DETAILED ACTION
This office action is in response to the correspondence filed on 10/04/2022. This application is a 371 National Stage of PCT/KJUDGE019/000832 and has a provisional application 62/620,754 filed 01/23/2018. Claims 1, and 5-13 are pending and are examined. Claims 2-4 are canceled. Claims 1, 6, 11, and 13 have been amended.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 


Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 06/09/2022. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
The amendments and/or arguments submitted by Applicants for the objection(s)/rejection(s) listed below have been considered and are persuasive; thus, they have been withdrawn:
Claim Objection(s) (However new claim objections are found below with the latest amendments)
Applicant’s arguments with respect to claims 1-13 have been considered. The following are applicant arguments recited in the Remarks followed by Examiner's response:
Applicant argues that “The claims as presented fully satisfy the requirements of 35 U.S.C. 112, including Section 112(b). The skilled worker readily understands the claims as presents, particularly when read in light of the supporting specification, as is proper.” (Remarks, pg. 5)
Examiner respectfully disagrees. The 112(b) rejection is stemmed from the invocation of 112(f) claim interpretation and there is not sufficient structure to support performing the recited functions.  Please see the 112(b) rejection section below for more details.
Examiner notes that “hardware processor” or “microprocessor” and “memory” can be added to comprise these generic placeholders so there is sufficient structure to support the 112(f) or amend the claim language to avoid the accidental invocation of 112(f) altogether.

Applicant argues that “Applicant strongly disagrees with the assertions of claim interpretation and 35 USC § 112(f) as set forth at pages 3-6 of the Office Action.” (Remarks, pg. 6)
Examiner respectfully disagrees. Invocation of 112(f) is dictated by the claim language which should be amended accordingly if it is not the Applicant’s intention to invoke it. As explained in MPEP § 2181, subsection I, claim limitations that meet the three-prong test will be interpreted under 35 U.S.C. 112(f). Please see the Claim interpretation section below for more details. Examiner is unable to withdraw the rejections with merely disagreeing to the Office Action.

Applicant argues that “In preferred aspects, a problem that can be by a system of Applicant is to efficiently operate multiple detection techniques in an electronic device of a vehicle that has limited computing resources and is arranged to determine whether or not network messages collected from an in- vehicle network are a security threat message… None of the cited documents disclose or suggest such a system, or the benefits that can be provided thereby.” (Remarks, pg. 7)
Examiner respectfully disagrees. Although Applicant asserts that the system recited is more efficient, it is nevertheless, still obvious to perform a series of different intrusion detection techniques to incoming messages pertaining to any types or forms of communication. It is well known it the art that various detection techniques can be used for different objectives. There is also no explicit supporting evidence that this particular order recited by the Applicant yields a more efficient or unexpected result than any other orders.
Examiner encourages applicant to further amend the claims to distinguish the invention and clarify the difference with cited support by the specification.

Applicant argues that "Respectfully, grounds of rejection set forth in the Office Action also are unsubstantiated. Referring the rejection for claim 4 in the Office Action, with respect to "applying static detection techniques, misuse detection techniques, anomaly detection techniques in an order as recited " specified in original claim 4, no grounds were presented in the Office Action."  (Remarks, pg. 7)
Examiner respectfully disagrees. The language "in an order as recited" was not recited in the original claim 4. The examiner had no reason to address it. The remaining elements were addressed by Ujiie and Judge.

Applicant argues that "Applicant's independent claim 13 further recites that a rule engine of a (sub-)gateway uses all three detection techniques, and a rule engine of a ECU uses only some of the techniques. " (Remarks, pg. 7)
Examiner respectfully disagrees. Judge teaches using all three detection techniques. See more detailed mapping in the USC § 103 rejection for claim 13 below. One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

Applicant argues that “Applicant's claimed feature "different levels of modules in a vehicle network each perform a detection function and the modules use different detection techniques depending on their levels" are not disclosed or otherwise suggested by cited references.” (Remarks, pg. 8)
Examiner respectfully disagrees. Examiner is unclear which claim the Applicant is referring to that this language is supposedly recited. Examiner was not able to find different detection techniques are used depending on the levels of modules. More clarification is needed from the Applicant.


Claim Objections
Claims 11-12 are objected to because of the following informalities:
Claims 11-12, both claims appear to be missing the language of “by a/the processor” as it was recited in various limitations within these claims in the previous version of the instant claims.
Claim 12, this claim should be canceled similarly as claim 2 which has been incorporated into the independent claims. It does not appear to meaningfully narrow the scope of the independent claim more by having this dependent claim.
Appropriate correction is required.



Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: a message queue module configured to store, a rule engine configured to update, a central gateway configured to connect, a sub-gateway configured to connect, a crypto module configured to perform, an interface manager configured to manage, a first and second electronic apparatus configured to operate, in claims 1, 5-10, and 13. Per the specification [0041], “the various methods, apparatuses, systems described in this disclosure may be implemented by or included in an electronic controller, a gateway, or the like having a processor, memory”, therefore, the central gateway and the sub-gateway are interpreted to have a processor and memory. Per the specification [0011], “the methods described above may be performed by at least one electronic apparatus that includes at least one processor and a memory”, therefore, the a first and second electronic apparatus are interpreted to have a processor and memory. Please see the 112(b) rejection below for more details of the aforementioned modules, engine, and manager.
Because this/these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 5-10, and 13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim limitations: a message queue module configured to store, a rule engine configured to update, a crypto module configured to perform, an interface manager configured to manage, in claims 1, 5-10, and 13 invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
The specification is devoid of adequate structure to perform the claimed function. Per the specification [0019], “the terms such as "unit," "module," and the like refer to one or more units for processing at least one function or operation, which may be implemented by hardware, software, or a combination thereof”. There is no disclosure of any particular structure, either explicitly or inherently, to perform these storing, updating, performing, or managing functions (e.g. they can be implemented entirely by software). The use of the terms message queue module, rule engine, crypto module, interface manager are not adequate structure for performing the storing, updating, performing, or managing functions because they do not describe a particular structure for performing the functions. As would be recognized by those of ordinary skill in the art, the terms storing, updating, performing, or managing refer to performing some well-known operations on an input and can be performed in any number of ways in hardware, software or a combination of the two. The specification does not provide sufficient details such that one of ordinary skill in the art would understand which structure or structures perform(s) the claimed functions. 
Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-12 are rejected under 35 U.S.C. 103 as being unpatentable over Ujiie et al. (US Pub No. 2017/0147812 A1, referred to as Ujiie), in view of Judge et al. (US Pub No. 2003/0172166, referred to as Judge), further in view of Yu et al. (US Pub No. 2015/0067862 A1, referred to as Yu).
Regarding claim 1, Ujiie discloses,
1. An intrusion detection system for providing security to an in-vehicle network, comprising:
a message queue module… (Ujiie: Fig. 1; [0094]; the frame transmitting and receiving unit 110 transmits and receives frames in accordance with the CAN protocol to and from the bus 200a. [0074]; frames/messages.)
a storage configured to store a rule set used in a plurality of detection techniques; and (Ujiie: Fig. 1; [0124]; the fraud detection rule storing unit 481 (storage) stores a list prescribing the message IDs included in frames transmitted from the bus 200a as the fraud detection rules (rule set).)
a rule engine configured to update the rule set stored in the storage with a new rule set downloaded from a backend server on an external network, and (Ujiie: Fig. 1; [0124]; according to a notification of new fraud detection rules from the update determining unit 494 (rule engine), the fraud detection rule storing unit 481 updates the previously stored fraud detection rules with the updated fraud detection rules. [0125]; the external communication unit 490 communicates with the server 500 (backend server) via the external network 600, and thereby acquires delivery data including information such as updated fraud detection rules (new rule set) for updating the fraud detection rules.) to …apply …detection technique(s) to a collected network message to determine whether the collected network message is a security threat message. (Ujiie: Fig. 1; [0123]; the fraud detection processing unit 480 (rule engine) includes a function of determining whether or not a frame acquired from the bus 200a is malicious, based on the fraud detection rules stored by the fraud detection rule storing unit 481. A list of message IDs which are not malicious, also called a whitelist, is used as the fraud detection rules (detection technique).)
Ujiie does not explicitly disclose, however Judge teaches,
…a message queue module configured to store network messages collected from the in-vehicle network in a message queue; (Judge: [0034]; associated with each interrogation engine is a queue of indices for communications to be evaluated by the particular interrogation engine. When a communication is received, it is stored and assigned an index (message queue).) 
…sequentially apply the plurality of detection techniques (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
wherein the plurality of detection techniques include a static detection technique, (Judge: [0071]; policy management 350 allows definition of corporate policies with respect to the particular application in regard to how and what application specific communications are sent, copied or blocked.) a misuse detection technique, (Judge: [0070]; application specific anti-virus protection and anti-spam protection 340 provides support for screening application specific communications for associated viruses and/or spam (signature-based detection per specification [0037]).) and an anomaly detection technique, and (Judge: [0069]; application specific IDS 330 provides realtime monitoring of activities specific to the application server. This may also retrieve information from multiple layers including the application layer, network layer and operating system layer. This compliments a network intrusion detection system by adding an additional layer of application specific IDS monitoring (real-time monitoring based on network state).)
wherein the rule engine is configured to apply to the collected network message the static detection technique, the misuse detection technique, and the anomaly detection technique in an order as recited, and (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques as mapped in the previous limitation). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings Judge of into the teachings of Ujiie with a motivation to enhance security of electronic communications by applying different assessment techniques in any particular orders to the collected communication in a queue (Judge: [0031]).
The combination of Ujiie and Judge does not explicitly disclose, however Yu teaches,
wherein the rule engine is further configured to bypass a subsequent application of remaining detection techniques to the collected network message when any one of the plurality of detection techniques determining the collected network message as a security threat message thereby. (Yu: Fig. 3; [0034]; responsive to determining the presence of malware while analyzing the malware on the virtual machine, a notification can be sent that a malware has been detected on the virtual machine, and the remaining steps depicted in Fig. 3 can be skipped (bypass additional tests if a malware is found in the earlier test).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Yu into the combination of Ujiie and Judge with a motivation to take different analysis actions when a malware is found, and optionally including other analysis actions or other actions to prevent or minimize any adverse effects of the malware by skipping the remaining detection steps (Yu: [0034]).	Examiner notes that the language “in response to” is preferred over “when” as it is unclear if the limitation is positively recited.


