DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/07/2022 has been entered.
 
This office action is a response to remarks filed 11/07/2022, wherein claims 1 – 20 are pending and ready for examination.  
Response to Arguments
Applicant's arguments filed 11/07/2022 have been fully considered but they are not persuasive. 
Interview Summary
Applicant Asserts: Initially, Applicants wish to thank Examiner William B. Jones for granting and attending the telephone interview with Morey Wildes, Reg. No. 36,968, and Gad Ben-Gera on November 3, 2022. During the interview, the rejection of independent claim 1 was discussed, as was the prior art citation of Ruvio (full citation below). No agreement was reached, although a potential path for allowance based upon disclosures in the specification was discussed. Applicants expressed an intent to withdraw the appeal in favor of continued prosecution along this potential path for allowance.

Examiner Response:  The Examiner thanks applicant representative for working to advance the prosecution of this application.  The parties met and discussed the merits of Ruvio in light of anticipated amendments.  The Examiner has carefully considered applicant amendments in light of the prior art of record.

Claim Rejections
	35 USC § 102 Rejections

	Applicant Asserts: Ruvio does not operate on a fleet level; rather, Ruvio operates only on a specific vehicle. Ruvio compares data received from a specific vehicle to data known to be normal for that specific vehicle, and, upon detecting a mismatch between received data and data that is known to be “normal”, Ruvio determines that a malicious activity is changing sensor data of the specific vehicle before the data is sent out from the specific vehicle.

	Examiner Response: Ruvio at location [0088] teaches vehicle 501 sends data to a third party server 513 over network 514. For example, vehicle 501 may send out the data to server 513 of an insurance company that requires insured vehicles to transmit safety data.  Here, the claimed ‘fleet level’ is taught by Ruvio as ‘insured vehicles’ since there is more than one vehicle(s) being served by server 513 and the vehicles are related by having the same insurer.  Hence, the insurer has a fleet of insured vehicles requiring the transmission of safety data.

Applicant Asserts:  Moreover, because Ruvio does not operate on a fleet of vehicles, Ruvio does not disclose or suggest sending data from a set of sensors units installed in a respective set of vehicles to “a server included in a security operations center (SOC) managing cyber-security of the fleet”. In contrast, as described in the present Application, correlation of data from a plurality of vehicles in a fleet enables identifying events that occurred at the same time in a plurality of vehicles in the fleet (see paragraph [0067] of the application as filed), and/or identifying that the same IP addresses or domain name servers (DNSs) are used by a plurality of vehicles (see paragraph [0060] of the application as filed).

Applicant, therefore, respectfully submits that Ruvio does not teach or suggest each and every element of amended independent claim 20. In light of the above discussion, Applicant requests that the Examiner withdraw the 35 U.S.C. § 102(a)(1) rejection of amended independent claim 20.

Examiner Response: In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., identifying IP address) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

	35 USC § 103 Rejections
Applicant Asserts: However, Holzhauer is also silent as to the above-recited elements of amended independent claim 20. While amended independent claims 1 and 9 include limitations different from amended independent claim 20, the above arguments with respect to amended independent claim 20 apply to amended independent claims 1 and 9 as well, such that amended independent claims 1 and 9 are therefore allowable over the combination of Ruvio and Holzhauer. Each of claims 2-8 and 10-19 depends from one of amended independent claims 1 and 9, and is thus likewise allowable.  In light of the above discussion, Applicant requests that the Examiner withdraw the 35 U.S.C. § 103 rejection of claims 1-19.
Examiner Response:  Applicant's arguments are based on allegations that Ruvio does not teach a cybersecurity fleet.  The Examiner differs and incorporates the previous response to the assertion that Ruvio does not teach a fleet as referenced by the Examiner under the 35 USC 102 rejection of Claim 20, below.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.



Claim 20 is rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ruvio; Guy et al, US 20190036946 (corresponding to PCT/IL2016/051033), March 19, 2018, hereafter referred to as Ruvio.

