DETAILED ACTION
The following is a Final Office action in response to applicants’ amendment and remarks filed on 09/20/2022.  Claims 1, 2, 6-8, 16, and 17 have been amended, and Claims 12-15 have been canceled.  Therefore, Claims 1-11, 16, and 17 are currently pending and have been considered as follows.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
In view of applicants’ amendment to Claims 2, 6-8 and 17, the 35 U.S.C. 112(b) rejection of Claims 2, 6-8, and 17 is withdrawn.
In view of applicants’ amendment to Claim 1, the claim interpretation under 35 U.S.C. 112(f) is hereby withdrawn.  Therefore, amended Claim 1 and dependent Claims 2-11 do not invoke 35 U.S.C. 112(f).
Applicants’ amendment of independent Claims 1, 16, and 17 regarding addition of the new limitations “a corresponding threshold value is independently set for each anomaly location… the threshold value corresponding to the anomaly location” has changed the scope of the claimed invention.  Therefore, applicants’ remarks filed 09/20/2022 have been fully considered but are moot because the amendment has necessitated new ground(s) of rejection where applicants’ arguments do not apply to the updated reference(s) for any teaching or matter specifically challenged in the argument.
Regarding page 9 of the remarks filed 09/20/2022, applicants argued that “Galula et al. fails… to teach or suggest setting different threshold values for each anomaly location, as recited by claim 1”, but it is noted that the features upon which applicants rely (i.e., setting different threshold values for each anomaly location) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Claim 1 (and related independent claims) only recites a single “anomaly location”, and under the broadest reasonable interpretation, the amended limitation “a corresponding threshold value is independently set for each anomaly location” would mean there could only be one threshold value being set for one anomaly location.  Applicants’ claimed inventive scope covers embodiments where only a single threshold value is set for a single anomaly location.  Nothing in the claims positively recites a plurality of anomaly locations nor different threshold values.  For at least these reasons, Galula does teach “the at least one processor is further configured to determine to implement countermeasures when the anomaly amount is equal to or greater than the threshold value corresponding to the anomaly location” (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]).
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-8 and 11 are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter.
Amended independent Claim 1 recites “A security management device comprising at least one processor configured to…”, but the broadest reasonable interpretation of “processor” includes entirely software embodiments (e.g. software engine, application/code, and/or virtual processor (vCPU)) in light of applicants’ specification which does not expressly define the scope of “processor” to be exclusively limited to hardware embodiments.  Therefore, the device of Claim 1 fails to limit applicants’ invention to only that which is tied to a particular machine or hardware and results in a claim which could constitute entirely software per se which does not fall within any of the statutory classes of invention (i.e. process, machine, article of manufacture, or composition of matter).  Because the full scope of Claim 1 as properly read in light of the specification encompasses non-statutory subject matter, Claim 1 is rejected under 35 U.S.C. § 101 for reciting non-patentable subject matter.
Dependent Claims 2-8 and 11, which depend upon Claim 1, are also rejected under 35 U.S.C. § 101 because they do not recite additional limitations that would bring them in conformance under 35 U.S.C. § 101 as statutory subject matter.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-11, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over GALULA et al. (US 20160381067 A1, hereinafter Galula) in view of Shields et al. (US 20180076955 A1, hereinafter Shields).
