DETAILED ACTION
Claims 1-15, 18-20 are currently pending and have been examined in this application. Claims 16-17, 21-22 are Canceled.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to the “request for continued examination” filed 01/20/2026.
Claim Objections
Claims 11 and 15 are objected to because of the following informalities:
Claim 11: Amend to correct typographical error.
“…send both the first set of signal data and the second set of signal data to a remote server,[[ ,]] wherein…”
Claim 15: Amend to correct typographical error.
“…wherein finding the correlations includes…”
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3-15, 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Guajardo Merchan (US20210194921) in view of Troncoso (“PriPAYD: Privacy-Friendly Pay-As-You-Drive Insurance”) further in view of Bridges (US20220374515).
Claim 1:
Guajardo Merchan explicitly teaches:
A computer-implemented method, comprising: receiving a first set of an in-vehicle network signal data indicative of in-vehicle network traffic of an in-vehicle network in a controlled environment;
(Guajardo Merchan) – “According to another embodiment, a computer-implement method includes defining a fingerprint that includes a baseline measurement of one or more physical attributes of at least a separate processor during an enrollment period of the system, receiving a runtime measurement from a sensor regarding the one or more physical attributes of at least the separate processor during runtime, comparing the runtime measurement of the physical attribute to the fingerprint, and in response to the measurement exceeding a threshold, executing a countermeasure operation against software ran by the separate processor.” (Para 0004)
“The IDS or IPDS may also work with other measurements or characteristics to improve the detection for measurements. For example, additional measurements may include the frequency of messages classified according to message IDs, the time interval between successive same messages, etc. Furthermore, the network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages… Furthermore, remote attestation capabilities could be added, which would allow the network IDS to send challenges that trigger a sequence of functions which are fingerprinted via power/timing and these fingerprints are sent with a response that are verified.” (Para 0011)
“The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
Examiner Note: The limitation “signal data indicative of in-vehicle network traffic” is recited with a high degree of generality. “Signal data” covers a wide variety of different types of data and signals. “Indicative of” means that the signal data may be either directly or indirectly related to the network traffic.
finding correlations associated with the first set of in-vehicle signal data and storing the correlations in a correlation list that is indicative of communication characteristic amongst signals in the first set of in-vehicle signal data,
(Guajardo Merchan) – “The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“The network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages.” (Para 0026)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
Examiner Note: Per BRI, Log corresponds with correlation list.
sending the correlation list to a first remote server [associated with a service agency];
(Guajardo Merchan) – “At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
“At step 309, the signature, fingerprint, and associated public key may be stored in memory.” (Para 0031)
“the measurement could be transmitted to a gateway/network Intrusion Detection System (IDS) or Intrusion Detection and Prevention System (IDPS) residing locally in the car or remotely in a central server collecting all measurements.” (Para 0011)
Examiner Note: Bracketed text not explicitly taught by primary reference, but is taught by non-primary reference later in the rejection. This notation convention will be applied throughout the rejection.
receiving, [via an OBD-II port], a second set of in-vehicle network signal data indicative of in-vehicle traffic of the in-vehicle network during normal vehicle operation, wherein receiving the second set of in-vehicle network signal data is ;
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
sending the second set of in-vehicle network signal data to a second remote server [associated with the service agency]; and
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
in response to comparing the correlation list and the second set of in-vehicle network signal data, and the comparison indicating communication characteristics exceeding a threshold amount of change, outputting an alert indicating tampering associated with the second set of in-vehicle signal data for a duration of time and [identifying a cost associated with the tampering utilizing the second set of in-vehicle network signal data].
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 405 the system may determine if the measurement is outside of a predefined threshold. While the baseline measurement may be performed during enrollment, the system may compare the new measurement to be compared using a distance measure of choice. The distance measure may include Hamming distance, Euclidean distance, Least Squares, etc. Based on the distance result and comparison to a threshold, the system may then decide if the software has been tampered with.” (Para 0034)
“At step 409, the system may activate a countermeasure if it is determined that an anomaly has been detected. The system may thus trigger further actions. Such actions may include kill, delay, or modify a process. The system may also send a message or output a notification to a user notifying them of a threat.” (Para 0036)
Guajardo Merchan does not explicitly teach:
wherein the in-vehicle network signal data includes decoded controller area network (CAN) data generated from CAN message frames;…wherein finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients include pairwise Pearson correlation coefficients between a plurality of CAN training data signals … associated with a service agency … via an OBD-II port … associated with the service agency… identifying a cost associated with the tampering utilizing the second set of in-vehicle network signal data
Troncoso, in the same field of endeavor of vehicle tamper detection, teaches:
associated with a service agency … associated with the service agency …identifying a cost associated with the tampering utilizing the second set of in-vehicle network signal data
(Troncoso) - “Detection of the black box’s inputs tampering. Even if the insurance company can verify the authenticity of the data and can trust the black box for correctness, once the box is installed in the car, the company has no control over its environment. A malicious client may try to take advantage of the situation and tamper with the incoming and/or outgoing signals (GPS, GSM, etc.) to reduce the final premium… The first approach assumes that the insurance company has knowledge of the car odometer value (as we argued in Section 2 for Polis Direct [20] and Corona Direct [19], this is not sensitive datum, as it is only aggregated data and does not reveal the location of the car). The total number of kilometers driven is also computed from the GPS signal information when calculating the premium and stored in the black box. This value is sent along with the billing information to the back office at the end of each billing period. Then, in regular inspections, the insurance company can check that the value computed from the GPS signal corresponds to the one captured by the odometer. In case these values considerably differ, the insurer can infer an attempt of cheating in the client side has happened and act in consequence (e.g., charging the client with a higher premium than the one he would obtain without cheating, according to the terms of the contract).” (Pg. 748, Right Column)
Examiner Note: Insurance company corresponds with service agency.
via an OBD-II port
(Troncoso) – “Two companies, AVIVA (Canada) and Progressive Casualty Insurance (US), supply devices (Autograph [41] in the first case, and TripSense [27] and MyRate [42] in the second) that can be easily connected by the user to the On Board Diagnostics II (OBDII) port of the car. This device collects: trip start and end time, miles driven, duration of trip, number of sudden starts and stops, and time and date of each connection/disconnection to the OBDII port. These data can be seen by the client in a personal computer and can be exchanged for discounts if sent to the insurer.” (Pg 744 Left Column)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Troncoso does not explicitly teach:
wherein the in-vehicle network signal data includes decoded controller area network (CAN) data generated from CAN message frames;…wherein finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients include pairwise Pearson correlation coefficients between a plurality of CAN training data signals
Bridges, in the same field of endeavor of vehicle network intrusion detection, teaches:
wherein the in-vehicle network signal data includes decoded controller area network (CAN) data generated from CAN message frames
(Bridges) – “The processor of the intrusion detection system can be configured to decode CAN test data, i.e., CAN data to be checked for attacks, in CAN data frames with the particular vehicle CAN frame ID received by the vehicle CAN interface according to the signal definition stored in memory. The processor can be configured to identify inherent relationships between timeseries signals in the decoded CAN test data. The processor can be configured to compare the identified inherent relationships between the timeseries signals in the decoded CAN test data and inherent relationships between timeseries signals from CAN training data stored in memory to detect intrusion of the vehicle CAN based on the comparison.” (Para 0021)
“The CAN intrusion detection systems of the present disclosure can leverage CAN decoding (CAN-D). In general, CAN-D emphasizes automatic reverse engineering of CAN mappings and use of those CAN mappings to decode CAN signals in real time. The present disclosure provides apparatuses, systems, and methods for tokenization and translation of vehicle controller area network data (CAN) that are vehicle agnostic. The systems and methods of the present disclosure include an algorithmic reverse engineering pipeline that exhibits state-of-the-art CAN signal extraction, and a lightweight hardware integration allowing OBD-II plugin for real-time CAN decoding.” (Para 0058)
wherein finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients include pairwise Pearson correlation coefficients between a plurality of CAN training data signals
(Bridges) – “Some other conventional approaches compute Pearson correlation matrices of geolocation-related signals (e.g., latitude, longitude, elevation, speed, heading) to estimate the state of neighboring vehicles and detect location forging misbehavior based on correlation matrices' distance.” (Para 0018)
“In general, the physical interpretation algorithm (a subprocess of CAN-D) operates by comparing each signal timeseries, s(t) to each DID trace D(t′) and making a determination as to whether they are linearly related. Because DID traces are generally sampled at a lower rate than normal CAN traffic, interpolation is utilized to estimate the signal values over the diagnostic timepoints, obtaining s(t′). The algorithm includes a regression function that regresses D(t′) onto s(t′) and finds the best linear fit, furnishing the coefficients a, b so that s(t):=as(t′)+b≈D(t′).” (Para 0213)
“FIG. 14 illustrates a representative flowchart of exemplary pattern recognition of step 1340. The learning of inherent relationships between uninterpreted timeseries signals in decoded CAN data in this exemplary embodiment include the following steps: discarding constant signals 1410, interpolating remaining signals to have the same length 1420, computing pairwise Pearson correlations between the CAN training data signals 1430, computing agglomerative hierarchical clustering 1440, computing similarity between hierarchical clusterings 1450, and generating a training distribution of similarities 1460.” (Para 0276)
“Pearson correlations, sometimes referred to as Pearson correlation coefficients or Pearson product-moment correlation coefficients are generally a measure of linear correlation between two sets of data. Specifically, Pearson correlations refer to the ratio between the covariance of two variables and the product of their standard deviations. Covariance generally refers to the measure of how two random variables in a data set will change together. A positive covariance means that the two variables are positively related, and they move in the same direction and a negative covariance means the two variables are negatively related, and they move in the opposite direction. Pearson correlations are essentially normalized measurements of the covariance, such that the result has a value between −1 and 1. The measure reflects a linear correlation of variables.” (Para 0278)
“Timeseries Correlation Computation. The CAN-D intrusion detection system can be configured to compute timeseries correlations among timeseries (e.g., pairwise Pearson).” (Para 0300)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the method for intrusion detection on automotive controller area networks of Bridges. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, because “improvements to systems and methods for decoding vehicle CAN data and intrusion detection are desirable.” (Bridges Para 0019)
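The following is an added illustration, not part of the Office action or of any cited reference: it builds a correlation list of pairwise Pearson coefficients from decoded CAN training signals (discarding constant signals and interpolating to a common length, as in the quoted Bridges steps 1410-1430) and flags runtime pairs whose coefficient changes by more than a threshold. The signal names, the constructed sample values, the 0.5 threshold and the direct coefficient comparison (used here in place of Bridges' hierarchical-clustering similarity) are assumptions.

```python
import math
from itertools import combinations


def resample(values, n):
    """Linearly interpolate a timeseries to n evenly spaced samples."""
    if len(values) == n:
        return list(values)
    out = []
    for i in range(n):
        pos = i * (len(values) - 1) / (n - 1)
        lo = int(math.floor(pos))
        hi = min(lo + 1, len(values) - 1)
        frac = pos - lo
        out.append(values[lo] * (1 - frac) + values[hi] * frac)
    return out


def pearson(x, y):
    """Covariance divided by the product of the standard deviations."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy)


def correlation_list(signals):
    """Map each signal pair to its Pearson coefficient.

    signals: dict of signal name -> list of decoded values (assumed input shape).
    Constant signals carry no correlation information and are discarded.
    """
    kept = {k: v for k, v in signals.items() if max(v) != min(v)}
    if len(kept) < 2:
        return {}
    n = max(len(v) for v in kept.values())
    aligned = {k: resample(v, n) for k, v in kept.items()}
    return {(a, b): pearson(aligned[a], aligned[b])
            for a, b in combinations(sorted(aligned), 2)}


def flag_changes(baseline, runtime, threshold=0.5):
    """Return baseline pairs whose coefficient moved by more than threshold.

    A pair missing at runtime (a signal went constant or disappeared) is
    flagged too: a frozen signal is itself a change in the learned relationship.
    """
    flagged = []
    for pair, r0 in baseline.items():
        r1 = runtime.get(pair)
        if r1 is None or abs(r1 - r0) > threshold:
            flagged.append(pair)
    return sorted(flagged)


def constructed_drive(idle, slope, n=60, speed_override=None):
    """Constructed sample data, not a real capture.

    rpm ramps up, speed follows rpm linearly, wheel speed is sampled at half
    the rate, and brake stays constant. speed_override replaces only the
    reported speed signal; wheel still follows the true speed.
    """
    rpm = [idle + slope * i + 40 * math.sin(i / 3) for i in range(n)]
    true_speed = [0.03 * r - 20 + math.sin(i) for i, r in enumerate(rpm)]
    wheel = [1.02 * s for s in true_speed[::2]]
    speed = list(speed_override) if speed_override is not None else true_speed
    return {"rpm": rpm, "speed": speed, "wheel": wheel, "brake": [0.0] * n}


def spoofed_speed(n=60):
    """Constructed speed values that no longer track rpm."""
    return [30 + 2 * math.sin(1.7 * i) for i in range(n)]


if __name__ == "__main__":
    baseline = correlation_list(constructed_drive(900, 35))
    runs = {
        "clean": constructed_drive(1000, 20),
        "spoofed": constructed_drive(1000, 20, speed_override=spoofed_speed()),
        "frozen": constructed_drive(1000, 20, speed_override=[30.0] * 60),
    }
    for name, signals in runs.items():
        flagged = flag_changes(baseline, correlation_list(signals))
        print(name, "ALERT" if flagged else "ok", flagged)
```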
Claim 3:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan further teaches:
wherein the communication characteristics amongst signals includes a frequency change between types of signals in the first set.
(Guajardo Merchan) – “At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals. The IDS then would combine all the information to make a decision as to whether the software has been tampered with or not.” (Para 0033)
Claim 4:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan does not explicitly teach the following limitations in full. Troncoso further teaches:
wherein the second set of in-vehicle signal data is retrieved from a plug-in device inserted into a diagnostic port of the vehicle, wherein the plug-in device records in-vehicle messages communicated in the vehicle.
(Troncoso) – “Two companies, AVIVA (Canada) and Progressive Casualty Insurance (US), supply devices (Autograph [41] in the first case, and TripSense [27] and MyRate [42] in the second) that can be easily connected by the user to the On Board Diagnostics II (OBDII) port of the car. This device collects: trip start and end time, miles driven, duration of trip, number of sudden starts and stops, and time and date of each connection/disconnection to the OBDII port. These data can be seen by the client in a personal computer and can be exchanged for discounts if sent to the insurer.” (Pg 744 Left Column)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Claim 5:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan does not explicitly teach the following limitations in full. Troncoso further teaches:
wherein the remote agency includes an insurance agency or police agency.
(Troncoso) - “Detection of the black box’s inputs tampering. Even if the insurance company can verify the authenticity of the data and can trust the black box for correctness, once the box is installed in the car, the company has no control over its environment. A malicious client may try to take advantage of the situation and tamper with the incoming and/or outgoing signals (GPS, GSM, etc.) to reduce the final premium… The first approach assumes that the insurance company has knowledge of the car odometer value (as we argued in Section 2 for Polis Direct [20] and Corona Direct [19], this is not sensitive datum, as it is only aggregated data and does not reveal the location of the car). The total number of kilometers driven is also computed from the GPS signal information when calculating the premium and stored in the black box. This value is sent along with the billing information to the back office at the end of each billing period. Then, in regular inspections, the insurance company can check that the value computed from the GPS signal corresponds to the one captured by the odometer. In case these values considerably differ, the insurer can infer an attempt of cheating in the client side has happened and act in consequence (e.g., charging the client with a higher premium than the one he would obtain without cheating, according to the terms of the contract).” (Pg. 748, Right Column)
Examiner Note: Insurance company corresponds with service agency.
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Claim 6:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan further teaches:
wherein the duration of time includes a start time and an end time.
(Guajardo Merchan) – “At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals. The IDS then would combine all the information to make a decision as to whether the software has been tampered with or not. The system may perform measurements that can be triggered periodically, using an external trigger, or internally at a start or end of every function that is running on the system.” (Para 0033)
Claim 7:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan further teaches:
wherein the in-vehicle network includes a Controller Area Network (CAN).
(Guajardo Merchan) – “a computer system may be, or may include, a microcontroller, an application specific circuit (ASIC), a field programmable array (FPGA), network controller (e.g., CAN bus controller), associated transceiver, system on a chip (SOC), and/or any combination thereof that may be used without an operating system.” (Para 0014)
Claim 8:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan further teaches:
wherein in response to correlations of the second set of CAN signal data being below a threshold amount, not sending an alert to a remote agency indicating tampering associated with the second set of CAN signal data.
(Guajardo Merchan) – “At step 405 the system may determine if the measurement is outside of a predefined threshold. While the baseline measurement may be performed during enrollment, the system may compare the new measurement to be compared using a distance measure of choice. The distance measure may include Hamming distance, Euclidean distance, Least Squares, etc. Based on the distance result and comparison to a threshold, the system may the decide if the software has been tampered with…If the measurement is not outside the threshold, the system may continue to monitor measurements.” (Para 0034)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“The circuit may connect each of these components by a CAN bus 209. The CAN bus 209 may be utilized to allow various ECUs or controllers in the vehicle to communicate with one another. The IDS 205 may be utilized to store a fingerprint and other secure data related to the system. The fingerprint may be used as a profile of the ECU or circuit and be utilized by the IDS to detect malicious behavior.” (Para 0023)
Claim 9:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan does not explicitly teach the following limitations. Bridges further teaches:
wherein the correlations include information associated with coefficients of a linear regression model computer on the first set of CAN signal data.
(Bridges) – “Some other conventional approaches compute Pearson correlation matrices of geolocation-related signals (e.g., latitude, longitude, elevation, speed, heading) to estimate the state of neighboring vehicles and detect location forging misbehavior based on correlation matrices' distance.” (Para 0018)
“In general, the physical interpretation algorithm (a subprocess of CAN-D) operates by comparing each signal timeseries, s(t) to each DID trace D(t′) and making a determination as to whether they are linearly related. Because DID traces are generally sampled at a lower rate than normal CAN traffic, interpolation is utilized to estimate the signal values over the diagnostic timepoints, obtaining s(t′). The algorithm includes a regression function that regresses D(t′) onto s(t′) and finds the best linear fit, furnishing the coefficients a, b so that s(t):=as(t′)+b≈D(t′).” (Para 0213)
“FIG. 14 illustrates a representative flowchart of exemplary pattern recognition of step 1340. The learning of inherent relationships between uninterpreted timeseries signals in decoded CAN data in this exemplary embodiment include the following steps: discarding constant signals 1410, interpolating remaining signals to have the same length 1420, computing pairwise Pearson correlations between the CAN training data signals 1430, computing agglomerative hierarchical clustering 1440, computing similarity between hierarchical clusterings 1450, and generating a training distribution of similarities 1460.” (Para 0276)
“Pearson correlations, sometimes referred to as Pearson correlation coefficients or Pearson product-moment correlation coefficients are generally a measure of linear correlation between two sets of data. Specifically, Pearson correlations refer to the ratio between the covariance of two variables and the product of their standard deviations. Covariance generally refers to the measure of how two random variables in a data set will change together. A positive covariance means that the two variables are positively related, and they move in the same direction and a negative covariance means the two variables are negatively related, and they move in the opposite direction. Pearson correlations are essentially normalized measurements of the covariance, such that the result has a value between −1 and 1. The measure reflects a linear correlation of variables.” (Para 0278)
“Timeseries Correlation Computation. The CAN-D intrusion detection system can be configured to compute timeseries correlations among timeseries (e.g., pairwise Pearson).” (Para 0300)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the method for intrusion detection on automotive controller area networks of Bridges. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, because “improvements to systems and methods for decoding vehicle CAN data and intrusion detection are desirable.” (Bridges Para 0019)
Claim 10:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan further teaches:
wherein first remote server and the second remote server are a same server or a different server.
(Guajardo Merchan) – “the measurement could be transmitted to a gateway/network Intrusion Detection System (IDS) or Intrusion Detection and Prevention System (IDPS) residing locally in the car or remotely in a central server collecting all measurements.” (Para 0011)
“In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself.” (Para 0033)
Claim 11:
Guajardo Merchan explicitly teaches:
A system, comprising: one or more sensors in a vehicle, the one or more sensors configured to collect a first set of signal data indicative of controller area network traffic of a CAN network in a controlled environment and a second set of signal data indicative of controller area network traffic of a CAN network during vehicle operation;
(Guajardo Merchan) – “According to another embodiment, a computer-implement method includes defining a fingerprint that includes a baseline measurement of one or more physical attributes of at least a separate processor during an enrollment period of the system, receiving a runtime measurement from a sensor regarding the one or more physical attributes of at least the separate processor during runtime, comparing the runtime measurement of the physical attribute to the fingerprint, and in response to the measurement exceeding a threshold, executing a countermeasure operation against software ran by the separate processor.” (Para 0004)
“The IDS or IPDS may also work with other measurements or characteristics to improve the detection for measurements. For example, additional measurements may include the frequency of messages classified according to message IDs, the time interval between successive same messages, etc. Furthermore, the network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages… Furthermore, remote attestation capabilities could be added, which would allow the network IDS to send challenges that trigger a sequence of functions which are fingerprinted via power/timing and these fingerprints are sent with a response that are verified.” (Para 0011)
“The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
“a computer system may be, or may include, a microcontroller, an application specific circuit (ASIC), a field programmable array (FPGA), network controller (e.g., CAN bus controller), associated transceiver, system on a chip (SOC), and/or any combination thereof that may be used without an operating system.” (Para 0014)
Examiner Note: The limitation “signal data indicative of in-vehicle network traffic” is recited with a high degree of generality. “Signal data” covers a wide variety of different types of data and signals. “Indicative of” means that the signal data may be either directly or indirectly related to the network traffic.
a processor in communication with the one or more sensors, the processor programmed to:
send both the first set of signal data and the second set of signal data to a remote server;
(Guajardo Merchan) – “A system includes a memory and a processor in communication with the memory. The processor is programmed to receive a runtime measurement from a sensor regarding the physical attribute of at least the separate processor during runtime; compare the runtime measurement of the physical attribute to a fingerprint that includes a baseline measurement of a physical attribute of at least a separate processor during an evaluation period of the system, and in response to the measurement exceeding a threshold, executing a countermeasure operation against software ran by the separate processor.” (Abstract)
“The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“The network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages.” (Para 0026)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
“At step 309, the signature, fingerprint, and associated public key may be stored in memory.” (Para 0031)
“the measurement could be transmitted to a gateway/network Intrusion Detection System (IDS) or Intrusion Detection and Prevention System (IDPS) residing locally in the car or remotely in a central server collecting all measurements.” (Para 0011)
identify correlations associated with the first set of signal data to establish a correlation list [via computing coefficients of the first set of the in-vehicle network signal data using a linear regression model];
(Guajardo Merchan) – “The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“The network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages.” (Para 0026)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
Examiner Note: Per BRI, Log corresponds with correlation list.
receiving a second set of in-vehicle network signal data indicative of in-vehicle traffic of the in-vehicle network during normal vehicle operation;
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
comparing the second set of signal data to the correlations list associated with the first set of signal data; in response to correlations of the second set of signal data exceeding a threshold defining normal operation, sending an alert [to a remote agency] indicating tampering associated with the second set of signal data.
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 405 the system may determine if the measurement is outside of a predefined threshold. While the baseline measurement may be performed during enrollment, the system may compare the new measurement to be compared using a distance measure of choice. The distance measure may include Hamming distance, Euclidean distance, Least Squares, etc. Based on the distance result and comparison to a threshold, the system may the decide if the software has been tampered with.” (Para 0034)
“At step 409, the system may activate a countermeasure if it is determined that an anomaly has been detected. The system may thus trigger further actions. Such actions may include kill, delay, or modify a process. The system may also send a message our output a notification to a user notifying them of a threat.” (Para 0036)
Guajardo Merchan does not explicitly teach:
wherein the first set of signal data and the second set of signal data includes decoded controller area network (CAN) data generated from CAN message frames;… via computing coefficients of the first set of the in-vehicle network signal data using a linear regression model, wherein the coefficients include pairwise Pearson correlation coefficients between a plurality of CAN training data signals …to a remote agency
Troncoso, in the same field of endeavor of vehicle tamper detection, teaches:
to a remote agency
(Troncoso) – “Detection of the black box’s inputs tampering. Even if the insurance company can verify the authenticity of the data and can trust the black box for correctness, once the box is installed in the car, the company has no control over its environment. A malicious client may try to take advantage of the situation and tamper with the incoming and/or outgoing signals (GPS, GSM, etc.) to reduce the final premium… The first approach assumes that the insurance company has knowledge of the car odometer value (as we argued in Section 2 for Polis Direct [20] and Corona Direct [19], this is not sensitive datum, as it is only aggregated data and does not reveal the location of the car). The total number of kilometers driven is also computed from the GPS signal information when calculating the premium and stored in the black box. This value is sent along with the billing information to the back office at the end of each billing period. Then, in regular inspections, the insurance company can check that the value computed from the GPS signal corresponds to the one captured by the odometer. In case these values considerably differ, the insurer can infer an attempt of cheating in the client side has happened and act in consequence (e.g., charging the client with a higher premium than the one he would obtain without cheating, according to the terms of the contract).” (Pg. 748, Right Column)
Examiner Note: Insurance company corresponds with remote agency.
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Troncoso does not explicitly teach:
wherein the first set of signal data and the second set of signal data includes decoded controller area network (CAN) data generated from CAN message frames;… via computing coefficients of the first set of the in-vehicle network signal data using a linear regression model, wherein the coefficients include pairwise Pearson correlation coefficients between a plurality of CAN training data signals
Bridges, in the same field of endeavor of vehicle network intrusion detection, teaches:
wherein the first set of signal data and the second set of signal data includes decoded controller area network (CAN) data generated from CAN message frames
(Bridges) – “The processor of the intrusion detection system can be configured to decode CAN test data, i.e., CAN data to be checked for attacks, in CAN data frames with the particular vehicle CAN frame ID received by the vehicle CAN interface according to the signal definition stored in memory. The processor can be configured to identify inherent relationships between timeseries signals in the decoded CAN test data. The processor can be configured to compare the identified inherent relationships between the timeseries signals in the decoded CAN test data and inherent relationships between timeseries signals from CAN training data stored in memory to detect intrusion of the vehicle CAN based on the comparison.” (Para 0021)
“The CAN intrusion detection systems of the present disclosure can leverage CAN decoding (CAN-D). In general, CAN-D emphasizes automatic reverse engineering of CAN mappings and use of those CAN mappings to decode CAN signals in real time. The present disclosure provides apparatuses, systems, and methods for tokenization and translation of vehicle controller area network data (CAN) that are vehicle agnostic. The systems and methods of the present disclosure include an algorithmic reverse engineering pipeline that exhibits state-of-the-art CAN signal extraction, and a lightweight hardware integration allowing OBD-II plugin for real-time CAN decoding.” (Para 0058)
wherein finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients includes pairwise Pearson correlation coefficients between a plurality of CAN training data signals
(Bridges) – “Some other conventional approaches compute Pearson correlation matrices of geolocation-related signals (e.g., latitude, longitude, elevation, speed, heading) to estimate the state of neighboring vehicles and detect location forging misbehavior based on correlation matrices' distance.” (Para 0018)
“In general, the physical interpretation algorithm (a subprocess of CAN-D) operates by comparing each signal timeseries, s(t) to each DID trace D(t′) and making a determination as to whether they are linearly related. Because DID traces are generally sampled at a lower rate than normal CAN traffic, interpolation is utilized to estimate the signal values over the diagnostic timepoints, obtaining s(t′). The algorithm includes a regression function that regresses D(t′) onto s(t′) and finds the best linear fit, furnishing the coefficients a, b so that s(t):=as(t′)+b≈D(t′).” (Para 0213)
“FIG. 14 illustrates a representative flowchart of exemplary pattern recognition of step 1340. The learning of inherent relationships between uninterpreted timeseries signals in decoded CAN data in this exemplary embodiment include the following steps: discarding constant signals 1410, interpolating remaining signals to have the same length 1420, computing pairwise Pearson correlations between the CAN training data signals 1430, computing agglomerative hierarchical clustering 1440, computing similarity between hierarchical clusterings 1450, and generating a training distribution of similarities 1460.” (Para 0276)
“Pearson correlations, sometimes referred to as Pearson correlation coefficients or Pearson product-moment correlation coefficients are generally a measure of linear correlation between two sets of data. Specifically, Pearson correlations refer to the ratio between the covariance of two variables and the product of their standard deviations. Covariance generally refers to the measure of how two random variables in a data set will change together. A positive covariance means that the two variables are positively related, and they move in the same direction and a negative covariance means the two variables are negatively related, and they move in the opposite direction. Pearson correlations are essentially normalized measurements of the covariance, such that the result has a value between −1 and 1. The measure reflects a linear correlation of variables.” (Para 0278)
“Timeseries Correlation Computation. The CAN-D intrusion detection system can be configured to compute timeseries correlations among timeseries (e.g., pairwise Pearson).” (Para 0300)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the method for intrusion detection on automotive controller area networks of Bridges. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, because “improvements to systems and methods for decoding vehicle CAN data and intrusion detection are desirable.” (Bridges Para 0019)
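The baseline-then-compare scheme described in the citations above (Bridges Para 0276 and 0213 for the correlation and regression steps, Guajardo Merchan Para 0034 for the distance-versus-threshold decision), as an added Python example that is not code from this Office action or from any cited reference. The signal names, sample values, grid and the 0.2 threshold are constructed assumptions, and a plain Euclidean distance between correlation profiles is used in place of the hierarchical-clustering similarity of Bridges.

```python
import math

def interpolate(times, values, grid):
    """Linearly resample one (times, values) series onto the shared grid."""
    out, j = [], 0
    for t in grid:
        while j < len(times) - 2 and times[j + 1] < t:
            j += 1
        w = (t - times[j]) / (times[j + 1] - times[j])
        out.append(values[j] + w * (values[j + 1] - values[j]))
    return out

def align(signals, grid):
    """Discard constant signals, then bring the rest to the same length."""
    return {name: interpolate(t, v, grid)
            for name, (t, v) in signals.items() if max(v) > min(v)}

def pearson(x, y):
    """Covariance divided by the product of standard deviations, in [-1, 1]."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy)

def linear_fit(x, y):
    """Least-squares coefficients (a, b) such that y is approximately a*x + b."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    a = (sum((p - mx) * (q - my) for p, q in zip(x, y))
         / sum((p - mx) ** 2 for p in x))
    return a, my - a * mx

def correlation_profile(signals, grid):
    """Pairwise Pearson coefficient for every pair of non-constant signals."""
    aligned = align(signals, grid)
    names = sorted(aligned)
    return {(a, b): pearson(aligned[a], aligned[b])
            for i, a in enumerate(names) for b in names[i + 1:]}

def profile_distance(baseline, runtime):
    """Euclidean distance over the baseline's pairs. A pair absent at runtime
    (signal missing or gone constant) is scored as correlation 0."""
    return math.sqrt(sum((r - runtime.get(pair, 0.0)) ** 2
                         for pair, r in baseline.items()))

def check_capture(baseline, signals, grid, threshold):
    """Return (alert, distance); alert is True when distance exceeds threshold."""
    d = profile_distance(baseline, correlation_profile(signals, grid))
    return d > threshold, d

def constructed_capture(phase, tamper=False, n=300):
    """Constructed decoded signals (not real vehicle data): speed and wheel
    speed at 10 Hz, engine rpm at 2 Hz, and a constant door-status signal."""
    t_fast = [i * 0.1 for i in range(n)]
    t_slow = [i * 0.5 for i in range(n // 5 + 1)]

    def true_speed(t):
        return 60 + 20 * math.sin(0.3 * t + phase)

    speed = [true_speed(t) for t in t_fast]
    wheel = [true_speed(t) + 0.5 * math.sin(7 * t) for t in t_fast]
    rpm = [40 * true_speed(t) + 800 for t in t_slow]
    if tamper:
        # The reported speed no longer tracks rpm and wheel speed.
        speed = [50 + 5 * math.sin(2.1 * t) for t in t_fast]
    return {"speed": (t_fast, speed), "wheel": (t_fast, wheel),
            "rpm": (t_slow, rpm), "door": (t_fast, [0.0] * n)}

GRID = [i * 0.5 for i in range(60)]   # shared timebase, assumed
THRESHOLD = 0.2                       # assumed; tuned on training data in practice
# First set of signal data (controlled environment) -> correlation list.
BASELINE = correlation_profile(constructed_capture(0.0), GRID)

if __name__ == "__main__":
    aligned = align(constructed_capture(0.0), GRID)
    print("rpm ~ a*speed + b:", linear_fit(aligned["speed"], aligned["rpm"]))
    for label, capture in [("clean", constructed_capture(1.0)),
                           ("tampered", constructed_capture(1.0, tamper=True))]:
        alert, d = check_capture(BASELINE, capture, GRID, THRESHOLD)
        print(f"{label}: distance={d:.4f} alert={alert}")
```
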
Claim 12:
Guajardo Merchan in combination with the references relied upon in claim 11 teach those respective limitations. Guajardo Merchan does not explicitly teach the following limitations in full. Troncoso further teaches:
wherein the system includes an external plug-in device configured to plug into a diagnostic port associated with the vehicle and records both the first set of signal data and the second set of signal data.
(Troncoso) – “Two companies, AVIVA (Canada) and Progressive Casualty Insurance (US), supply devices (Autograph [41] in the first case, and TripSense [27] and MyRate [42] in the second) that can be easily connected by the user to the On Board Diagnostics II (OBDII) port of the car. This device collects: trip start and end time, miles driven, duration of trip, number of sudden starts and stops, and time and date of each connection/disconnection to the OBDII port. These data can be seen by the client in a personal computer and can be exchanged for discounts if sent to the insurer.” (Pg 744 Left Column)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Claim 14:
Guajardo Merchan in combination with the references relied upon in claim 11 teach those respective limitations. Guajardo Merchan does not explicitly teach the following limitations in full. Troncoso further teaches:
wherein the second set of data is collected via a plug-in device connected to an OBD-II Port of the vehicle.
(Troncoso) – “Two companies, AVIVA (Canada) and Progressive Casualty Insurance (US), supply devices (Autograph [41] in the first case, and TripSense [27] and MyRate [42] in the second) that can be easily connected by the user to the On Board Diagnostics II (OBDII) port of the car. This device collects: trip start and end time, miles driven, duration of trip, number of sudden starts and stops, and time and date of each connection/disconnection to the OBDII port. These data can be seen by the client in a personal computer and can be exchanged for discounts if sent to the insurer.” (Pg 744 Left Column)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Claim 13:
Rejected based on the same rationale as Claim 9
Claim 22: Canceled
Claim 15:
Guajardo Merchan explicitly teaches:
A computer-implemented method, comprising: receiving a first set of an in-vehicle network signal data indicative of in-vehicle network traffic of an in-vehicle network in a controlled environment;
(Guajardo Merchan) – “According to another embodiment, a computer-implement method includes defining a fingerprint that includes a baseline measurement of one or more physical attributes of at least a separate processor during an enrollment period of the system, receiving a runtime measurement from a sensor regarding the one or more physical attributes of at least the separate processor during runtime, comparing the runtime measurement of the physical attribute to the fingerprint, and in response to the measurement exceeding a threshold, executing a countermeasure operation against software ran by the separate processor.” (Para 0004)
“The IDS or IPDS may also work with other measurements or characteristics to improve the detection for measurements. For example, additional measurements may include the frequency of messages classified according to message IDs, the time interval between successive same messages, etc. Furthermore, the network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages… Furthermore, remote attestation capabilities could be added, which would allow the network IDS to send challenges that trigger a sequence of functions which are fingerprinted via power/timing and these fingerprints are sent with a response that are verified.” (Para 0011)
“The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
Examiner Note: The limitation “signal data indicative of in-vehicle network traffic” is recited with a high degree of generality. “Signal data” covers a wide variety of different types of data and signals. “Indicative of” means that the signal data may be either directly or indirectly related to the network traffic.
finding correlations associated with the first set of in-vehicle signal data and storing the correlations in a correlation list that is indicative of communication characteristic amongst signals in the first set of in-vehicle signal data;
(Guajardo Merchan) – “The system may utilize an external or internal sensor to perform a device measurement of a physical property (e.g. power, timing, sound, temperature, vibration, etc.) to perform an initial baseline measurement. This measurement is used to derive a fingerprint using, for example, ML techniques, signal processing techniques or a combination thereof.” (Para 0012)
“The network transmission could be correlated with the processing by sending a signature of the processing after the transmission of critical messages.” (Para 0026)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
Examiner Note: Per BRI, Log corresponds with correlation list.
sending information indicative of the correlation list to a first remote server [associated with a service agency];
(Guajardo Merchan) – “At step 407, the system may log the potential detection. The IDS or another controller may be utilized in this process. The IDS may log the time and date of the occurrence, associated measurements of the physical attributes of the system or ECU, any software or processes that were running, any remote connections established, etc. The log may also be saved remotely. The log may be used in later processes to help identify countermeasures to any issues that occurred in the process. For example, the log may be later utilized by software developers to help create firewalls or other measures to prevent cyber-attacks. The log might include the derived fingerprint, the raw signal or signals from which the fingerprint was derived, or any other signals that are measured but are not being used for the fingerprint explicitly.” (Para 0035)
“At step 309, the signature, fingerprint, and associated public key may be stored in memory.” (Para 0031)
“the measurement could be transmitted to a gateway/network Intrusion Detection System (IDS) or Intrusion Detection and Prevention System (IDPS) residing locally in the car or remotely in a central server collecting all measurements.” (Para 0011)
Examiner Note: Bracketed text not explicitly taught by primary reference, but is taught by non-primary reference later in the rejection. This notation convention will be applied throughout the rejection.
receiving a second set of in-vehicle network signal data indicative of in-vehicle traffic of the in-vehicle network during normal vehicle operation;
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
sending the second set of in-vehicle network signal data to a second remote server [associated with the service agency]; and
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
in response to comparing the correlation list and the second set of in-vehicle network signal data, and the comparison indicating communication characteristics exceeding a threshold amount of change, outputting an alert indicating activation of a vehicle function or tampering associated with the second set of in-vehicle signal data for a duration of time, wherein the remote server is configured to [identify a cost associated with the activation of the vehicle function] or the tampering utilizing at least the second set of in-vehicle network signal data.
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
“At step 405 the system may determine if the measurement is outside of a predefined threshold. While the baseline measurement may be performed during enrollment, the system may compare the new measurement to be compared using a distance measure of choice. The distance measure may include Hamming distance, Euclidean distance, Least Squares, etc. Based on the distance result and comparison to a threshold, the system may the decide if the software has been tampered with.” (Para 0034)
“At step 409, the system may activate a countermeasure if it is determined that an anomaly has been detected. The system may thus trigger further actions. Such actions may include kill, delay, or modify a process. The system may also send a message our output a notification to a user notifying them of a threat.” (Para 0036)
Guajardo Merchan does not explicitly teach:
where finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients includes pairwise Pearson correlation coefficients between a plurality of CAN training data signals…associated with a service agency … wherein the second set of data is collected via a plug-in device connected to a diagnostic port of a vehicle…associated with the service agency… identify a cost associated with the activation of the vehicle function
Troncoso, in the same field of endeavor of vehicle tamper detection, teaches:
associated with a service agency … associated with the service agency … identify a cost associated with the activation of the vehicle function
(Troncoso) - “Detection of the black box’s inputs tampering. Even if the insurance company can verify the authenticity of the data and can trust the black box for correctness, once the box is installed in the car, the company has no control over its environment. A malicious client may try to take advantage of the situation and tamper with the incoming and/or outgoing signals (GPS, GSM, etc.) to reduce the final premium… The first approach assumes that the insurance company has knowledge of the car odometer value (as we argued in Section 2 for Polis Direct [20] and Corona Direct [19], this is not sensitive datum, as it is only aggregated data and does not reveal the location of the car). The total number of kilometers driven is also computed from the GPS signal information when calculating the premium and stored in the black box. This value is sent along with the billing information to the back office at the end of each billing period. Then, in regular inspections, the insurance company can check that the value computed from the GPS signal corresponds to the one captured by the odometer. In case these values considerably differ, the insurer can infer an attempt of cheating in the client side has happened and act in consequence (e.g., charging the client with a higher premium than the one he would obtain without cheating, according to the terms of the contract).” (Pg. 748, Right Column)
Examiner Note: Insurance company corresponds with service agency.
wherein the second set of data is collected via a plug-in device connected to a diagnostic port of a vehicle
(Troncoso) – “Two companies, AVIVA (Canada) and Progressive Casualty Insurance (US), supply devices (Autograph [41] in the first case, and TripSense [27] and MyRate [42] in the second) that can be easily connected by the user to the On Board Diagnostics II (OBDII) port of the car. This device collects: trip start and end time, miles driven, duration of trip, number of sudden starts and stops, and time and date of each connection/disconnection to the OBDII port. These data can be seen by the client in a personal computer and can be exchanged for discounts if sent to the insurer.” (Pg 744 Left Column)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the Pay-As-You-Drive insurance model of Troncoso. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, so that “privacy can be obtained at a very reasonable extra cost.” (Troncoso Abstract)
Troncoso does not explicitly teach:
where finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients includes pairwise Pearson correlation coefficients between a plurality of CAN training data signals
Bridges, in the same field of endeavor of vehicle network intrusion detection, teaches:
where finding the correlations includes computing coefficients of the first set of the in-vehicle network signal data in a linear regression model, wherein the coefficients includes pairwise Pearson correlation coefficients between a plurality of CAN training data signals
(Bridges) – “Some other conventional approaches compute Pearson correlation matrices of geolocation-related signals (e.g., latitude, longitude, elevation, speed, heading) to estimate the state of neighboring vehicles and detect location forging misbehavior based on correlation matrices' distance.” (Para 0018)
“In general, the physical interpretation algorithm (a subprocess of CAN-D) operates by comparing each signal timeseries, s(t) to each DID trace D(t′) and making a determination as to whether they are linearly related. Because DID traces are generally sampled at a lower rate than normal CAN traffic, interpolation is utilized to estimate the signal values over the diagnostic timepoints, obtaining s(t′). The algorithm includes a regression function that regresses D(t′) onto s(t′) and finds the best linear fit, furnishing the coefficients a, b so that s(t):=as(t′)+b≈D(t′).” (Para 0213)
“FIG. 14 illustrates a representative flowchart of exemplary pattern recognition of step 1340. The learning of inherent relationships between uninterpreted timeseries signals in decoded CAN data in this exemplary embodiment include the following steps: discarding constant signals 1410, interpolating remaining signals to have the same length 1420, computing pairwise Pearson correlations between the CAN training data signals 1430, computing agglomerative hierarchical clustering 1440, computing similarity between hierarchical clusterings 1450, and generating a training distribution of similarities 1460.” (Para 0276)
“Pearson correlations, sometimes referred to as Pearson correlation coefficients or Pearson product-moment correlation coefficients are generally a measure of linear correlation between two sets of data. Specifically, Pearson correlations refer to the ratio between the covariance of two variables and the product of their standard deviations. Covariance generally refers to the measure of how two random variables in a data set will change together. A positive covariance means that the two variables are positively related, and they move in the same direction and a negative covariance means the two variables are negatively related, and they move in the opposite direction. Pearson correlations are essentially normalized measurements of the covariance, such that the result has a value between −1 and 1. The measure reflects a linear correlation of variables.” (Para 0278)
“Timeseries Correlation Computation. The CAN-D intrusion detection system can be configured to compute timeseries correlations among timeseries (e.g., pairwise Pearson).” (Para 0300)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the method for intrusion detection on automotive controller area networks of Bridges. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, because “improvements to systems and methods for decoding vehicle CAN data and intrusion detection are desirable.” (Bridges Para 0019)
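The detection technique these passages describe can be illustrated with the following added example, which is not code from Guajardo Merchan, Troncoso, Bridges or the application under examination. It follows the first three steps quoted from Bridges Para 0276 (discard constant signals, interpolate to a common length, compute pairwise Pearson correlations) to build a baseline "correlation list", then applies the Euclidean-distance threshold check quoted from Guajardo Merchan Para 0034; the signal names, sample values, thresholds and the choice to treat a signal that goes flat at runtime as correlation 0.0 are all assumptions.

```python
import math
from itertools import combinations


def resample(series, n):
    """Linearly interpolate a series to n points (common length for all signals)."""
    if len(series) == n:
        return list(series)
    out = []
    for i in range(n):
        pos = i * (len(series) - 1) / (n - 1)
        lo = int(pos)
        hi = min(lo + 1, len(series) - 1)
        frac = pos - lo
        out.append(series[lo] * (1 - frac) + series[hi] * frac)
    return out


def pearson(x, y):
    """Covariance divided by the product of the standard deviations."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy)


def correlation_list(signals):
    """Map each (name_a, name_b) pair to its Pearson r.

    Constant signals are discarded first: their standard deviation is
    zero, so r is undefined for any pair that includes them.
    """
    kept = {k: v for k, v in signals.items()
            if len(v) >= 2 and max(v) != min(v)}
    if len(kept) < 2:
        return {}
    n = max(len(v) for v in kept.values())
    aligned = {k: resample(v, n) for k, v in kept.items()}
    return {(a, b): pearson(aligned[a], aligned[b])
            for a, b in combinations(sorted(aligned), 2)}


def compare(baseline, runtime_signals, threshold=0.5, pair_tol=0.5):
    """Compare runtime correlations with the baseline list.

    Assumption: a baseline pair that cannot be computed at runtime
    (one signal went flat or is missing) is scored as r = 0.0, so a
    suppressed signal counts as a change instead of being ignored.
    """
    runtime = correlation_list(runtime_signals)
    deltas = {pair: abs(r - runtime.get(pair, 0.0))
              for pair, r in baseline.items()}
    distance = math.sqrt(sum(d * d for d in deltas.values()))
    flagged = sorted(p for p, d in deltas.items() if d > pair_tol)
    return {"distance": distance, "flagged": flagged,
            "alert": distance > threshold}


# Constructed sample data (not from any cited reference). Speed is
# sampled at half the rate of the other signals; door is constant.
TRAINING = {
    "rpm":   [800, 1200, 1600, 2000, 2400, 2000, 1600, 1200, 800],
    "speed": [0, 20, 40, 20, 0],
    "brake": [1, 0, 0, 0, 0, 1, 1, 1, 1],
    "door":  [0, 0, 0, 0, 0, 0, 0, 0, 0],
}
# Normal operation: different values, same relationships between signals.
RUNTIME_NORMAL = {
    "rpm":   [800, 1240, 1680, 2120, 2560, 2120, 1680, 1240, 800],
    "speed": [0, 22, 44, 22, 0],
    "brake": [1, 0, 0, 0, 0, 1, 1, 1, 1],
    "door":  [0, 0, 0, 0, 0, 0, 0, 0, 0],
}
# Reported speed no longer tracks engine speed.
RUNTIME_DECOUPLED = dict(TRAINING, speed=[0, 5, 0, 5, 0])
# Reported speed is flat for the whole window.
RUNTIME_FLAT = dict(TRAINING, speed=[0, 0, 0, 0, 0])

BASELINE = correlation_list(TRAINING)

if __name__ == "__main__":
    for name, run in [("normal", RUNTIME_NORMAL),
                      ("decoupled", RUNTIME_DECOUPLED),
                      ("flat", RUNTIME_FLAT)]:
        result = compare(BASELINE, run)
        print(name, round(result["distance"], 3),
              result["flagged"], result["alert"])
```

Because Pearson r is invariant to scaling, the normal run produces a distance near zero even though every speed and rpm value differs from training, while the decoupled and flat runs move the rpm/speed pair far enough to cross the threshold.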
Claim 16: Canceled
Claim 17: Canceled
Claim 18:
Rejected based on the similar rationale as Claim 4
Claim 19:
Guajardo Merchan in combination with the references relied upon in claim 15 teach those respective limitations. Guajardo Merchan further teaches:
wherein the comparing of the correlation list and the second set of in-vehicle network signal data occurs at the remote server.
(Guajardo Merchan) – “FIG. 4 discloses a flow chart illustrating the runtime period for a system according to an embodiment. At step 401, the system may perform measurements of the system. The measurements may include measurements to any physical attributes of the device. The measurements may be performed at specified intervals. Thus, the measurements may be taken at specified intervals when certain software, processes, or operations are being performed or even halted. The intervals may be at varied time frames or periods as well.” (Para 0032)
“At step 403, the system may compare the measurement to the fingerprint. Thus, the system may derive a run-time fingerprint that is utilized to compare to the fingerprint from the enrollment phase. The system may utilize the IDS for the comparison to the measurements to the fingerprint. In another embodiment, the system may send the information to a remote server for verification, rather than verifying on the system or device itself. In another embodiment, the IDS (locally running in the car or remote in a backend), receives the fingerprint and combines the fingerprint information with other information not related to the fingerprint but related to the expected normal operation of the system under surveillance. This expected normal operation can include (but is not limited to) expected values of signals transmitted, expected arrival times or frequency of periodic signals.” (Para 0033)
Claim 20:
Rejected based on the same rationale as Claim 7
Claim(s) 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over Guajardo Merchan (US20210194921) in view of Troncoso (“PriPAYD: Privacy-Friendly Pay-As-You-Drive Insurance”) further in view of Bridges (US20220374515) further in view of Nicholas (US20190354914).
Claim 2:
Guajardo Merchan in combination with the references relied upon in claim 1 teach those respective limitations. Guajardo Merchan does not explicitly teach the following limitations. However, Nicholas, in the same field of endeavor of vehicle signals, teaches:
wherein the communication characteristics amongst signals includes a rate of change between types of signals in the first set.
(Nicholas) - “The function of defining a precursor analysis model may take various other forms as well. For instance, in addition (or in alternative) to the data described above, the precursor analysis model may be defined to receive other data related to asset operation as inputs. As a specific example, the precursor analysis model may receive data inputs known as “features,” which are derived from data generated at the asset-related data sources (e.g., the signal data for the asset 106). Features may take various forms, examples of which may include an average or range of sensor values that were historically measured when a failure occurred, an average or range of sensor-value gradients (e.g., a rate of change in sensor measurements) that were historically measured prior to an occurrence of a failure, a duration of time between failures (e.g., an amount of time or number of data-points between a first occurrence of a failure and a second occurrence of a failure), and/or one or more failure patterns indicating sensor measurement trends around the occurrence of a failure.” (Para 0149)
Therefore, it would be obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the system for network intrusion detection of Guajardo Merchan with the predictive model of Nicholas. One of ordinary skill in the art would have been motivated to make these modifications, with a reasonable expectation of success, because “the local data analytics platform may reduce the cost and/or delay of training and/or executing the predictive model, and may also improve the reliability and/or accuracy of certain predictive models, among other advantages.” (Nicholas Para 0006)
Claim 21: Canceled
Response to Arguments
The 35 U.S.C. 112 rejection mailed 10/21/2025 has been withdrawn because the “amendment” and “remarks” filed 01/20/2026 satisfactorily overcome this rejection.
The claim objection mailed 10/21/2025 has been withdrawn because the “amendment” and “remarks” filed 01/20/2026 satisfactorily overcome this objection.
Applicant's arguments with respect to the 35 U.S.C. 103 rejection filed 10/21/2025 have been fully considered but they are not persuasive. Rejection has been updated to reflect amended language.
Specifically, all claims are now rejected further in view of Bridges as necessitated by amendment. Examiner maintains that Bridges resolves any deficiency of the previously applied prior art as evidenced in the above rejection rationale.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Examiner has clearly noted a rationale for combining the references of Guajardo Merchan and Troncoso (so that “privacy can be obtained at a very reasonable extra cost.”). Applicant fails to address this motivation.
Examiner maintains that, when taken per broadest reasonable interpretation as elaborated in the Examiner notes in the rejection rationale, the prior art relied upon above teaches each and every claimed limitation.
As such, all remaining claims remain rejected over 35 U.S.C. 103.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
La Marca (US20190182280) teaches a similar method for recognizing anomalies in a data stream.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID RUBEN PEDERSEN whose telephone number is (571)272-9696. The examiner can normally be reached M-Th: 07:00-16:00 Eastern.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ramon Mercado can be reached on (571) 270-5744. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DAVID RUBEN PEDERSEN/Examiner, Art Unit 3658