DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
The IDS filed 7/8/2021, the IDS filed 11/8/2021, and the IDS filed 5/11/2022 have been considered.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 2, 5-11, and 14-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Maeda et al. (U.S. Patent Application Publication Number 2019/0149561), hereinafter referred to as Maeda.
Regarding claim 1, Maeda discloses a method for defending against attacks, comprising: acquiring an instruction set, wherein the instruction set comprises: at least one instruction for controlling state of a vehicle (paragraph 128, receives message, and paragraph 63, message is CAN protocol message); comparing each instruction in the instruction set with at least one attack instruction in an attack behavior knowledge base respectively to determine a maximum similarity value corresponding to each instruction, wherein each attack instruction is acquired by performing attack analysis on a chained data set of at least one on-board component (paragraph 129, determines whether message matches communication pattern of attack message, and paragraph 98, derives and identifies communication patterns); and for any instruction in the instruction set, determining a type of the instruction and processing tactics for the instruction according to the maximum similarity value corresponding to the instruction and a preset similarity range (paragraph 129, final comprehensive determination, and paragraph 88, determines whether or not message is an attack message).
Regarding claim 2, Maeda discloses wherein, the determining a type of the instruction and processing tactics for the instruction according to the maximum similarity value corresponding to the instruction and a preset similarity range, comprises: determining that the type of the instruction is an illegal instruction and the processing tactics for the instruction is blocking, in case that the maximum similarity value corresponding to the instruction is greater than or equal to an upper limit of the preset similarity range (paragraph 145, transfer not performed for attack message); determining that the type of the instruction is a safe instruction and the processing tactics for the instruction is running, in case that the maximum similarity value corresponding to the instruction is less than a lower limit of the preset similarity range (paragraph 146, transfer performed for normal message); and determining that the type of the instruction is a suspicious instruction, and the processing tactics is to make a second determination on the suspicious instruction, in case that the maximum similarity value corresponding to the instruction is less than the upper limit of the preset similarity range and greater than or equal to the lower limit of the preset similarity range (paragraph 225, additional determination made for gray message).
Regarding claim 5, Maeda discloses wherein the acquisition instruction set comprises: acquiring an external data set, wherein the external data set comprises at least one of following information: information collected by an on-board infotainment system IVI, information collected by an on-board T-BOX and information collected by a CAN gateway; preprocessing the external data set to acquire a standardized instruction set (paragraph 61, gateway for transferring messages, and paragraph 3, CAN standard).
Regarding claim 6, Maeda discloses a method for defending against attacks, comprising: receiving a data set sent by an on-board terminal, wherein the data set comprises: source data corresponding to at least one suspicious instruction, associated data of the source data and a vehicle inspection report (paragraph 225, additional determination made for gray message, and paragraph 224, gray message and information related to gray message, and paragraph 226, state of vehicle); for each suspicious instruction, analyzing chained data of the suspicious instruction based on the source data corresponding to the suspicious instruction, the associated data of the source data and the vehicle inspection report (paragraph 227, makes additional determination based on multiple messages as system of data), and determining an attack analysis result of the suspicious instruction, wherein the attack analysis result is used to indicate whether the suspicious instruction is actually an illegal instruction or a safe instruction (paragraph 129, final comprehensive determination, and paragraph 88, determines whether or not message is an attack message); sending the attack analysis result of the suspicious instruction to the on-board terminal (paragraph 129, notification of results of the determining).
Regarding claim 7, Maeda discloses wherein the analyzing chained data of the suspicious instruction based on the source data corresponding to the suspicious instruction, the associated data of the source data, and the vehicle inspection report, and determining an attack analysis result of the suspicious instruction, comprises: determining entry information, indication information, and impact information on a vehicle corresponding to the suspicious instruction according to the source data corresponding to the suspicious instruction and the associated data of the source data; and determining the attack analysis result of the suspicious instruction according to the entry information, the indication information and the impact information on the vehicle corresponding to the suspicious instruction (paragraph 129, determines whether message matches communication pattern of attack message, and paragraph 98, derives and identifies communication patterns).
Regarding claim 8, Maeda discloses generating update information according to the attack analysis result of the at least one suspicious instruction, wherein the update information comprises update contents of an attack behavior knowledge base and/or update contents of a scanning module in the on-board terminal; sending the update information to the on-board terminal (paragraph 93, stores information related to attack messages).
