DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 12/11/2025 has been placed of record in the file.
Claims 1 and 13 have been amended.
Claims 1-20 are pending.
The applicant’s arguments with respect to claims 1-20 have been fully considered but they are not persuasive as discussed below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4 and 10-15 are rejected under 35 U.S.C. 103 as being unpatentable over Terazawa et al. (U.S. Patent Application Publication Number 2020/0220888), hereinafter referred to as Terazawa, in view of Torisaki et al. (U.S. Patent Application Publication Number 2020/0053112), hereinafter referred to as Torisaki.
Terazawa disclosed techniques for anomaly detection in an in-vehicle network. In an analogous art, Torisaki also disclosed techniques for anomaly detection in an in-vehicle network.
Regarding claim 1, Terazawa discloses an intrusion monitoring system, comprising: a first monitoring device deployed in a controller area network (CAN), a second monitoring device deployed in an Ethernet network, and a first control device, both of the first monitoring device and the second monitoring device are connected to the first control device (paragraph 95, Ethernet-CAN gateway checks packets for anomaly determinations); wherein: the first monitoring device is configured to obtain first CAN reporting information on data traffic in the system and transmit the first CAN reporting information to the first control device, wherein the data traffic in the system is from the CAN to the Ethernet network or from the Ethernet network to the CAN (paragraph 101, checks CAN ID and data field value of CAN frames); the second monitoring device is configured to obtain second Ethernet reporting information on the data traffic and transmit the second Ethernet reporting information to the first control device (paragraph 98, checks source information of Ethernet packet); and the first control device is configured to receive the first CAN reporting information from the first monitoring device and the second Ethernet reporting information from the second monitoring device, and determine whether the data traffic is an attack according to the first CAN reporting information and the second Ethernet reporting information (paragraphs 102-103, determines whether packet has anomaly).
Terazawa does not explicitly state wherein the first CAN reporting information comprises a frequency of a given packet in the data traffic, wherein the second Ethernet reporting information comprises a frequency of a given packet in the data traffic, and determining, by evaluating the frequency of the given packet from the first CAN reporting information and the frequency of the given packet from the second Ethernet reporting information, whether the data traffic is an attack. However, monitoring data traffic in such a fashion was well known in the art as evidenced by Torisaki. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Terazawa by adding the ability that the first CAN reporting information comprises a frequency of a given packet in the data traffic, that the second Ethernet reporting information comprises a frequency of a given packet in the data traffic, and for determining, by evaluating the frequency of the given packet from the first CAN reporting information and the frequency of the given packet from the second Ethernet reporting information, whether the data traffic is an attack as provided by Torisaki (see paragraph 136, logs frame information including frequency of frame reception, and paragraph 140, performs anomaly detection based on received frame information, and paragraph 192, network may include CAN and Ethernet). One of ordinary skill in the art would have recognized the benefit that monitoring an in-vehicle network in this way would assist in providing more immediate and appropriate processing for anomalies (see Torisaki, paragraph 7).
Regarding claim 2, the combination of Terazawa and Torisaki discloses wherein the data traffic in the system is from the CAN to the Ethernet network; the first monitoring device is configured to process the data traffic to generate first CAN reporting information, transmit the first CAN reporting information to the first control device, and pass the processed data traffic to the second monitoring device; the second monitoring device is configured to receive the processed data traffic from the first monitoring network, process the processed data traffic to generate the second Ethernet reporting information and transmit the second Ethernet reporting information to the first control device; and the first control device is configured to receive the first CAN reporting information from the first monitoring device and the second Ethernet reporting information from the second monitoring device, and determine whether the data traffic is an attack according to the first CAN reporting information and the second Ethernet reporting information (Terazawa, paragraph 71, data transferred from CAN network to Ethernet network).
Regarding claim 3, the combination of Terazawa and Torisaki discloses wherein the data traffic in the system is from the Ethernet network to the CAN; the second monitoring device is configured to process the data traffic to generate second Ethernet reporting information, and transmit the second Ethernet reporting information to the first control device and pass the processed data traffic to the first monitoring device; the first monitoring device is configured to receive the processed data traffic from the second monitoring network, process the processed data traffic to generate the first CAN reporting information and transmit the first CAN reporting information to the first control device; and the first control device is configured to receive the first CAN reporting information from the first monitoring device and the second Ethernet reporting information from the second monitoring device, and determine whether the data traffic is an attack according to the first CAN reporting information and the second Ethernet reporting information (Terazawa, paragraph 71, data transferred from Ethernet network to CAN network).