As to Amended Claim 1:
Galula discloses a security management device (e.g. Galula “A system and method according to some embodiments of the invention may include or use one or more computing devices in order to detect or identify security threats, detect or identify events or states that may jeopardize the security or proper function of a system and/or a network. In some embodiments and as described, one or more computing devices may be used in order to enforce security in network. For example, a system according to some embodiments may include one or more computing devices 100 as described herein” [0036]; [0037]; [0038]) comprising at least one processor (e.g. Galula computing device’s controller, processor CPU, etc. [0037]; security enforcement units SEU [0038]) configured to:
manage an anomaly location of an anomaly (e.g. Galula “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]) in a system in which electronic controllers are connected through a network (e.g. Galula “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]; ECUs on high-speed CAN bus [0077]; in-vehicle network [0078]), and an anomaly amount in the anomaly location (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]);
determine whether or not to implement countermeasures against the anomaly based on the anomaly location and the anomaly amount (e.g. Galula “If one or more of the counts or counters exceeds its respective maximum then, as shown by block 535, a flow may include generating an alert that a number of detected anomalies requires attention and/or undertake any, or any combination of more than one, of various response actions to log and/or report the anomalies, and or, to mitigate, and/or control an effect that the anomalous messages MSG(IDn) or their cause may have on vehicle 30 and/or on an in-vehicle network” [0105]; “an SEU may determine a message related to an anomaly based on a confidence level. In some embodiments, an SEU may select whether or not to perform an action and/or select an action to be performed based on a confidence level that may be determined with respect to an identification of an anomaly” [0214]; [0233]; [0235]; “An SEU may select, per ID, whether or not to perform an action based on a confidence level or value. For example, based on data in a model, an SEU may take no action if incompliance with a model is identified with a confidence level or value of 0.3 for messages with ID seven (“7”) but may alert or disconnect a node from a network, if incompliance the same confidence level of 0.3, for messages with ID six (“6”) is detected” [0236]); and
output an instruction based on a determination result about whether or not to implement countermeasures (e.g. Galula “an SEU may perform one or more actions, e.g., the SEU may isolate a portion of the network from the rest of the in-vehicle communication network in order to isolate the source of the message” [0213]; “Upon, or based on identifying an anomaly or a message related to an anomaly, e.g., an anomaly related to content as described, an SEU may select to perform one or more actions, e.g., disable a component connected to a network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert” [0216]; “An action may be selected based on a confidence level or value… may generate an alert if an anomaly… may disconnect from a network the node that sends the messages with the specific ID” [0237]), wherein;
the at least one processor is further configured to determine to implement countermeasures when the anomaly amount is equal to or greater than the threshold value corresponding to the anomaly location (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]);
But Galula does not specifically disclose:
a corresponding threshold value is independently set for each anomaly location.
However, the analogous art Shields does disclose a corresponding threshold value is independently set for each anomaly location (e.g. Shields: different nodes may be configured to have differing thresholds for anomaly events and response execution [0202]; each node having their own physical position [0233] that is mapped [0236]; nodes could be automotive engine control modules [0029]; vehicle gateway device [0032]).  Galula and Shields are analogous art because they are from the same field of endeavor in anomaly threshold management at networked controller nodes including those used in vehicles.
(e.g. see Shields, “the functions associated with the steps or blocks may be described in terms of various nodes (e.g., the nodes 221, 222, 223), when their respective controllers or processors are actually performing the various functions” [0045]; “the diagnostic configuration device and communication nodes to be provisioned may be located in a physically secure environment (e.g., a network in an access-controlled factory environment)” [0088]; “FIG. 9 is a flowchart of a method for anomaly detection in the security groups of FIG. 7. In an embodiment, communication nodes such as the node 100 (FIG. 1), the first node 221 (FIG. 2) or the first node 710 (FIG. 7), may include an anomaly detection and response function which performs the method 900 depicted in FIG. 9. The method 900 can be used, for example, to detect communication anomalies, generate a hypothesis as to the cause of the anomaly and execute a response… An anomaly detection and response function may be located, independently in each communication node (e.g., within the first node 221)” [0189]; “the processing unit 321 may process this information by comparing the port metrics and ODSP anomaly metrics to one or more corresponding threshold values. Such threshold values may be fixed or variable. The threshold values may further be set or modified by, for example, the controller 705” [0191]; “In each of the above examples, thresholds and responses may be configured by the network operator using, for example, configuration server 210, or the controller 705. Definitions of anomaly metrics and thresholds may be loaded to each node during provisioning or after deployment. Different nodes may be configured to have differing thresholds. For example, a node may be configured to generate an anomaly event with a low threshold if the node is involved in highly sensitive communication, such as a financial transaction. A higher threshold may be established, or a simpler logical combining of metrics may be used for nodes performing less critical roles” [0202]; [0207]; [0208]; each node having their own physical position [0233]; “The collective positions can also be formatted as a physical coverage map having the positions of all of the nodes within the DSG 1240” [0236]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Galula and Shields before him or her, to modify the invention of Galula with the teachings of Shields to include a corresponding threshold value is independently set for each anomaly location as claimed because Galula provides a system and method for detection and management of anomalous transmission in communication networks using thresholds (Galula [Abstract]-[0271]) which may be configured differently for different nodes having their own physical positions (Shields [0045]; [0088]; [0189]; [0191]; [0202]; [0207]; [0208]; [0233]; [0236]).  The suggestion/motivation for doing so would have been to involve multiple thresholds with different responses based on specifically positioned nodes (Shields [0200]; [0201]; [0202]).  Therefore, it would have been obvious to combine Galula and Shields to obtain the invention as specified in the instant claim(s).
