Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to Applicant’s Amendment filed on January 6, 2026. Of prior claims 1-30: claims 1-4, 7-12, 15-20, 23-27 and 29-30 were amended; claims 1, 9, 17 and 25, are independent claims. Accordingly, claims 1-30 remain pending, and have been examined in this application.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on January 6, 2026, has been entered.
Response to Arguments
The Examiner acknowledges Applicant’s 35 U.S.C. § 112(f) (or 35 U.S.C. § 112, sixth paragraph) claim interpretation comments.
Applicants’ arguments in the instant Amendment, filed on December 15, 2025, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “However, Applicant submits that Gutierrez fails to disclose the features "applying weights to outputs of the one or more misbehavior detection mechanisms corresponding to the indications ofV2X communication behavior, wherein the weights are based on an importance of misbehavior detected by a respective misbehavior detection mechanism," as recited in amended claim 1.
…However, there is no discussion in Gutierrez of applying weights to outputs based on "an importance of misbehavior detected by a respective misbehavior detection mechanism," as claimed. Rather, Gutierrez describes weights being applied based on other, unrelated, factors."
The Examiner disagrees with Applicant. More particularly, “Importance” is an inherent part of “weighting”, e.g., Collins on-line dictionary (collinsdictionary.com/us/dictionary/english/weighting) defines “weighting” as: “A weighting is a value given to something according to how important or significant it is.”; Guitierrez provides a number of differing weighting examples: Guiterrez para. [0160], “if a source of an observation was not recently trained, the model may …weight the output based on a determined validity of the training in relation to sources of other observations.” [NOTE: in this Guiterrez example, a freshness of training is of importance, in which more recent training receives higher weighting, and less recent training receives lower weighting.]; Gutierrez para. [0041], " The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.''; [NOTE: “Reliability” and/or “accuracy” are of importance.]).”
Applicant’s arguments: “Additionally, Gutierrez fails to describe the claim features "aggregating, based on a first type of aggregation, a first subset of the weighted outputs from the one or more misbehavior detection mechanisms and based on a second type of aggregation, a second subset of the weighted outputs from the one or more misbehavior detection mechanisms to determine that a threshold of misbehavior detection mechanisms detect the indications of V2X communications misbehavior," as recited in amended claim 1.
…at best, Gutierrez describes weighting of outputs of a "combination of two or more subsystems." Assigning weights to outputs or combinations of subsystems fails to amount to the claimed features involving "types of aggregation" and "subset[s} of weighted outputs." Gutierrez is silent on disclosures that amount to these claim features.”
The Examiner disagrees with Applicant. More particularly, the “subset” feature of Applicant’s claim limitations of “aggregating, based on a first type of aggregation, a first subset of the weighted outputs from the one or more misbehavior detection mechanisms” is being broadly interpreted as including a “subset” having only one item or having multiple items. Further, the “from the one or more misbehavior detection mechanisms” feature is being broadly interpreted as including only one weighted output (e.g., from a single detection mechanism) or multiple weighted outputs (e.g., from a single detection mechanism and/or from multiple differing detection mechanisms). Accordingly, the following disclosure portions of Guiterrez meet such highlighted claim limitations: Gutierrez para. [0038], “The combined layer IDS may combine outputs from intrusion detectors and/or IDSs in one or more different ways to determine whether suspicious activity represents an intrusion”; Gutierrez para. [0101], “The first inter-layer IDS and the attack characterization logic circuitry 488 may receive the outputs from the voltage FP IDS 451 and the MTS IDS 493. The first inter-layer IDS may combine the outputs….”; Guiterrez para. [0041], “for a weighted voting, the combined layer IDS may multiply the physical layer IDS output (e.g., probability) by 0.3, multiple the message layer IDS output by 0.3, and multiply the context layer IDS output by 0.4. The combined layer IDS may sum the weighted outputs (e.g., probabilities) and compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”; Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”
Claim Interpretation - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(f):
(f) ELEMENT IN CLAIM FOR A COMBINATION.—An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term "means" or "step" or a term used as a substitute for "means" that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term "means" or "step" or the generic placeholder is modified by functional language, typically, but not always linked by the transition word "for" (e.g., "means for") or another linking word or phrase, such as "configured to" or "so that"; and
(C) the term "means" or "step" or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word "means" (or "step") in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Absence of the word "means" (or "step") in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word "means" (or "step") are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word "means" (or "step") are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-6, 8-14, 16-22, 24-28 and 30 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Gutierrez et al. (“Gutierrez”; US20200143053A1).