Regarding claim 4, the combination of Terazawa and Torisaki discloses wherein the first monitoring device and the second monitoring device are deployed in a same switch, the first control device comprises an intrusion detection system IDS and is deployed inside the switch separated from the first monitoring device and the second monitoring device (Terazawa, paragraph 70, Ethernet-CAN gateway and anomaly determiner).
Regarding claim 10, the combination of Terazawa and Torisaki discloses wherein the first control device is further configured to notify the first monitoring device and the second monitoring device of update data, wherein the update data indicates a strategy for handling a new attack; the first monitoring device is further configured to receive the update data from the first control device and perform an update operation according to the update data, and the second monitoring device is further configured to receive the update data from the first control device and perform the update operation according to the update data (Terazawa, paragraph 108, includes enabled actions for each entry in anomaly determination database).
Regarding claim 11, the combination of Terazawa and Torisaki discloses wherein the first control device is further configured to perform a preventive operation in response to determining that the data traffic is an attack (Terazawa, paragraph 86, anomaly processing).
Regarding claim 12, the combination of Terazawa and Torisaki discloses wherein the preventive operation comprises any one or more of following operations: logging of the attack; notification of the attack; initiation of a safe vehicle state process to bring the vehicle into a safe state; or, blocking of the attack (Terazawa, paragraph 86, notifying occurrence of anomaly).
Regarding claim 13, Terazawa discloses an intrusion monitoring method, applied to an intrusion monitoring system comprising a first monitoring device deployed in a controller area network (CAN), a second monitoring device deployed in an Ethernet network, and a first control device, both of the first monitoring device and the second monitoring device are connected to the first control device (paragraph 95, Ethernet-CAN gateway checks packets for anomaly determinations), wherein the method comprises: obtaining and transmitting, by the first monitoring device, first CAN reporting information on data traffic in the system to the first control device, wherein the data traffic in the system is from the CAN to the Ethernet network or from the Ethernet network to the CAN (paragraph 101, checks CAN ID and data field value of CAN frames); obtaining and transmitting, by the second monitoring device, second Ethernet reporting information on the data traffic to the first control device (paragraph 98, checks source information of Ethernet packet); and receiving, by the first control device, the first CAN reporting information from the first monitoring and the second Ethernet reporting information from the second monitoring device, and determining, by the first control device, whether the data traffic is an attack according to the first CAN reporting information and the second Ethernet reporting information and the complete path of the attack (paragraphs 102-103, determines whether packet has anomaly).
Terazawa does not explicitly state wherein the first CAN reporting information comprises a frequency of a given packet in the data traffic, wherein the second Ethernet reporting information comprises a frequency of a given packet in the data traffic, and determining, through evaluating the frequency of the given packet from the first CAN reporting information and the frequency of the given packet from the second Ethernet reporting information, whether the data traffic is an attack. However, monitoring data traffic in such a fashion was well known in the art as evidenced by Torisaki. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Terazawa by adding the ability that the first CAN reporting information comprises a frequency of a given packet in the data traffic, that the second Ethernet reporting information comprises a frequency of a given packet in the data traffic, and for determining, through evaluating the frequency of the given packet from the first CAN reporting information and the frequency of the given packet from the second Ethernet reporting information, whether the data traffic is an attack as provided by Torisaki (see paragraph 136, logs frame information including frequency of frame reception, and paragraph 140, performs anomaly detection based on received frame information, and paragraph 192, network may include CAN and Ethernet). One of ordinary skill in the art would have recognized the benefit that monitoring an in-vehicle network in this way would assist in providing more immediate and appropriate processing for anomalies (see Torisaki, paragraph 7).
Regarding claim 14, the combination of Terazawa and Torisaki discloses wherein the data traffic in the system is from the CAN to the Ethernet network; the method further comprises: processing, by the first monitoring device, the data traffic to generate first CAN reporting information; transmitting, by the first monitoring device, the first CAN reporting information to the first control device, and passing, by the first monitoring device, the processed data traffic to the second monitoring device; receiving, by the second monitoring device, the processed data traffic from the first monitoring network; processing, by the second monitoring device, the processed data traffic to generate the second Ethernet reporting information; transmitting, by the second monitoring device, the second Ethernet reporting information to the first control device; receiving, by the first control device, the first CAN reporting information from the first monitoring device and the second Ethernet reporting information from the second monitoring device, and determining, by the first control device, whether the data traffic is an attack according to the first CAN reporting information and the second Ethernet reporting information and the complete path of the attack (Terazawa, paragraph 71, data transferred from CAN network to Ethernet network).