As to Amended Claim 2:
Galula in view of Shields discloses the security management device according to claim 1, wherein the anomaly location is identified as a layer of a hierarchy whose reference layer is an external communication electronic controller configured to communicate with a device located outside of the system (e.g. Galula FIG. 1C “FIG. 1C that shows a schematic block diagram of components of a system 60 according to illustrative embodiments of the present invention. As shown, system 60 may include an in-vehicle CAN 61 communication network analyzed or protected by a set of SEUs (e.g., SEU similar to SEUs 40), in accordance embodiments of the present invention. FIG. 1C shows a schematic block diagram of portions of an in-vehicle communication network that may be CAN 61 and CAN 71. As shown, an in-vehicle communication network that may include two portions (e.g., CAN 61 and CAN 71) may be protected by a set of SEUs 40A, 40B, 40C and 40D that may protect the network and specific control systems included in vehicle 30” [0074]; “The control systems and/or their respective components may be connected to, for example, high-speed and medium-speed CAN buses (or other bus bars or systems as known in the art) 61 and 71. For example, medium-speed CAN bus 71 may be a class B CAN bus that operates at data transmission speeds of up to 125 kilobits per second (Kbps), to support communications between nodes, such as components of vehicle body control systems and infotainment systems that can function properly receiving and transmitting data at relatively low data transmission rates. By way of example, medium-speed CAN bus 71 is schematically shown connected to nodes that are, as shown, headlights 72, instrument display 73, environment control 74, door control 75 and rear light control 76” [0075]; [0079]; wireless communication interface for entities outside of or external to the in-vehicle communication network [0085]; external hub [0120]).


As to Claim 3:
Galula in view of Shields discloses the security management device according to claim 1, wherein the anomaly location is identified as a set of the electronic controllers having a specific function (e.g. Galula ECUs of various control systems for engine control, suspension control, traction control, gearbox control, etc. [0077]; “a context may be related to an in-vehicle network (e.g., an intrusion to the network was detected) and a context may be related to nodes attached to an in-vehicle network (e.g., a fault in, or malfunction of, a node or component attached to the in-vehicle network detected). A context may be a combination of contexts or a complex context. For example, with respect to table 590, if a vehicle is accelerating and the engine is running then a combined or complex context as defined and used by an SEU 40 may be “A/B”. For example, a context of “A/B” may be treated, or identified, by an embodiment, as normal while a context of “A” without “B” may indicate an anomaly or even real danger” [0127]; “a plurality of ECUs connected to an in-vehicle network; receive a data communication associated with one of the ECUs; compare, the received data communication with the behavior model or examine the received data communication with respect to the behavior model; determine, based on the comparing or examination, whether or not the received data communication complies with the behavior model; and, if the data communication does not comply with the model then perform, at least one action related to the message” [0203]).


As to Claim 4:
Galula in view of Shields discloses the security management device according to claim 1, wherein the anomaly amount is a number of times the anomaly occurred (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]).
As to Claim 5:
Galula in view of Shields discloses the security management device according to claim 1, wherein the anomaly amount is (i) a time length for which the anomaly continued, (ii) a size of abnormal data, or (iii) a number of abnormal data (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]).
As to Amended Claim 6:
Galula in view of Shields discloses the security management device according to claim 1, wherein the threshold values are smaller as the corresponding anomaly location is farther from an external communication electronic controller (e.g. Galula wireless communication interface for entities outside of or external to the in-vehicle communication network [0085]; “Several SEUs, each installed in a different network may be linked together by at least one common external hub. The hub may orchestrate and manage the parameters of the SEUs in all these networks. For example, several vehicles in a fleet may all be communicating with the same hub, which may issue configuration updates to all the SEUs in the fleet. The hub may be cloud based” [0120] where applicants’ Claim 1 only supports a single threshold value since only one anomaly location is recited).