               As to claim 20, Ruvio teaches a method - Ruvio [0029] FIG. 1C is a flowchart of a method for identification of malicious activity within one or more computing unit components installed in the vehicle from the perspective of the computing unit.  Here, the claimed ‘method’ is taught by Ruvio as ‘flowchart’) of providing cyber-security – Ruvio [0045] ... The systems and/or methods (e.g., code instructions stored in a data storage device executable by one or more processors) described herein improve an underlying process within the technical field of network security, in particular, within the technical field of security of networks installed within vehicles  Here, the claimed ‘providing cyber-security’ is taught by Ruvio as ‘improve...security of networks...vehicles’ since improving security is clearly providing security), to a fleet of vehicles - Ruvio [0088] ....vehicle 501 sends data to a third party server 513 over network 514. For example, vehicle 501 may send out the data to server 513 of an insurance company that requires insured vehicles to transmit safety data. Here, the claimed ‘fleet of vehicles’ is taught by Ruvio as ‘insured vehicles’ since there is more than one vehicle(s) having common attributes or service and being served by the same company server 513) the method comprising:
                obtaining, by a set of sensors units installed in a respective set of vehicles, data related to cyber security and sending the data to a server - Ruvio [0141] … the server tags the received sensor data with a tag indicative of an association with malicious activity, (i.e., when malicious activity is identified). The sensor data associated with malicious activity may be used to create a dataset of sensor data defined as associated with malicious activity. The updated statistical classifier is able to more accurately detect the presence of the malicious activity in other computing units of other vehicles.  Here, the claimed ‘obtaining’ is taught by Ruvio as ‘received’ whereas the claimed ‘units installed’ is taught by Ruvio as ‘sensor data’ because the sensor data is generated from sensors installed in the fleet vehicle.  The claimed ‘data related to cyber security’ is taught by Ruvio as ‘malicious activity’ resulting in a data set whereas the claimed ‘sending’ is taught by Ruvio as ‘the received sensor data’ since if received the data had to be sent) included in a security operations center (SOC) managing cyber-security of the fleet – Ruvio [0086] Server 512 may be implemented, for example, as a central server... Server 512 may provide services to one or more computing units 504 (acting as client terminals) by providing software as a service (SAAS), providing an application installed on computing units 504 that communicates with server 512, and/or providing functions using remote access sessions.  Here, the claimed ‘operations center’ is taught by Ruvio as ‘a central server’ whereas the claimed ‘managing cyber-security’ is taught by Ruvio as ‘provide services’ because the sensor data generated from sensors may indicate malicious activity as further taught by Ruvio at [0042]); and 
           correlating the data from a plurality of vehicles in the fleet – Ruvio [0042] ... the analysis is performed based on a comparison between the sensor data received from the computing unit of the vehicle, and sensor data designated as normal operation received from other vehicles. Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity. Here, the claimed ‘correlating’ is taught by Ruvio as ‘statistical correlation requirement’ whereas the claimed ‘plurality of vehicles’ is taught by Ruvio as ‘received from other vehicles’); and             
            identifying by the server a cyber-threat related to at least one of: a fleet and a vehicle in the fleet - Ruvio [0131] … at 414, the server tags the received sensor data with a tag indicative of an association with malicious activity, (i.e., when malicious activity is identified). The sensor data associated with malicious activity may be used to create a dataset of sensor data defined as associated with malicious activity. The dataset maybe used to update the statistical classifier using the sensor data and tag. The updated statistical classifier is able to more accurately detect the presence of the malicious activity in other computing units of other vehicles. Here, the claimed ‘identifying’ is taught by Ruvio as ‘using the sensor data and tag’.  The claimed ‘a vehicle in the fleet’ is taught by Ruvio as ‘sensor data and tag’ since each tag is associated with one sensor detection unit in a single vehicle in the fleet);
           based on identifying, in the data – Ruvio [0042] Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity. The server architecture collects data from other vehicles, to create the sensor data designated as normal. Here, the claimed ‘identifying’ is taught by Ruvio as ‘server architecture collects data’), at least one of:
                       an attribute which is common to a plurality of vehicles in the fleet – Ruvio [0005] … The foreseeable exploits of the vehicle data integrity might lead to data theft, such as: license plates and other vehicle registration data; vehicle location information. Here, the claimed ‘common attribute’ is taught by Ruvio as ‘license plates’ because all vehicles in the fleet would have a data construct labeled ‘license plates’ as an identifying attribute), and 
                        an event occurring in a plurality of vehicles in the fleet – Ruvio [0110] The sensor data and the data sent out by the vehicle may be time stamped, to compare data generated at the same time. The sample sizes that are compared may be compared based on time, geography, and/or events (e.g., deployment of airbag.  Here, the claimed ‘event’ is taught by Ruvio as ‘deployment of airbag’). 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Ruvio, in view of Holzhauer; Daniel Francis et al, US 20180316701, November 1, 2018, hereafter referred to as Holzhauer.