Per claim 1, Gutierrez teaches a method (Gutierrez FIG. 19A) performed by a processor (Gutierrez para. [0003], “may include a processor and software that executes on the processor to cause that ECU to perform the desired operations or vehicle functions.”) of a vehicle-to-everything (V2X) communication system of a vehicle (Gutierrez para. [0055}, “The introduction of V2X into the vehicle network provides a substantial new attack vector for malicious actors”), comprising:
detecting, from the V2X communications from one or more additional vehicles and via one or more misbehavior detection mechanisms, indications of V2X communications misbehavior associated with inaccurate or false information in the V2X communications from at least one vehicle of the additional vehicles (Gutierrez para. [0035], “may monitor intrusion detectors and/or IDSs on two different layers. For instance, an inter-layer IDS may monitor a voltage fingerprint IDS for a first ECU on the physical layer and a message time series IDS for a second ECU on the message layer. The voltage fingerprint IDS may detect and report suspicious activity from a first ECU and the inter-layer IDS may monitor the message time series IDS on the message layer for corresponding suspicious activity on the message layer.”; Guiterrez para. [0006], “intrusion detectors may output an indication of the anomalous behavior even though the behavior might be temporary and relate to, e.g., an anomalous external factor”);
applying weights to outputs of the one or more misbehavior detection mechanisms corresponding to the indications of V2X communication behavior (Gutierrez para. [0041], "Weighted voting may assign weights to the outputs from intrusion detectors and/or IDSs of a selected subsystem, of a combination of two or more subsystems, and/or of all subsystems. The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.”), wherein the weights are based on an importance of misbehavior detected by a respective misbehavior detection mechanism ([NOTE:”Importance” is an inherent part of “weighting”, e.g., Collins on-line dictionary (collinsdictionary.com/us/dictionary/english/weighting) defines “weighting” as: “A weighting is a value given to something according to how important or significant it is.”; Guitierrez provides a number of differing examples:Guiterrez para. [0160], “if a source of an observation was not recently trained, the model may …weight the output based on a determined validity of the training in relation to sources of other observations.”; Gutierrez para. [0041], " The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.''; [NOTE: Using “accuracy” as an example, a “weighted accuracy output” of greater than 50 percent or 70 percent is being interpreted as being based on a highly-weighted, applied “intrusion-type” weighting, whereas an output of less than 50 percent or 70 percent is being interpreted as being based on a lower-weighted, applied “non-intrusion-type” weighting.]);
aggregating, based on a first type of aggregation, a first subset of the weighted outputs from the one or more misbehavior detection mechanisms and based on a second type of aggregation, a second subset of the weighted outputs from the one or more misbehavior detection mechanisms (Gutierrez para. [0038], “The combined layer IDS may combine outputs from intrusion detectors and/or IDSs in one or more different ways to determine whether suspicious activity represents an intrusion”; Gutierrez para. [0101], “The first inter-layer IDS and the attack characterization logic circuitry 488 may receive the outputs from the voltage FP IDS 451 and the MTS IDS 493. The first inter-layer IDS may combine the outputs….”) to determine that a threshold of misbehavior mechanisms detect the indications of V2X communications misbehavior (Guiterrez para. [0041], “for a weighted voting, the combined layer IDS may multiply the physical layer IDS output (e.g., probability) by 0.3, multiple the message layer IDS output by 0.3, and multiply the context layer IDS output by 0.4. The combined layer IDS may sum the weighted outputs (e.g., probabilities) and compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”; Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”);
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs and based on the threshold having been achieved (Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack”; Gutierrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack)…”; Gutierrez para. [0039], “A majority vote may combine outputs from intrusion detectors”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
transmitting a misbehavior report to an external device via the V2X communication system (Gutierrez para. [0035], “may detect and report suspicious activity from a first ECU”; Gutierrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack) and may output an indication that the suspicious activity is an attack based on the combination of the outputs to the attack characterization logic circuitry 488.”) or taking a responsive action in response to determining that a misbehavior condition exists (Gutierrez para. [0065], “In the case that detection and attacker characterization logic circuitry 250 identifies an anomaly or intrusion, generates an attack characterization or profile and may pass to the attack profile to a forensic logging and/or recovery system to log anomalies and/or to take appropriate remedial action, such as restarting an ECU, redirecting ECU operations to a backup ECU, warning an operator of the vehicle, querying an outside security vendor via the communications interface 232, and possibly forcing the vehicle to a safe resting position until the anomaly can be resolved and the vehicle can again be operated safely.”).
Per claim 2, Gutierrez discloses the method of claim 1. Gutierrez further discloses a method wherein:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises determining whether any of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of the misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0192], “to combine observations of the one or more control units at the one or more observation layers; and to determine, based on a combination of the observations, that one or more of the observations represent an intrusion” ; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 3, Gutierrez discloses the method of claim 1. Gutierrez further discloses a method wherein:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises determining whether any one of a subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of the subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 4, Gutierrez discloses the method of claim 1. Gutierrez further discloses a method wherein:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises aggregating misbehavior indications output from multiple misbehavior detection mechanisms (Gutierrez Abstract “Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems.”; Gutierrez para. [0018], “FIG. 13 depicts another embodiment of a combined layer IDS to combine outputs from three MTS IDSs with different size (time frame) windows with an output from a physical layer voltage FP”; Gutierrez para. [0028], “establishing one or more combined layer intrusion detection systems (IDSs) such as one or more intra-layer IDSs, one or more inter-layer IDSs, and/or one or more global IDSs. A combined layer IDS, as discussed herein, may combine information from more than one intrusion detector to advantageously, e.g., increase the confidence or reliability of detection of an intrusion, increase the accuracy of a detection of an intrusion, and/or reduce latency associated with detection of an intrusion”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to a threshold number of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para. [0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 5, Gutierrez discloses the method of claim 4. Gutierrez further discloses a method wherein determining that a reportable or actionable misbehavior condition exists in response to a threshold number of the misbehavior detection mechanisms outputting misbehavior indications comprises determining that a reportable or actionable misbehavior condition exists in response to a majority of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para.[0039], “A majority vote may combine outputs from intrusion detectors and/or IDSs with two or more intra-layer and/or inter-layer perspectives. For example, if a physical layer intrusion detector and/or IDS indicates suspicious activity, the combined layer IDS may count the output as a vote, determine outputs (as votes) of other intrusion detectors and/or IDSs that may detect related activity, and determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 6, Gutierrez discloses the method of claim 1. Gutierrez further discloses a method wherein:
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to the weighted outputs of the one or more misbehavior detection mechanisms exceeding a threshold (Gutierrez para. [0041], “The combined layer IDS may …compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”).
Per claim 8, Gutierrez discloses the method of claim 1. Gutierrez further discloses a method wherein:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises determining a number of events classified as an attack or misbehavior indications output by each of a plurality of misbehavior detection mechanisms within a window of time or set number of events (Gutierrez para.[0084], “The message layer IDSs 492 may include a message time series (MTS) IDS 493 to monitor a sequence of messages transmitted by the ECU 404 or a group of ECUs including the ECU 404. In many embodiments, the MTS IDS 493 may establish one or more windows of time (or time periods) during which the MTS IDS 493 captures a sequence of messages on the IVN bus.”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to determining that the number of events classified as an attack or misbehavior indications output by any one of the one or more misbehavior detection mechanisms within the window of time or set number of events exceeds a threshold (Gutierrez para.[0085], “The MTS IDS 493 may determine a deviation between the observed sequence of messages and the predicted sequence of messages and compare the deviation to a threshold deviation to determine whether the observed sequence of messages represent suspicious activity. If the observed sequence of messages represents suspicious activity, the MTS IDS 493 may transmit a message to the detection logic circuitry via the IVN bus 470 or the detection logic communications medium 475.”).