As to Amended Claim 7:
Galula in view of Shields discloses the security management device according to claim 1, wherein the system is mounted on a moving object (e.g. Galula FIG. 1B components in-vehicle [0038]; “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]),  and the threshold value for the anomaly location that is any one of the electronic controllers for controlling a component of the moving object is the smallest (e.g. Galula “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]).
As to Amended Claim 8:
Galula in view of Shields discloses the security management device according to claim 1, wherein the threshold value for the anomaly location that is a communication line between the electronic controllers is smaller than the threshold value for another anomaly location that is the electronic controller (e.g. Galula “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]).
As to Claim 9:
Galula in view of Shields discloses the security management device according to claim 1, wherein the security management device is provided in one or more electronic controllers in the system (e.g. Galula “Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “For example, the components shown in FIG. 1B, e.g., on board, or in-vehicle, security enforcement units (SEUs) 40 (as further described herein) may be, or may include components of, computing device 100. For example, by executing executable code 125 stored in memory 120, controller 105, e.g., when included in a security enforcement unit as described, may be configured to carry out a method of enforcing security, signal analysis and/or cyber-security” [0038]; “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]).
As to Claim 10:
Galula in view of Shields discloses the security management device according to claim 1, wherein the security management device is provided in one or both of a central electronic controller and an external communication electronic controller (e.g. Galula “Computing device 100 may include a controller 105 that may be, for example, a central processing unit processor (CPU), a chip or any suitable computing or computational device, an operating system 115, a memory 120, executable code 125, a storage system 130 that may include a model 136, input devices 135 and output devices 140. Controller 105 (or one or more controllers or processors, possibly across multiple units or devices) may be configured to carry out methods described herein, and/or to execute or act as the various modules, units, etc. More than one computing device 100 may be included in, and one or more computing devices 100 may act as the components of, a system according to embodiments of the invention” [0037]; “Several SEUs, each installed in a different network may be linked together by at least one common external hub. The hub may orchestrate and manage the parameters of the SEUs in all these networks. For example, several vehicles in a fleet may all be communicating with the same hub, which may issue configuration updates to all the SEUs in the fleet. The hub may be cloud based” [0120]).
As to Claim 11:
Galula in view of Shields discloses the security management device according to claim 1, wherein the security management device is provided outside the system (e.g. Galula “Several SEUs, each installed in a different network may be linked together by at least one common external hub. The hub may orchestrate and manage the parameters of the SEUs in all these networks. For example, several vehicles in a fleet may all be communicating with the same hub, which may issue configuration updates to all the SEUs in the fleet. The hub may be cloud based” [0120]).
As to Amended Claim 16:
Galula discloses a security management method (e.g. Galula “A system and method according to some embodiments of the invention may include or use one or more computing devices in order to detect or identify security threats, detect or identify events or states that may jeopardize the security or proper function of a system and/or a network. In some embodiments and as described, one or more computing devices may be used in order to enforce security in network. For example, a system according to some embodiments may include one or more computing devices 100 as described herein” [0036]; [0037]; [0038]) comprising:
acquiring an anomaly location of an anomaly in a system in which a plurality of electronic controllers are connected through a network (e.g. Galula “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]; “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]; ECUs on high-speed CAN bus [0077]; in-vehicle network [0078]), and an anomaly amount in the anomaly location (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]);
determining whether or not to implement countermeasures against the anomaly based on the anomaly location and the anomaly amount (e.g. Galula “If one or more of the counts or counters exceeds its respective maximum then, as shown by block 535, a flow may include generating an alert that a number of detected anomalies requires attention and/or undertake any, or any combination of more than one, of various response actions to log and/or report the anomalies, and or, to mitigate, and/or control an effect that the anomalous messages MSG(IDn) or their cause may have on vehicle 30 and/or on an in-vehicle network” [0105]; “an SEU may determine a message related to an anomaly based on a confidence level. In some embodiments, an SEU may select whether or not to perform an action and/or select an action to be performed based on a confidence level that may be determined with respect to an identification of an anomaly” [0214]; [0233]; [0235]; “An SEU may select, per ID, whether or not to perform an action based on a confidence level or value. For example, based on data in a model, an SEU may take no action if incompliance with a model is identified with a confidence level or value of 0.3 for messages with ID seven (“7”) but may alert or disconnect a node from a network, if incompliance the same confidence level of 0.3, for messages with ID six (“6”) is detected” [0236]); and