            As to claim 1, Ruvio teaches a system for providing cyber-security - Ruvio [0002] The present invention…relates to vehicle data communication networks and…to systems and methods for detecting malicious activity in vehicle data communication networks) to a fleet of vehicles - Ruvio [0088] ... vehicle 501 sends data to a third party server 513 over network 514. For example, vehicle 501 may send out the data to server 513 of an insurance company that requires insured vehicles to transmit safety data. Here, the claimed ‘fleet of vehicles’ is taught by Ruvio as ‘insured vehicles’ since there is more than one vehicle(s) having common attributes or service and being served by the same company server 513), the system comprising: 
              a server included in a security operations center (SOC) managing cyber-security of the fleet, the system – Ruvio [0086] Server 512 may be implemented, for example, as a central server... Server 512 may provide services to one or more computing units 504 (acting as client terminals) by providing software as a service (SAAS), providing an application installed on computing units 504 that communicates with server 512, and/or providing functions using remote access sessions.  Here, the claimed ‘a server’ is taught by Ruvio as ‘Server 512’ whereas the claimed ‘operations center’ is taught by Ruvio as ‘a central server’ whereas the claimed ‘managing cyber-security’ is taught by Ruvio as ‘provide services’ because the sensor data generated from sensors may indicate malicious activity as further taught by Ruvio at [0042]) comprising:
              a memory - Ruvio [0066] System 500 may implement the acts of the method of FIG. 1A-C, for example, by processing unit 502A of computing unit 504A executing code instructions (optionally, malicious activity detection code 510A as described herein) stored in a program store 506A. Here, the claimed ‘memory’ is taught by Ruvio as ‘506A’; and
              a processor  - Ruvio [0066] System 500 may implement the acts of the method of FIG. 1A-C, for example, by processing unit 502A of computing unit 504A executing code instructions (optionally, malicious activity detection code 510A as described herein) stored in a program store 506A. Here, the claimed ‘processor’ is taught by Ruvio as ‘processing unit 502A’) adapted to:
              receive from a plurality of data collection units (DCUs) installed in a respective plurality of vehicles in the fleet, a plurality of reports, the reports including information collected by the DCUs and related to cyber security - Ruvio [95] Exemplary data sent out from the vehicle to the computing unit includes: insurance data, safety data, car payment systems, driver authentication data. The data sent out from the vehicle is computed from the sensor data collected by one or more sensors 522 installed in vehicle 501. Here, the claimed ‘plurality of reports’ is taught by Ruvio as ‘data sent out’ since the sensors are reporting stations sending data.  The claimed ‘the reports’ are individual and are taught by Ruvio as ‘insurance, safety, and driver authentication data’ because dataset addresses a different sensor report/message.  The claimed ‘DCUs’ is taught by Ruvio as ‘sensors 522’ whereas the claimed ‘related to cybersecurity’ is taught by Ruvio as ‘safety data’. Here, the claimed ‘data collection units (DCUs)’ is taught by Ruvio as ‘multiple sensors’ whereas the claimed ‘cyber security’ is taught by Ruvio as ‘received for analysis ...malicious activity’ because analyzing data is a cybersecurity function); 
               correlating the reports from the plurality of vehicles in the fleet – Ruvio [0042] ... the analysis is performed based on a comparison between the sensor data received from the computing unit of the vehicle, and sensor data designated as normal operation received from other vehicles. Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity. Here, the claimed ‘correlating’ is taught by Ruvio as ‘statistical correlation requirement’ whereas the claimed ‘plurality of vehicles’ is taught by Ruvio as ‘received from other vehicles’); and    
              identify, based on the correlation, that at least one of: the fleet and a vehicle in the fleet is under a cyber-attack – Ruvio [0066 and 0131] since at ’66 one or more functions described with reference to FIG. 1A-C may be performed by server 512, for example, by processing unit 502B of server 512 executing code instructions (optionally, malicious activity detection code 510A) stored in a program store 506B and/or data repository 508B since at ‘131 the server tags the received sensor data with a tag indicative of an association with malicious activity, (i.e., when malicious activity is identified.  Here, the claimed ‘identification’ is taught by Ruvio as ‘Fig. 1A’ since the Figure 1A depicts step 414 which updates classifier with malicious activity) based on identifying, in the reports, at least one of:
                       an attribute which is common to a plurality of vehicles in the fleet – Ruvio [0128] ... The analysis may be performed by correlating the received sensor data with data defined as normal operation without malicious activity according to one or more common unified internal parameters.  Here, the claimed ‘attribute...that is common’ is taught by Ruvio as ‘common unified ... parameters’), and 
                        an event occurring in a plurality of vehicles in the fleet – Ruvio [0110] The sensor data and the data sent out by the vehicle may be time stamped, to compare data generated at the same time. The sample sizes that are compared may be compared based on time, geography, and/or events (e.g., deployment of airbag.  Here, the claimed ‘event’ is taught by Ruvio as ‘deployment of airbag’. RUVIO DOES NOT TEACH the fleet and a vehicle in the fleet is under cyber-attack, HOWEVER HOLZHAUER TEACHES the fleet and a vehicle in the fleet is under cyber-attack – Holzhauer [0065] ... an Independent System Operator ("ISO") might make predictive contingency responses based on the fleet attack information. Here, the claimed ‘fleet is under cyber-attack’ is taught by Ruvio as ‘fleet attack information’.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio Server processing unit 502 with Holzhauer’s Independent System Operation for fleet management.  Ruvio indeed considers vehicle cyber-attacks but is silent on community-of-interest or corporal asset management of a fleet of vehicles.  With Holzhauer, Ruvio can expand security from discrete vehicles to corporal or industrially owned vehicles for greater control.  Ruvio motivation to use Holzhauer stems from the need to move from physical safety of the vehicle to the security of data and information generated by the vehicle as taught by Ruvio at location [0004]).