Regarding claim 6, the combination of Ujiie, Judge and Yu discloses, 
6. The intrusion detection system of claim 5, 
Ujiie disclose, 
wherein the rule engine is configured allow the collected network message to be transferred to the central gateway, the sub-gateway, or a software application of the electronic control unit when all of the plurality of detection techniques determining the collected network message is not a security threat message. (Ujiie: [0123]; the fraud detection processing unit 480 receives the value of the ID field (ID) reported by the frame interpreting unit 420, and if the ID is not listed on the list of message IDs (whitelist) that serves as the fraud detection rules, the fraud detection processing unit 480 notifies the frame generating unit 460 to transmit an error frame. In this case, on the bus 200a, the bit values of the frame (malicious frame) including the ID not listed on the list of message IDs that serves as the fraud detection rules are overwritten by an error frame made up of a series of multiple dominant bits which take priority over recessive bits (only messages listed on the whitelist (not a security threat message) are allow to go onto their destination/corresponding ECU, while the ones that are not, are overwritten and an error frame is transmitted instead).)
Examiner notes that the language “in response to” is preferred over “when” as it is unclear if the limitation is positively recited. Examiner’s claim objection in the previous non-final office action was meant to point out the “for allowing” intended use language and did not mean to change the preferred “in response to” language.


Regarding claim 7, the combination of Ujiie, Judge and Yu discloses, 
7. The intrusion detection system of claim 1, 
Ujiie disclose, 
wherein the system is a separate computing device connected as a node to the in-vehicle network. (Ujiie: Fig. 1; [0057]; the onboard network system 10 is configured to include buses 200a to 200c and respective nodes connected to the buses, such as fraud detecting ECUs 400a to 400c, gateways 300a and 300b, and ECUs such as ECUs 100a to 100e connected to various types of equipment (multiple nodes/apparatus with a set of equipment and they connects to the in-vehicle network). [248]; multiple devices.)


Regarding claim 8, the combination of Ujiie, Judge and Yu discloses, 
8. The intrusion detection system of claim 1, 
Ujiie disclose, 
further comprising:
a crypto module configured to perform an encryption and a decryption of the rule set and to manage an associated key. (Ujiie: Fig. 14; [0068]; a cryptographic processing unit 491 (crypto module), a key storing unit 493. During the receiving of the delivery data (rule set), a process corresponding to the cryptographic process (encryption and a decryption) is performed. Thus, the security of the fraud detection rules may be ensured.)