Regarding claim 15, the combination of Terazawa and Torisaki discloses wherein the data traffic in the system is from the Ethernet network to the CAN; the method further comprises: processing, by the second monitoring device, the data traffic to generate second Ethernet reporting information; transmitting, by the second monitoring device, the second Ethernet reporting information to the first control device and passing, by the second monitoring device, the processed data traffic to the first monitoring device; receiving, by the first monitoring device, the processed data traffic from the second monitoring network; processing, by the first monitoring device, the processed data traffic to generate the first CAN reporting information; transmitting, by the first monitoring device, the first CAN reporting information to the first control device; receiving, by the first control device, the first CAN reporting information from the first monitoring device and the second Ethernet reporting information from the second monitoring device; and determining, by the first control device, whether the data traffic is an attack according to the first CAN reporting information and the second Ethernet reporting information and complete attack path (Terazawa, paragraph 71, data transferred from Ethernet network to CAN network).
Claims 5-9 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Terazawa in view of Torisaki, further in view of Kerstein (U.S. Patent Application Publication Number 2020/0342099).
The combination of Terazawa and Torisaki disclosed techniques for anomaly detection in an in-vehicle network. In an analogous art, Kerstein disclosed techniques for monitoring anomalies in an automotive environment. Both systems are directed toward intrusion detection in CAN networks.
Regarding claim 5, the combination of Terazawa and Torisaki does not explicitly state wherein the first control device is further configured to monitor a working status of the first monitoring device and a working status of the second monitoring device. However, managing monitoring components in such a fashion was well known in the art as evidenced by Kerstein. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Terazawa and Torisaki by adding the ability that the first control device is further configured to monitor a working status of the first monitoring device and a working status of the second monitoring device as provided by Kerstein (see paragraph 15, polls diagnostic communication managers for intrusion anomalies identified by security monitors). One of ordinary skill in the art would have recognized the benefit that managing an automotive communication network in this way would assist in detecting, reporting on, and acting upon, anomalies in the automotive system (see Kerstein, paragraph 10).
Regarding claim 6, the combination of Terazawa and Torisaki does not explicitly state a third monitoring device connected to the first monitoring device and deployed in the CAN; wherein the first monitoring device is deployed in a first switch, and the third monitoring device is deployed in a second switch; wherein the third monitoring device is configured to generate third CAN reporting information and transmit the third CAN reporting information to the first monitoring device; and the first monitoring device is configured to obtain the first CAN reporting information according to the third CAN reporting information and transmit the first CAN reporting information to the first control device. However, distributing monitoring components across a network in such a fashion was well known in the art as evidenced by Kerstein. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Terazawa and Torisaki by adding the ability for a third monitoring device connected to the first monitoring device and deployed in the CAN; wherein the first monitoring device is deployed in a first switch, and the third monitoring device is deployed in a second switch; wherein the third monitoring device is configured to generate third CAN reporting information and transmit the third CAN reporting information to the first monitoring device; and the first monitoring device is configured to obtain the first CAN reporting information according to the third CAN reporting information and transmit the first CAN reporting information to the first control device as provided by Kerstein (see paragraph 45, multiple instances of network security device). One of ordinary skill in the art would have recognized the benefit that managing an automotive communication network in this way would assist in detecting, reporting on, and acting upon, anomalies in the automotive system (see Kerstein, paragraph 10).
Regarding claim 7, the combination of Terazawa, Torisaki, and Kerstein discloses wherein the first control device is further configured to monitor a working status of the first monitoring device, and the first monitoring device is further configured to monitor a working status of the third monitoring device (Kerstein, paragraph 15, polls diagnostic communication managers for intrusion anomalies identified by security monitors).
Regarding claim 8, the combination of Terazawa, Torisaki, and Kerstein discloses a fourth monitoring device connected to the second monitoring device and deployed in the Ethernet network; wherein the second monitoring device is deployed in the first switch, and the fourth monitoring device is deployed in the second switch; wherein the fourth monitoring device is configured to generate fourth Ethernet reporting information and transmit the fourth Ethernet reporting information to the second monitoring device; and the second monitoring device is configured to obtain the second Ethernet reporting information according to the fourth Ethernet reporting information and transmit the second Ethernet reporting information to the first control device (Kerstein, paragraph 45, multiple instances of network security device).