              As to claim 2, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein identifying the cyber-attack is based on at least one of: 
              correlating information in the reports with data stored on the server - Ruvio [0105] The correlation may be performed by computing unit 504 installed at vehicle 501, and/or computing unit 504 implemented within server 512. Here, the claimed ‘correlating information’ is taught by Ruvio as ‘The correlation’ whereas the claimed ‘the server’ remains the central server ‘server 512’, which is different from ‘a server’ such as server 510A coupled to the central server); and
              correlating information in the reports with server logs - Ruvio [0005] At 408, the received sensor data is analyzed by the server. The analysis may be performed by correlating the received sensor data with data defined as normal operation without malicious activity Here, the claimed ‘correlating information’ is taught by Ruvio as ‘The correlation’) related to a communication of DCUs with the server - Ruvio [0074] Sensor data monitoring agent 520 (e.g., code instructions stored in a program store executed by one or more processors) may monitor the data outputted by sensor(s) 522, by one or more of: a splitter (or other component) to receive the data outputted by sensor(s) 522, at network(s) 501B, at TCU 501A, and/or at ECU 501C. Network 501B, TCU 501A, and/or ECU 501C may be monitored, for example, by packet sniffing code that monitors packets, network sniffing code that monitors network traffic, packet and/or network analyzer code that analyzes transmitted data, and/or other methods. whereas the claimed ‘server logs’ is taught by Ruvio as ‘analyzed by server’ since data received by the server is logged or stored for processing hence a server log. Here, the claimed ‘DCUs’ is taught by Ruvio as ‘sensor(s) 522’).

              As to claim 3, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to identify the cyber-attack based on aggregating data in reports from at least one of: a dealership, a service facility and a component in at least one of the vehicles - Ruvio [0050] The systems and/or methods described herein provide a unique, particular, and advanced technique of collecting and analyzing data dynamically from multiple sensors installed in the vehicle, to identify the presence of malicious activity within the vehicle network.   Here, the claimed ‘aggregating data’ is taught by Ruvio as ‘collecting and analyzing data’ whereas the claimed ‘component’ is taught by Ruvio as ‘multiple sensors installed in the vehicle’).

               As to claim 4, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein:
            the DCUs are adapted to include, in the reports, codes identifying service entities – Ruvio [0115] ... The output message may be used as a trigger for further investigation to determine whether the data is compromised by malicious activity, or another reason (e.g., error in manufacturing, program crash, data transmission errors). The investigation may be performed automatically by code (e.g., anti-malicious code software) and/or manually (e.g., by an administrator. Here, the claimed ‘reports,’ is taught by Ruvio as ‘output message’ whereas the claimed ‘codes’ is taught by Ruvio as ‘by code’.  The claimed ‘service entities’ is taught by Ruvio as ‘an administrator’ or even malicious code software); and
            the server is adapted to use the received codes to associate a service entity with a cyber threat – Ruvio [0038] ... the malicious activity is detected at a server external to the vehicle, by code instructions that perform the correlation of the sensor data (transmitted by the vehicle to the server) with the data sent out by the vehicle to the server and/or to a third party server that forwards the data sent out by the vehicle to the server. Here, the claimed ‘adapted to use’ is taught by Ruvio as ‘by code instructions’ whereas the claimed ‘associate a service entity’ is taught by Ruvio as ‘to a third party server’ since providing forwarding services).  

            As to claim 5, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to:
             classify an event based on relating the event to one or more recorded events – Ruvio [0043] … when the malicious activity is identified, the associated sensor data is tagged with a tag indicative of the association with malicious activity. The sensor data and the tag may be stored by the server and used to update a statistical classifier (or other code) to detect the presence of similar malicious activity in the computing unit of another vehicle). Here, the claimed ‘classify’ is taught by Ruvio as ‘tagged’ because the tag identifies malicious activity whereas the claimed ‘event’ is taught by Ruvio as ‘activity’ such as deployment of an airbag as further taught by Ruvio at [0082].  The claimed ‘recorded events’ is taught by Ruvio as ‘tagged with a tag’ since tagging records an association with malicious activity and sensor data); and identify a cyber-attack based on the classification – Holzhauer [0038 and 0065] since at ‘38. Abnormalities may be detected by classifying the monitored data as being “normal” or disrupted (or degraded). This decision boundary may be constructed using dynamic models and may help to enable early detection of vulnerabilities (and potentially avert catastrophic failures) since at ‘65... Fleet-wide cyber-attack decision algorithms may then be executed at S830, and warnings, local alerts, fleet-wide alerts, etc. may be output as appropriate at S840.
 Here, the claimed ‘identify’ is taught by Holzhauer as ‘detected’ since the attack has already occurred a method to mitigate the decision is required.  The claimed ‘based on the classification’ is taught by Holzhauer as ‘by decision boundary’ which is the basis of the classifying.  The rationale to incorporate Holzhauer feature into Ruvio system in claim 1 applies here in claim 5).