outputting an instruction based on a determination result in the determining (e.g. Galula “an SEU may perform one or more actions, e.g., the SEU may isolate a portion of the network from the rest of the in-vehicle communication network in order to isolate the source of the message” [0213]; “Upon, or based on identifying an anomaly or a message related to an anomaly, e.g., an anomaly related to content as described, an SEU may select to perform one or more actions, e.g., disable a component connected to a network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert” [0216]; “An action may be selected based on a confidence level or value… may generate an alert if an anomaly… may disconnect from a network the node that sends the messages with the specific ID” [0237]), wherein;
the security management method further comprises determining to implement countermeasures when the anomaly amount is equal to or greater than the threshold value corresponding to the anomaly location (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]);
But Galula does not specifically disclose:
a corresponding threshold value is independently set for each anomaly location.
However, the analogous art Shields does disclose a corresponding threshold value is independently set for each anomaly location (e.g. Shields: different nodes may be configured to have differing thresholds for anomaly events and response execution [0202]; each node having their own physical position [0233] that is mapped [0236]; nodes could be automotive engine control modules [0029]; vehicle gateway device [0032]).  Galula and Shields are analogous art because they are from the same field of endeavor in anomaly threshold management at networked controller nodes including those used in vehicles.
(e.g. see Shields, “the functions associated with the steps or blocks may be described in terms of various nodes (e.g., the nodes 221, 222, 223), when their respective controllers or processors are actually performing the various functions” [0045]; “the diagnostic configuration device and communication nodes to be provisioned may be located in a physically secure environment (e.g., a network in an access-controlled factory environment)” [0088]; “FIG. 9 is a flowchart of a method for anomaly detection in the security groups of FIG. 7. In an embodiment, communication nodes such as the node 100 (FIG. 1), the first node 221 (FIG. 2) or the first node 710 (FIG. 7), may include an anomaly detection and response function which performs the method 900 depicted in FIG. 9. The method 900 can be used, for example, to detect communication anomalies, generate a hypothesis as to the cause of the anomaly and execute a response… An anomaly detection and response function may be located, independently in each communication node (e.g., within the first node 221)” [0189]; “the processing unit 321 may process this information by comparing the port metrics and ODSP anomaly metrics to one or more corresponding threshold values. Such threshold values may be fixed or variable. The threshold values may further be set or modified by, for example, the controller 705” [0191]; “In each of the above examples, thresholds and responses may be configured by the network operator using, for example, configuration server 210, or the controller 705. Definitions of anomaly metrics and thresholds may be loaded to each node during provisioning or after deployment. Different nodes may be configured to have differing thresholds. For example, a node may be configured to generate an anomaly event with a low threshold if the node is involved in highly sensitive communication, such as a financial transaction. 
A higher threshold may be established, or a simpler logical combining of metrics may be used for nodes performing less critical roles” [0202]; [0207]; [0208]; each node having their own physical position [0233]; “The collective positions can also be formatted as a physical coverage map having the positions of all of the nodes within the DSG 1240” [0236]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Galula and Shields before him or her, to modify the invention of Galula with the teachings of Shields to include a corresponding threshold value is independently set for each anomaly location as claimed because Galula provides a system and method for detection and management of anomalous transmission in communication networks using thresholds (Galula [Abstract]-[0271]) which may be configured differently for different nodes having their own physical positions (Shields [0045]; [0088]; [0189]; [0191]; [0202]; [0207]; [0208]; [0233]; [0236]).  The suggestion/motivation for doing so would have been to involve multiple thresholds with different responses based on specifically positioned nodes (Shields [0200]; [0201]; [0202]).  Therefore, it would have been obvious to combine Galula and Shields to obtain the invention as specified in the instant claim(s).
