DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 10/24/2022.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/24/2022 has been entered.
Status of claims in the instant application:
Claims 1-20 are pending.
Claims 1, 6-8, 11, 16, 18 and 20 have been amended.
No claim has been canceled.
No new claim has been added.
Response to Arguments 
Applicant’s arguments, see pages [6-7] of the remarks filed on 10/24/2022, with respect to the rejections of the claims under 35 USC 103 have been fully considered in view of the claim amendments, but they are not persuasive. The Applicant is directed to Examiner’s response below.
Applicant states/argues, pages [6-7] of the remarks filed on 10/24/2022, that “The Final Office Action alleges that Hayden teaches "identifying patterns within each of the plurality of segments, wherein each pattern comprises one or more commands from the bus controller of the communication bus using a pattern recognition module." (Final Office Action, p. 10.) Contrary to the allegations in the Final Office Action, however, Hayden and the instant application do not use the term "pattern" in the same way. The instant application teaches patterns of commands from a bus controller. Claim 1 has been amended to expressly recite "patterns of commands." Hayden uses the term patterns to refer to traffic patterns of data on a bus, as acknowledged in the Final Office Action, "the CWR characterizes traffic patterns and models the complete range of normal system behaviors" (Final Office Action, p. 10, quoting Hayden, emphasis in the Final Office Action). Claim 1 does not relate to traffic patterns. Rather, claim 1 relates to patterns of commands, and thus amended claim 1 recites, "identifying patterns of commands within each of the plurality of segments, wherein each pattern comprises one or more commands from the bus controller of the communication bus using a pattern recognition module." Hayden does not provide such a teaching or suggestion.
In Hayden, "[e]ach sensor may look for different types of data that is inconsistent with known normal bus traffic. Bus traffic identified as anomalous by the anomaly detecting sensors can be input to a data fusing engine to fuse anomalous data events from the different sensors (e.g., that share the same time). The fused data can be identified by the data fusing engine as normal (e.g., falling into patterns of earlier observed anomalous data, so likely harmless) or abnormal (e.g., not observed earlier, so likely to be of concern, such as a cyberattack)." (Paragraph [0025], Hayden.) Thus, Hayden only looks at data bits across the bus and does not treat any of the data bits as a command and thus, does not teach or suggest "identifying patterns within each of the plurality of segments, wherein each pattern comprises one or more commands," as recited in claim 1”
In response, after due consideration, Examiner finds Applicant’s arguments not persuasive. Examiner further notes that, while arguing that Hayden does not disclose “commands”, Applicant has omitted portions of Hayden that were cited along with Para [0025]. In the final office action dated 07/22/2022, page [10], Examiner also cited Para [0020, 0041, 0047, 0056] along with Para [0025]. Examiner reproduces below Para [0056] and other portions of Hayden that have been cited in the office action:
“Hayden, Para [0056]: Bus controllers have a great degree of control over a 1553 network. A compromised bus controller enables a high degree of control by the cyber-attacker, such as enabling the attacker to initiate new messages, remove existing messages, or intercept and modify data in transit between remote terminals. Compromised remote terminals, on the other hand, can disrupt the network by, for example, initiating new messages on the 1553 bus without coordination by the bus controller, impersonating a different remote terminal, or even attempting to become the bus controller. A compromised bus controller or remote terminal on the 1553 network could deny messaging between other remote terminals. Attacks can also violate the basic rules and conventions of the 1553 standard, or the application layer data they contain. Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information.
Hayden, Abstract: Techniques are provided for cyber warning. One technique includes a cyber warning receiver (CWR). The CWR includes a bus sensing circuit to sense traffic on a communications bus over time, an anomaly detecting circuit to detect anomalous behavior in the sensed bus traffic, a data fusing circuit to fuse the detected anomalous behavior into groups having similar characteristics, a decision making circuit to decide if the fused anomalous behavior is normal or abnormal, and a behavior logging circuit to log the detected anomalous behavior on an electronic storage device. In one embodiment, the CWR further includes a behavior alerting circuit to alert an operator to the fused anomalous behavior identified as abnormal. In one embodiment, the communications bus is an embedded communications bus, such as a MIL-STD-1553 bus, and the CWR is a standalone device configured to connect to the MIL-STD-1553 bus as a bus monitor.
Hayden, Para [0020]: In some embodiments, CWR units couple other anomaly detection and data fusion capabilities with the multitude of communications technologies commonly employed by platforms to provide the missing cyber situational awareness. The CWR can monitor platform traffic data from a bus monitor location, ensuring bus traffic is monitored with no interference to the other systems operating on the bus. According to one or more embodiments, during controlled training periods, the CWR characterizes traffic patterns and models the complete range of normal system behaviors. After training, the CWR detects abnormal behavior between systems residing on the platform bus and takes appropriate action, such as alerting an operator of the anomalous behavior as well as logging the behavior for post mission/test analysis. In some embodiments, fusion capabilities aggregate system-wide observations to infer and report the overall system security state. The CWR thus provides situational awareness, active defense, and forensics data for novel attacks, protecting the platform from malicious messages and data being transmitted on the bus.
Hayden, Para [0025]: In some embodiments, the CWR includes anomaly detecting sensors. Such sensors may be machine learning sensors (such as neural network sensors), trained on real (e.g., uncompromised) bus traffic to look for characteristics of normal bus traffic. Each sensor may look for different types of data that is inconsistent with known normal bus traffic. Bus traffic identified as anomalous by the anomaly detecting sensors can be input to a data fusing engine to fuse anomalous data events from the different sensors (e.g., that share the same time). The fused data can be identified by the data fusing engine as normal (e.g., falling into patterns of earlier observed anomalous data, so likely harmless) or abnormal (e.g., not observed earlier, so likely to be of concern, such as a cyberattack). Today's weapon systems can benefit from the ability to both detect cyberattacks in real time and allow for post-mission system cyberattack analysis. Knowing when and how a system is experiencing cyberattacks informs the next steps required for persistent cyber defense of military weapons systems. In one or more embodiments, a CWR located on aviation platforms (manned or unmanned) provides real-time cyberattack notification (such as alerting an operator of abnormal bus traffic) and the ability to conduct post mission cyber analysis.
Hayden, Para [0047]: In one or more embodiments, the anomaly detecting circuit 420 applies a joint probability distribution over the observable space of traffic generated by system component interactions. These include, but are not limited to, frequency, rate, volume, and content of messages exchanged over a common bus. In order to avoid making incorrect assumptions about the parametric form of these distributions, in some embodiments, non-parametric learning via kernel density estimation (KDE) is used to train the anomaly detecting circuit 420. Then when presented with new observations, the CWR 400 identifies anomalous communication patterns and, using prior observations, calculates the marginal distribution to estimate the expected response given the impulse. This method is a non-parametric method, such as one where there are no a priori assumptions about the structure of underlying stochastic process (e.g., Gaussian, multinomial, Bernoulli, or the like). Instead, in one or more embodiments, for each sample, the joint probability is estimated based on its “proximity” to other previously observed samples. In some embodiments, the anomaly detecting circuit 420, in conjunction with the data fusing circuit 430 and decision making circuit 440, will yield detection artifacts that provide human-readable policy language, which allows for post-mission cyber analysis”
Examiner asserts that the portions of Hayden reproduced above, along with other cited portions, clearly disclose that the traffic/messages/data on the bus are monitored over time for anomaly detection, and that the traffic/messages/data to and from the bus controller include, among other things, control “commands”. Thus, the system of Hayden detects/identifies commands on the bus between controllers, and/or between controller[s] and terminal[s], to detect/identify patterns of anomalous communication over time, so as to detect compromised entities (controller[s], terminal[s], …). Applicant is further directed to Para [0057, 0060, 0078] of Hayden for additional clarification.
Examiner further notes that Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant makes no further arguments regarding claim 1 beyond those already addressed by the Examiner above. Thus, Examiner asserts that the combination of Hayden and Ruvio renders Applicant’s claimed invention obvious.
Applicant also makes no separate argument regarding the remaining claims (claims 2-20) and relies on the arguments made for claim 1, which the Examiner has already addressed above. Thus, the Applicant is directed to Examiner’s response above for the remaining claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 6, 7, 8, 9, 10, 11, 16, 17, 18, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0367553 A1 to Hayden et al. (hereinafter “Hayden”) in view of Pub. No.: US 2018/0196941 A1 to RUVIO et al. (hereinafter “RUVIO”).
Regarding Claim 1. Hayden discloses A method for detecting a communication anomaly on a communication bus (Hayden, Abstract: … Techniques are provided for cyber warning. One technique includes a cyber warning receiver (CWR). The CWR includes a bus sensing circuit to sense traffic on a communications bus over time, an anomaly detecting circuit to detect anomalous behavior in the sensed bus traffic …), the method comprising:
segmenting a training data set into a plurality of segments (Hayden, FIG. 6-7, Para [0015, 0078, 0080-0084]: … The anomaly-based approach can use a two-stage decision and classification process. Using machine learning techniques, normal bus traffic can be monitored to train one or more anomaly detectors to identify anomalous bus traffic. Anomalous behavior from these detectors can then be used to train a data fuser that fuses anomalous data sharing similar characteristics (such as being collected at the same time) to identify which of the anomalous behavior is normal and which is abnormal (e.g., possible cyberattack)  … The MIL-STD-1553 bus is identified as a prime location for observing cyberattacks in progress. This bus is pervasive across both modern and legacy defense platforms, and forms the backbone for exchanges of commands, status, and data between operators and the critical subsystems essential to the function of a platform … FIG. 6 is a schematic diagram illustrating an example neural network-based anomaly sensor 600 for analyzing bus traffic and a partially observable Markov decision process (POMDP) based alert generator 650 for deciding if the analyzed bus traffic is normal or abnormal. The anomaly sensor 600 includes a neural network 610 for inputting bus traffic messages 615 (such as MIL-STD-1553 messages) at input nodes (or neurons) 620 that make up a first layer (or input layer) of the neural network 610. The inputted bus traffic (e.g., next bus traffic message) causes some of the input nodes 620 to fire, sending weighted signals down corresponding connections (or axions or synapses) 625 to hidden nodes 630 that make up a second layer (or hidden layer) of the neural network 610 … The output state 645 is the useful information (e.g., classification, such as anomalous or not) returned by the neural network 610 based on the input bus traffic message 615. 
The neural network 610 can be trained to identify whether or not bus traffic messages exhibit anomalous behavior based on machine learning techniques that assign weights to the connections 625 and 635 … The neural network 710 is an example of a feedforward neural network (e.g., processing moves in one direction from inputs to outputs and without any feedback). For example, each input node 720 in the input layer can represent a different corresponding byte of a fixed length message (in this case, N =162 input nodes for a 162-byte message, as might be used in a message packet in a 1553 network) …; Examiner’s Note: training data i.e. the 1553 message is split into segments at input nodes 620), wherein the training data set comprises of commands from a bus controller of the communication bus (Hayden, Para [0056]: … Bus controllers have a great degree of control over a 1553 network. A compromised bus controller enables a high degree of control by the cyber-attacker, such as enabling the attacker to initiate new messages, remove existing messages, or intercept and modify data in transit between remote terminals. Compromised remote terminals, on the other hand, can disrupt the network by, for example, initiating new messages on the 1553 bus without coordination by the bus controller, impersonating a different remote terminal, or even attempting to become the bus controller. A compromised bus controller or remote terminal on the 1553 network could deny messaging between other remote terminals. Attacks can also violate the basic rules and conventions of the 1553 standard, or the application layer data they contain. Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information …);
identifying patterns of commands within each of the plurality of segments, wherein each pattern comprises one or more commands from the bus controller of the communication bus [using a pattern recognition module] (Hayden, Para [0020, 0025,  0041, 0047, 0056]: … The CWR can monitor platform traffic data from a bus monitor location, ensuring bus traffic is monitored with no interference to the other systems operating on the bus. According to one or more embodiments, during controlled training periods, the CWR characterizes traffic patterns and models the complete range of normal system behaviors … The data fusing circuit 430 can group instances of anomalous behavior detected by the anomaly detecting circuit 420 into collections or patterns of instances that share common characteristics (such as common temporal or behavioral characteristics)… the anomaly detecting circuit 420 applies a joint probability distribution over the observable space of traffic generated by system component interactions. These include, but are not limited to, frequency, rate, volume, and content of messages exchanged over a common bus. In order to avoid making incorrect assumptions about the parametric form of these distributions, in some embodiments, non-parametric learning via kernel density estimation (KDE) is used to train the anomaly detecting circuit 420. Then when presented with new observations, the CWR 400 identifies anomalous communication patterns and, using prior observations, calculates the marginal distribution to estimate the expected response given the impulse. This method is a non-parametric method, such as one where there are no a priori assumptions about the structure of underlying stochastic process (e.g., Gaussian, multinomial, Bernoulli, or the like). Instead, in one or more embodiments, for each sample, the joint probability is estimated based on its "proximity" to other previously observed samples. 
In some embodiments, the anomaly detecting circuit 420, in conjunction with the data fusing circuit 430 and decision making circuit 440, will yield detection artifacts that provide human-readable policy language, which allows for post-mission cyber analysis … Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information …); and
generating a statistical model within a training module, the statistical model representing probability relationships between identified patterns of commands (Hayden, Para [0039, 0047, 0056]: …  The anomaly detecting circuit 420 may generate a significant amount of data. For example, it can be quite challenging to subject an avionics platform to all of the possible use scenarios during testing of the platform (and corresponding training of the anomaly detection algorithm used in the anomaly detecting circuit 420) … the CWR 400 identifies anomalous communication patterns and, using prior observations, calculates the marginal distribution to estimate the expected response given the impulse. This method is a non-parametric method, such as one where there are no a priori assumptions about the structure of underlying stochastic process (e.g., Gaussian, multinomial, Bernoulli, or the like). Instead, in one or more embodiments, for each sample, the joint probability is estimated based on its "proximity" to other previously observed samples …), [wherein the probability relationships define the probability of a first pattern of commands to occur after a second pattern of commands].
However, Hayden does not explicitly teach, but RUVIO from same or similar field of endeavor teaches:
“identifying patterns of commands …  using a pattern recognition module (RUVIO, Abstract, Para [0018, 0024, 0058, 0069, 0093, 0130, 0142]: …  a comparator unit in communication with the characterization module, configured to compare one or more the characteristics of at least one frame against characteristics of each the ECU communication in order to detect at least one anomaly …  It is another object of the present invention to disclose the system as described in any of the above, wherein the relation characteristic comprises at least one of: (a) timing between sending at least one frame and receiving at least one response frame; (h) the sent frame and the response frame at least one characteristic selected from: time based characteristic, electrical based characteristic, physical CAN BUS based characteristic; (i) the sent frame and the response frame one or more time evaluated characteristic selected from: (i) timing between consecutive frames; (ii) timing between a frame and a last similar frame; (iii) timing between predefined frame patterns; (iv) timing between learned patterns … The term “CAN”, “Controller Area Network”, refers hereinafter to any controller network with a frame based protocol, for communication between devices without a host computer. CAN further provides a multi-master redundant network, operating even if some of the nodes are not functioning. CAN frames are not associated with a recipient address but are classified over their identifier. 
As a consequence, CAN controllers broadcast their frames to all connected nodes … (iii) one or more Comparator unit(s) in communication with the characterization module, configured to compare one or more the characteristics of at least one frame against characteristics of each the ECU communication in order to detect at least one anomaly; and, (iv) one or more Identification module(s) in communication with the Comparator, configured to identify at least one ECU originating an attack on the CAN bus; (b) monitoring (320) the CAN bus communication to and from at least one ECU by means of the monitoring unit; (c) (330) characterizing the communication (at least one frame) by generating at least one characteristics of the monitored communication by means of the Characterization module; (d) comparing (340) at least one characteristics of at least one frame by means of the comparator against at least one ECU characteristics in order to detect at least one anomaly; (e) identifying (350) at least one ECU by means of the identification module, originating an attack on the CAN bus; wherein the step (d) of comparing at least one characteristic by the comparator additionally comprising generating at least one event for at least one detected anomaly comprising at least one characteristic difference and forwarding the event to the identification module configured to identify at least one ECU originating the attack according to the characteristic difference …); Examiner’s Note: Hayden already discloses “patterns of commands”, as cited previously;
wherein the probability relationships define the probability of a first pattern of commands to occur after a second pattern of commands (RUVIO, Para [0031-0032, 0103, 0113, 0130]: … the mapping module is configured to generate at least one probability matrix of possible the response frames and/or the response frames characteristics and/or the frame relation characteristics for at least one sent frame according to the mapping database … compare at least one relation characteristics between at least one first frame and at least one second frame against one or more the probability matrix provided relation characteristic … Additionally or alternatively, when characterizing at least one ECU communication by said characterizing module and/or said mapping module, the characterization can be a factor of, for example, at least one or any combination thereof of: at least one frame communicated, an analysis of a plurality of (more than 1) frames at least temporarily stored and analyzed for at least one characteristic, characteristic set, a characteristics probability matrix, a Markov model of the optional characteristics of each ECU, statistical correlation examination of at least one characteristic to a set of data, statistical significance of at least one characteristic, the usability of using a specific characteristic in reference to its divergence, characterizing messages comprising one or more frames, the typical frame sequence, the typical frame timing, electrical based characteristics, time based characteristics, physical based characteristics … According to another embodiment of the invention, the system as described above is disclosed, wherein the characterization module is further configured to evaluate time based characteristics selected from: (a) timing between consecutive frames; (b) timing between a frame and the last similar frame; (c) timing between predefined frame patterns; (d) timing between detected frame patterns; (e) sequence in which frames are 
transmitted; (f) timing distribution within frame patterns; (g) timing between different frame types; (h) timing between same frame types; (i) timing between interframe spaces; and, (j) any combination thereof …); Examiner’s Note: Hayden already discloses “patterns of commands”, as cited previously”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of RUVIO into the teachings of Hayden, because it discloses that “none of the prior art examples disclose means of identifying an attack originator by specific characteristics, or any means of mapping the architecture and/or logic of the specific bus communication system thereby providing rapid identification of an attack originator (RUVIO, Para [0016]), and it is crucial to identifying both the actual frames that construct the attack and the source of the attack, there is a long felt need for tools enabling the identification of the network architecture malicious communication source, and malicious frames for providing security, in a cost effective, efficient manner to automotive bus communication systems and present invention provides a security system, useful for vehicle CAN bus communication attack originator identification (RUVIO, Para [0017-0018])”.
Regarding Claim 5. The combination of Hayden-RUVIO discloses the method of claim 1, Hayden further discloses, “wherein the statistical model comprises a Markov chain model (Hayden, Para [0009]: … FIG. 6 is a schematic diagram illustrating an example neural network-based anomaly sensor for analyzing bus traffic and a partially observable Markov decision process (POMDP) based alert generator for deciding if the analyzed bus traffic is normal or abnormal …).”
Regarding Claim 6. The combination of Hayden-RUVIO discloses the method of claim 1, Hayden further discloses, “wherein identifying patterns of commands within each of the plurality of segments comprises identifying largest possible patterns of commands before identifying smaller patterns of commands within each segment (Hayden, Para [0047, 0056, 0060]: … The next level up is the transport layer, which is responsible for schedule compliance (e.g., concepts such as valid message set, rates, and sequencing, retry, redundancy behaviors, and asynchronous message management). The transport layer defines platform-specific attributes relating to the use of 1553, such as number and length of message packets. Messages that occur on 1553 can be uniquely identified by attributes including their type, source, destination, and length. At this layer, it can be verified that the system is using the set of messages expected to occur as part of the defined schedule, with the appropriate sequence and timing. The CWR can account for changes to this schedule that may result from different operating modes for the platform. At this level, it is possible to enforce that retransmit or redundancy features spreading messages across multiple busses are performing as expected without misuse …; Examiner’s Note: the message/frame sequence, as disclosed by Hayden, can be based on the length of the message, thus making it obvious that identification of messages/frames/patterns can be done for the largest possible patterns before identifying smaller patterns within each segment).”
Regarding Claim 7. The combination of Hayden-RUVIO discloses the method of claim 1, Hayden further discloses, “wherein identifying patterns of commands within each of the plurality of segments comprises identifying one or more commands that do not fit into any pattern (Hayden, Para [0047, 0056, 0069]: … Further training of the anomaly detection algorithm can be performed, such as with the false positive data, all of the recently acquired bus data, or further acquired bus data (to name a few techniques) to better train the anomaly detection algorithm to identify bus data as either normal (e.g., matching the characteristics of previously acquired bus data under normal operating conditions) or anomalous (e.g., not matching the characteristics of previously acquired bus data under normal operating conditions). Such further training can be repeated through the above process until the rate of false positive data (or presumed false positive data) is reduced to an acceptable level (e.g., sufficiently low that the burden placed on experts to analyze the bus data identified as anomalous is acceptable, or within their capabilities) …).”
Regarding Claim 8. The combination of Hayden-RUVIO discloses the method of claim 1, Hayden further discloses, “wherein the patterns of commands are non-overlapping (RUVIO, Para [0024]: … the system as described in any of the above, wherein the characterization module is further configured to evaluate time based characteristics selected from: (a) timing between consecutive frames; …); Examiner’s Note: Hayden already discloses “patterns of commands”, as cited previously.”
The motivation to further combine RUVIO remains the same as in claim 1.
Regarding Claim 9. The combination of Hayden-RUVIO discloses the method of claim 1, Hayden further discloses, “wherein the communication bus comprises a MIL-STD-1533 (Hayden, Abstract: … the communications bus is an embedded communications bus, such as a MIL-STD-1553 bus, and the CWR is a standalone device configured to connect to the MIL-STD-1553 bus as a bus monitor …) or controller area network (CAN) communication bus.”
Regarding Claim 10. The combination of Hayden-RUVIO discloses the method of claim 1, Hayden further discloses, “further comprising:
monitoring commands transmitted from a second bus controller to one or more remote terminals (Hayden, Para [0035]: … the second communications bus 360 is connected to a bus controller 370, remote terminals 382, 384, 386, and 388, and CWR 390 … Each communications bus has its own CWR (e.g., CWR 340 or CWR 390) for monitoring bus traffic on its corresponding communications bus …); and
determining whether a first command in a group of commands from the second bus controller to the one or more remote terminals is abnormal using the statistical model (Hayden, Para [0035]: … Each communications bus has its own CWR (e.g., CWR 340 or CWR 390) for monitoring bus traffic on its corresponding communications bus. In other embodiments, there can be three or more such communications busses and corresponding controllers, remote terminals, and CWRs, all part of a larger CWR system …).”
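As an added illustration of the method as the claims recite it (the segmenting, pattern-identifying and model-generating steps of claim 1, the Markov chain of claim 5, largest-first non-overlapping patterns per claims 6 and 8, leftover commands per claim 7, and the monitoring step of claim 10), the following Python is example code written for this page; it is not the applicant’s implementation and not anything from Hayden or RUVIO. The command tokens, the fixed segment size, the n-gram definition of a “pattern”, the greedy tiling and the training schedule are all assumptions made here.

```python
"""
Added worked example (not code from the application, Hayden or RUVIO):
the claim-1/5/10 steps as recited, run on a constructed stream of
MIL-STD-1553 bus-controller command words.

Assumptions (mine, not the page's): a command is a token such as "RT1_RX"
(command word addressed to remote terminal 1, receive); segments are
fixed-size chunks of the stream; a "pattern" is a command n-gram that recurs
at least MIN_COUNT times in training; segments are tiled largest-pattern-first
and non-overlapping (claims 6 and 8); a command matching no pattern stays a
singleton (claim 7); the statistical model is a first-order Markov chain over
pattern tokens (claim 5), so model[p][q] is P(pattern q follows pattern p).
"""
from collections import Counter, defaultdict

MIN_COUNT = 3        # an n-gram must recur this often to count as a pattern
MAX_PATTERN_LEN = 3  # longest pattern considered


def segment(commands, size):
    """Claim 1, step 1: split the training stream into fixed-size segments."""
    return [tuple(commands[i:i + size]) for i in range(0, len(commands), size)]


def learn_patterns(segments):
    """Claim 1, step 2a: command n-grams that recur across training segments."""
    counts = Counter()
    for seg in segments:
        for n in range(2, MAX_PATTERN_LEN + 1):
            for i in range(len(seg) - n + 1):
                counts[seg[i:i + n]] += 1
    return {gram for gram, c in counts.items() if c >= MIN_COUNT}


def tile(seg, patterns):
    """Claim 1, step 2b: cover one segment with non-overlapping patterns,
    trying the largest pattern first at each position (claims 6, 8).
    A command that fits no pattern is emitted as a singleton (claim 7)."""
    tiled, i = [], 0
    while i < len(seg):
        for n in range(min(MAX_PATTERN_LEN, len(seg) - i), 1, -1):
            if seg[i:i + n] in patterns:
                tiled.append(seg[i:i + n])
                i += n
                break
        else:
            tiled.append(seg[i:i + 1])
            i += 1
    return tiled


def train_markov(segments, patterns):
    """Claim 1, step 3 / claim 5: Markov chain over pattern tokens,
    P(next pattern | previous pattern) estimated from the tiled segments."""
    trans = defaultdict(Counter)
    for seg in segments:
        tiled = tile(seg, patterns)
        for prev, nxt in zip(tiled, tiled[1:]):
            trans[prev][nxt] += 1
    return {p: {q: c / sum(cs.values()) for q, c in cs.items()}
            for p, cs in trans.items()}


def build_model(commands, segment_size):
    """Run the three training steps; return (patterns, markov_model)."""
    segs = segment(commands, segment_size)
    patterns = learn_patterns(segs)
    return patterns, train_markov(segs, patterns)


def score_group(group, patterns, model, threshold=0.05):
    """Claim 10: decide whether a group of monitored commands is abnormal.
    Returns (is_abnormal, lowest pattern-transition probability in the group);
    a transition never observed in training scores 0.0."""
    tiled = tile(tuple(group), patterns)
    low = 1.0
    for prev, nxt in zip(tiled, tiled[1:]):
        low = min(low, model.get(prev, {}).get(nxt, 0.0))
    return low < threshold, low


# Constructed training data: a bus-controller schedule built from two major
# frames. MAJOR_A polls RT1/RT2/RT3, then RT4 and RT1, then a sync to RT5;
# MAJOR_B differs only in polling RT3 instead of RT1 before the sync.
MAJOR_A = ["RT1_RX", "RT2_TX", "RT3_RX", "RT4_TX", "RT1_RX", "RT5_TX"]
MAJOR_B = ["RT1_RX", "RT2_TX", "RT3_RX", "RT4_TX", "RT3_RX", "RT5_TX"]
TRAINING = (MAJOR_A + MAJOR_A + MAJOR_B) * 8   # 144 commands of normal traffic

if __name__ == "__main__":
    patterns, model = build_model(TRAINING, segment_size=12)
    print("normal  :", score_group(MAJOR_B + MAJOR_A, patterns, model))
    # The RT4/RT1/RT5 pattern repeated without the RT1/RT2/RT3 poll between:
    # that pattern sequence never occurred in training, so the group is flagged.
    print("abnormal:", score_group(MAJOR_A + ["RT4_TX", "RT1_RX", "RT5_TX"],
                                   patterns, model))
```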
Regarding Claim 11. Hayden discloses A system for detecting a communication anomaly on a communication bus (Hayden, FIG. 2-3: Referring to FIG. 2, the CWR system 200 includes a communications bus 210 (such as a serial data bus configured to be driven according to the MIL-STD-1553 architecture), a bus controller 220 for controlling communications transmitted along the communications bus 210 according to an agreed-upon protocol (such as 1553), remote terminals 232, 234, 236, and 238 for performing various functions related to the avionics platform (such as weapons, other stores, or instrumentation control), and a CWR 240 for sensing communication or other traffic on the communications bus 210, detecting anomalous behavior among the traffic, fusing the detected anomalous behavior into groups of similar events, logging the detected anomalous behavior on an electronic data storage device, and alerting an operator if any of the fused groups have abnormal data (e.g., data with which to be concerned) … Referring to FIG. 3, the CWR system 300 is similar to the CWR system 200 of FIG. 2, however, the CWR system 300 includes two communications busses, namely a first communications bus 310 and a second communications bus 360 (such as serial data busses configured to be driven according to the MIL-STD-1553 architecture) on the same avionics platform …), the system comprising:
a memory (Hayden, Para [0029]: … The instructions, when executed on a given processor, cause the method 500 to be performed. For example, in one or more embodiments, a computer program product is provided. The computer program product includes one or more non-transitory machine-readable mediums (such as a compact disc, a DVD, a solid-state drive, a hard drive, RAM, ROM, on-chip processor cache, or the like);
one or more processors coupled to the memory (Hayden, Para [0029]: … the method 500 may be implemented as a series of computer instructions, such as software, firmware, or a combination of the two, together with one or more computer processors (e.g., one or more microprocessors). The instructions, when executed on a given processor, cause the method 500 to be performed. For example, in one or more embodiments, a computer program product is provided. The computer program product includes one or more non-transitory machine-readable mediums (such as a compact disc, a DVD, a solid-state drive, a hard drive, RAM, ROM, on-chip processor cache, or the like) encoded with instructions that when executed by one or more processors cause the method 500 (or other method described herein) to be carried out for cyber warning …), the one or more processors configured to:
segment a training data set into a plurality of segments (Hayden, FIG. 6-7, Para [0015, 0078, 0080-0084]: … The anomaly-based approach can use a two-stage decision and classification process. Using machine learning techniques, normal bus traffic can be monitored to train one or more anomaly detectors to identify anomalous bus traffic. Anomalous behavior from these detectors can then be used to train a data fuser that fuses anomalous data sharing similar characteristics (such as being collected at the same time) to identify which of the anomalous behavior is normal and which is abnormal (e.g., possible cyberattack) … The MIL-STD-1553 bus is identified as a prime location for observing cyberattacks in progress. This bus is pervasive across both modern and legacy defense platforms, and forms the backbone for exchanges of commands, status, and data between operators and the critical subsystems essential to the function of a platform … FIG. 6 is a schematic diagram illustrating an example neural network-based anomaly sensor 600 for analyzing bus traffic and a partially observable Markov decision process (POMDP) based alert generator 650 for deciding if the analyzed bus traffic is normal or abnormal. The anomaly sensor 600 includes a neural network 610 for inputting bus traffic messages 615 (such as MIL-STD-1553 messages) at input nodes (or neurons) 620 that make up a first layer (or input layer) of the neural network 610. The inputted bus traffic (e.g., next bus traffic message) causes some of the input nodes 620 to fire, sending weighted signals down corresponding connections (or axions or synapses) 625 to hidden nodes 630 that make up a second layer (or hidden layer) of the neural network 610 … The output state 645 is the useful information (e.g., classification, such as anomalous or not) returned by the neural network 610 based on the input bus traffic message 615. 
The neural network 610 can be trained to identify whether or not bus traffic messages exhibit anomalous behavior based on machine learning techniques that assign weights to the connections 625 and 635 … The neural network 710 is an example of a feedforward neural network (e.g., processing moves in one direction from inputs to outputs and without any feedback). For example, each input node 720 in the input layer can represent a different corresponding byte of a fixed length message (in this case, N =162 input nodes for a 162-byte message, as might be used in a message packet in a 1553 network)…; Examiner’s Note: training data i.e. the 1553 message is split into segments at input nodes 620), wherein the training data set comprises of commands from a bus controller of a communication bus (Hayden, Para [0015, 0047, 0056]: … Bus controllers have a great degree of control over a 1553 network. A compromised bus controller enables a high degree of control by the cyber-attacker, such as enabling the attacker to initiate new messages, remove existing messages, or intercept and modify data in transit between remote terminals. Compromised remote terminals, on the other hand, can disrupt the network by, for example, initiating new messages on the 1553 bus without coordination by the bus controller, impersonating a different remote terminal, or even attempting to become the bus controller. A compromised bus controller or remote terminal on the 1553 network could deny messaging between other remote terminals. Attacks can also violate the basic rules and conventions of the 1553 standard, or the application layer data they contain. Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information …);
identify patterns of commands within each of the plurality of segments, wherein each pattern comprises one or more commands from the bus controller of the communication bus [using a pattern recognition module] (Hayden, Para [0020, 0025,  0041, 0047, 0056]: … The CWR can monitor platform traffic data from a bus monitor location, ensuring bus traffic is monitored with no interference to the other systems operating on the bus. According to one or more embodiments, during controlled training periods, the CWR characterizes traffic patterns and models the complete range of normal system behaviors … The data fusing circuit 430 can group instances of anomalous behavior detected by the anomaly detecting circuit 420 into collections or patterns of instances that share common characteristics (such as common temporal or behavioral characteristics)… the anomaly detecting circuit 420 applies a joint probability distribution over the observable space of traffic generated by system component interactions. These include, but are not limited to, frequency, rate, volume, and content of messages exchanged over a common bus. In order to avoid making incorrect assumptions about the parametric form of these distributions, in some embodiments, non-parametric learning via kernel density estimation (KDE) is used to train the anomaly detecting circuit 420. Then when presented with new observations, the CWR 400 identifies anomalous communication patterns and, using prior observations, calculates the marginal distribution to estimate the expected response given the impulse. This method is a non-parametric method, such as one where there are no a priori assumptions about the structure of underlying stochastic process (e.g., Gaussian, multinomial, Bernoulli, or the like). Instead, in one or more embodiments, for each sample, the joint probability is estimated based on its "proximity" to other previously observed samples. 
In some embodiments, the anomaly detecting circuit 420, in conjunction with the data fusing circuit 430 and decision making circuit 440, will yield detection artifacts that provide human-readable policy language, which allows for post-mission cyber analysis … Bus controllers have a great degree of control over a 1553 network. A compromised bus controller enables a high degree of control by the cyber-attacker, such as enabling the attacker to initiate new messages, remove existing messages, or intercept and modify data in transit between remote terminals. Compromised remote terminals, on the other hand, can disrupt the network by, for example, initiating new messages on the 1553 bus without coordination by the bus controller, impersonating a different remote terminal, or even attempting to become the bus controller. A compromised bus controller or remote terminal on the 1553 network could deny messaging between other remote terminals. Attacks can also violate the basic rules and conventions of the 1553 standard, or the application layer data they contain. Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information … ); and
generate a Markov chain model representing probability relationships between identified patterns of commands (Hayden, Para [0009, 0047, 0056, 0088]: … FIG. 6 is a schematic diagram illustrating an example neural network-based anomaly sensor for analyzing bus traffic and a partially observable Markov decision process (POMDP) based alert generator for deciding if the analyzed bus traffic is normal or abnormal, according to an embodiment of the present disclosure … the CWR 400 identifies anomalous communication patterns and, using prior observations, calculates the marginal distribution to estimate the expected response given the impulse. This method is a non-parametric method, such as one where there are no a priori assumptions about the structure of underlying stochastic process (e.g., Gaussian, multinomial, Bernoulli, or the like). Instead, in one or more embodiments, for each sample, the joint probability is estimated based on its "proximity" to other previously observed samples … a POMDP is Markov in that the model satisfies the Markovian property: the state of the system at time k depends only on the state at time k-1 and observations at time k. Further, a POMDP is a decision process in that it uses the estimate of the condition of the system to make a decision about what action to take. A POMDP follows a state model in that the condition of the system is modeled by a set of states. However, the system is not "in a state" in the sense that the system is in one such state at any given time. Rather, the "state" of the system is a probability distribution across the possible states …), [wherein the probability relationships define the probability of a first pattern to occur after a second pattern].
However, Hayden does not explicitly teach, but RUVIO, from the same or a similar field of endeavor, teaches:
“identifying patterns of commands …  using a pattern recognition module (RUVIO; Abstract, Para [0058, 0069, 0093, 0142]: … a characterization module in communication with the CBM, configured to generate at least one characteristic for the monitored communication from each the ECU and at least one characteristic for each communication frame; (c) a comparator unit in communication with the characterization module, configured to compare one or more the characteristics of at least one frame against characteristics of each the ECU communication in order to detect at least one anomaly …  It is another object of the present invention to disclose the system as described in any of the above, wherein the relation characteristic comprises at least one of: (a) timing between sending at least one frame and receiving at least one response frame; (h) the sent frame and the response frame at least one characteristic selected from: time based characteristic, electrical based characteristic, physical CAN BUS based characteristic; (i) the sent frame and the response frame one or more time evaluated characteristic selected from: (i) timing between consecutive frames; (ii) timing between a frame and a last similar frame; (iii) timing between predefined frame patterns; (iv) timing between learned patterns … The term “CAN”, “Controller Area Network”, refers hereinafter to any controller network with a frame based protocol, for communication between devices without a host computer. CAN further provides a multi-master redundant network, operating even if some of the nodes are not functioning. CAN frames are not associated with a recipient address but are classified over their identifier. 
As a consequence, CAN controllers broadcast their frames to all connected nodes … (iii) one or more Comparator unit(s) in communication with the characterization module, configured to compare one or more the characteristics of at least one frame against characteristics of each the ECU communication in order to detect at least one anomaly; and, (iv) one or more Identification module(s) in communication with the Comparator, configured to identify at least one ECU originating an attack on the CAN bus; (b) monitoring (320) the CAN bus communication to and from at least one ECU by means of the monitoring unit; (c) (330) characterizing the communication (at least one frame) by generating at least one characteristics of the monitored communication by means of the Characterization module; (d) comparing (340) at least one characteristics of at least one frame by means of the comparator against at least one ECU characteristics in order to detect at least one anomaly; (e) identifying (350) at least one ECU by means of the identification module, originating an attack on the CAN bus; wherein the step (d) of comparing at least one characteristic by the comparator additionally comprising generating at least one event for at least one detected anomaly comprising at least one characteristic difference and forwarding the event to the identification module configured to identify at least one ECU originating the attack according to the characteristic difference …); Examiner’s Note: Hayden already discloses “patterns of commands”, as cited previously”,
wherein the probability relationships define the probability of a first pattern to occur after a second pattern (RUVIO, Para [0103, 0113, 0130]: … Additionally or alternatively, when characterizing at least one ECU communication by said characterizing module and/or said mapping module, the characterization can be a factor of, for example, at least one or any combination thereof of: at least one frame communicated, an analysis of a plurality of (more than 1) frames at least temporarily stored and analyzed for at least one characteristic, characteristic set, a characteristics probability matrix, a Markov model of the optional characteristics of each ECU, statistical correlation examination of at least one characteristic to a set of data, statistical significance of at least one characteristic, the usability of using a specific characteristic in reference to its divergence, characterizing messages comprising one or more frames, the typical frame sequence, the typical frame timing, electrical based characteristics, time based characteristics, physical based characteristics … According to another embodiment of the invention, the system as described above is disclosed, wherein the characterization module is further configured to evaluate time based characteristics selected from: (a) timing between consecutive frames; (b) timing between a frame and the last similar frame; (c) timing between predefined frame patterns; (d) timing between detected frame patterns; (e) sequence in which frames are transmitted; (f) timing distribution within frame patterns; (g) timing between different frame types; (h) timing between same frame types; (i) timing between interframe spaces; and, (j) any combination thereof …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of RUVIO with the teachings of Hayden, because RUVIO discloses that “none of the prior art examples disclose means of identifying an attack originator by specific characteristics, or any means of mapping the architecture and/or logic of the specific bus communication system thereby providing rapid identification of an attack originator” (RUVIO, Para [0016]); that it is crucial to identify both the actual frames that construct the attack and the source of the attack; that there is a long felt need for tools enabling the identification of the network architecture, the malicious communication source, and the malicious frames, for providing security to automotive bus communication systems in a cost effective, efficient manner; and that the present invention provides a security system useful for vehicle CAN bus communication attack originator identification (RUVIO, Para [0017-0018]).
Regarding Claim 16. This claim contains all the same or similar limitations as claim 6, hence it is similarly rejected.
Regarding Claim 17. The combination of Hayden-RUVIO discloses the system of claim 16, Hayden further discloses, “wherein the one or more processors are configured to identify one or more commands within a segment that do not fit into any pattern (Hayden, Para [0069]: … Further training of the anomaly detection algorithm can be performed, such as with the false positive data, all of the recently acquired bus data, or further acquired bus data (to name a few techniques) to better train the anomaly detection algorithm to identify bus data as either normal (e.g., matching the characteristics of previously acquired bus data under normal operating conditions) or anomalous (e.g., not matching the characteristics of previously acquired bus data under normal operating conditions). Such further training can be repeated through the above process until the rate of false positive data (or presumed false positive data) is reduced to an acceptable level (e.g., sufficiently low that the burden placed on experts to analyze the bus data identified as anomalous is acceptable, or within their capabilities) …).”
Regarding Claim 18. This claim contains all the same or similar limitations as claim 8, hence it is similarly rejected.
Regarding Claim 19. This claim contains all the same or similar limitations as claim 10, hence it is similarly rejected.
Regarding Claim 20. Hayden discloses A method for detecting a communication anomaly on a communication bus (Hayden, Abstract: … Techniques are provided for cyber warning. One technique includes a cyber warning receiver (CWR). The CWR includes a bus sensing circuit to sense traffic on a communications bus over time, an anomaly detecting circuit to detect anomalous behavior in the sensed bus traffic …), the method comprising:
monitoring commands transmitted from a bus controller to one or more remote terminals, wherein the bus controller and the one or more remote terminals are coupled to the communication bus (Hayden, Abstract, FIG. 2-3, Para [0019-0029, 0033-0034, 0056]: … The CWR can monitor platform traffic data from a bus monitor location … the communications bus is an embedded communications bus, such as a MIL-STD-1553 bus, and the CWR is a standalone device configured to connect to the MIL-STD-1553 bus as a bus monitor … Referring to FIG. 2, the CWR system 200 includes a communications bus 210 (such as a serial data bus configured to be driven according to the MIL-STD-1553 architecture), a bus controller 220 for controlling communications transmitted along the communications bus 210 according to an agreed-upon protocol (such as 1553), remote terminals 232, 234, 236, and 238 for performing various functions related to the avionics platform (such as weapons, other stores, or instrumentation control), and a CWR 240 for sensing communication or other traffic on the communications bus 210, detecting anomalous behavior among the traffic … Bus controllers have a great degree of control over a 1553 network. A compromised bus controller enables a high degree of control by the cyber-attacker, such as enabling the attacker to initiate new messages, remove existing messages, or intercept and modify data in transit between remote terminals. Compromised remote terminals, on the other hand, can disrupt the network by, for example, initiating new messages on the 1553 bus without coordination by the bus controller, impersonating a different remote terminal, or even attempting to become the bus controller. A compromised bus controller or remote terminal on the 1553 network could deny messaging between other remote terminals. Attacks can also violate the basic rules and conventions of the 1553 standard, or the application layer data they contain. 
Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information …); and
determining, [using a pattern recognition module], whether a first command in a group of commands from the bus controller to the one or more remote terminals is abnormal using a trained Markov chain model within a training module (Hayden, Para [0015, 0033-0034, 0040-0043, 0047, 0056]: … The anomaly-based approach can use a two-stage decision and classification process. Using machine learning techniques, normal bus traffic can be monitored to train one or more anomaly detectors to identify anomalous bus traffic. Anomalous behavior from these detectors can then be used to train a data fuser that fuses anomalous data sharing similar characteristics (such as being collected at the same time) to identify which of the anomalous behavior is normal and which is abnormal (e.g., possible cyberattack) … Referring to FIG. 2, the CWR system 200 includes a communications bus 210 (such as a serial data bus configured to be driven according to the MIL-STD-1553 architecture), a bus controller 220 for controlling communications transmitted along the communications bus 210 according to an agreed-upon protocol (such as 1553), remote terminals 232, 234, 236, and 238 for performing various functions related to the avionics platform (such as weapons, other stores, or instrumentation control), and a CWR 240 for sensing communication or other traffic on the communications bus 210, detecting anomalous behavior among the traffic, fusing the detected anomalous behavior into groups of similar events, logging the detected anomalous behavior on an electronic data storage device, and alerting an operator if any of the fused groups have abnormal data (e.g., data with which to be concerned) … In addition, in some embodiments, the CWR further includes a decision making circuit 440 to further classify the different groups by likelihood of being a cyberattack, such as being normal (not likely a cyberattack) or abnormal (likely a cyberattack, or at least bus traffic to be concerned about) … In some embodiments, the decision making circuit 440 uses a partially observable Markov decision process to integrate the fused outputs of multiple anomaly detectors to improve confidence before notifying or alerting operators of potential cyberattacks … In some embodiments, the decision making circuit 440 is an expert-coded model of anomalous behavior characterization. Using known patterns of benign, yet still anomalous, behavior, and perhaps known patterns of concerning (and possibly cyberattack) behavior, an expert could program the decision making circuit 440 to classify the patterns of anomalous bus traffic identified by the anomaly detecting circuit 420 (and fused by the data fusing circuit 430) as either harmless or concerning (e.g., worthy of alerting the operator of the avionics platform or specially identifying for post mission/test analysis by an expert as a possible cyberattack). In some embodiments, the decision making circuit 440 uses a partially observable Markov decision process to integrate the fused outputs of multiple anomaly detectors to improve confidence before notifying or alerting operators of potential cyberattacks … the detected anomalous behavior can be output to, for example, analysts or other analyzing tools for further analysis and follow-up activities, or for later retraining of the anomaly detecting circuit 420 …) [that defines a probability of the first command occurring after a group of one or more commands previously sent by the bus controller], wherein the Markov chain model is trained using identified patterns of commands in each of a plurality of training data segments (Hayden, FIG. 6-7, Para [0056, 0078, 0080-0084]: … A compromised bus controller or remote terminal on the 1553 network could deny messaging between other remote terminals. Attacks can also violate the basic rules and conventions of the 1553 standard, or the application layer data they contain. 
Cyberattacks can also involve a compromised bus controller or remote terminal that deliberately sends incorrect data to another bus controller or remote terminal as part of the normal data exchange cycle. This can include, for example, measurement data, control commands, system status, or other types of information … The MIL-STD-1553 bus is identified as a prime location for observing cyberattacks in progress. This bus is pervasive across both modern and legacy defense platforms, and forms the backbone for exchanges of commands, status, and data between operators and the critical subsystems essential to the function of a platform … FIG. 6 is a schematic diagram illustrating an example neural network-based anomaly sensor 600 for analyzing bus traffic and a partially observable Markov decision process (POMDP) based alert generator 650 for deciding if the analyzed bus traffic is normal or abnormal. The anomaly sensor 600 includes a neural network 610 for inputting bus traffic messages 615 (such as MIL-STD-1553 messages) at input nodes (or neurons) 620 that make up a first layer (or input layer) of the neural network 610. The inputted bus traffic (e.g., next bus traffic message) causes some of the input nodes 620 to fire, sending weighted signals down corresponding connections (or axions or synapses) 625 to hidden nodes 630 that make up a second layer (or hidden layer) of the neural network 610 … The output state 645 is the useful information (e.g., classification, such as anomalous or not) returned by the neural network 610 based on the input bus traffic message 615. The neural network 610 can be trained to identify whether or not bus traffic messages exhibit anomalous behavior based on machine learning techniques that assign weights to the connections 625 and 635 … The neural network 710 is an example of a feedforward neural network (e.g., processing moves in one direction from inputs to outputs and without any feedback). 
For example, each input node 720 in the input layer can represent a different corresponding byte of a fixed length message (in this case, N =162 input nodes for a 162-byte message, as might be used in a message packet in a 1553 network) …; Examiner’s Note: training data i.e. the 1553 message is split into segments at input nodes 620), [wherein training data segments are segmented based on a statistical analysis of time intervals between two consecutive commands of an entire training data set].
However, Hayden does not explicitly teach, but RUVIO, from the same or a similar field of endeavor, teaches:
“determining …  using a pattern recognition module (RUVIO, Para [0058, 0069, 0093, 0142]: …  It is another object of the present invention to disclose the system as described in any of the above, wherein the relation characteristic comprises at least one of: (a) timing between sending at least one frame and receiving at least one response frame; (h) the sent frame and the response frame at least one characteristic selected from: time based characteristic, electrical based characteristic, physical CAN BUS based characteristic; (i) the sent frame and the response frame one or more time evaluated characteristic selected from: (i) timing between consecutive frames; (ii) timing between a frame and a last similar frame; (iii) timing between predefined frame patterns; (iv) timing between learned patterns … The term “CAN”, “Controller Area Network”, refers hereinafter to any controller network with a frame based protocol, for communication between devices without a host computer. CAN further provides a multi-master redundant network, operating even if some of the nodes are not functioning. CAN frames are not associated with a recipient address but are classified over their identifier. 
As a consequence, CAN controllers broadcast their frames to all connected nodes … (iii) one or more Comparator unit(s) in communication with the characterization module, configured to compare one or more the characteristics of at least one frame against characteristics of each the ECU communication in order to detect at least one anomaly; and, (iv) one or more Identification module(s) in communication with the Comparator, configured to identify at least one ECU originating an attack on the CAN bus; (b) monitoring (320) the CAN bus communication to and from at least one ECU by means of the monitoring unit; (c) (330) characterizing the communication (at least one frame) by generating at least one characteristics of the monitored communication by means of the Characterization module; (d) comparing (340) at least one characteristics of at least one frame by means of the comparator against at least one ECU characteristics in order to detect at least one anomaly; (e) identifying (350) at least one ECU by means of the identification module, originating an attack on the CAN bus; wherein the step (d) of comparing at least one characteristic by the comparator additionally comprising generating at least one event for at least one detected anomaly comprising at least one characteristic difference and forwarding the event to the identification module configured to identify at least one ECU originating the attack according to the characteristic difference …)
defines a probability of the first command occurring after a group of one or more commands previously sent by the bus controller and wherein training data segments are segmented based on a statistical analysis of time intervals between two consecutive commands of an entire training data set (RUVIO, Para [0100-0103, 0113, 0130]: … The term "Time based characteristics" interchangeably refers hereinafter to timing of frames within the CAN communication. Time based characteristics can be assessed for every specific frame and evaluated as to the relationship to one or more frames in terms of their timing. Initial timing of a frame includes: timing and synchronization and variation of the bit nominal time, specifically compared and analyzed to generate a value of time quanta within the bit nominal time segment (sync, prop, phase 1 and phase 2) … Timing of more than one frames includes for example one frame from a specific node always transmitted following another specific frame from a designated node in a predetermined time lapse range); the transfer rate of an incoming frame is analyzed and compared to other system frames transfer rate, and any timing base data learned by the system and or inputted therein … Timing analysis further includes, but not limited to, statistical analysis including average frame time difference, standard deviation of frame timing, and assurance of the statistical significance of the result (e.g. tests such as T-test, determining P value and as such). Further in the scope of the invention is calculating a timing parameter according to at least one of the aforementioned time based characteristics. This can further include calculating a value comprising individual timing of a frame and relevant timing in relevance to the system logic … A dedicated algorithm measures the validity of an incoming frame based on statistical analysis, including a probability matrix, and/or a Gaussian probability curve. 
The purpose of preforming bus timing analysis is to extract the timing characteristics of the specified frame. Following statistical analysis the process can include clustering of the data to main groups and within them calculating the probabilities of each data point. In addition, a calculation can be performed to see the probability for any random new data point to be located in a specific cluster. Additionally or alternatively, a Markov model is utilized to determine the possible transition states … when characterizing at least one ECU communication by said characterizing module and/or said mapping module, the characterization can be a factor of, for example, at least one or any combination thereof of: at least one frame communicated, an analysis of a plurality of (more than 1) frames at least temporarily stored and analyzed for at least one characteristic, characteristic set, a characteristics probability matrix, a Markov model of the optional characteristics of each ECU, statistical correlation examination of at least one characteristic to a set of data, statistical significance of at least one characteristic, the usability of using a specific characteristic in reference to its divergence, characterizing messages comprising one or more frames, the typical frame sequence, the typical frame timing, electrical based characteristics, time based characteristics, physical based characteristics … According to another embodiment of the invention, the system as described above is disclosed, wherein the characterization module is further configured to evaluate time based characteristics selected from: (a) timing between consecutive frames; (b) timing between a frame and the last similar frame; (c) timing between predefined frame patterns; (d) timing between detected frame patterns; (e) sequence in which frames are transmitted; (f) timing distribution within frame patterns; (g) timing between different frame types; (h) timing between same frame types; (i) timing between interframe spaces; and, (j) any combination thereof …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of RUVIO into the teachings of Hayden, because it discloses that “none of the prior art examples disclose means of identifying an attack originator by specific characteristics, or any means of mapping the architecture and/or logic of the specific bus communication system thereby providing rapid identification of an attack originator (RUVIO, Para [0016]), and it is crucial to identifying both the actual frames that construct the attack and the source of the attack, there is a long felt need for tools enabling the identification of the network architecture malicious communication source, and malicious frames for providing security, in a cost effective, efficient manner to automotive bus communication systems and present invention provides a security system, useful for vehicle CAN bus communication attack originator identification (RUVIO, Para [0017-0018])”.
Claims 2, 3, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0367553 A1 to Hayden et al. (hereinafter “Hayden”) in view of Pub. No.: US 2018/0196941 A1 to RUVIO et al. (hereinafter “RUVIO”), as applied to claim 1 above, and further in view of Pub. No.: US 2016/0188396 A1 to Sonalker et al. (hereinafter “Sonalker”).
Regarding Claim 2. The combination of Hayden-RUVIO discloses the method of claim 1; however, it does not explicitly teach, but Sonalker from the same or similar field of endeavor teaches, “wherein segmenting the training data set comprises segmenting the training data at every time interval, between two commands, where it is above a predetermined time interval threshold (Sonalker, Para [0027-0031]: With brief reference to FIG. 3, in general the temporal classifier characterizes the rate at which messages arrive (either all messages, or messages of a particular arbitration ID or type of arbitration ID or particular bus/stream) using suitable statistical characteristics, such as the minimum inter-message arrival time (t.sub.ima,min), maximum inter-message arrival time (t.sub.ima,max), average inter-message arrival time (t.sub.ima,avg), and standard deviation (.sigma..sub.ima) or variance (.sigma..sub.ima.sup.2) of the inter-message arrival time, over a specified window. In the case of generating statistics for all messages, the inter-message arrival time is the time interval from arrival of one message to arrival of the next consecutive message in the CAN bus message stream. This is done per stream. In the case of generating statistics for messages of a particular type (e.g. a particular arbitration ID), the inter-message arrival time is the time interval from arrival of one message of that type to arrival of the next message of that type in the CAN bus message stream--there may be intervening messages of other types. In illustrative examples, the window is defined by a number of messages (N), and the time interval over which these N messages arrive is designated as the burst time (t.sub.window). These are merely illustrative parameters, and other statistical parameters and window definitions may be used in temporally characterizing occurrences of messages of various type and/or of the entire stream of CAN bus messages.
If sufficient training data are available, these statistical metrics may be computed by sliding the window of size N over the data set and then averaging to generate more representative values, or more generally performing suitable segmentation/averaging of the statistics over the data set …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sonalker into the combined teachings of Hayden-RUVIO, because it discloses that “the anomaly detector may be implemented on a vehicle Electronic Control Unit (ECU) communicating via a vehicle CAN bus. The anomaly detector does not rely on a database of messages and their periodicity from manufacturers (dbc files) and in that sense is truly a zero knowledge detector (Sonalker, Abstract)”.
Regarding Claim 3. The combination of Hayden-RUVIO-Sonalker discloses the method of claim 2, and RUVIO further discloses, “wherein the predetermined time interval threshold comprises a mean value of time intervals between every two sequential commands of the training data set (RUVIO, Para [0100-0102]: … The term "Time based characteristics" interchangeably refers hereinafter to timing of frames within the CAN communication. Time based characteristics can be assessed for every specific frame and evaluated as to the relationship to one or more frames in terms of their timing … Timing of more than one frames includes for example one frame from a specific node always transmitted following another specific frame from a designated node in a predetermined time lapse range); the transfer rate of an incoming frame is analyzed and compared to other system frames transfer rate, and any timing base data learned by the system and or inputted therein … Timing analysis further includes, but not limited to, statistical analysis including average frame time difference …).”
The motivation to further combine RUVIO remains the same as in claim 1.
Regarding Claim 12. This claim contains all the same or similar limitations as claim 2, hence similarly rejected.
Regarding Claim 13. This claim contains all the same or similar limitations as claim 3, hence similarly rejected.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0367553 A1 to Hayden et al. (hereinafter “Hayden”) in view of Pub. No.: US 2018/0196941 A1 to RUVIO et al. (hereinafter “RUVIO”) and Pub. No.: US 2016/0188396 A1 to Sonalker et al. (hereinafter “Sonalker”), as applied to claim 3 above, and further in view of Pub. No.: US 2016/0114886 A1 to Downey et al. (hereinafter “Downey”).
Regarding Claim 4. The combination of Hayden-RUVIO-Sonalker discloses the method of claim 3; however, it does not explicitly teach, but Downey from the same or similar field of endeavor teaches, “wherein the mean value comprises one of a winsorized mean, a truncated mean, or a modified mean value (Downey, Para [0078]: … The system obtains bandwidth usage by modules (block 504). The system determines a bandwidth usage of the flight critical modules and the payload modules. Since many of the flight critical systems need sufficient bandwidth to remain functional, the system determines a measure of central tendency of bandwidth (e.g., mean, median, mode, geometric mean, harmonic mean, weighted mean, truncated mean, midrange mean, trimean, winsorized mean, etc.) use by the flight critical modules, and additionally peak bandwidth usage by the flight critical modules …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Downey into the combined teachings of Hayden-RUVIO-Sonalker, because it discloses that “a system can separate the control and operation of flight critical systems from payload systems. The system can guard against a payload system failure, which can consume too much power or lock up a data bus, resulting in the failure of one or more flight critical systems. Additionally, the system can negotiate power concerns between the payload systems and flight critical systems, to ensure that flight critical systems are given ample power to function properly. The system can also modify the power states of payload modules depending on the current flight phase of an unmanned aerial vehicle. For instance, during a takeoff flight phase, the included payload modules can be set to a low power state (Downey, Para [0004])”.
Regarding Claim 14. This claim contains all the same or similar limitations as claim 4, hence similarly rejected.
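The following Python example is added here purely to illustrate the limitations of claims 2, 3 and 4 as discussed above (Sonalker's per-arbitration-ID inter-message arrival statistics over a window of N messages, and segmentation of a command stream at every gap above a mean, winsorized-mean or truncated-mean threshold); it is not code from the present application or from any cited reference, and the log, arbitration IDs and command names are constructed for the example.

```python
"""Inter-message arrival statistics and gap-based segmentation of a CAN command stream."""
from statistics import mean

# Constructed sample log (not from any cited reference): (timestamp_ms, arbitration_id, command).
TRAINING_LOG = [
    (0, 0x1A0, "steer"), (5, 0x2B0, "brake"), (10, 0x1A0, "steer"), (15, 0x2B0, "brake"),
    (20, 0x1A0, "steer"), (120, 0x3C0, "door"), (125, 0x1A0, "steer"), (130, 0x2B0, "brake"),
    (135, 0x1A0, "steer"), (335, 0x3C0, "door"), (340, 0x1A0, "steer"), (345, 0x2B0, "brake"),
]


def inter_arrival_times(log, arb_id=None):
    """Intervals between consecutive messages; with arb_id set, only messages of that
    arbitration ID are considered (intervening messages of other IDs are skipped)."""
    ts = [t for t, aid, _ in log if arb_id is None or aid == arb_id]
    return [b - a for a, b in zip(ts, ts[1:])]


def window_stats(log, n, arb_id=None):
    """Slide a window of n messages over the stream and average the per-window
    min/max/avg inter-arrival time and burst time (first-to-last timestamp)."""
    ts = [t for t, aid, _ in log if arb_id is None or aid == arb_id]
    rows = []
    for i in range(len(ts) - n + 1):
        w = ts[i:i + n]
        gaps = [b - a for a, b in zip(w, w[1:])]
        rows.append({"min": min(gaps), "max": max(gaps), "avg": mean(gaps), "burst": w[-1] - w[0]})
    return {k: mean([r[k] for r in rows]) for k in rows[0]}


def winsorized_mean(values, k):
    """Mean after replacing the k smallest values by the (k+1)-th smallest and the
    k largest by the (k+1)-th largest, so outlying gaps are clipped rather than dropped."""
    s = sorted(values)
    return mean([min(max(v, s[k]), s[-k - 1]) for v in s])


def truncated_mean(values, k):
    """Mean after discarding the k smallest and k largest values (k=0 is the plain mean)."""
    s = sorted(values)
    return mean(s[k:len(s) - k])


def segment_at_gaps(log, threshold):
    """Start a new segment wherever the interval between two consecutive commands exceeds
    the threshold; returns the command sequence of each segment."""
    segments, current = [], [log[0][2]]
    for (t0, _, _), (t1, _, cmd) in zip(log, log[1:]):
        if t1 - t0 > threshold:
            segments.append(current)
            current = []
        current.append(cmd)
    segments.append(current)
    return segments


if __name__ == "__main__":
    gaps = inter_arrival_times(TRAINING_LOG)
    for name, thr in (("mean", truncated_mean(gaps, 0)),
                      ("winsorized", winsorized_mean(gaps, 1)),
                      ("truncated", truncated_mean(gaps, 1))):
        print(name, round(thr, 2), segment_at_gaps(TRAINING_LOG, thr))
    print(window_stats(TRAINING_LOG, 3, arb_id=0x1A0))
```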
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0367553 A1 to Hayden et al. (hereinafter “Hayden”) in view of Pub. No.: US 2018/0196941 A1 to RUVIO et al. (hereinafter “RUVIO”), as applied to claim 11 above, and further in view of “Non Patent Literature: OBD SecureAlert: An Anomaly Detection System for Vehicles; 2016 IEEE Xplore” to Narayanan et al. (hereinafter “Narayanan”).
Regarding Claim 15. The combination of Hayden-RUVIO discloses the system of claim 11; however, it does not explicitly teach, but Narayanan from the same or similar field of endeavor teaches, “wherein the one or more processors are configured to determine whether the first command is abnormal based at least on a probability value of a transition between one or more preceding groups of command and the first command (Narayanan, Introduction, Sections V-VI: … We collected data by operating different vehicles and stored it in a text file. Next step in our approach is to analyze the collected data to develop a model which can identify anomalous states. In this project, we use Hidden Markov Models (HMM) to create a model. The intuition behind using this model is described below. We consider the movement of a vehicle as a sequence of states which are dependent on its previous state, like Markov’s processes. For example consider a sequence of activities from T1 to T12 as shown in Figure 2. At T1 speed is zero and the Door is open. At T2 the door is closed and it starts moving. The car gathers speed gradually till T6. But at T7 there is a sudden jump of 85 miles per hour making the speed to 100 mph. At T8 the speed of car is 200 miles per hour and the door is open. We can clearly see that the probability of a state change from T6 to T7 and T7 to T8 are very low. This shows that we can detect anomalous behaviors using a time series analysis. We used HMM’s to create a model since they provide a powerful abstraction to predict time series data. To create a HMM model, we generate two set of probabilities, Transition probabilities and Emission probabilities. Transition probability controls how a new state, let’s say “S(t)”, is chosen from a current state “S(t-1)”. Emission probability is the probability that a specific set of observations will be generated given current hidden state “S(t)”.
During model generation we try to estimate these probabilities using the collected data set … The first challenge for model generation is how to convert collected data into a series of observations. Our dataset has messages from multiple ECU’s. Instead of training the model with absolute values, we chose to use gradients for each observation, since it is the change in observations which alters the state of a vehicle. For example in case of speed, instead of using actual speed, we find speed gradients and train our system for it. The next challenge is on how to accommodate multiple observations as a single vector. We have different types of sensors in a vehicular system. Some of them will push data on to the CAN bus at regular intervals like speed and RPM. On the other hand there are some other observations which are pushed on to the system only when they are required like door sensors in some vehicles. In our model, we create a vector containing inputs from different systems. Each vector will then represent a single observation and our system will be trained for those observation sequences. We define the sequence of observations, O = O_1, O_2, ..., O_n, where O_t is an observation vector at time t. Each observation vector O_t = {v_{t,1}, v_{t,2}, ..., v_{t,n}}, where v_{t,i} is the value of the ith component at time t. For example Speed is 20 mph, RPM is 3000, State of door is closed etc. are modeled as a single vector. During implementation, we interpret different values from particular slots in the CAN message and convert to decimal values before using them to train our model. To generate the HMM model we used “Statistics and Machine Learning toolkit” in Matlab. We use “hmmtrain” function to generate the model from the sequence of observations O.
We chose to use Baum-Welch algorithm for training which will generate Transition and Emission Probabilities corresponding to test sequences … To detect unsafe states, we first convert the values from different components into a sequence of observation vectors in the same way as mentioned in section V. We then use a sliding window of “m” previous observations, O_window = {O_1, O_2, ..., O_m}, as shown in Figure 3 to detect the presence of anomalies. The sliding window moves every time a new observation is available. One of the operations which we can do with HMM is to detect posterior probability of a given sequence. In this case, once the sliding window is determined, we use all observations in that window and determine the posterior probability of that sequence. As described before each of the observations would be a vector of different sensor values. It will generate a set of probabilities corresponding to each observation. If the probability of any such sequence is below a threshold, based on the generated model, it implies that probability of the current set of observations is very low and hence we identify it as an anomalous state … The anomaly detection module has the model as its first input. In our implementation, the input stream from the CAN bus is fed to this module. The module will convert it into a sequence of observations using the same procedure we had used during model generation phase. Now when new observations are available, the module will pick up “m” previous observations from the sliding window and use “hmmdecode” from Matlab to find the posterior probability for that sequence in the window. Our module will now generate an alert, if the probability of any observation in the sequence is going below a set threshold value …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Narayanan into the combined teachings of Hayden-RUVIO, because it discloses that “model can be integrated with all current and future car systems as a plug-n-play device or as a system module programmed on the on-board car computer … Our initial results show that such data analytic techniques could be successfully applied to identify anomalies and unsafe states in vehicles. Unlike some other methods, our method could successfully be utilized in both older and newer vehicles … can also further analyze the OBD data by applying other data mining algorithms on it (Narayanan, Section: Conclusion)”.
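The following Python example is added here purely to illustrate the Narayanan teaching relied on for claim 15 (speed readings converted to gradient observations, a hidden Markov model with transition and emission probabilities, and a sliding window of m observations whose sequence probability is compared against a threshold); it is not code from the present application or from Narayanan. The two hidden states, three gradient symbols and all probabilities are hand-set constructed values rather than the output of Baum-Welch training, and a hand-written forward pass stands in for Matlab's “hmmdecode”.

```python
"""Sliding-window HMM sequence-probability check over quantized speed gradients."""
import math

STATES = ("idle", "moving")
SYMBOLS = ("zero", "small", "large")  # quantized magnitude of the speed gradient

# Constructed model parameters for illustration (hand-set, not trained with Baum-Welch).
INITIAL = {"idle": 0.6, "moving": 0.4}
TRANSITION = {"idle": {"idle": 0.8, "moving": 0.2},
              "moving": {"idle": 0.1, "moving": 0.9}}
EMISSION = {"idle": {"zero": 0.90, "small": 0.09, "large": 0.01},
            "moving": {"zero": 0.30, "small": 0.65, "large": 0.05}}


def quantize_gradients(speeds, small_max=20.0):
    """Turn absolute speed readings into gradient symbols: the model is trained on the
    change between consecutive readings rather than on the absolute value."""
    out = []
    for prev, cur in zip(speeds, speeds[1:]):
        g = abs(cur - prev)
        out.append("zero" if g < 1.0 else "small" if g < small_max else "large")
    return out


def forward_probability(observations):
    """P(observation sequence | model) by the forward algorithm, i.e. the sum over all
    hidden-state paths of initial * transition * emission probabilities."""
    alpha = {s: INITIAL[s] * EMISSION[s][observations[0]] for s in STATES}
    for obs in observations[1:]:
        alpha = {s: sum(alpha[p] * TRANSITION[p][s] for p in STATES) * EMISSION[s][obs]
                 for s in STATES}
    return sum(alpha.values())


def detect_anomalies(speeds, m, threshold):
    """Slide a window over the m most recent observations and return the observation
    indices at which the window's mean per-observation log-probability is below threshold."""
    obs = quantize_gradients(speeds)
    alerts = []
    for end in range(m, len(obs) + 1):
        window = obs[end - m:end]
        score = math.log(forward_probability(window)) / m
        if score < threshold:
            alerts.append(end - 1)
    return alerts


# Constructed speed trace (mph): gradual acceleration, then an 85 mph jump and a 100 mph jump.
SPEEDS = [0, 3, 6, 9, 12, 15, 100, 200]

if __name__ == "__main__":
    print(quantize_gradients(SPEEDS))
    print("alerts at observation indices:", detect_anomalies(SPEEDS, m=4, threshold=-1.0))
```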
Pertinent Prior Arts: The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure.
PgPub US 20200183373 A1 (CHOI et al.): CHOI discloses a method for detecting anomalies in a controller area network of a vehicle and an apparatus for the same. The method for detecting anomalies in a Controller Area Network (CAN) of a vehicle includes monitoring the controller area network of the vehicle and generating sequence trees for respective multiple sub-networks included in the controller area network at a time at which monitoring is performed, comparing at least one normal sequence tree, generated in accordance with the controller area network when a status of the vehicle is normal, with the generated sequence trees, and calculating differences between traffic proportions for respective nodes based on a result of the comparison between the sequence trees, and detecting an anomaly in the vehicle in consideration of the differences.
PgPub US 20190149561 A1 (MAEDA et al.): MAEDA discloses an unauthorized activity detection method in an onboard network system. The detection method includes determining whether or not a message sent out onto the network is an attack message, saving information relating to the attack message in at least one memory in a case where the message is an attack message, identifying a communication pattern from information relating to the attack message, and determining whether or not the message matches a communication pattern. The determination of whether an attack message and determination of whether matching a communication pattern are executed on each of a plurality of messages received from the network. In the determining of whether an attack message executed on a message received after executing of determining of whether matching a communication pattern, results of the determination of whether an attack message that has already been executed are used.
PgPub US 20200344083 A1 (SHIBAHARA et al.): SHIBAHARA discloses a detection device that includes: an object data extraction unit that extracts, from one or more pieces of communication data which are transmitted from one or more electronic control units, at least part of a payload contained in communication data that satisfies a predetermined condition, information by which the communication interval between the communication data can be calculated, and a serial number of the communication data as object data; a partial sequence creation unit that creates, using the extracted object data, a partial sequence containing information corresponding to at least part of a payload and information indicating a communication interval from two or more pieces of object data with the same serial number; and a detection unit that detects, using the created partial sequence, predetermined communication data based on the order relation between at least part of a payload and the corresponding part of another payload and a communication interval. The predetermined condition is a condition for extracting only communication data which is transmitted periodically and also in conjunction with a predetermined event.
PgPub US 20210203682 A1 (BAJPAI): BAJPAI discloses a mechanism for detecting a cybersecurity attack on a Controller Area Network (CAN) in a vehicle. In an embodiment, electronic control units (ECUs), connected to a CAN bus, each comprise a hacking detection system, which, during an initialization stage, transmits a message comprising a CAN identifier, used by the respective ECU, to at least one other hacking detection system, receives a message comprising a CAN identifier, used by at least one other ECU, from the other hacking detection system, monitors one or more parameters, including at least one parameter of CAN messages received by the respective ECU and transmitted by the respective ECU, and generates a pattern-detection mechanism based on the monitored one or more parameters. Then, during a detection stage, each hacking detection system monitors the one or more parameters, and detects malicious activity based on the generated pattern-detection mechanism and the one or more parameters monitored during the detection stage.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434