               As to claim 6, the combination of Ruvio and Holzhauer teaches the system of claim 5, wherein the server is adapted to identify a false positive detection based on the classification - Holzhauer [0042] Some embodiments of the algorithm may utilize feature-based learning techniques based on high fidelity physics models…detection may occur with more precision using multiple signals, making the detection more accurate with less false positives.  Here, the claimed ‘adapted to identify’ is taught by Holzhauer as ‘high fidelity models’ because it is what is used to make detection more likely whereas the claimed ‘false positive’ is taught by Holzhauer as ‘less false positives’.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio machine learning classifier to incorporate Holzhauer’s tuned high fidelity equipment models that recursively reduce the rate of false positives.  Ruvio does not explicitly cite recursive iteration for reducing false positives but Holzhauer provides this feature. The incorporation of Holzhauer enables Ruvio to simultaneously monitor many different industrial assets (e.g., each containing many different sensors and other sources of data) in substantially real time thereby creating a suitable threat detection system to protect a fleet of industrial assets from cyber threats in an automatic and accurate manner).

               As to claim 7, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to identify previously undetected threats by correlating historical data with newly identified hacks - Holzhauer [0050] In order to decide whether or not these signals 612, 622, 632, 642 are truly currently under attack, a historical batch with pertinent feature vector information may be kept for some duration of time. Then when an attack is detected on another signal, this batch is examined. Here, the claimed ‘adapted to identify’ is taught by Holzhauer as ‘a historical batch’ because referencing this data adapts the server to make a determination/detection.  The claimed ‘undetected threats’ is taught by Holzhauer as ‘truly currently under attack’). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio machine learning classifier to incorporate Holzhauer’s historical data to correlate new threats.  Ruvio does not explicitly cite use of historical data and trends but Holzhauer provides this feature. The incorporation of Holzhauer batch reference provides a go-to reference that enhances Ruvio ability to provide solutions for decision-support).

               As to claim 8, the combination of Ruvio and Holzhauer teaches the system of claim 1, wherein the server is adapted to identify a cyber-threat based on correlating data received from a plurality of DCUs in a vehicle - Ruvio [0074] Sensor data monitoring agent 520 (e.g., code instructions stored in a program store executed by one or more processors) may monitor the data outputted by sensor(s) 522, by one or more of: a splitter (or other component) to receive the data outputted by sensor(s) 522, at network(s) 501B, at TCU 501A, and/or at ECU 501C. Network 501B, TCU 501A, and/or ECU 501C may be monitored, for example, by packet sniffing code that monitors packets, network sniffing code that monitors network traffic, packet and/or network analyzer code that analyzes transmitted data, and/or other methods. whereas the claimed ‘server logs’ is taught by Ruvio as ‘analyzed by server’ since data received by the server is logged or stored for processing hence a server log. Here, the claimed ‘DCUs’ is taught by Ruvio as ‘sensor(s) 522’).