Regarding claim 9, the combination of Ujiie, Judge and Yu discloses, 
9. The intrusion detection system of claim 1, 
Ujiie disclose, 
further comprising:
an interface manager configured to manage a communication linkage with the backend server to download a new rule set from the backend server or transmit a detection log to the backend server. (Ujiie: Fig. 1; [0124]; according to a notification of new fraud detection rules from the update determining unit 494, the fraud detection rule storing unit 481 updates the previously stored fraud detection rules with the updated fraud detection rules. [0125]; the external communication unit 490 (interface manager) communicates with the server 500 (backend server) via the external network 600, and thereby acquires delivery data including information such as updated fraud detection rules (new rule set) for updating the fraud detection rules.)


Regarding claim 10, the combination of Ujiie, Judge and Yu discloses, 
10. The intrusion detection system of claim 1, 
Ujiie disclose, 
wherein the in-vehicle network includes:
a controller area network (CAN). (Ujiie: Fig. 1; [0069]; the plurality of electronic control units communicate over the bus in accordance with a controller area network (CAN) protocol.)


Regarding claim 11, Ujiie discloses,
11. A method performed by an intrusion detection system for providing security to an in- vehicle network, comprising:
downloading, by a processor, a rule set used in a plurality of detection techniques from a backend server on an external network and updating a pre-stored rule set; (Ujiie: Fig. 1; [0070]; processor. [0124]; according to a notification of new fraud detection rules from the update determining unit 494, the fraud detection rule storing unit 481 updates the previously stored fraud detection rules with the updated fraud detection rules. [0125]; the external communication unit 490 communicates with the server 500 (backend server) via the external network 600, and thereby acquires delivery data including information such as updated fraud detection rules (updating a pre-stored rule set) for updating the fraud detection rules.)
…applying, by the processor, …detection technique(s) to a collected network message to determine whether the collected network message is a security threat message. (Ujiie: Fig. 1; [0123]; the fraud detection processing unit 480 includes a function of determining whether or not a frame acquired from the bus 200a is malicious, based on the fraud detection rules stored by the fraud detection rule storing unit 481. A list of message IDs which are not malicious, also called a whitelist, is used as the fraud detection rules (detection technique). [0074]; frames/messages.)
Ujiie does not explicitly disclose, however Judge teaches,
storing, by the processor, network messages collected from the in-vehicle network in a message queue; and (Judge: [0034]; associated with each interrogation engine is a queue of indices for communications to be evaluated by the particular interrogation engine. When a communication is received, it is stored and assigned an index (message queue).)
…sequentially applying, by the processor, the plurality of detection techniques (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
wherein the plurality of detection techniques include a static detection technique, (Judge: [0071]; policy management 350 allows definition of corporate policies with respect to the particular application in regard to how and what application specific communications are sent, copied or blocked.) a misuse detection technique, (Judge: [0070]; application specific anti-virus protection and anti-spam protection 340 provides support for screening application specific communications for associated viruses and/or spam (signature-based detection per specification [0037]).) and an anomaly detection technique, and (Judge: [0069]; application specific IDS 330 provides realtime monitoring of activities specific to the application server. This may also retrieve information from multiple layers including the application layer, network layer and operating system layer. This compliments a network intrusion detection system by adding an additional layer of application specific IDS monitoring (real-time monitoring based on network state).)
wherein the sequentially applying the plurality of detection techniques including:
applying to the collected network message the static detection technique, the misuse detection technique, and the anomaly detection technique in an order as recited, and (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques as mapped in the previous limitation). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings Judge of into the teachings of Ujiie with a motivation to enhance security of electronic communications by applying different assessment techniques in any particular orders to the collected communication in a queue (Judge: [0031]).
The combination of Ujiie and Judge does not explicitly disclose, however Yu teaches,
bypass a subsequent application of remaining detection techniques to the collected network message when any one of the plurality of detection techniques determines the collected network message as a security threat message. (Yu: Fig. 3; [0034]; responsive to determining the presence of malware while analyzing the malware on the virtual machine, a notification can be sent that a malware has been detected on the virtual machine, and the remaining steps depicted in Fig. 3 can be skipped (bypass additional tests if a malware is found in the earlier test).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Yu into the combination of Ujiie and Judge with a motivation to take different analysis actions when a malware is found, and optionally including other analysis actions or other actions to prevent or minimize any adverse effects of the malware by skipping the remaining detection steps (Yu: [0034]).	Examiner notes that the language “in response to” is preferred over “when” as it is unclear if the limitation is positively recited.