As to Amended Claim 17:
Galula discloses a computer program product stored on a non-transitory computer readable medium and comprising instructions configured to (e.g. Galula “providing security to an in-vehicle communication network may include a non-transitory computer readable medium or computer storage medium (e.g., memory 120 or memory 45) including instructions (e.g., executable code 125) that, when executed by at least one processor (e.g., controller 105), cause the at least one processor to perform methods” [0133]), when executed by a security management device, cause the security management device to:
acquire an anomaly location of an anomaly in a system in which a plurality of electronic controllers are connected through a network (e.g. Galula “an SEU may determine a component connected to an in-vehicle communication network is malfunctioning… an SEU may identify faulty components on a network. In some embodiments, an SEU may generate an indication related to a malfunctioning component, e.g., generate or raise an alert as described” [0213]; “a system may include or may be, for example, a plurality of components that include a respective plurality of central processing units, e.g., a plurality of SEUs as described, a plurality of SEUs embedded in an on board, or in-vehicle, system or network, a plurality of chips, FPGAs or SOCs, a plurality of computer or network devices, or any other suitable computing device” [0044]; ECUs on high-speed CAN bus [0077]; in-vehicle network [0078]), and an anomaly amount in the anomaly location (e.g. Galula “level of confidence that an anomaly was indeed detected may be dependent on a combination factors, e.g., the node who sent the relevant message, the type of message, the message ID and/or the specific method used for detecting the anomaly. 
For example, the number of messages for which a threshold related to content was breached, e.g., the number of sequential (or back-to-back) of messages in which a content related was threshold may be used in order to determine a confidence level” [0215]; “A device in an embodiment (e.g., an SEU 40) may calculate a confidence level or value of a message being related to an anomaly based on a ratio of anomalous message (or breaches or violations of thresholds) to a time period” [0216]; “For example, based on data in a model, an SEU may identify or determine an anomaly if more than five (“5”) counter mismatches are detected during a ten (“10”) seconds time period in messages received from traction control unit 64 and may identify or determine an anomaly if more than seven (“7”) counter mismatches are detected, during a ten (“10”) seconds time period, in messages received from anti-skid braking unit 66. Accordingly, identifying or determining an anomaly based on a mismatch rate may further be based on a source or a message or an ID” [0230]; “if over a time period of 10 seconds as measured by an SEU, a set of timestamps in received messages represents a time period of 30 seconds (e.g., the difference between the last and first timestamps in the set is 30) then the SEU may determine that one or more of the received messages is anomalous, e.g., injected into a network by an attacker” [0243]);
determine whether or not to implement countermeasures against the anomaly based on the anomaly location and the anomaly amount (e.g. Galula “If one or more of the counts or counters exceeds its respective maximum then, as shown by block 535, a flow may include generating an alert that a number of detected anomalies requires attention and/or undertake any, or any combination of more than one, of various response actions to log and/or report the anomalies, and or, to mitigate, and/or control an effect that the anomalous messages MSG(IDn) or their cause may have on vehicle 30 and/or on an in-vehicle network” [0105]; “an SEU may determine a message related to an anomaly based on a confidence level. In some embodiments, an SEU may select whether or not to perform an action and/or select an action to be performed based on a confidence level that may be determined with respect to an identification of an anomaly” [0214]; [0233]; [0235]; “An SEU may select, per ID, whether or not to perform an action based on a confidence level or value. For example, based on data in a model, an SEU may take no action if incompliance with a model is identified with a confidence level or value of 0.3 for messages with ID seven (“7”) but may alert or disconnect a node from a network, if incompliance the same confidence level of 0.3, for messages with ID six (“6”) is detected” [0236]); and
output an instruction based on the determination result about whether or not to implement countermeasures (e.g. Galula “an SEU may perform one or more actions, e.g., the SEU may isolate a portion of the network from the rest of the in-vehicle communication network in order to isolate the source of the message” [0213]; “Upon, or based on identifying an anomaly or a message related to an anomaly, e.g., an anomaly related to content as described, an SEU may select to perform one or more actions, e.g., disable a component connected to a network, activate a component connected to the network, block a message, delay a message, limit a frequency of a message type, log a message and/or generate an alert” [0216]; “An action may be selected based on a confidence level or value… may generate an alert if an anomaly… may disconnect from a network the node that sends the messages with the specific ID” [0237]), wherein;
the instructions are further configured to cause the security management device to determine to implement countermeasures when the anomaly amount is equal to or greater than the threshold value corresponding to the anomaly location (e.g. Galula “As shown by decision block 551, a flow may include determining whether or not the total count for MSGΔ(IDn) is equal to, or greater than, a maximum value stored in a CMxMSGΔ(IDn) counter, and, if it is then, as shown by block 553, a flow may include raising an alarm and/or undertakes one or more response actions such as optionally those noted with respect to block 535” [0108]; threshold value [0113]; [0123]);
But Galula does not specifically disclose:
a corresponding threshold value is independently set for each anomaly location.