             As to claim 9, Ruvio teaches a method of providing fleet cyber-security to a fleet of vehicles - Ruvio [0002] The present invention…relates to vehicle data communication networks and…to systems and methods for detecting malicious activity in vehicle data communication networks) to a fleet of vehicles - Ruvio [0088] ... vehicle 501 sends data to a third party server 513 over network 514. For example, vehicle 501 may send out the data to server 513 of an insurance company that requires insured vehicles to transmit safety data. Here, the claimed ‘fleet of vehicles’ is taught by Ruvio as ‘insured vehicles’ since there is more than one vehicle(s) having common attributes or service and being served by the same company server 513), the method comprising:     
           examining, by a server included in a security operations center (SOC) managing cyber-security of the fleet - Ruvio [0041] ... The server analyzes the sensor data to identify the presence of malicious activity within the computing unit of the vehicle. The server architecture provides centralized monitoring of the integrity of computing units of multiple vehicles.   Here, the claimed ‘examining’ is taught by Ruvio as ‘server analyzes’ since it examines data for malicious activity. The claimed ‘security operations center (SOC)’ is taught by Ruvio as ‘server architecture’ which includes other servers for ‘centralized monitoring’. The claimed ‘fleet’ is taught here as ‘other vehicles’), data in reports received from a plurality of data collection units (DCUs), the DCUs installed in a respective plurality of vehicles in the fleet, - Ruvio [0041] ...The sensor data is collected from one or more sensors that measure one or more parameters of the vehicle. The server analyzes the sensor data to identify the presence of malicious activity within the computing unit of the vehicle. The server architecture provides centralized monitoring of the integrity of computing units of multiple vehicles.  Here, the claimed ‘data’ is taught by Ruvio as ‘sensor data’) the reports including information related to cyber security – Ruvio [0042] ... the analysis is performed based on a comparison between the sensor data received from the computing unit of the vehicle, and sensor data designated as normal operation received from other vehicles. Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity. Here, the claimed ‘reports’ is taught by Ruvio as ‘sensor data received’ whereas the claimed ‘plurality of vehicles’ is taught by Ruvio as ‘received from other vehicles’.  The claimed ‘information related to cyber security’ is taught by Ruvio as ‘presence of malicious activity’);
               correlating the reports from the plurality of vehicles in the fleet – Ruvio [0042] ... the analysis is performed based on a comparison between the sensor data received from the computing unit of the vehicle, and sensor data designated as normal operation received from other vehicles. Deviation from normal (e.g., according to a statistical correlation requirement, and/or as computed by a statistical classifier) is indicative of the presence of malicious activity. Here, the claimed ‘correlating’ is taught by Ruvio as ‘statistical correlation requirement’ whereas the claimed ‘plurality of vehicles’ is taught by Ruvio as ‘received from other vehicles’.  RUVIO DOES NOT TEACH and
             identifying, based on the correlation, by the server, that at least one of:
 the fleet and a vehicle in the fleet is under a cyber-attack, based on identifying, in the data, at least one of: HOWEVER, HOLZHAUER TEACHES and
             identifying, based on the correlation, by the server, that at least one of:
 the fleet and a vehicle in the fleet is under cyber-attack – Holzhauer [0065] ... an Independent System Operator ("ISO") might make predictive contingency responses based on the fleet attack information. Here, the claimed ‘identifying’ is taught by Holzhauer as ‘make predictive responses’ whereas the claimed ‘the server’ is taught by Holzhauer as ‘ISO’.  The claimed ‘fleet is under cyber-attack’ is taught by Holzhauer as ‘fleet attack information’ an attribute which is common to a plurality of vehicles in the fleet - Holzhauer [0026] ... For example, the industrial fleet protection system might “over-ride” the locally determined decision boundary with a different decision boundary (e.g., based on information learned from attacks on other industrial assets). Note that the industrial asset may also transmit information to the industrial fleet protection system. This information might include, for example, an abnormal state alert, an industrial asset feature vector, an industrial asset global feature vector.  Here, the claimed ‘attribute which is common’ is taught by Holzhauer as ‘an industrial asset global feature vector’ because the vector describes a global or common feature of the fleet), and 
              an event occurring in a plurality of vehicles in the fleet - Holzhauer [0045] During real-time detection, contiguous batches of monitoring node data may be processed by the platform 350, normalized and the feature vector extracted. The location of the vector for each signal in high-dimensional feature space may then be compared to a corresponding decision boundary (including a decision boundary dictated by the industrial fleet protection system). If it falls within the attack region, then a cyber-attack may be declared. Here, the claimed ‘event occurring’ is taught by Holzhauer as ‘real-time detection’.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Holzhauer’s ability to detect cyber attacks and their feature vectors in real time.  Ruvio is silent in teaching an attack is underway but is focused on analysis of sensory data to prevent malicious activity.  Holzhauer provides an immediate system for detecting that an attack is underway.  Incorporating Holzhauer with Ruvio provides for instant alert that an attack is underway thereby enhancing Ruvio’s security system.

            As to claim 10, the combination of Ruvio and Holzhauer teaches the method of claim 9, wherein identifying the cyber-attack is based on at least one of: 
              correlating information in the reports with data stored on the server - Ruvio [0105] The correlation may be performed by computing unit 504 installed at vehicle 501, and/or computing unit 504 implemented within server 512. Here, the claimed ‘correlating information’ is taught by Ruvio as ‘The correlation’ whereas the claimed ‘the server’ remains the central server ‘server 512’, which is different from ‘a server’ such as server 510A coupled to the central server); and
              correlating information in the reports with server logs - Ruvio [0005] At 408, the received sensor data is analyzed by the server. The analysis may be performed by correlating the received sensor data with data defined as normal operation without malicious activity. Here, the claimed ‘correlating information’ is taught by Ruvio as ‘The correlation’) related to a communication of DCUs with the server - Ruvio [0074] Sensor data monitoring agent 520 (e.g., code instructions stored in a program store executed by one or more processors) may monitor the data outputted by sensor(s) 522, by one or more of: a splitter (or other component) to receive the data outputted by sensor(s) 522, at network(s) 501B, at TCU 501A, and/or at ECU 501C. Network 501B, TCU 501A, and/or ECU 501C may be monitored, for example, by packet sniffing code that monitors packets, network sniffing code that monitors network traffic, packet and/or network analyzer code that analyzes transmitted data, and/or other methods. whereas the claimed ‘server logs’ is taught by Ruvio as ‘analyzed by server’ since data received by the server is logged or stored for processing hence a server log. Here, the claimed ‘DCUs’ is taught by Ruvio as ‘sensor(s) 522’).

