 130a. SEP 130a may be capable of processing multiple events in order to detect patterns among them. An event pattern is a template specifying one or more combinations of events. Given any collection of events, one or more subsets of those events may be found to match a particular pattern. Patterns may be incorporated into rule policies, which comprise a specified action upon detection of a pattern in the stream of events.”).

Aher does not expressly teach:
utilizing a diagnostic over Internet protocol. 
In this instance the examiner notes the teachings of prior art reference Chae.
Chae teaches in par. 0071 the following: “a diagnostic over internet protocol (DoIP)”. 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Aher with the teachings of Chae by having their system comprise diagnostic communication capability. One would have been motivated to do so to provide a simple and effective means to further analyze suspicious data, wherein the diagnostic communication helps identify questionable activity and makes it easier to ensure system integrity.

As to claim 28, the system of Aher and as applied to claim 25 above teaches vehicle intrusion detection, specifically Aher teaches a system of claim 27, wherein said anomaly analyzer is further arranged to: compare the received information regarding intrusion anomalies from said diagnostic communication managers of said engine control units with the black list (i.e.,. ….teaches in par. 0039 the following: “to issue an alert regarding any new IP communication that is not in the common IP communications white list.”), 
and in the event that the received information regarding intrusion anomalies from any of said diagnostic communication managers is congruent with the black list (i.e.,. ….teaches in par. 0039 the following: “to issue an alert regarding any new IP communication that is not in the common IP communications white list.”), 
output the command to disable a communication function of the telematics control unit; or and the alert message (i.e.,. ….teaches in par. 0039 the following: “to issue an alert regarding any new IP communication that is not in the common IP communications white list.”).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRYAN F WRIGHT/Examiner, Art Unit 2497