Regarding claim 12, the combination of Ujiie, Judge and Yu discloses, 
12. The method of claim 11, 
Ujiie does not explicitly disclose, however Judge teaches,
wherein sequentially applying of the plurality of detection techniques includes: (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
The same motivation that was utilized for combining Ujiie and Judge as set forth in claim 11 is equally applicable to claim 12.
The combination of Ujiie and Judge does not explicitly disclose, however Yu teaches,
in response to any one of the plurality of detection techniques determining the collected network message as a security threat message, bypassing, by the processor, a subsequent application of remaining detection techniques to the collected network message. (Yu: Fig. 3; [0034]; responsive to determining the presence of malware while analyzing the malware on the virtual machine, a notification can be sent that a malware has been detected on the virtual machine, and the remaining steps depicted in Fig. 3 can be skipped (bypass additional tests if a malware is found in the earlier test).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Yu into the combination of Ujiie and Judge with a motivation to take different analysis actions when a malware is found, and optionally including other analysis actions or other actions to prevent or minimize any adverse effects of the malware by skipping the remaining detection steps (Yu: [0034]).


Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ujiie in view of Judge, further in view of Yu, further in view of Jeon et al. (US Pub No. 2011/0153149 A1, referred to as Jeon).
Regarding claim 5, the combination of Ujiie, Judge and Yu discloses, 
5. The intrusion detection system of claim 1, 
Ujiie disclose, 
…an electronic control unit (ECU) belonging to each of the functional domains. (Ujiie: Fig. 1; [0057]; the onboard network system 10 is configured to include buses 200a to 200c and respective nodes connected to the buses, such as fraud detecting ECUs 400a to 400c, gateways 300a and 300b, and ECUs such as ECUs 100a to 100e connected to various types of equipment (an ECU for each functional domains like the brake or engine).)
The combination of Ujiie, Judge and Yu does not explicitly disclose, however Jeon teaches,
wherein the system is embedded in any one of:
a central gateway configured to connect an external network with the in-vehicle network, (Jeon: [0011]; a vehicle gateway (central gateway) to support vehicle internal communication network for communications with the at least one ECU and to support vehicle external communication network for communications with a terminal of a service provider.)
a sub-gateway configured to connect each of functional domains of the in-vehicle network with the central gateway, and… (see above for one of the options)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Jeon into the combination of Ujiie, Judge and Yu with a motivation to provide a communication method for a vehicle, in which an external network node may be connected to an ECU via an Internet Protocol version 6 (IPv6) network to perform a communication by using a vehicle gateway (Jeon: [0011]).