               As to claim 11, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising identify the cyber-attack based on aggregating reports from at least one of: a dealership, a service facility and a component in at least one of the vehicles - Ruvio [0050] The systems and/or methods described herein provide a unique, particular, and advanced technique of collecting and analyzing data dynamically from multiple sensors installed in the vehicle, to identify the presence of malicious activity within the vehicle network.   Here, the claimed ‘aggregating data’ is taught by Ruvio as ‘collecting and analyzing data’ whereas the claimed ‘component’ is taught by Ruvio as ‘multiple sensors installed in the vehicle’).

         As to claim 12, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising: including, in the reports, codes identifying service entities – Ruvio [0115] ... The output message may be used as a trigger for further investigation to determine whether the data is compromised by malicious activity, or another reason (e.g., error in manufacturing, program crash, data transmission errors). The investigation may be performed automatically by code (e.g., anti-malicious code software) and/or manually (e.g., by an administrator). Here, the claimed ‘reports,’ is taught by Ruvio as ‘output message’ whereas the claimed ‘codes’ is taught by Ruvio as ‘by code’.  The claimed ‘service entities’ is taught by Ruvio as ‘an administrator’); and using the received codes to associate a service entity with a cyber threat - Holzhauer [0028] The threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130 comprising data from sensor nodes, actuator nodes, and/or any other critical monitoring nodes (e.g., monitoring nodes MN.sub.1 through MN.sub.N), to calculate one or more “features” for each monitoring node based on the received data, and “automatically” output a threat alert signal to one or more remote monitoring devices 170 when appropriate (e.g., for display to an operator). Here, the claimed ‘received codes’ is taught by Ruvio as ‘received data’ whereas the claimed ‘service entity’ is taught by Ruvio as ‘actuator node’ since the node provides a particular enabling service to the network.  The rationale to incorporate the features of Holzhauer into Ruvio in claim 9 applies here in claim 12).

           As to claim 13, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising:
            classifying, by the server, an event based on relating the event to one or more recorded events – Ruvio [0043] … when the malicious activity is identified, the associated sensor data is tagged with a tag indicative of the association with malicious activity. The sensor data and the tag may be stored by the server and used to update a statistical classifier (or other code) to detect the presence of similar malicious activity in the computing unit of another vehicle). Here, the claimed ‘classify’ is taught by Ruvio as ‘tagged’ because the tag identifies malicious activity whereas the claimed ‘event’ is taught by Ruvio as ‘activity’ such as deployment of an airbag as further taught by Ruvio at [0082].  The claimed ‘recorded events’ is taught by Ruvio as ‘tagged with a tag’ since tagging records an association with malicious activity and sensor data); and identifying a cyber-attack based on the classification – Holzhauer [0038 and 0065] since at ‘38. Abnormalities may be detected by classifying the monitored data as being “normal” or disrupted (or degraded). This decision boundary may be constructed using dynamic models and may help to enable early detection of vulnerabilities (and potentially avert catastrophic failures) since at ‘65... Fleet-wide cyber-attack decision algorithms may then be executed at S830, and warnings, local alerts, fleet-wide alerts, etc. may be output as appropriate at S840.  
 Here, the claimed ‘identify’ is taught by Holzhauer as ‘detected’ since the attack has already occurred a method to mitigate the decision is required.  The claimed ‘based on the classification’ is taught by Holzhauer as ‘by decision boundary’ which is the basis of the classifying.  The rationale to incorporate Holzhauer feature into Ruvio system in claim 9 applies here in claim 13).

              As to claim 14, the combination of Ruvio and Holzhauer teaches the method of claim 13, comprising identifying a false positive detection based on the classification - Holzhauer [0042] ... Some embodiments of the algorithm may utilize feature-based learning techniques based on high fidelity physics models…detection may occur with more precision using multiple signals, making the detection more accurate with less false positives.  Here, the claimed ‘identifying’ is taught by Holzhauer as ‘detection’ because it is what is used to make detection more likely whereas the claimed ‘false positive’ is taught by Holzhauer as ‘less false positives’.  The claimed ‘classification’ is taught by Holzhauer as ‘feature-based’ since the algorithm associates or groups data based on its characteristics or attributes.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio’s machine learning classifier to incorporate Holzhauer’s tuned high fidelity equipment models that recursively reduce the rate of false positives.  Reducing false positive detection based on classifications increases proficiency in identifying data security).

              As to claim 15, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising identifying previously undetected threats by correlating historical data with newly identified hacks - Holzhauer [0050] In order to decide whether or not these signals 612, 622, 632, 642 are truly currently under attack, a historical batch with pertinent feature vector information may be kept for some duration of time. Then when an attack is detected on another signal, this batch is examined. Here, the claimed ‘adapted to identify’ is taught by Holzhauer as ‘a historical batch’ because referencing this data adapts the server to make a determination/detection.  The claimed ‘undetected threats’ is taught by Holzhauer as ‘truly currently under attack’). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ruvio’s machine learning classifier to incorporate Holzhauer’s historical data to correlate new threats.  Ruvio does not explicitly cite use of historical data and trends but Holzhauer provides this feature.  Ruvio would be motivated to consider Holzhauer because security in fleet vehicles becomes an even bigger concern with autonomous vehicles, and even more so with driverless cars as taught by Ruvio at location [0004]).