Regarding claim 9, Maeda discloses before the generating update information according to the attack analysis result of the at least one suspicious instruction, the method further comprises: acquiring a chained data set of at least one on-board component, wherein the chained data set comprises: source data collected by the corresponding on-board component and associated data of the source data; establishing an attack behavior knowledge base model of each on-board component based on the chained data set of the each on-board component; quantifying the attack behavior knowledge base model of the at least one on-board component to acquire the attack behavior knowledge base that comprises at least one attack instruction; sending the attack behavior knowledge base to the on-board terminal (paragraph 165, model used as communication pattern for determination).
Regarding claim 10, Maeda discloses an apparatus for defending against attacks, comprising at least one processor; and a memory communicatively connected with the at least one processor (paragraph 53, processor and memory); wherein, the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the processor to implement operations comprising: acquiring an instruction set that comprises: at least one instruction for controlling state of a vehicle (paragraph 128, receives message, and paragraph 63, message is CAN protocol message); comparing each instruction in the instruction set with at least one attack instruction in an attack behavior knowledge base respectively to determine a maximum similarity value corresponding to each instruction, wherein each attack instruction is acquired by performing attack analysis on a chained data set of at least one on-board component (paragraph 129, determines whether message matches communication pattern of attack message, and paragraph 98, derives and identifies communication patterns); and with regard to any instruction in the instruction set, determining a type of the instruction and processing tactics for the instruction according to the maximum similarity value corresponding to the instruction and a preset similarity range (paragraph 129, final comprehensive determination, and paragraph 88, determines whether or not message is an attack message).
Regarding claim 11, Maeda discloses wherein the at least one processor is further enabled to implement operations comprising: determining that the type of the instruction is an illegal instruction and the processing tactics for the instruction is blocking, in case that the maximum similarity value corresponding to the instruction is greater than or equal to an upper limit of the preset similarity range (paragraph 145, transfer not performed for attack message); determining that the type of the instruction is a safe instruction and the processing tactics for the instruction is running, in case that the maximum similarity value corresponding to the instruction is less than a lower limit of the preset similarity range (paragraph 146, transfer performed for normal message); and determining that the type of the instruction is a suspicious instruction, and the processing tactics is to make a second determination on the suspicious instruction, in case that the maximum similarity value corresponding to the instruction is less than the upper limit of the preset similarity range and greater than or equal to the lower limit of the preset similarity range (paragraph 225, additional determination made for gray message).
Regarding claim 14, Maeda discloses wherein the at least one processor is further enabled to implement operation comprising: acquiring an external data set, wherein the external data set comprises at least one of following information: information collected by an on-board infotainment system IVI, information collected by an on-board T-BOX and information collected by a CAN gateway; and preprocessing the external data set to acquire a standardized instruction set (paragraph 61, gateway for transferring messages, and paragraph 3, CAN standard).
Regarding claim 15, Maeda discloses an apparatus for defending against attacks, comprising at least one processor; and a memory communicatively connected with the at least one processor; wherein, the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the processor to implement the method of claim 6 (paragraph 53, processor and memory).
Regarding claim 16, Maeda discloses wherein the at least one processor is further enabled to implement operations comprising: determining entry information, indication information, and impact information on a vehicle corresponding to the suspicious instruction according to the source data corresponding to the suspicious instruction and the associated data of the source data; and determining the attack analysis result of the suspicious instruction according to entry information, the indication information and the impact information on the vehicle corresponding to the suspicious instruction (paragraph 129, determines whether message matches communication pattern of attack message, and paragraph 98, derives and identifies communication patterns).
Regarding claim 17, Maeda discloses wherein the at least one processor is further enabled to implement operations comprising: generating update information according to the attack analysis result of the at least one suspicious instruction, and the update information comprises update contents of an attack behavior knowledge base and/or update contents of a scanning module in the on-board terminal; and sending the update information to the on-board terminal (paragraph 93, stores information related to attack messages).
Regarding claim 18, Maeda discloses wherein the at least one processor is further enabled to implement operations comprising: acquiring a chained data set of at least one on-board component before the processing module generates the update information according to the attack analysis result of the at least one suspicious instruction, wherein the chained data set comprises: source data collected by the on-board component and associated data of the source data; and establishing an attack behavior knowledge base model of each on-board component based on the chained data set of the each on-board component, and quantifying the attack behavior knowledge base model of the at least one on-board component so as to acquire the attack behavior knowledge base that comprises at least one attack instruction; and sending the attack behavior knowledge base to the on-board terminal (paragraph 165, model used as communication pattern for determination).
Regarding claim 19, Maeda discloses a non-transitory computer-readable storage medium having computer instructions stored thereon, wherein the computer instructions are used for causing a computer to execute the method of claim 1 (paragraph 55, non-transitory computer-readable recording medium stores program).