Per claim 9, Gutierrez discloses a vehicle-to-everything (V2X) communication system (Gutierrez para. [0055}, “The introduction of V2X into the vehicle network provides a substantial new attack vector for malicious actors”), comprising: a processor configured with processor-executable instructions (Gutierrez para. [0003], “may include a processor and software that executes on the processor to cause that ECU to perform the desired operations or vehicle functions.”) for:
detect, from the V2X communications from one or more additional vehicles and via one or more misbehavior detection mechanisms, indications of V2X communications misbehavior associated with inaccurate or false information in the V2X communications from at least one vehicle of the additional vehicles (Gutierrez para. [0035], “may monitor intrusion detectors and/or IDSs on two different layers. For instance, an inter-layer IDS may monitor a voltage fingerprint IDS for a first ECU on the physical layer and a message time series IDS for a second ECU on the message layer. The voltage fingerprint IDS may detect and report suspicious activity from a first ECU and the inter-layer IDS may monitor the message time series IDS on the message layer for corresponding suspicious activity on the message layer.”; Guiterrez para. [0006], “intrusion detectors may output an indication of the anomalous behavior even though the behavior might be temporary and relate to, e.g., an anomalous external factor”);
apply weights to outputs of the one or more misbehavior detection mechanisms corresponding to the indications ofV2X communication behavior (Gutierrez para. [0041], "Weighted voting may assign weights to the outputs from intrusion detectors and/or IDSs of a selected subsystem, of a combination of two or more subsystems, and/or of all subsystems. The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.”), wherein the weights are based on an importance of misbehavior detected by a respective misbehavior detection mechanism ([NOTE:”Importance” is an inherent part of “weighting”, e.g., Collins on-line dictionary (collinsdictionary.com/us/dictionary/english/weighting) defines “weighting” as: “A weighting is a value given to something according to how important or significant it is.”; Guitierrez provides a number of differing examples:Guiterrez para. [0160], “if a source of an observation was not recently trained, the model may …weight the output based on a determined validity of the training in relation to sources of other observations.”; Gutierrez para. [0041], " The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.''; [NOTE: Using “accuracy” as an example, a “weighted accuracy output” of greater than 50 percent or 70 percent is being interpreted as being based on a highly-weighted, applied “intrusion-type” weighting, whereas an output of less than 50 percent or 70 percent is being interpreted as being based on a lower-weighted, applied “non-intrusion-type” weighting.]);
aggregate, based on a first type of aggregation, a first subset of the weighted outputs from the one or more misbehavior detection mechanisms and based on a second type of aggregation, a second subset of the weighted outputs from the one or more misbehavior detection mechanisms (Gutierrez para. [0038], “The combined layer IDS may combine outputs from intrusion detectors and/or IDSs in one or more different ways to determine whether suspicious activity represents an intrusion”; Guiterrez para. [0101], “The first inter-layer IDS and the attack characterization logic circuitry 488 may receive the outputs from the voltage FP IDS 451 and the MTS IDS 493. The first inter-layer IDS may combine the outputs….”) to determine that a quorum of misbehavior detection mechanisms detect the indications of V2X communications misbehavior is achieved (Guiterrez para. [0041], “for a weighted voting, the combined layer IDS may multiply the physical layer IDS output (e.g., probability) by 0.3, multiple the message layer IDS output by 0.3, and multiply the context layer IDS output by 0.4. The combined layer IDS may sum the weighted outputs (e.g., probabilities) and compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”; Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”);
determine whether a reportable or actionable misbehavior condition exists based on the aggregated weighted options and based on the threshold having been achieved (Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack”; Guiterrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack)…”; Gutierrez para. [0039], “A majority vote may combine outputs from intrusion detectors”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
transmit a misbehavior report to an external device via the V2X communication system (Gutierrez para. [0035], “may detect and report suspicious activity from a first ECU”; Guiterrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack) and may output an indication that the suspicious activity is an attack based on the combination of the outputs to the attack characterization logic circuitry 488.”) or taking a responsive action in response to determining that a misbehavior condition exists (Gutierrez para. [0065], “In the case that detection and attacker characterization logic circuitry 250 identifies an anomaly or intrusion, generates an attack characterization or profile and may pass to the attack profile to a forensic logging and/or recovery system to log anomalies and/or to take appropriate remedial action, such as restarting an ECU, redirecting ECU operations to a backup ECU, warning an operator of the vehicle, querying an outside security vendor via the communications interface 232, and possibly forcing the vehicle to a safe resting position until the anomaly can be resolved and the vehicle can again be operated safely.”).
Per claim 10, Gutierrez discloses the V2X communication system of claim 9. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for:
aggregate the first subset of the weighted outputs and the second subset of the weighted outputs by determining whether any of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs by determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of the misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0192], “to combine observations of the one or more control units at the one or more observation layers; and to determine, based on a combination of the observations, that one or more of the observations represent an intrusion”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 11, Gutierrez discloses the V2X communication system of claim 9. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for:
aggregate the first subset of the weighted outputs and the second subset of the weighted outputs by determining whether any one of a subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs by determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of the subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 12, Gutierrez discloses the V2X communication system of claim 9. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for:
aggregate the first subset of the weighted outputs and the second subset of the weighted outputs by aggregating misbehavior indications output from multiple misbehavior detection mechanisms (Gutierrez Abstract “Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems.”; Gutierrez para. [0018], “FIG. 13 depicts another embodiment of a combined layer IDS to combine outputs from three MTS IDSs with different size (time frame) windows with an output from a physical layer voltage FP”; Gutierrez para. [0028], “establishing one or more combined layer intrusion detection systems (IDSs) such as one or more intra-layer IDSs, one or more inter-layer IDSs, and/or one or more global IDSs. A combined layer IDS, as discussed herein, may combine information from more than one intrusion detector to advantageously, e.g., increase the confidence or reliability of detection of an intrusion, increase the accuracy of a detection of an intrusion, and/or reduce latency associated with detection of an intrusion”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs by determining that a reportable or actionable misbehavior condition exists in response to a threshold number of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para. [0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 13, Gutierrez discloses the V2X communication system of claim 12. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for determining that a reportable or actionable misbehavior condition exists in response to a majority of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para. [0039], “A majority vote may combine outputs from intrusion detectors and/or IDSs with two or more intra-layer and/or inter-layer perspectives. For example, if a physical layer intrusion detector and/or IDS indicates suspicious activity, the combined layer IDS may count the output as a vote, determine outputs (as votes) of other intrusion detectors and/or IDSs that may detect related activity, and determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 14, Gutierrez discloses the V2X communication system of claim 9. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for:
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs by determining that a reportable or actionable misbehavior condition exists in response to the weighted outputs of the one or more misbehavior detection mechanisms exceeding a threshold (Gutierrez para. [0041], “The combined layer IDS may …compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”).