           As to claim 16, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising identifying a cyber-threat based on correlating data received from a plurality of DCUs in a vehicle - Ruvio [0074] Sensor data monitoring agent 520 (e.g., code instructions stored in a program store executed by one or more processors) may monitor the data outputted by sensor(s) 522, by one or more of: a splitter (or other component) to receive the data outputted by sensor(s) 522, at network(s) 501B, at TCU 501A, and/or at ECU 501C. Network 501B, TCU 501A, and/or ECU 501C may be monitored, for example, by packet sniffing code that monitors packets, network sniffing code that monitors network traffic, packet and/or network analyzer code that analyzes transmitted data, and/or other methods. whereas the claimed ‘server logs’ is taught by Ruvio as ‘analyzed by server’ since data received by the server is logged or stored for processing hence a server log. Here, the claimed ‘DCUs’ is taught by Ruvio as ‘sensor(s) 522’).

          As to claim 17, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising: including, in the reports, geolocation information; and using the geolocation information to associate a cyber threat with a location. – Ruvio [0120] Optionally, the data is categorized and/or labeled according to one or more unified internal parameters. The categories improve the ability to detect the malicious activity, by defining what is normal operation for certain conditions. telematics based insurance indicators, payment gateways indicators, location indicators, vehicle-to-vehicle communication indicators, weather, geographical location, time of day, and day of the year. Here, the claimed ‘in the reports’ in this case is taught by Ruvio as ‘data categorized and/or labeled’ which denotes formatting the report whereas the claimed ‘geolocation information’ is taught by Ruvio as ‘geographical location’ and the claimed ‘cyberthreat’ is taught by Ruvio as ‘malicious activity’).
    
          As to claim 18, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising:
            including, in the reports – Ruvio [0177] receiving at the server, from a computing unit installed in a vehicle, at least one sensor data acquired by at least one sensor associated with the vehicle.  Here, the claimed ‘in the reports’ is taught by Ruvio as ‘receiving at the server’ because data received from the vehicle is a report characterized as a first data framework taught by Ruvio in the preceding paragraph), connectivity information – Ruvio [0184] the unified internal parameters are selected from the group consisting of:  …cellular communication network indicators… home area network indicators.  Here, the claimed ‘connectivity information’ is taught by Ruvio as ‘cellular…home area network indicators’ because they indicate connection endpoints); and
                  using the connectivity information to associate a cyber-threat with a communication entity – Ruvio [0182] the method further comprises tagging the received at least one sensor data with a tag indicative of an association with malicious activity).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Ruvio, in view of Holzhauer and in further view of Dhurandhar; Amit et al, US 20140358839 A1, December 04, 2014 hereafter referred to as Dhurandhar.  

                As to claim 19, the combination of Ruvio and Holzhauer teaches the method of claim 9, comprising: including, in the reports – Ruvio [0177] receiving at the server, from a computing unit installed in a vehicle, at least one sensor data acquired by at least one sensor associated with the vehicle.  Here, the claimed ‘in the reports’ is taught by Ruvio as ‘receiving at the server’ because data received from the vehicle is a report characterized as a first data framework taught by Ruvio in the preceding paragraph), weather conditions – Ruvio [0184] the unified internal parameters are selected from the group consisting of:  …weather. RUVIO AND HOLZHAUER DO NOT TEACH and using the weather conditions to identify false positive detection, HOWEVER DHURANDHAR TEACHES and
                  using the weather conditions to identify false positive detection  - Dhurandhar [0035] ... AMS data volumes that are often not warehoused in a way that readily support analytics; the development and use of analytics that have low false-positive rates so that utility revenue assurance teams can better allocate their revenue protection investigative and enforcement resources; and identifying, obtaining, and cleansing additional (possibly third party) data such as weather and household and demographic characteristics. These data are critical for building better analytical models of household energy use. Here, the claimed ‘weather conditions’ is taught by Dhurandhar as ‘weather characteristics’ whereas the claimed ‘false-positive detection’ is taught by Dhurandhar as ‘low false-positive rates’ since referencing AMS data may reveal false assumptions which, when incorporated into the use of analytics would yield clean data.   It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Ruvio and Holzhauer with data cleansing logic for better data accuracy since environmental factors can affect sensor reporting.  The combination of Ruvio and Holzhauer is silent on using cleansing logic and tools to ensure better accuracy.  Eliminating false positives improves security).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM B JONES/Examiner, Art Unit 2491
11/17/2022