However, the analogous art Shields does disclose a corresponding threshold value is independently set for each anomaly location (e.g. Shields: different nodes may be configured to have differing thresholds for anomaly events and response execution [0202]; each node having their own physical position [0233] that is mapped [0236]; nodes could be automotive engine control modules [0029]; vehicle gateway device [0032]).  Galula and Shields are analogous art because they are from the same field of endeavor in anomaly threshold management at networked controller nodes including those used in vehicles.
(e.g. see Shields, “the functions associated with the steps or blocks may be described in terms of various nodes (e.g., the nodes 221, 222, 223), when their respective controllers or processors are actually performing the various functions” [0045]; “the diagnostic configuration device and communication nodes to be provisioned may be located in a physically secure environment (e.g., a network in an access-controlled factory environment)” [0088]; “FIG. 9 is a flowchart of a method for anomaly detection in the security groups of FIG. 7. In an embodiment, communication nodes such as the node 100 (FIG. 1), the first node 221 (FIG. 2) or the first node 710 (FIG. 7), may include an anomaly detection and response function which performs the method 900 depicted in FIG. 9. The method 900 can be used, for example, to detect communication anomalies, generate a hypothesis as to the cause of the anomaly and execute a response… An anomaly detection and response function may be located, independently in each communication node (e.g., within the first node 221)” [0189]; “the processing unit 321 may process this information by comparing the port metrics and ODSP anomaly metrics to one or more corresponding threshold values. Such threshold values may be fixed or variable. The threshold values may further be set or modified by, for example, the controller 705” [0191]; “In each of the above examples, thresholds and responses may be configured by the network operator using, for example, configuration server 210, or the controller 705. Definitions of anomaly metrics and thresholds may be loaded to each node during provisioning or after deployment. Different nodes may be configured to have differing thresholds. For example, a node may be configured to generate an anomaly event with a low threshold if the node is involved in highly sensitive communication, such as a financial transaction. 
A higher threshold may be established, or a simpler logical combining of metrics may be used for nodes performing less critical roles” [0202]; [0207]; [0208]; each node having their own physical position [0233]; “The collective positions can also be formatted as a physical coverage map having the positions of all of the nodes within the DSG 1240” [0236]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Galula and Shields before him or her, to modify the invention of Galula with the teachings of Shields to include a corresponding threshold value is independently set for each anomaly location as claimed because Galula provides a system and method for detection and management of anomalous transmission in communication networks using thresholds (Galula [Abstract]-[0271]) which may be configured differently for different nodes having their own physical positions (Shields [0045]; [0088]; [0189]; [0191]; [0202]; [0207]; [0208]; [0233]; [0236]).  The suggestion/motivation for doing so would have been to involve multiple thresholds with different responses based on specifically positioned nodes (Shields [0200]; [0201]; [0202]).  Therefore, it would have been obvious to combine Galula and Shields to obtain the invention as specified in the instant claim(s).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Sargent (US 20080250128 A1) is cited for different anomaly thresholds for different time zones.
Maeda et al. (US 20120166142 A1) is cited for anomaly detection using rules to set sensors value comparison thresholds.
YAN et al. (US 20160019389 A1) is cited for detecting potential security attacks against vehicle networks through OBD-II CAN messages.
Applicants’ amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/ Primary Examiner, Art Unit 2438

12.06.2022