Per claim 16, Gutierrez discloses the V2X communication system of claim 9. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for:
aggregate the first subset of the weighted outputs and the second subset of the weighted outputs by determining a number of events classified as an attack or misbehavior indications output by each of a plurality of misbehavior detection mechanisms within a window of time or set number of events (Gutierrez para.[0084], “The message layer IDSs 492 may include a message time series (MTS) IDS 493 to monitor a sequence of messages transmitted by the ECU 404 or a group of ECUs including the ECU 404. In many embodiments, the MTS IDS 493 may establish one or more windows of time (or time periods) during which the MTS IDS 493 captures a sequence of messages on the IVN bus.”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs by determining that a reportable or actionable misbehavior condition exists in response to determining that the number of events classified as an attack or misbehavior indications output by any one of the one or more misbehavior detection mechanisms within the window of time or set number of events exceeds a threshold (Gutierrez para.[0085], “The MTS IDS 493 may determine a deviation between the observed sequence of messages and the predicted sequence of messages and compare the deviation to a threshold deviation to determine whether the observed sequence of messages represent suspicious activity. If the observed sequence of messages represents suspicious activity, the MTS IDS 493 may transmit a message to the detection logic circuitry via the IVN bus 470 or the detection logic communications medium 475.”).
Per claim 17, Gutierrez discloses a vehicle-to-everything (V2X) communication system of a vehicle (Gutierrez para. [0055}, “The introduction of V2X into the vehicle network provides a substantial new attack vector for malicious actors”), comprising:
means for detecting, from V2X communications from one or more additional vehicles and via one or more misbehavior detection mechanisms, indications of V2X communications misbehavior associated in inaccurate or false information in the V2X communications from at least one vehicle of the additional vehicles (Gutierrez para. [0035], “may monitor intrusion detectors and/or IDSs on two different layers. For instance, an inter-layer IDS may monitor a voltage fingerprint IDS for a first ECU on the physical layer and a message time series IDS for a second ECU on the message layer. The voltage fingerprint IDS may detect and report suspicious activity from a first ECU and the inter-layer IDS may monitor the message time series IDS on the message layer for corresponding suspicious activity on the message layer.”; Guiterrez para. [0006], “intrusion detectors may output an indication of the anomalous behavior even though the behavior might be temporary and relate to, e.g., an anomalous external factor”);
means for applying weights to outputs of the one or more misbehavior detection mechanisms corresponding to the indications of V2X communication behavior (Gutierrez para. [0041], "Weighted voting may assign weights to the outputs from intrusion detectors and/or IDSs of a selected subsystem, of a combination of two or more subsystems, and/or of all subsystems. The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.”), wherein the weights are based on an importance of misbehavior detected by a respective behavior detection mechanism ([NOTE:”Importance” is an inherent part of “weighting”, e.g., Collins on-line dictionary (collinsdictionary.com/us/dictionary/english/weighting) defines “weighting” as: “A weighting is a value given to something according to how important or significant it is.”; Guitierrez provides a number of differing examples:Guiterrez para. [0160], “if a source of an observation was not recently trained, the model may …weight the output based on a determined validity of the training in relation to sources of other observations.”; Gutierrez para. [0041], " The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.''; [NOTE: Using “accuracy” as an example, a “weighted accuracy output” of greater than 50 percent or 70 percent is being interpreted as being based on a highly-weighted, applied “intrusion-type” weighting, whereas an output of less than 50 percent or 70 percent is being interpreted as being based on a lower-weighted, applied “non-intrusion-type” weighting.]);
means for aggregating, based on a first type of aggregation, a first subset of the weighted outputs from the one or more misbehavior detection mechanisms and based on a second type of aggregation, a second subset of the weighted outputs from the one or more misbehavior detection mechanisms (Gutierrez para. [0038], “The combined layer IDS may combine outputs from intrusion detectors and/or IDSs in one or more different ways to determine whether suspicious activity represents an intrusion”; Gutierrez para. [0101], “The first inter-layer IDS and the attack characterization logic circuitry 488 may receive the outputs from the voltage FP IDS 451 and the MTS IDS 493. The first inter-layer IDS may combine the outputs….”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”) to determine that a threshold of misbehavior detection mechanisms detect the multiple indications of V2X misbehavior (Guiterrez para. [0041], “for a weighted voting, the combined layer IDS may multiply the physical layer IDS output (e.g., probability) by 0.3, multiple the message layer IDS output by 0.3, and multiply the context layer IDS output by 0.4. The combined layer IDS may sum the weighted outputs (e.g., probabilities) and compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”; Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”);
means for determining whether a reportable or actionable misbehavior condition exists based on the aggregated misbehavior indications and based on the quorum having been achieved (Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack”; Gutierrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack)…”; Gutierrez para. [0039], “A majority vote may combine outputs from intrusion detectors”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
means for transmitting a misbehavior report to an external device via the V2X communication system (Gutierrez para. [0035], “may detect and report suspicious activity from a first ECU”; Gutierrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack) and may output an indication that the suspicious activity is an attack based on the combination of the outputs to the attack characterization logic circuitry 488.”) or taking a responsive action in response to determining that a misbehavior condition exists (Gutierrez para. [0065], “In the case that detection and attacker characterization logic circuitry 250 identifies an anomaly or intrusion, generates an attack characterization or profile and may pass to the attack profile to a forensic logging and/or recovery system to log anomalies and/or to take appropriate remedial action, such as restarting an ECU, redirecting ECU operations to a backup ECU, warning an operator of the vehicle, querying an outside security vendor via the communications interface 232, and possibly forcing the vehicle to a safe resting position until the anomaly can be resolved and the vehicle can again be operated safely.”).
