DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Claim Rejections - 35 USC § 102(b) and § 103
Applicant’s arguments filed on 9/12/2022, directed at the amended claims submitted on 9/12/2022, were considered but are moot in view of the new rejections made below in response to the latest amendments by applicant.

	
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 2, 12, 14 and 16 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hars (US 2020/0042751).

Regarding claims 1 and 16, Hars teaches A method for handling attacks on a unit for controlling a machine, wherein the machine is a vehicle or a component of the vehicle (see [0042] and Fig. 2: “The vehicle control unit 200 is configured to provide a vehicle or car engine with controller functions and its microcontroller unit 240 is adapted to run software allowing such servicing. Thus, when the microcontroller unit 240 determines that the housing 210, 220 may have been tampered with, the vehicle control unit 200 can react by changing the controller behavior”. The Examiner interprets the vehicle control unit 200 as a unit for controlling a machine, wherein the machine is a vehicle or a component of the vehicle. The Examiner further interprets tampering with the housing 210 and 220 of the vehicle control unit 200 as attacks on a unit for controlling a machine, wherein the machine is a vehicle or a component of the vehicle), the method comprising the following steps: 
detecting at least one variable that defines an operation of the unit in the vehicle (see [0057] and Fig. 2: “the protection membrane 290 includes a conductive mesh applied to the surface of the sealing controller unit 250. The conductive mesh is adapted to have a predefined pattern with electrical connectivity, such that the predefined electrical connectivity defines the validity state stored in the memory”. And see [0058] and Fig. 2: “a mechanical force applied to remove the cover 220 of the housing is mechanically coupled by the elongated mechanical coupling element 270 to result in a corresponding mechanical force being applied to the protection membrane 290”. And see [0059] and Fig. 2: “It follows that the protection membrane 290 breaks, and the mechanical impact of the mechanical coupling element 270 damages or disrupts the conductive mesh of the protection membrane 290 such as to change its electrical connectivity”. The Examiner interprets measuring the electrical connectivity of the conductive mesh 290 as detecting at least one variable that defines an operation of the unit in the vehicle); 
determining a piece of information that characterizes surroundings in which the unit is operated as a function of the detected variable (see [0060] and Fig. 2: “when the protection membrane 290 breaks, the change in its electrical connectivity influences electrical characteristics of the sealing controller unit 250, and thus changes the validity state stored in the memory”. And see [0061] and Fig. 2: “For example, the protection membrane 290 and its corresponding conductive mesh can be used to form the ROM chip for storing the digital key of the sealing controller unit 250. Then, upon receiving the conveyer mechanical force applied to the surface of the housing 210, 220, the conductive mesh is damaged or disrupted, which damages or corrupts the digital key stored in the sealing controller unit 250”. The Examiner interprets determining the digital key of the sealing controller unit 250 as determining a piece of information that characterizes surroundings in which the unit is operated as a function of the detected variable for the following reasons: Hars teaches in [0046]: “If the content of the digital key changes, or if the digital key is no longer accessible due to damage caused to the memory chip, the validity state of the sealing controller unit 250 is considered to have changed, indicating a mechanical change to the housing 210, 220”. In other words, the digital key characterizes whether there is a mechanical change to the housing 210 and 220 of the vehicle control unit 200 and is a piece of information that characterizes surroundings in which the unit is operated. Additionally, Hars teaches in [0044]: “the memory of the sealing controller unit 250 includes a one-time programmable read-only-memory (ROM) adapted to store a digital key corresponding to the stored validity status”. 
In other words, the change in the electrical connectivity of the conductive mesh 290 changes the validity state stored in the memory, which corresponds to the digital key (see [0060] and [0044]). Therefore, the digital key (a piece of information that characterizes surroundings in which the unit is operated) is a function of the electrical connectivity of the conductive mesh 290 (the detected variable)); 
checking, as a function of a comparison of the piece of information about the surroundings to a piece of information about a setpoint surroundings for the operation of the unit in the vehicle, whether or not an anomaly is present in the operation of the unit (see [0015]: “The microcontroller unit is configured to use the electrical connector to determine the validity state of the sealing controller unit. Thus, the microcontroller unit is configured to use the electrical connector to read the digital key, or to check the memory content and/or integrity of the memory of the sealing controller unit. Then, if the microcontroller unit determines that the digital key cannot be authenticated, i.e. is invalid or inaccessible, the microcontroller unit can conclude that a mechanical change has occurred to the housing, for example that the housing may have been tampered with. In other words, the microcontroller unit can be configured to determine the validity state of the sealing controller unit by verifying a digital key stored in the memory of the sealing controller unit. For this purpose, preferably, the microcontroller unit is configured to use an encryption/decryption algorithm to verify the digital key stored in the memory of the sealing controller unit, for example by running advanced encryption standard (AES) based encryption algorithms for performing authentication checks by comparison with a corresponding digital key stored in the microcontroller unit”. 
The Examiner interprets the digital key stored in the memory of the sealing controller unit characterizing the housing 210 and 220 of the vehicle control unit 200 as the piece of information about the surroundings. The Examiner further interprets “a corresponding digital key stored in the microcontroller unit” as a piece of information about a setpoint surroundings for the operation of the unit in the vehicle. The Examiner interprets checking whether the housing may have been tampered with by verifying the digital key stored in the memory of the sealing controller unit by comparison with a corresponding digital key stored in the microcontroller unit as checking, as a function of a comparison of the piece of information about the surroundings to a piece of information about a setpoint surroundings for the operation of the unit in the vehicle, whether or not an anomaly is present in the operation of the unit); 
operating the unit in a first operating mode having a first functional range for the vehicle, when no anomaly is detected (see [0017]: “the vehicle control unit is configured to provide a vehicle or car engine with controller functions, and when the microcontroller unit determines that the digital key is invalid, i.e. indicating that the housing may have been tampered with, the vehicle control unit can turn itself off, for example permanently, or configure itself to reduce the scope of provided controller functions”); and 
operating the unit in a second operating mode having a second functional range for the vehicle, which is reduced or changed with regard to the first functional range, when the anomaly is detected (see [0042]: “The vehicle control unit 200 is configured to provide a vehicle or car engine with controller functions and its microcontroller unit 240 is adapted to run software allowing such servicing. Thus, when the microcontroller unit 240 determines that the housing 210, 220 may have been tampered with, the vehicle control unit 200 can react by changing the controller behavior and/or by limiting access to sensitive information stored in the vehicle control unit 200, in particular sensitive information which could be maliciously tempered with”. And see [0043]: “For example, the vehicle control unit 200 could react by turning itself off, for example permanently, or by configuring itself to reduce the scope of provided controller functions”).

Regarding claim 14, Hars teaches A device for handling an anomaly (see [0042] and Fig. 2: “the microcontroller unit 240 determines that the housing 210, 220 may have been tampered with”. The Examiner interprets the microcontroller unit 240 as A device for handling an anomaly) in a control unit for a machine or a vehicle (see [0042] and Fig. 2: “The vehicle control unit 200 is configured to provide a vehicle or car engine with controller functions and its microcontroller unit 240 is adapted to run software allowing such servicing”), wherein the device is integrated into the control unit (see [0042] and Fig. 2: “The vehicle control unit 200 is configured to provide a vehicle or car engine with controller functions and its microcontroller unit 240”) and includes a processor (see [0045]: “The microcontroller unit 240 comprises a hardware secure model (HSM)”), an interface (see [0036] and Fig. 2: “An electrical connector 260 is configured to couple the microcontroller unit 240 to the sealing controller unit 250”), and a memory to store instructions (see [0042]: “The vehicle control unit 200 is configured to provide a vehicle or car engine with controller functions and its microcontroller unit 240 is adapted to run software allowing such servicing”. And see [0048]: “wherein the digital key stored in the memory of the sealing controller unit 250 is compared with a corresponding digital key stored in the microcontroller unit 240”. Hars inherently teaches that the microcontroller unit 240 includes a memory, because otherwise it cannot store the digital key), wherein the processor is configured to carry out the instructions, the instructions causing the device to perform the following: 
detecting at least one variable that defines an operation of the control unit (see the rejection of claim 1 above); 
determining a piece of information that characterizes surroundings in which the control unit is operated as a function of the detected variable (see the rejection of claim 1 above); 
checking, as a function of a comparison of the piece of information about the surroundings to a piece of information about a setpoint surroundings for the operation of the control unit, whether or not an anomaly is present in the operation of the control unit (see the rejection of claim 1 above); 
operating the control unit in a first operating mode having a first functional range, when no anomaly is detected (see the rejection of claim 1 above); and 
operating the control unit in a second operating mode having a second functional range, which is reduced or changed with regard to the first functional range, when the anomaly is detected (see the rejection of claim 1 above).

Regarding claim 2, Hars further teaches detecting the anomaly based on the checking (see [0015]: “The microcontroller unit is configured to use the electrical connector to determine the validity state of the sealing controller unit. Thus, the microcontroller unit is configured to use the electrical connector to read the digital key, or to check the memory content and/or integrity of the memory of the sealing controller unit. Then, if the microcontroller unit determines that the digital key cannot be authenticated, i.e. is invalid or inaccessible, the microcontroller unit can conclude that a mechanical change has occurred to the housing, for example that the housing may have been tampered with. In other words, the microcontroller unit can be configured to determine the validity state of the sealing controller unit by verifying a digital key stored in the memory of the sealing controller unit. For this purpose, preferably, the microcontroller unit is configured to use an encryption/decryption algorithm to verify the digital key stored in the memory of the sealing controller unit, for example by running advanced encryption standard (AES) based encryption algorithms for performing authentication checks by comparison with a corresponding digital key stored in the microcontroller unit”), wherein the unit is operated in the second operating range based on the detecting the anomaly (see [0017]: “the vehicle control unit is configured to provide a vehicle or car engine with controller functions, and when the microcontroller unit determines that the digital key is invalid, i.e. indicating that the housing may have been tampered with, the vehicle control unit can turn itself off, for example permanently, or configure itself to reduce the scope of provided controller functions”).

Regarding claim 12, Hars further teaches wherein functions from the first functional range that characterize a privileged function of the unit are missing in the second functional range (see [0017]: “the vehicle control unit is configured to provide a vehicle or car engine with controller functions, and when the microcontroller unit determines that the digital key is invalid, i.e. indicating that the housing may have been tampered with, the vehicle control unit can turn itself off, for example permanently, or configure itself to reduce the scope of provided controller functions”. The Examiner interprets the controller functions that are missing from the reduced scope of provided controller functions when the housing of the vehicle control unit has been determined to have been tampered with as wherein functions from the first functional range that characterize a privileged function of the unit are missing in the second functional range).


	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751), and further in view of Meiler (US 2020/0074123).

Regarding claim 3, Hars fails to teach wherein the variable characterizes a communication of the unit in a communication network.
In the same field of endeavor, Meiler teaches A device (first device 802, see Fig. 8A and [0082]) for handling an anomaly (see [0087] and Fig. 8A: “The first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800a. A match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800a. If the system ID does not match, the device 804 or 812 may have been provided or installed by an unauthorized party. As a result, swapping of devices from other systems of the same manufacturer or from a third party may be detected”) in a control unit for a machine or a vehicle (see [0068]: “FIG. 7 is a block diagram of an x-ray system according to some embodiments. The x-ray system 700 includes a host controller 702, an interface board (IFB) 704, and tube auxiliary unit (TAU) 732, and an x-ray tube 736”. The Examiner interprets the x-ray system 700 as a machine. And see [0070] and Fig. 7: “In some embodiments, a device 102 is an authentication daughter board (ADB) 703 that is mounted on the IFB 704”. And see [0107]: “Referring to FIG. 8B, in some embodiments, an x-ray system 800b includes a host controller 822, an ADB 824, a TAU 832, and an x-ray tube 836. The host controller 822 may be a system controller for the x-ray system 800b. The host controller 822 may act as the first device 802 of FIG. 8A and perform the associated operations described in FIGS. 9A-D”. The Examiner interprets the host controller 822/702 as a control unit for a machine), wherein the device is integrated into the control unit (see [0107] and FIG. 8B: “The host controller 822 may act as the first device 802 of FIG. 8A”) and includes a processor (see [0091] and Fig. 8A: “A processor of the second device 804”. Similarly, the first device 802 also has a processor), an interface (see [0082] and FIG. 8A: “The devices 802 and 804 are coupled through a communication link 806. The communication link may be any medium that allows the devices 802 and 804 to communication”), and a memory (see [0032]: “FIGS. 3A-3C are block diagrams of circuitry of devices with anti-tamper circuitry according to some embodiments. In these embodiments, the circuitry includes anti-tamper circuitry 110 similar to that described above, a processor 113, and a memory 118”. And see [0144] and Figs. 8A: “Some embodiments include a device, comprising: means for detecting, by a device, removal of the device from a component external to the device; and means for disabling at least one function of circuitry of the device in response to the means for detecting the removal of the device from the component. Examples of the means for detecting include the anti-tamper circuitry 110, switch 220 or SW1, or the like. Examples of the means for disabling at least one function of circuitry of the device include the anti-tamper circuitry 110, the processor 113, the memory 118 or 808, or the like”) to store instructions, wherein the processor is configured to carry out the instructions, the instructions causing the device to perform the following: 
detecting at least one variable (see [0095] and Figs. 8A, 9A: “If the system ID is determined to be stored at the second device 804 in 904, a response based on the system ID is returned to the first device 802 in 914. For example, the second device 804 may read the system ID, encrypt it, and transmit the encrypted system ID to the first device 802”. And see [0096] and Figs. 8A, 9A: “The first device 802 receives the response based on the system ID stored at the second device 804 in 916”. The Examiner interprets the first device 802 receiving the encrypted system ID of the second device 804 from the second device 804 in step 916 as detecting at least one variable); 
determining a piece of information that characterizes surroundings in which the control unit is operated as a function of the detected variable (see [0096] and Fig. 8A: “the first device 802 may extract the system ID by reading it from the response, decoding an encrypted response, or the like and comparing it to the system ID stored on the first device 802”. The Examiner interprets the first device 802 “decoding an encrypted response”, where the encrypted response is the encrypted system ID of the second device 804, as determining a piece of information that characterizes surroundings in which the control unit is operated as a function of the detected variable); 
checking, as a function of a comparison of the piece of information about the surroundings to a piece of information about a setpoint surroundings for the operation of the control unit, whether or not an anomaly is present in the operation of the control unit (see [0096] and Figs. 8A, 9A: “The first device 802 receives the response based on the system ID stored at the second device 804 in 916 and determines if the response indicates that the system ID stored at the second device 804 matches the actual system ID in 918. For example, the first device 802 may extract the system ID by reading it from the response, decoding an encrypted response, or the like and comparing it to the system ID stored on the first device 802”. And see [0087]: “a system ID can be stored on devices 804 in a system 800a. The first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800a. A match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800a. If the system ID does not match, the device 804 or 812 may have been provided or installed by an unauthorized party. As a result, swapping of devices from other systems of the same manufacturer or from a third party may be detected”. The Examiner interprets determining “if the response indicates that the system ID stored at the second device 804 matches the actual system ID” as checking, as a function of a comparison of the piece of information about the surroundings to a piece of information about a setpoint surroundings for the operation of the control unit, whether or not an anomaly is present in the operation of the control unit ); 
operating the control unit in a first operating mode having a first functional range, when no anomaly is detected; and operating the control unit in a second operating mode having a second functional range, which is reduced or changed with regard to the first functional range, when the anomaly is detected (see [0097] and Figs. 8A, 9A: “If the system ID indicated by the response from the second device 804 is not correct, if the second device 804 does not respond or times out, if the second device 804 returns an improper response, or the like, counter measures may be performed in 920. The counter measures may take a variety of forms. For example, in some embodiments, the system 800a may be shutdown, the devices 802, 804, 816, or the like may be disabled temporarily or permanently, particular functions may be disabled, ranges of operation may be reduced or limited, or the like”).
Meiler further teaches wherein the variable characterizes a communication of the unit in a communication network (see [0095] and Figs. 8A, 9A: “If the system ID is determined to be stored at the second device 804 in 904, a response based on the system ID is returned to the first device 802 in 914. For example, the second device 804 may read the system ID, encrypt it, and transmit the encrypted system ID to the first device 802”. And see [0096] and Figs. 8A, 9A: “The first device 802 receives the response based on the system ID stored at the second device 804 in 916”. The Examiner interprets the encrypted system ID of the second device 804 received by the first device 802 from the second device 804 in step 916 as wherein the variable characterizes a communication of the unit in a communication network).
Both Hars and Meiler teach a method for handling attacks on a unit for controlling a machine. Before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the variable that defines an operation of the unit in the vehicle taught by Hars with the variable that characterizes a communication of the unit in a communication network (the encrypted system ID of the second device 804 received by the first device 802 from the second device 804 in step 916 of Figs. 8A, 9A) taught by Meiler. It would have been obvious because Meiler teaches that doing so achieves the following benefit: “The first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800a. A match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800a. If the system ID does not match, the device 804 or 812 may have been provided or installed by an unauthorized party. As a result, swapping of devices from other systems of the same manufacturer or from a third party may be detected” (see Meiler [0087] and Fig. 8A).

Regarding claim 5, Hars fails to teach wherein the surroundings in which the unit is operated is characterized by at least one counterpart for the communication outside of the unit, the anomaly being detected if it is established that a message is received from an unknown counterpart or a receipt of an expected message of a counterpart fails to happen.  
In the same field of endeavor, Meiler teaches wherein the surroundings in which the unit is operated is characterized by at least one counterpart for the communication outside of the unit, the anomaly being detected if it is established that a message is received from an unknown counterpart or a receipt of an expected message of a counterpart fails to happen (see [0097]: “If the system ID indicated by the response from the second device 804 is not correct, if the second device 804 does not respond or times out, if the second device 804 returns an improper response, or the like, counter measures may be performed in 920”).
Both Hars and Meiler teach a method for handling attacks on a unit for controlling a machine. Before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Hars such that the surroundings in which the unit is operated is characterized by at least one counterpart for the communication outside of the unit, the anomaly being detected if it is established that a message is received from an unknown counterpart or a receipt of an expected message of a counterpart fails to happen, as taught by Meiler.  It would have been obvious because Meiler teaches that doing so achieves the following benefit: “The first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800a. A match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800a. If the system ID does not match, the device 804 or 812 may have been provided or installed by an unauthorized party. As a result, swapping of devices from other systems of the same manufacturer or from a third party may be detected” (see Meiler [0087] and Fig. 8A).
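The counterpart check relied on for claims 3 and 5, combined with the reduced functional range of claims 1 and 12, is shown here as an added Python example; it is not text of this Office action and not code from Hars or Meiler. It assumes an HMAC-SHA256 proof over a fresh nonce in place of the encrypted system ID quoted from Meiler, and a latched reduced mode; all names, keys, IDs and function lists are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


class Mode(Enum):
    FULL = "first operating mode"
    REDUCED = "second operating mode"


# Hypothetical function names, constructed for this example.
ALL_FUNCTIONS = frozenset(
    {"engine_control", "diagnostics", "firmware_update", "key_provisioning"})
PRIVILEGED_FUNCTIONS = frozenset({"firmware_update", "key_provisioning"})


@dataclass(frozen=True)
class Response:
    sender: str    # identity the counterpart claims
    nonce: bytes   # challenge echoed back
    tag: bytes     # proof over (nonce || system ID)


def prove_system_id(key: bytes, nonce: bytes, system_id: bytes) -> bytes:
    """Counterpart side: bind the stored system ID to the fresh challenge."""
    return hmac.new(key, nonce + system_id, hashlib.sha256).digest()


class ControlUnit:
    def __init__(self, system_id: bytes, peer_keys: Dict[str, bytes]):
        self.system_id = system_id          # setpoint: the expected system ID
        self.peer_keys = dict(peer_keys)    # known counterparts and their keys
        self.mode = Mode.FULL
        self.anomalies: List[Tuple[str, str]] = []

    @staticmethod
    def new_challenge() -> bytes:
        # Fixed length keeps the nonce || system_id concatenation unambiguous.
        return os.urandom(16)

    def classify(self, peer: str, nonce: bytes,
                 resp: Optional[Response]) -> Optional[str]:
        """Return None when the counterpart checks out, else an anomaly reason."""
        if resp is None:
            return "no_response"            # expected message never arrived
        if resp.sender not in self.peer_keys:
            return "unknown_counterpart"
        if (resp.sender != peer or resp.nonce != nonce
                or len(resp.tag) != TAG_LEN):
            return "improper_response"      # wrong peer, stale nonce, malformed
        expected = prove_system_id(self.peer_keys[peer], nonce, self.system_id)
        if not hmac.compare_digest(expected, resp.tag):
            return "system_id_mismatch"     # e.g. a part swapped from elsewhere
        return None

    def check(self, peer: str, nonce: bytes, resp: Optional[Response]) -> Mode:
        reason = self.classify(peer, nonce, resp)
        if reason is not None:
            self.anomalies.append((peer, reason))
            self.mode = Mode.REDUCED        # latched: an assumption made here
        return self.mode

    def available_functions(self) -> frozenset:
        if self.mode is Mode.FULL:
            return ALL_FUNCTIONS
        return ALL_FUNCTIONS - PRIVILEGED_FUNCTIONS


def demo() -> List[Tuple[str, Optional[str]]]:
    """Classify four constructed responses against one control unit."""
    key = b"\x11" * 32                      # constructed shared key
    unit = ControlUnit(b"SYS-A", {"peer-1": key})
    nonce = unit.new_challenge()
    cases = {
        "genuine": Response("peer-1", nonce,
                            prove_system_id(key, nonce, b"SYS-A")),
        "swapped": Response("peer-1", nonce,
                            prove_system_id(key, nonce, b"SYS-B")),
        "stranger": Response("peer-9", nonce, b"\x00" * TAG_LEN),
        "silent": None,
    }
    return [(name, unit.classify("peer-1", nonce, r))
            for name, r in cases.items()]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name:9s} -> {reason or 'ok'}")
```
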

Regarding claim 15, Hars fails to teach wherein the interface includes: (i) a communication interface for a cryptographically secured communication with a counterpart outside of the control unit, or (ii) a photodiode through which current is generated in the case of an open housing of the control unit, or (iii) a circuit that is open in the case of an open housing of the control unit and closed in the case of a closed housing of the control unit, or (iv) a current or voltage measuring device configured to detect a characteristic curve of a current or voltage of a current or voltage supply from outside the control unit.
In the same field of endeavor, Meiler teaches wherein the interface (see [0082] and FIG. 8A: “The devices 802 and 804 are coupled through a communication link 806. The communication link may be any medium that allows the devices 802 and 804 to communication”) includes: (i) a communication interface for a cryptographically secured communication with a counterpart outside of the control unit, (see [0098] and Figs. 8A, 9A: “when response based on the system ID is transmitted to the first device 802 from the second device 804 in 914, the communication may be encrypted. For example, a secure communication link may be established between the first and second devices 802 and 804, the response or portions of it may be encrypted, the system ID stored on the second device 804 may be encrypted, or the like”) or (ii) a photodiode through which current is generated in the case of an open housing of the control unit, or (iii) a circuit that is open in the case of an open housing of the control unit and closed in the case of a closed housing of the control unit, or (iv) a current or voltage measuring device configured to detect a characteristic curve of a current or voltage of a current or voltage supply from outside the control unit.
Both Hars and Meiler teach a device for handling attacks on a unit for controlling a machine. Before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the device of Hars by letting the interface of Hars include: (i) a communication interface for a cryptographically secured communication with a counterpart outside of the control unit, or (ii) a photodiode through which current is generated in the case of an open housing of the control unit, or (iii) a circuit that is open in the case of an open housing of the control unit and closed in the case of a closed housing of the control unit, or (iv) a current or voltage measuring device configured to detect a characteristic curve of a current or voltage of a current or voltage supply from outside the control unit, as taught by Meiler. It would have been obvious because Meiler teaches that doing so achieves the following benefit: “The first device 802 can verify that the system ID stored on the second device 804 or third device 812 matches the expected system ID such as a system ID associated with the system 800a. A match of the system ID may indicate that the second device 804 or third device 812 is a genuine component intended and originally installed on the system 800a. If the system ID does not match, the device 804 or 812 may have been provided or installed by an unauthorized party. As a result, swapping of devices from other systems of the same manufacturer or from a third party may be detected” (see Meiler [0087] and Fig. 8A).


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751) as applied to claim 3 above, further in view of Meiler (US 2020/0074123), and further in view of Hermann (US 7,120,421).

Regarding claim 4, before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the piece of information that characterizes the surroundings in which the unit is operated taught by Hars with the communication message (the encrypted system ID of the second device 804 received by the first device 802 from the second device 804 in step 916 of Figs. 8A, 9A) taught by Meiler (see the rejection of claim 3 above). However, Hars fails to teach wherein the surroundings in which the unit is operated is characterized by messages for the communication that are transmitted in a cryptographically secured manner (emphasis added).
In the same field of endeavor, Meiler teaches wherein the surroundings in which the unit is operated is characterized by messages for the communication that are transmitted in a cryptographically secured manner (see [0095] and Fig. 8A: “the second device 804 may read the system ID, encrypt it, and transmit the encrypted system ID to the first device 802”).
Both Hars and Meiler teach a method for handling attacks on a unit for controlling a machine. Before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Hars such that the surroundings in which the unit is operated is characterized by messages for the communication that are transmitted in a cryptographically secured manner, as taught by Meiler. It would have been obvious because Meiler teaches the following: “a secure communication link may be established between the first and second devices 802 and 804, the response or portions of it may be encrypted, the system ID stored on the second device 804 may be encrypted, or the like. As a result, it may be more difficult for an eavesdropper to obtain the correct system ID response from the second device 804” (see Meiler [0098]).
Hars modified in view of Meiler fails to teach the anomaly being detected when it is established that a received message is cryptographically secured in an unknown or inadmissible manner.
However, Hermann teaches the anomaly being detected when it is established that a received message is cryptographically secured in an unknown or inadmissible manner (see col. 8, lines 57-64 and Fig. 7: “If on the side T the correct new cipher key is used, the layer RRC of the side F receives the expected message N(CKCC) in the local message RLC-AM-DAT-I*. If a false new cipher key is used on the side T, the layer RRC of the side F receives a useless or unknown message in the local message RLC-AM-DAT-I*. The layer RRC of the side F infers therefrom that the side T has used a false key i.e. the unknown message is not ignored in this specific case”).
Both Hermann and Hars modified in view of Meiler teach a first device detecting an anomaly of a second device by checking a message received from the second device. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the criterion of the system ID of the second device received in the message from the second device being unmatched to the system ID of the first device taught by Hars modified in view of Meiler for a received message being cryptographically secured in an unknown or inadmissible manner taught by Hermann. It would have been obvious because doing so achieves the predictable result of detecting the anomaly of the second device.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751) as applied to claim 3 above, further in view of Meiler (US 2020/0074123), and further in view of Iida (US 2014/0081508).

Regarding claim 6, before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the piece of information that characterizes the surroundings in which the unit is operated taught by Hars with the communication message (the encrypted system ID of the second device 804 received by the first device 802 from the second device 804 in step 916 of Figs. 8A, 9A) taught by Meiler (see the rejection of claim 3 above). However, Hars fails to teach in the case of a cryptographically secured communication.
In the same field of endeavor, Meiler teaches in the case of a cryptographically secured communication (see [0098] and Fig. 8A: “when response based on the system ID is transmitted to the first device 802 from the second device 804 in 914, the communication may be encrypted. For example, a secure communication link may be established between the first and second devices 802 and 804, the response or portions of it may be encrypted, the system ID stored on the second device 804 may be encrypted, or the like”).
Both Hars and Meiler teach a method for handling attacks on a unit for controlling a machine. Before the effective date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Hars such that the surroundings in which the unit is operated is characterized by messages for the communication that are transmitted in a cryptographically secured manner, as taught by Meiler. It would have been obvious because Meiler teaches the following: “a secure communication link may be established between the first and second devices 802 and 804, the response or portions of it may be encrypted, the system ID stored on the second device 804 may be encrypted, or the like. As a result, it may be more difficult for an eavesdropper to obtain the correct system ID response from the second device 804” (see Meiler [0098]).

Meiler modified in view of Hars fails to teach wherein, a message counter is used that evaluates a piece of information about a relation between messages in the communication, the anomaly being detected if an inadmissible or unknown relation between the messages in the communication is established as a function of an evaluation of the message counter.
However, Iida teaches wherein, a message counter is used that evaluates a piece of information about a relation between messages in the communication, the anomaly being detected if an inadmissible or unknown relation between the messages in the communication is established as a function of an evaluation of the message counter (see [0069] and Fig. 6: “step 602 is performed to determine whether the message counter is abnormal. The message counter is checked for an abnormality by comparing its current value to its previous value stored in the receiving-end communication protection section. If the current value is equal to the previous value or a wrong sequence is stored in the counter, the message counter is determined to be abnormal and processing proceeds to step 604. If the message counter is normal, processing proceeds to step 605”. And see [0071]: “In step 604, the check result is determined to be abnormal as the message counter is abnormal”). 
Both Iida and Hars modified in view of Meiler teach a communication abnormality check method. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the criterion of the system ID of the second device received in the message from the second device being unmatched to the system ID of the first device taught by Hars modified in view of Meiler for the anomaly being detected if an inadmissible or unknown relation between the messages in the communication is established as a function of an evaluation of the message counter taught by Iida. It would have been obvious because doing so achieves the predictable result of detecting the anomaly of the communication.
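
The two receive-side criteria relied on above, shown as an added illustration that is not part of this Office action or of any cited reference: a frame secured in an unknown or inadmissible manner (the Hermann criterion applied to claim 4) and an abnormal message counter (the Iida criterion applied to claim 6). The frame layout, the truncated HMAC-SHA256 tag, the 16-bit wrapping counter that must advance by exactly one, and all names are assumptions.

```python
"""Receive-side anomaly checks on protected frames (constructed example)."""
import hashlib
import hmac
import struct
from enum import Enum

TAG_LEN = 8            # assumed: HMAC-SHA256 tag truncated to 8 bytes
COUNTER_MOD = 1 << 16  # assumed: 16-bit message counter that wraps around


class Verdict(Enum):
    OK = "ok"
    BAD_PROTECTION = "secured in an unknown or inadmissible manner"
    COUNTER_REPEATED = "counter equal to previous value"
    COUNTER_SEQUENCE = "counter out of sequence"


def protect(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: counter || payload || truncated HMAC over both."""
    body = struct.pack(">H", counter % COUNTER_MOD) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Keeps the shared key and the last accepted counter value."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self._key = key
        self._last = last_counter % COUNTER_MOD

    def check(self, frame: bytes) -> Verdict:
        # 1. Protection check: a frame that is too short to carry a tag, or
        #    whose tag does not verify under the expected key, is treated as
        #    secured in an unknown or inadmissible manner.
        if len(frame) < 2 + TAG_LEN:
            return Verdict.BAD_PROTECTION
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return Verdict.BAD_PROTECTION

        # 2. Counter check, only on authenticated frames: compare the current
        #    value with the stored previous value.
        (counter,) = struct.unpack(">H", body[:2])
        if counter == self._last:
            return Verdict.COUNTER_REPEATED
        if counter != (self._last + 1) % COUNTER_MOD:
            return Verdict.COUNTER_SEQUENCE

        # Only an accepted frame advances the stored counter, so a rejected
        # frame cannot desynchronise the receiver.
        self._last = counter
        return Verdict.OK


def demo() -> list:
    """Run constructed frames through one receiver and collect the verdicts."""
    key = bytes(range(16))        # constructed sample key
    wrong_key = bytes(16)         # constructed key the receiver does not hold
    rx = Receiver(key, last_counter=0)
    good = protect(key, 1, b"\x10\x20")
    frames = [
        good,                               # fresh, correctly protected
        good,                               # same frame delivered again
        protect(wrong_key, 2, b"\x10\x20"), # protected under another key
        protect(key, 5, b"\x10\x20"),       # valid tag, counter jumps ahead
        protect(key, 2, b"\x10\x20"),       # next expected frame
    ]
    return [rx.check(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name)
```
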

Claims 7, 8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751), and further in view of Priel (US 2010/0332851).

Regarding claim 7, Hars fails to teach wherein the variable characterizes a voltage or current supply of the unit in a supply network of the vehicle, the anomaly being detected when a deviation of a characteristic curve of the voltage or current supply from an expected characteristic curve is established.
In the same field of endeavor, Priel teaches wherein the variable characterizes a voltage or current supply of the unit in a supply network (see [0047] and Fig. 3: “It is noted that method 100 can also include one or more of the following optional stages: (i) stage 140 of determining whether a level of a supply voltage is outside an allowed supply voltage level range; and (ii) stage 142 of determining if a monitored temperature is outside an allowed temperature range. If one (or both) of the answers to these questions is positive then method 100 can jump to stage 130 (if either one of these changes mandates an appliance of a cryptographic module protective measure) or to stage 120 (if either one of these changes is only a factor in the determination of whether to apply a cryptographic module protective measure)”).
Both Priel and Hars teach a method for protecting a unit by detecting an anomaly of the surroundings of the unit. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the variable that defines an operation of the unit in the vehicle taught by Hars with the variable that characterizes a voltage or current supply of the unit in a supply network taught by Priel, the anomaly being detected when a deviation of a characteristic curve of the voltage or current supply from an expected characteristic curve is established, as taught by Priel. It would have been obvious because doing so achieves the predictable result of detecting the anomaly of the surroundings of the unit.
Because Hars teaches that the unit is in a vehicle, Hars modified in view of Priel would teach wherein the variable characterizes a voltage or current supply of the unit in a supply network of the vehicle, the anomaly being detected when a deviation of a characteristic curve of the voltage or current supply from an expected characteristic curve is established, as recited in claim 7.

Regarding claim 8, Priel further teaches wherein the surroundings in which the unit is operated is characterized by a characteristic curve of the voltage or current supply, the deviation being detected when the characteristic curve of the voltage or current supply has a constant value at least temporarily or when the voltage or current supply has fluctuations within a range about a constant value at least temporarily (see [0047] and Fig. 3: “It is noted that method 100 can also include one or more of the following optional stages: (i) stage 140 of determining whether a level of a supply voltage is outside an allowed supply voltage level range; and (ii) stage 142 of determining if a monitored temperature is outside an allowed temperature range. If one (or both) of the answers to these questions is positive then method 100 can jump to stage 130 (if either one of these changes mandates an appliance of a cryptographic module protective measure) or to stage 120 (if either one of these changes is only a factor in the determination of whether to apply a cryptographic module protective measure)”).

Regarding claim 10, Hars fails to teach wherein the variable characterizes a switching-on or switching-off process of the unit, the surroundings in which the unit is operated being characterized by a course of the switching-on or switching-off process of the unit, the anomaly being detected when it is established that the switching-on or switching-off process of the unit is: (i) carried out more infrequently than a predefined minimum number or more frequently than a predefined maximum number within a time interval, or (ii) carried out only incompletely, or (iii) aborted with regard to reaching the first operating mode.
In the same field of endeavor, Priel teaches wherein the variable characterizes a switching-on or switching-off process of the unit, the surroundings in which the unit is operated being characterized by a course of the switching-on or switching-off process of the unit, the anomaly being detected when it is established that the switching-on or switching-off process of the unit is: (i) carried out more infrequently than a predefined minimum number or more frequently than a predefined maximum number within a time interval (see [0043] and Fig. 3: “Stage 110 is followed by stage 120 of estimating a functionality of a circuit that is adapted to malfunction when being provided with a supply voltage of a first level and a clock signal that has a frequency that exceeds a first frequency threshold. The cryptographic module is adapted to malfunction when being provided with a supply voltage of the first level and a clock signal that has a frequency that exceeds a second frequency threshold. The second frequency threshold is higher than the first frequency threshold. The first frequency threshold is higher than a nominal operational frequency of the cryptographic module when provided with a supply voltage of the first level”), or (ii) carried out only incompletely, or (iii) aborted with regard to reaching the first operating mode.
Both Hars and Priel teach a method for protecting a unit by detecting an anomaly of the surroundings of the unit. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the variable that defines an operation of the unit in the vehicle taught by Hars with the variable that characterizes a switching-on or switching-off process of the unit, the surroundings in which the unit is operated being characterized by a course of the switching-on or switching-off process of the unit, the anomaly being detected when it is established that the switching-on or switching-off process of the unit is: (i) carried out more infrequently than a predefined minimum number or more frequently than a predefined maximum number within a time interval, or (ii) carried out only incompletely, or (iii) aborted with regard to reaching the first operating mode, as taught by Priel. It would have been obvious because doing so achieves the predictable result of detecting the anomaly of the surroundings of the unit.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751), and further in view of Inoue (US 2017/0354027).

Regarding claim 9, Hars fails to teach wherein the variable characterizes a current from a photodiode or through a circuit, the surrounding in which the unit is operated being characterized by a characteristic curve of the current, the anomaly being detected when it is established that the current is generated by the photodiode or that there is no current flowing through the circuit.   
However, Inoue teaches an information processing apparatus in a casing with an anti-tampering function by an erasing unit erasing information when opening of the casing is detected (see [0004]), wherein the variable characterizes a current from a photodiode or through a circuit, the surrounding in which the unit is operated being characterized by a characteristic curve of the current, the anomaly being detected when it is established that the current is generated by the photodiode or that there is no current flowing through the circuit (see [0043] and Fig. 2: “in the case where the main body 11 is opened from the surface on the opposite side to the opening part 11a and light enters, light is irradiated onto the light receiving surface 31a of the other photoelectric conversion unit 31. In the case where light is irradiated onto the light receiving surface 31a, the photoelectric conversion unit 31 converts the light irradiated onto the light receiving surface 31a into electric power. A solar cell, for example, is used for the photoelectric conversion unit 31”. The Examiner interprets a solar cell as a photodiode).
Both Hars and Inoue teach a tamper-proof unit. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to substitute the variable that defines an operation of the unit in the vehicle taught by Hars with the variable that characterizes a current from a photodiode or through a circuit, the surrounding in which the unit is operated being characterized by a characteristic curve of the current, the anomaly being detected when it is established that the current is generated by the photodiode or that there is no current flowing through the circuit, as taught by Inoue.  It would have been obvious because doing so achieves the predictable result of detecting tampering of the surroundings of the unit.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751), and further in view of Schwan (US 2004/0187035).
	
	Regarding claim 11, Hars fails to teach wherein the unit is operated in the second operating mode for a predefined period of time after the anomaly has been established.
	In the same field of endeavor, Schwan teaches that a control unit for controlling an automobile engine is enclosed in a housing such that the operability of the control unit is at least partly destroyed when the housing is opened (see abstract and [0013], [0016]), wherein the unit is operated in the second operating mode for a predefined period of time (see [0018]: “The possible change of data or the program code within the control unit by an authorized person while at the same time safely preventing tampering also has the advantage that for example only temporary changes can be made which are automatically reset after a predetermined time period, for example after expiration of a certain additional license. In this way it is e.g. possible to rent or recharge power in the automobile for a limited time. Likewise, in control devices for navigation systems it is possible to rent temporarily for a certain trip geographical data on the regions to be crossed, i.e. maps of cities or regions, whose data are no longer available to the navigation system after expiration of a given time after the end of the trip”).
	Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Hars by letting the unit be operated in the second operating mode for a predefined period of time, as taught by Schwan. It would have been obvious because Schwan teaches that doing so enables automatic reset of the function of the vehicle after a predetermined time period (see Schwan [0018]). Because Hars teaches that the unit is operated in the second operating mode after the anomaly has been established, when Hars is modified in view of Schwan as described above, they would teach wherein the unit is operated in the second operating mode for a predefined period of time after the anomaly has been established.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Hars (US 2020/0042751), and further in view of Norton (US 2019/0089724).

Regarding claim 13, Hars fails to teach wherein an error is stored in an error memory when the anomaly is detected.
In the same field of endeavor, Norton teaches wherein an error is stored in an error memory when the anomaly is detected (see [0021] and Fig. 1: “security processor 102 stores a record of the attempted tampering in a security log”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the method of Hars by letting an error be stored in an error memory when the anomaly is detected, as taught by Norton. It would have been obvious because doing so achieves the commonly understood benefit of keeping a record of the detected anomaly.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495