Regarding claim 13, Ujiie discloses,
13. A system for providing security to an in-vehicle network, comprising:
a first electronic apparatus configured to operate as a first node on the in-vehicle network and a second electronic apparatus configured to operate as a second node, wherein each of the first electronic apparatus and the second electronic apparatus incudes: (Ujiie: Fig. 1; [0057]; the onboard network system 10 is configured to include buses 200a to 200c and respective nodes connected to the buses, such as fraud detecting ECUs 400a to 400c, gateways 300a and 300b, and ECUs such as ECUs 100a to 100e connected to various types of equipment (multiple nodes/apparatus with a set of equipment and they connects to the in-vehicle network).)
a message queue module… (Ujiie: Fig. 1; [0094]; the frame transmitting and receiving unit 110 transmits and receives frames in accordance with the CAN protocol to and from the bus 200a. [0074]; frames/messages.)
a storage configured to securely store a rule set used in one or more detection techniques; and (Ujiie: Fig. 1; [0124]; the fraud detection rule storing unit 481 (storage) stores a list prescribing the message IDs included in frames transmitted from the bus 200a as the fraud detection rules (rule set).)
a rule engine configured to update the rule set stored in the storage with a new rule set downloaded from a backend server on an external network, and (Ujiie: Fig. 1; [0124]; according to a notification of new fraud detection rules from the update determining unit 494 (rule engine), the fraud detection rule storing unit 481 updates the previously stored fraud detection rules with the updated fraud detection rules. [0125]; the external communication unit 490 communicates with the server 500 (backend server) via the external network 600, and thereby acquires delivery data including information such as updated fraud detection rules (new rule set) for updating the fraud detection rules.) to …apply the one or more detection techniques to a collected network message to determine whether the collected network message is a security threat message, and (Ujiie: Fig. 1; [0123]; the fraud detection processing unit 480 (rule engine) includes a function of determining whether or not a frame acquired from the bus 200a is malicious, based on the fraud detection rules stored by the fraud detection rule storing unit 481. A list of message IDs which are not malicious, also called a whitelist, is used as the fraud detection rules (detection technique).)
…the second electronic apparatus includes an electronic control unit (ECU) belonging to each of the functional domains, and (Ujiie: Fig. 1; [0057]; the onboard network system 10 is configured to include buses 200a to 200c and respective nodes connected to the buses, such as fraud detecting ECUs 400a to 400c, gateways 300a and 300b, and ECUs such as ECUs 100a to 100e connected to various types of equipment (each node/apparatus includes an ECU for each functional domains like the brake or engine).)
wherein the first electronic apparatus uses …detection techniques… and the second electronic apparatus uses some …detection techniques… (Fig. 1; [0
123]; the fraud detection processing unit 480 includes a function of determining whether or not a frame acquired from the bus 200a is malicious, based on the fraud detection rules stored by the fraud detection rule storing unit 481. A list of message IDs which are not malicious, also called a whitelist, is used as the fraud detection rules (multiple nodes for fraud detection uses a detection technique).)
Ujiie does not explicitly disclose, however Judge teaches,
…a message queue module configured to store network messages collected from the in-vehicle network in a message queue; (Judge: [0034]; associated with each interrogation engine is a queue of indices for communications to be evaluated by the particular interrogation engine. When a communication is received, it is stored and assigned an index (message queue).)
…sequentially apply the one or more detection techniques (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
…wherein the electronic apparatus uses a static detection technique, (Judge: [0071]; policy management 350 allows definition of corporate policies with respect to the particular application in regard to how and what application specific communications are sent, copied or blocked.) a misuse detection technique, (Judge: [0070]; application specific anti-virus protection and anti-spam protection 340 provides support for screening application specific communications for associated viruses and/or spam (signature-based detection per specification [0037]).)  and an anomaly detection technique… (Judge: [0069]; application specific IDS 330 provides realtime monitoring of activities specific to the application server. This may also retrieve information from multiple layers including the application layer, network layer and operating system layer. This compliments a network intrusion detection system by adding an additional layer of application specific IDS monitoring (real-time monitoring based on network state).)
wherein the rule engine included in the first electronic apparatus configured to:
apply to the collected network message the static detection technique, the misuse detection technique, and the anomaly detection technique in an order as recited, and (Judge: [0033]; each received communication is interrogated by a series of interrogation engines of differing types (detection techniques as mapped in the previous limitation). Claim 7; system processor applies each of the plurality of tests in a sequential fashion.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings Judge of into the teachings of Ujiie with a motivation to enhance security of electronic communications by applying different assessment techniques in any particular orders to the collected communication in a queue (Judge: [0031]).
The combination of Ujiie and Judge does not explicitly disclose, however Yu teaches,
bypass a subsequent application of remaining detection techniques to the collected network message when any one of the plurality of detection techniques determines the collected network message as a security threat message. (Yu: Fig. 3; [0034]; responsive to determining the presence of malware while analyzing the malware on the virtual machine, a notification can be sent that a malware has been detected on the virtual machine, and the remaining steps depicted in Fig. 3 can be skipped (bypass additional tests if a malware is found in the earlier test).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Yu into the combination of Ujiie and Judge with a motivation to take different analysis actions when a malware is found, and optionally including other analysis actions or other actions to prevent or minimize any adverse effects of the malware by skipping the remaining detection steps (Yu: [0034]).	Examiner notes that the language “in response to” is preferred over “when” as it is unclear if the limitation is positively recited.
The combination of Ujiie, Judge and Yu does not explicitly disclose, however Jeon teaches,
…wherein the first electronic apparatus includes a central gateway configured to connect the external network with the in-vehicle network or a sub-gateway configured to connect each of functional domains of the in-vehicle network with the central gateway, and… (Jeon: [0011]; a vehicle gateway (central gateway) to support vehicle internal communication network for communications with the at least one ECU and to support vehicle external communication network for communications with a terminal of a service provider.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Jeon into the combination of Ujiie, Judge and Yu with a motivation to provide a communication method for a vehicle, in which an external network node may be connected to an ECU via an Internet Protocol version 6 (IPv6) network to perform a communication by using a vehicle gateway (Jeon: [0011]).


	Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
KUPFER; Samuel B. et al.	US-PGPUB	US 20190081960 A1	methods for in-vehicle network intrusion detection
TERAZAWA; Hiroyasu et al.	US-PGPUB	US 20200220888 A1	in-vehicle network anomaly detection system and in-vehicle network anomaly detection method

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435