Regarding claim 9, the combination of Terazawa, Torisaki, and Kerstein discloses wherein the first control device is further configured to monitor a working status of the second monitoring device, and the second monitoring device is further configured to monitor a working status of the fourth monitoring device (Kerstein, paragraph 15, polls diagnostic communication managers for intrusion anomalies identified by security monitors).
Regarding claim 16, the combination of Terazawa and Torisaki does not explicitly state monitoring, by the first control device, a working status of the first monitoring device and a working status of the second monitoring device. However, managing monitoring components in such a fashion was well known in the art as evidenced by Kerstein. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Terazawa and Torisaki by adding the ability for monitoring, by the first control device, a working status of the first monitoring device and a working status of the second monitoring device as provided by Kerstein (see paragraph 15, polls diagnostic communication managers for intrusion anomalies identified by security monitors). One of ordinary skill in the art would have recognized the benefit that managing an automotive communication network in this way would assist in detecting, reporting on, and acting upon, anomalies in the automotive system (see Kerstein, paragraph 10).
Regarding claim 17, the combination of Terazawa and Torisaki does not explicitly state generating, by a third monitoring device, third CAN reporting information, wherein the third monitoring device is connected to the first monitoring device and deployed in the CAN, the first monitoring device is deployed in a first switch, and the third monitoring device is deployed in a second switch; transmitting, by the third monitoring device, the third CAN reporting information to the first monitoring device; obtaining, by the first monitoring device, the first CAN reporting information according to the third CAN reporting information; and transmitting, by the first monitoring device, the first CAN reporting information to the first control device. However, distributing monitoring components across a network in such a fashion was well known in the art as evidenced by Kerstein. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Terazawa and Torisaki by adding the ability for generating, by a third monitoring device, third CAN reporting information, wherein the third monitoring device is connected to the first monitoring device and deployed in the CAN, the first monitoring device is deployed in a first switch, and the third monitoring device is deployed in a second switch; transmitting, by the third monitoring device, the third CAN reporting information to the first monitoring device; obtaining, by the first monitoring device, the first CAN reporting information according to the third CAN reporting information; and transmitting, by the first monitoring device, the first CAN reporting information to the first control device as provided by Kerstein (see paragraph 45, multiple instances of network security device). One of ordinary skill in the art would have recognized the benefit that managing an automotive communication network in this way would assist in detecting, reporting on, and acting upon, anomalies in the automotive system (see Kerstein, paragraph 10).
Regarding claim 18, the combination of Terazawa, Torisaki, and Kerstein discloses monitoring, by the first control device, a working status of the first monitoring device, and monitoring, by the first monitoring device, a working status of the third monitoring device (Kerstein, paragraph 15, polls diagnostic communication managers for intrusion anomalies identified by security monitors).
Regarding claim 19, the combination of Terazawa, Torisaki, and Kerstein discloses generating, by a fourth monitoring device, fourth Ethernet reporting information, wherein the fourth monitoring device is connected to the second monitoring device and deployed in the Ethernet network, the second monitoring device is deployed in the first switch, and the fourth monitoring device is deployed in the second switch; transmitting, by the fourth monitoring device, the fourth Ethernet reporting information to the first monitoring device; obtaining, by the second monitoring device, the second Ethernet reporting information according to the fourth Ethernet reporting information; transmitting, by the second monitoring device, the second Ethernet reporting information to the first control device (Kerstein, paragraph 45, multiple instances of network security device).
Regarding claim 20, the combination of Terazawa, Torisaki, and Kerstein discloses monitoring, by the first control device, a working status of the second monitoring device, and monitoring, by the second monitoring device, a working status of the fourth monitoring device (Kerstein, paragraph 15, polls diagnostic communication managers for intrusion anomalies identified by security monitors).
Response to Arguments
In the remarks, the applicant has argued that the combination of Terazawa and Torisaki fails to disclose the newly added claim limitations. However, the prior art is seen to teach these limitations. The applicant is directed to the new citation to Torisaki in the above rejection. As can be seen, Torisaki performs anomaly detection based on the received frame information, where the frame information has been shown to include the frame frequency information. To the applicant’s argument in the remarks about the “reporting information of both networks,” it is noted that Terazawa has already been shown to consider traffic information for both CAN and Ethernet data. Further, the previously cited paragraph 192 of Torisaki states that Torisaki’s in-vehicle network may be a combination of networks including CAN and Ethernet. As such, Torisaki teaches logging frame information from such a combination of networks and using the frame information in anomaly detection.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493