Per claim 18, Gutierrez discloses the V2X communication system of claim 17. Gutierrez further discloses an arrangement wherein:
means for aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises means for determining whether any of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
means for determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputcomprises means for determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of the misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0192], “to combine observations of the one or more control units at the one or more observation layers; and to determine, based on a combination of the observations, that one or more of the observations represent an intrusion”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 19, Gutierrez discloses the V2X communication system of claim 17. Gutierrez further discloses an arrangement wherein:
means for aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises means for determining whether any one of a subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
means for determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted output comprises means for determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of the select subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 20, Gutierrez discloses the V2X communication system of claim 17. Gutierrez further discloses an arrangement wherein:
means for aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises means for aggregating misbehavior indications output from multiple misbehavior detection mechanisms (Gutierrez Abstract “Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems.”; Gutierrez para. [0018], “FIG. 13 depicts another embodiment of a combined layer IDS to combine outputs from three MTS IDSs with different size (time frame) windows with an output from a physical layer voltage FP”; Gutierrez para. [0028], “establishing one or more combined layer intrusion detection systems (IDSs) such as one or more intra-layer IDSs, one or more inter-layer IDSs, and/or one or more global IDSs. A combined layer IDS, as discussed herein, may combine information from more than one intrusion detector to advantageously, e.g., increase the confidence or reliability of detection of an intrusion, increase the accuracy of a detection of an intrusion, and/or reduce latency associated with detection of an intrusion”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
means for determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises means for determining that a reportable or actionable misbehavior condition exists in response to a threshold number of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para. [0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold.” ; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 21, Gutierrez discloses the V2X communication system of claim 20. Gutierrez further discloses an arrangement wherein means for determining that a reportable or actionable misbehavior condition exists in response to a threshold number of the misbehavior detection mechanisms outputting misbehavior indications comprises means for determining that a reportable or actionable misbehavior condition exists in response to a majority of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para.[0039], “A majority vote may combine outputs from intrusion detectors and/or IDSs with two or more intra-layer and/or inter-layer perspectives. For example, if a physical layer intrusion detector and/or IDS indicates suspicious activity, the combined layer IDS may count the output as a vote, determine outputs (as votes) of other intrusion detectors and/or IDSs that may detect related activity, and determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 22, Gutierrez discloses the V2X communication system of claim 17. Gutierrez further discloses an arrangement wherein:
means for determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises means for determining that a reportable or actionable misbehavior condition exists in response to the weighted outputs of the one or more misbehavior detection mechanisms exceeding a threshold (Gutierrez para.[0041], “The combined layer IDS may …compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”).
Per claim 24, Gutierrez discloses the V2X communication system of claim 17. Gutierrez further discloses an arrangement wherein:
means for aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises means for determining a number of events classified as an attack or misbehavior indications output by each of a plurality of misbehavior detection mechanisms within a window of time or set number of events (Gutierrez para.[0084], “The message layer IDSs 492 may include a message time series (MTS) IDS 493 to monitor a sequence of messages transmitted by the ECU 404 or a group of ECUs including the ECU 404. In many embodiments, the MTS IDS 493 may establish one or more windows of time (or time periods) during which the MTS IDS 493 captures a sequence of messages on the IVN bus.”); and
means for determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises means for determining that a reportable or actionable misbehavior condition exists in response to determining that the number of events classified as an attack or misbehavior indications output by any one of the one or more misbehavior detection mechanisms within the window of time or set number of events exceeds a threshold (Gutierrez para.[0085], “The MTS IDS 493 may determine a deviation between the observed sequence of messages and the predicted sequence of messages and compare the deviation to a threshold deviation to determine whether the observed sequence of messages represent suspicious activity. If the observed sequence of messages represents suspicious activity, the MTS IDS 493 may transmit a message to the detection logic circuitry via the IVN bus 470 or the detection logic communications medium 475.”).
Per claim 25, Gutierrez discloses a non-transitory processor-readable medium (Gutierrez para.[0168], “storage medium 2000 may include any non-transitory computer readable medium or machine-readable medium, such as an optical, magnetic or semiconductor storage”) having stored thereon processor-executable instructions configured to cause a processor (Gutierrez para. [0003], “may include a processor and software that executes on the processor to cause that ECU to perform the desired operations or vehicle functions.”) of a vehicle-to- everything (V2X) communication system (Gutierrez para. [0055}, “The introduction of V2X into the vehicle network provides a substantial new attack vector for malicious actors”) to perform operations comprising:
detecting, from V2X communications from one or more additional vehicles, via one or more misbehavior detection mechanisms, indications of V2X communications misbehavior associated with inaccurate or false information in the V2X communications from at least one vehicle of the additional vehicles (Gutierrez para. [0035], “may monitor intrusion detectors and/or IDSs on two different layers. For instance, an inter-layer IDS may monitor a voltage fingerprint IDS for a first ECU on the physical layer and a message time series IDS for a second ECU on the message layer. The voltage fingerprint IDS may detect and report suspicious activity from a first ECU and the inter-layer IDS may monitor the message time series IDS on the message layer for corresponding suspicious activity on the message layer.”; Guiterrez para. [0006], “intrusion detectors may output an indication of the anomalous behavior even though the behavior might be temporary and relate to, e.g., an anomalous external factor”);
applying weights to outputs of the one or more misbehavior detection mechanisms corresponding to the indications of V2X communication behavior (Gutierrez para. [0041], "Weighted voting may assign weights to the outputs from intrusion detectors and/or IDSs of a selected subsystem, of a combination of two or more subsystems, and/or of all subsystems. The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.”), wherein the weights are based on an importance of misbehavior detected by a respective misbehavior detection mechanism ([NOTE:”Importance” is an inherent part of “weighting”, e.g., Collins on-line dictionary (collinsdictionary.com/us/dictionary/english/weighting) defines “weighting” as: “A weighting is a value given to something according to how important or significant it is.”; Guitierrez provides a number of differing examples: Guiterrez para. [0160], “if a source of an observation was not recently trained, the model may …weight the output based on a determined validity of the training in relation to sources of other observations.”; Gutierrez para. [0041], " The weights may be based on various factors such as historical reliability and/or accuracy, heuristic reliability and/or accuracy, relative reliability and/or accuracy as compared to other inputs, and/or the like.''; [NOTE: Using “accuracy” as an example, a “weighted accuracy output” of greater than 50 percent or 70 percent is being interpreted as being based on a highly-weighted, applied “intrusion-type” weighting, whereas an output of less than 50 percent or 70 percent is being interpreted as being based on a lower-weighted, applied “non-intrusion-type” weighting.]);