Regarding claim 20, Maeda discloses a non-transitory computer-readable storage medium having computer instructions stored thereon, wherein the computer instructions are used for causing a computer to execute the method of claim 6 (paragraph 55, non-transitory computer-readable recording medium stores program).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 4, 12, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Maeda in view of Zhang et al. (U.S. Patent Application Publication Number 2015/0150124) as cited on the applicant’s IDS dated 11/8/2021, hereinafter referred to as Zhang.
Maeda disclosed techniques for detecting unauthorized activity in an onboard network system.  In an analogous art, Zhang disclosed techniques for defending against threats to an on-board computer system.  Both systems are directed toward detecting and protecting against attacks on a vehicle.
Regarding claim 3, Maeda discloses wherein, after the determining that the type of the instruction is a suspicious instruction, the method further comprises: determining a data set corresponding to the suspicious instruction, wherein the data set comprises: source data corresponding to the suspicious instruction, associated data of the source data, and a vehicle inspection report (paragraph 224, gray message and information related to gray message, and paragraph 226, state of vehicle); receiving an attack analysis result of the suspicious instruction, wherein the attack analysis result is determined through analyzing the chained data corresponding to the suspicious instruction based on the data set; and determining whether the type of the suspicious instruction is the illegal instruction or the safe instruction according to the attack analysis result of the suspicious instruction (paragraph 227, makes additional determination based on multiple message as system of data).
Maeda does not explicitly state sending the data set to a cloud server, and receiving the attack analysis result of the suspicious instruction from the cloud server, wherein the attack analysis result is determined by the cloud server.  However, utilizing a cloud server in such a fashion was well known in the art as evidenced by Zhang.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Maeda by adding the ability for sending the data set to a cloud server, and receiving the attack analysis result of the suspicious instruction from the cloud server, wherein the attack analysis result is determined by the cloud server as provided by Zhang (see paragraph 51, on-board module transmits data to Security Cloud and receives results of analysis).  One of ordinary skill in the art would have recognized the benefit that providing for attack analysis at a cloud server would assist in detecting attacks and ensuring proper functioning of a vehicle (see Zhang, paragraph 3).
Regarding claim 4, the combination of Maeda and Zhang discloses receiving update information sent by the cloud server, wherein the update information comprises update contents of the attack behavior knowledge base and/or update contents of a scanning module in an on-board terminal; updating, according to the update information, the attack behavior knowledge base and/or the scanning module in the on-board terminal (Maeda, paragraph 93, stores information related to attack messages, and Zhang, paragraph 47, Security Cloud provides updated threat information to on-board module).
Regarding claim 12, Maeda discloses wherein the at least one processor is further enabled to implement operations comprising: determining a data set corresponding to the suspicious instruction after the type of the instruction is determined as the suspicious instruction, and the data set comprises: source data corresponding to the instruction, associated data of the source data and a vehicle inspection report (paragraph 224, gray message and information related to gray message, and paragraph 226, state of vehicle); receiving an attack analysis result of the suspicious instruction, wherein the attack analysis result is determined by analyzing chained data corresponding to the suspicious instruction based on the data set; and determining that the type of the suspicious instruction is the illegal instruction or the safe instruction according to the attack analysis result of the suspicious instruction (paragraph 227, makes additional determination based on multiple message as system of data).
Maeda does not explicitly state sending the data set to a cloud server, and receiving the attack analysis result of the suspicious instruction from the cloud server.  However, utilizing a cloud server in such a fashion was well known in the art as evidenced by Zhang.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Maeda by adding the ability for sending the data set to a cloud server, and receiving the attack analysis result of the suspicious instruction from the cloud server as provided by Zhang (see paragraph 51, on-board module transmits data to Security Cloud and receives results of analysis).  One of ordinary skill in the art would have recognized the benefit that providing for attack analysis at a cloud server would assist in detecting attacks and ensuring proper functioning of a vehicle (see Zhang, paragraph 3).
Regarding claim 13, the combination of Maeda and Zhang discloses wherein the at least one processor is further enabled to implement operations comprising: receiving update information sent by the cloud server, and the update information comprises update contents of the attack behavior knowledge base and/or update contents of a scanning module in an on-board terminal; and updating the attack behavior knowledge base and/or the scanning module in the on-board terminal according to the update information (Maeda, paragraph 93, stores information related to attack messages, and Zhang, paragraph 47, Security Cloud provides updated threat information to on-board module).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Yan et al. (U.S. Patent Application Publication Number 2016/0021127) disclosed techniques for detecting potential security attacks against a vehicle networking through an OBD-II port.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493