aggregating, based on a first type of aggregation, a first subset of the weighted outputs from the one or more misbehavior detection mechanism and based on a second type of aggregation, a second subset of the weighted outputs from the one or more misbehavior detection mechanisms (Gutierrez para. [0038], “The combined layer IDS may combine outputs from intrusion detectors and/or IDSs in one or more different ways to determine whether suspicious activity represents an intrusion”; Gutierrez para. [0101], “The first inter-layer IDS and the attack characterization logic circuitry 488 may receive the outputs from the voltage FP IDS 451 and the MTS IDS 493. The first inter-layer IDS may combine the outputs….”) to determine that a threshold of misbehavior detection mechanisms detect the indications of V2X communications misbehavior (Guiterrez para. [0041], “for a weighted voting, the combined layer IDS may multiply the physical layer IDS output (e.g., probability) by 0.3, multiple the message layer IDS output by 0.3, and multiply the context layer IDS output by 0.4. The combined layer IDS may sum the weighted outputs (e.g., probabilities) and compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”; Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack.”);
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs and based on the threshold having been achieved (Gutierrez para. [0039], “determine whether the suspicious activity is an intrusion based on the percentage of the votes that indicate an intrusion or attack”; Gutierrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack)…”; Gutierrez para. [0039], “A majority vote may combine outputs from intrusion detectors”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
transmitting a misbehavior report to an external device via the V2X communication system (Gutierrez para. [0035], “may detect and report suspicious activity from a first ECU”; Gutierrez para. [0101], “The first inter-layer IDS may combine the outputs to determine whether the suspicious activity represents an intrusion (attack) and may output an indication that the suspicious activity is an attack based on the combination of the outputs to the attack characterization logic circuitry 488.”) or taking a responsive action in response to determining that a misbehavior condition exists (Gutierrez para. [0065], “In the case that detection and attacker characterization logic circuitry 250 identifies an anomaly or intrusion, generates an attack characterization or profile and may pass to the attack profile to a forensic logging and/or recovery system to log anomalies and/or to take appropriate remedial action, such as restarting an ECU, redirecting ECU operations to a backup ECU, warning an operator of the vehicle, querying an outside security vendor via the communications interface 232, and possibly forcing the vehicle to a safe resting position until the anomaly can be resolved and the vehicle can again be operated safely.”).
Per claim 26, Gutierrez discloses the non-transitory processor-readable medium of claim 25. Gutierrez further discloses an arrangement wherein the stored processor-executable instructions are further configured to cause the processor of the V2X communication system to perform operations comprising:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises determining whether any or any one of a select subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0051], “the detection logic circuitry to comprise dynamic threshold logic circuitry to dynamically adjust a threshold for detection of suspicious activity by an IDS at a first layer based on a single output or a combination of outputs from at least one other IDS.”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to determining that at least one of misbehavior detection mechanisms or at least one of the select subset of the one or more misbehavior detection mechanisms outputs a misbehavior indication (Gutierrez para.[0192], “to combine observations of the one or more control units at the one or more observation layers; and to determine, based on a combination of the observations, that one or more of the observations represent an intrusion”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 27, Gutierrez discloses the non-transitory processor-readable medium of claim 25. Gutierrez further discloses an arrangement wherein the stored processor-executable instructions are further configured to cause the processor of the V2X communication system to perform operations comprising:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises aggregating misbehavior indications output from multiple misbehavior detection mechanisms (Gutierrez Abstract “Logic may implement observation layer intrusion detection systems (IDSs) to combine observations by intrusion detectors and/or other intrusion detection systems.”; Gutierrez para. [0018], “FIG. 13 depicts another embodiment of a combined layer IDS to combine outputs from three MTS IDSs with different size (time frame) windows with an output from a physical layer voltage FP”; Gutierrez para. [0028], “establishing one or more combined layer intrusion detection systems (IDSs) such as one or more intra-layer IDSs, one or more inter-layer IDSs, and/or one or more global IDSs. A combined layer IDS, as discussed herein, may combine information from more than one intrusion detector to advantageously, e.g., increase the confidence or reliability of detection of an intrusion, increase the accuracy of a detection of an intrusion, and/or reduce latency associated with detection of an intrusion”; Gutierrez para. [0041], “compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to a threshold number of the misbehavior detection mechanisms outputting misbehavior indications (Gutierrez para. [0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold.”; Gutierrez para. [0041], “If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion”).
Per claim 28, Gutierrez discloses the non-transitory processor-readable medium of claim 25. Gutierrez further discloses an arrangement wherein:
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining that a reportable or actionable misbehavior condition exists in response to the weighted outputs of the one or more misbehavior detection mechanisms exceeding a threshold (Gutierrez para.[0041], “The combined layer IDS may …compare the sum of the weighted outputs to determine a combined layer weighted output. If the combined layer weighted output is greater than a threshold, e.g., 50 percent or 70 percent, the combined layer IDS may determine that the combined layer weighted output indicates that the activities detected represent an intrusion.”).
Per claim 30, Gutierrez discloses the non-transitory processor-readable medium of claim 25. Gutierrez further discloses an arrangement wherein the stored processor-executable instructions are further configured to cause the processor of the V2X communication system to perform operations such that:
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises determining a number of events classified as an attack or misbehavior indications output by each of a plurality of misbehavior detection mechanisms within a window of time or set number of events (Gutierrez para.[0084], “The message layer IDSs 492 may include a message time series (MTS) IDS 493 to monitor a sequence of messages transmitted by the ECU 404 or a group of ECUs including the ECU 404. In many embodiments, the MTS IDS 493 may establish one or more windows of time (or time periods) during which the MTS IDS 493 captures a sequence of messages on the IVN bus.”); and
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted output comprises determining that a reportable or actionable misbehavior condition exists in response to determining that the number of events classified as an attack or misbehavior indications output by any one of the one or more misbehavior detection mechanisms within the window of time or set number of events exceeds a threshold (Gutierrez para.[0085], “The MTS IDS 493 may determine a deviation between the observed sequence of messages and the predicted sequence of messages and compare the deviation to a threshold deviation to determine whether the observed sequence of messages represent suspicious activity. If the observed sequence of messages represents suspicious activity, the MTS IDS 493 may transmit a message to the detection logic circuitry via the IVN bus 470 or the detection logic communications medium 475.”).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 7, 15, 23 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Gutierrez et al. (“Gutierrez”; US20200143053A1) in view of Friedman et al. (“Friedman”; US20100083375A1).
Per claim 7, Gutierrez discloses the method of claim 1. Gutierrez further discloses a method wherein:
detecting indications of V2X misbehavior via one or more misbehavior detection mechanism comprises processing received V2X information through a plurality of plausibility and consistency detectors configured to detect misbehavior conditions and output misbehavior indications to a detector selector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error”);
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises passing outputs of misbehavior indications from a selected subset of the plurality of plausibility and consistency detectors from the detector selector to a misbehavior detector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error.”);
determining whether a reportable or actionable misbehavior condition exists based on the aggregated weighted outputs comprises determining by the misbehavior detector that a reportable (Gutierrez para. [0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold”) or actionable misbehavior condition (Gutierrez para.[0099], “attack characterization logic circuitry 488 may output the attack characterization 489 to a forensic logging and/or recovery system to advantageously log the attack/anomaly and/or to facilitate an informed selection of a recovery routine.”) exists in response to misbehavior indication outputs by the selected subset of the plurality of plausibility and consistency detectors; and
the method further comprises:
determining a rate of misbehavior determinations (Gutierrez para.[0098], “IDS monitors the message ID for the ECU; and, in some embodiments, additional detail about the attack such as the percent deviation caused by the attacks from predicted behavior and the frequency of the attacks.”).
Gutierrez does not disclose a method: determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold; deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold.
However, in an analogous art, Friedman teaches an arrangement:
determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. Although the algorithm may be used to mitigate false positive, the algorithm may also be used to mitigate false negatives. To do this, the costs given as input and the score function may be altered. For example, taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled, lowering a threshold) may increase the benefit.”; Friedman para. [0057], “A threshold th. If the number of destination hosts (e.g., as determined by destination IP address) which a host contacts on the same port during a given period of time exceeds th, then the detector fires an alert.”; Friedman para. [0041], “include the benefits from removing false positive alerts or generating true alerts that are missed by a security system”);
deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold (Friedman para.[0105], “the tuning parameter selected may be disabling the port scanner detector.”; Friedman para. [0113], “false positive alerts would be missing in the history of alerts if the port scanner detector was disabled”); and
activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. … taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Gutierrez to include, as taught by Friedman, regarding: determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold; deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold. Motivation for modifying would have been to activate individual sensors in order to increase a sensitivity of the arrangement so as to mitigate false negatives, or to deactivate individual detectors in order to decrease a sensitivity of the arrangement so as to mitigate false positives (Friedman para. [0120]).
Per claim 15, Gutierrez discloses the V2X communication system of claim 9. Gutierrez further discloses an arrangement wherein the processor is further configured with processor-executable instructions for:
detecting indications of V2X misbehavior via one or more misbehavior detection mechanism by processing received V2X information through a plurality of plausibility and consistency detectors configured to detect misbehavior conditions and output misbehavior indications to a detector selector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error”);
aggregate the first subset of the weighted outputs and the second subset of the weighted outputs by passing outputs of misbehavior indications from a selected subset of the plurality of plausibility and consistency detectors from the detector selector to a misbehavior detector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error.”);
determining whether a reportable (Gutierrez para.[0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold”) or actionable misbehavior condition (Gutierrez para.[0099], “attack characterization logic circuitry 488 may output the attack characterization 489 to a forensic logging and/or recovery system to advantageously log the attack/anomaly and/or to facilitate an informed selection of a recovery routine.”) exists based on the aggregated weighted outputs by determining by the misbehavior detector that a reportable or actionable misbehavior condition exists in response to misbehavior indication outputs by the selected subset of the plurality of plausibility and consistency detectors;
determining a rate of misbehavior determinations (Gutierrez para.[0098], “IDS monitors the message ID for the ECU; and, in some embodiments, additional detail about the attack such as the percent deviation caused by the attacks from predicted behavior and the frequency of the attacks.”).
Gutierrez does not disclose a V2X communication system for determining: whether the rate of misbehavior determinations exceeds a maximum threshold or is less that a minimum threshold; deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold.
However, in an analogous art, Friedman teaches a V2X communication system to:
determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less that a minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. Although the algorithm may be used to mitigate false positive, the algorithm may also be used to mitigate false negatives. To do this, the costs given as input and the score function may be altered. For example, taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled, lowering a threshold) may increase the benefit.”; Friedman para. [0057], “A threshold th. If the number of destination hosts (e.g., as determined by destination IP address) which a host contacts on the same port during a given period of time exceeds th, then the detector fires an alert.”; Friedman para. [0041], “include the benefits from removing false positive alerts or generating true alerts that are missed by a security system”);
deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold (Friedman para.[0105], “the tuning parameter selected may be disabling the port scanner detector.”; Friedman para. [0113], “false positive alerts would be missing in the history of alerts if the port scanner detector was disabled”); and
activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold (Friedman para.[0105], “the tuning parameter selected may be disabling the port scanner detector.”; Friedman para. [0113], “false positive alerts would be missing in the history of alerts if the port scanner detector was disabled”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Gutierrez to include, as taught by Friedman, regarding a V2X communication system to: determine whether the rate of misbehavior determinations exceeds a maximum threshold or is less that a minimum threshold; deactivate one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and activate one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold. Motivation for modifying would have been to activate individual sensors in order to increase a sensitivity of the arrangement so as to mitigate false negatives, or to deactivate individual detectors in order to decrease a sensitivity of the arrangement so as to mitigate false positives (Friedman para. [0120]).
Per claim 23, Gutierrez discloses the V2X communication system of claim 17. Gutierrez further discloses an arrangement 23 regarding a communication system in which:
means for detecting indications of V2X misbehavior via one or more misbehavior detection mechanism comprises means for processing received V2X information through a plurality of plausibility and consistency detectors configured to detect misbehavior conditions and output misbehavior indications to a detector selector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error”);
means for aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises means for passing outputs of misbehavior indications from a selected subset of the plurality of plausibility and consistency detectors from the detector selector to a misbehavior detector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error.”);
means for determining whether a reportable (Gutierrez para.[0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold”) or actionable misbehavior condition (Gutierrez para.[0099], “attack characterization logic circuitry 488 may output the attack characterization 489 to a forensic logging and/or recovery system to advantageously log the attack/anomaly and/or to facilitate an informed selection of a recovery routine.”) exists based on the aggregated weighted outputs comprises means for determining by the misbehavior detector that a reportable or actionable misbehavior condition exists in response to misbehavior indication outputs by the selected subset of the plurality of plausibility and consistency detectors; and
the V2X communication system further comprises:
means for determining a rate of misbehavior determinations; means for determining whether the rate of misbehavior (Gutierrez para.[0098], “IDS monitors the message ID for the ECU; and, in some embodiments, additional detail about the attack such as the percent deviation caused by the attacks from predicted behavior and the frequency of the attacks.”).
Gutierrez does not disclose a communication system in which: means for determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold; means for deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and means for activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold.
However, in an analogous art, Friedman teaches a communication system in which:
means for determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. Although the algorithm may be used to mitigate false positive, the algorithm may also be used to mitigate false negatives. To do this, the costs given as input and the score function may be altered. For example, taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled, lowering a threshold) may increase the benefit.”; Friedman para. [0057], “A threshold th. If the number of destination hosts (e.g., as determined by destination IP address) which a host contacts on the same port during a given period of time exceeds th, then the detector fires an alert.”; Friedman para. [0041], “include the benefits from removing false positive alerts or generating true alerts that are missed by a security system”);
means for deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold (Friedman para.[0105], “the tuning parameter selected may be disabling the port scanner detector.”; Friedman para. [0113], “false positive alerts would be missing in the history of alerts if the port scanner detector was disabled”); and
means for activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. … taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Gutierrez to include, as taught by Friedman, a communication system in which: means for determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold; means for deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and means for activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold. Motivation for modifying would have been to activate individual sensors in order to increase a sensitivity of the arrangement so as to mitigate false negatives, or to deactivate individual detectors in order to decrease a sensitivity of the arrangement so as to mitigate false positives (Friedman para. [0120]).
Per claim 29, Gutierrez discloses the non-transitory processor-readable medium of claim 25. Gutierrez further discloses a non-transitory processor-readable medium wherein:
detecting indications of V2X misbehavior via one or more misbehavior detection mechanism comprises processing received V2X information through a plurality of plausibility and consistency detectors configured to detect misbehavior conditions and output misbehavior indications to a detector selector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error”);
aggregating the first subset of the weighted outputs and the second subset of the weighted outputs comprises passing outputs of misbehavior indications from a selected subset of the plurality of plausibility and consistency detectors from the detector selector to a misbehavior detector (Gutierrez para.[0116], “The voting model with selective input based on historical training of the IDSs may select outputs to combine for voting based on a determination that the historical data used to train the model is still valid or has a low margin of error.”); and
determining whether a reportable (Gutierrez para.[0161], “the detection logic circuitry may determine whether the in-vehicle system or sub-system is being attacked based on the output from the combination by comparing the output from the combination with a detection threshold. The detection logic circuitry may determine that an attack is occurring if the output from the combination meets or exceeds the detection threshold”) or actionable misbehavior condition (Gutierrez para.[0099], “attack characterization logic circuitry 488 may output the attack characterization 489 to a forensic logging and/or recovery system to advantageously log the attack/anomaly and/or to facilitate an informed selection of a recovery routine.”) exists based on the aggregated weighted outputs comprises determining by the misbehavior detector that a reportable or actionable misbehavior condition exists in response to misbehavior indication outputs by the selected subset of the plurality of plausibility and consistency detectors,
wherein the stored processor-executable instructions are further configured to cause the processor of the V2X communication system to perform operations further comprising:
determining a rate of misbehavior determinations (Gutierrez para.[0098], “IDS monitors the message ID for the ECU; and, in some embodiments, additional detail about the attack such as the percent deviation caused by the attacks from predicted behavior and the frequency of the attacks.”).
Gutierrez does not disclose a non-transitory processor-readable medium wherein:
determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold; deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold.
However, in an analogous art, Friedman teaches an arrangement:
determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. Although the algorithm may be used to mitigate false positive, the algorithm may also be used to mitigate false negatives. To do this, the costs given as input and the score function may be altered. For example, taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled, lowering a threshold) may increase the benefit.”; Friedman para. [0057], “A threshold th. If the number of destination hosts (e.g., as determined by destination IP address) which a host contacts on the same port during a given period of time exceeds th, then the detector fires an alert.”; Friedman para. [0041], “include the benefits from removing false positive alerts or generating true alerts that are missed by a security system”);
deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold (Friedman para.[0105], “the tuning parameter selected may be disabling the port scanner detector.”; Friedman para. [0113], “false positive alerts would be missing in the history of alerts if the port scanner detector was disabled”); and
activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold (Friedman para.[0120], “The algorithm may be used to increase system sensitivity and mitigate false negatives. … taking an action that increases system sensitivity (e.g. enabling an element that was previously disabled”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify Gutierrez to include, as taught by Friedman, a non-transitory processor-readable medium wherein the stored processor-executable instructions are further configured to cause the processor of the V2X communication system to perform operations of: determining whether the rate of misbehavior determinations exceeds a maximum threshold or is less than a minimum threshold; deactivating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations exceeds the maximum threshold; and activating one or more sensitive plausibility and consistency detectors in response to determining that the rate of misbehavior determinations is less than the minimum threshold. Motivation for modifying would have been to activate individual sensors in order to increase a sensitivity of the arrangement so as to mitigate false negatives, or to deactivate individual detectors in order to decrease a sensitivity of the arrangement so as to mitigate false positives (Friedman para. [0120]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul J Skwierawski whose telephone number is (571)272-2642. The examiner can normally be reached 6:00am-3:30pm weekdays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisory primary examiner (SPE) Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Paul Skwierawski/
Patent Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439