DETAILED ACTION
The following claims are pending in this office action: 1-15
Claims 1, 14 and 15 are independent claims.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 07/18/2024 are accepted.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/18/2024 and 07/07/2025 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed 07/18/2024 and 07/07/2025 are attached to the instant Office action.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
Claims 1-2 invoke 112(f). The following is a list of non-structural generic placeholders that may invoke 35 U.S.C. 112(f): "mechanism for," "module for," "device for," "unit for," "component for," "element for," "member for," "apparatus for," "machine for," or "system for." See MPEP 2181 Sec. I. The claim limitations use the generic placeholder “unit.”
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) use a generic placeholder (unit) that is coupled with functional language without reciting sufficient structure to perform the recited function, and the generic placeholder is not preceded by a structural modifier. Such claim limitations include: a log acquisition unit acquiring a security log (claim 1); an attack estimation unit estimating the attack (claim 1); an attack estimation accuracy analysis unit analyzing an estimation accuracy of the attack (claim 1); an output unit outputting attack information (claim 1); and a reference attack factor information estimation unit estimating ... reference attack factor information (claim 2). The recitation “attack analysis device” is interpreted as a non-limiting preamble.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. No structure is disclosed for the respective units claimed. Paragraphs 0189-0190 explain that embodiments of the attack analysis device may be configured as a component, and that examples of such a component include a microcomputer. However, nothing in the specification links “unit” to “component,” a computer, a processor, or any other structure.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
With respect to claims 1-13, the claim limitations: a log acquisition unit acquiring a security log (claim 1); an attack estimation unit estimating the attack (claim 1); an attack estimation accuracy analysis unit analyzing an estimation accuracy of the attack (claim 1); an output unit outputting attack information (claim 1); and a reference attack factor information estimation unit estimating ... reference attack factor information (claim 2) invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is silent as to the corresponding structure of each of the units recited in the claims. Therefore, claims 1-13 are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5, 8-12 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Galula et al. (US Pub. 2018/0351980) (hereinafter “Galula”) in view of Sharifi Mehr (US Patent No. 10,812,521) (hereinafter “Sharifi Mehr”).
As per claim 1, Galula teaches an attack analysis device analyzing an attack on an electronic control system mounted on a moving object, the attack analysis device comprising: ([Galula, para. 0007] “identifying the cyber-attack based on ... analyzing or cross-referencing information in the reports [analyzing an attack] with the server”; [para. 0019] “server 210 ... include computing device 100 [attack analysis device]”; [para. 0030] “DCU 221 ... a sensor or component adapted to obtain information from electronic control units (ECUs) in a vehicle [mounted on a moving object]”; [para. 0107] “DCUs 221 ... collect information related to cyber security ... reports 133 [making the analyzing on an attack on the electronic control system mounted on a moving object]”)
a log acquisition unit acquiring a security log ([Galula, para. 0107] “DCUs 221 [log acquisition unit] ... collect [acquiring] information related to cyber security ... reports 133 [a security log]”) indicating an abnormality ([para. 0113] “reports 133 ... identify a cyber-attack [abnormality]”) detected in the electronic control system ([para. 0112] “reports 133 ... include ... messages sent over an in-vehicle network [the ECU – see para. 0033]”) and a location within the electronic control system where the abnormality is detected; ([para. 0111] “reports 133 ... include ... which nodes [a location] in in-vehicle communication network [within the electronic control system where the abnormality is detected]”)
an attack abnormality relationship information storage storing attack abnormality relationship information indicating a relationship ([Galula, para. 0024] “storage system [attack abnormality relationship information storage] may include, or may be used for storing, aggregated data 131 [abnormality relationship information] ... data generated by a server ... by correlating [indicating a relationship] data in one or more of ... server logs 132, reports 133, entity codes 134 and server data 135”; [para. 0007] “identifying the cyber-attack based on ... correlating [making the relationship attack abnormality relationship]”) among (i) predicted attack information indicating an attack predicted to be received by the electronic control system, ([para. 0094] “based on data in aggregated data 131 ... an attack [attack received by the electronic control system as explained above] may be ... predicted”) (ii) predicted abnormality information indicating an abnormality predicted to occur when the electronic control system receives the predicted attack, and ([para. 0053] “Correlation may include identifying, vehicles with some of the log data being continuous ... where log data is not continuous may cause server 210 to determine an attack [electronic control system receives the predicted attack] is causing ECU's to malfunction, crash or keep rebooting [an abnormality is predicted to occur]”) (iii) predicted abnormality location information indicating a location within the electronic control system where the predicted abnormality occurs; and ([para. 0094] “aggregated data 131 ... may identify [indicating] the ABS system [a location within the electronic unit] ... was not working [the predicated abnormality occurs] or the engine heat [another location within the electronic control system] was increasing rapidly [where another predicted abnormality occurs]”)
an attack estimation unit estimating the attack received by the electronic control system based on the security log and the attack abnormality relationship information; and ([Galula, para. 0094] “based on data in aggregated data 131 [based on the attack abnormality information] ... server 210 [an attack estimation unit] may identify ... an attack... predicted [estimating the attack received by the electronic control system]”; [para. 0108] “server 210 is adapted to aggregate reports 133 [based on the security log] ... to create aggregated data 131”)
an output unit outputting attack information, which indicates the estimated attack. ([Galula, para. 0126] “when an attack is detected ... server 210 may send a message [an output unit] ... including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on [attack information which indicates the estimated attack]”)
Galula does not clearly teach an attack estimation accuracy analysis unit analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and an output unit outputting estimation accuracy information, which indicates the estimation accuracy of the attack.
However, Sharifi Mehr teaches an attack estimation accuracy analysis unit analyzing an estimation accuracy of the attack received by the electronic control system ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device [electronic control system] data 120 ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) based on context data included in the security log; and ([col. 5, ln. 58 to col 6, ln. 2] “IoT device data 120 ... collected from IoT devices 104 ... device profile data ... device activity data [context data that provides context to the breach as per above]”; [col. 6, ln. 60-66] “the IoT device data ... represented using ... various log data formats [making the data a security log]”)
an output unit outputting estimation accuracy information, which indicates the estimation accuracy of the attack. ([Sharifi Mehr, col. 27, ln. 60 to col. 28, ln. 7] “the IoT security service 110 ... generate a GUI [output unit] including a graph [outputting] ... representation the calculated scores... the breach likelihood score [the estimation accuracy information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include an attack estimation accuracy analysis unit analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and an output unit outputting estimation accuracy information, which indicates the estimation accuracy of the attack. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of reducing alert fatigue due to false positives and guide users in security monitoring, triage and incident response activities. (Sharifi Mehr, col. 4, ln. 3-14)
As per claim 2, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach a reference attack factor information estimation unit estimating, based on the context data, reference attack factor information that indicates factor information of the attack related to the context data, wherein the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on the reference attack factor information.
However, Sharifi Mehr teaches a reference attack factor information estimation unit ([Sharifi Mehr, col. 26, ln. 44-58] “the operations ... are performed under the control of one or more computer systems”) estimating, based on the context data, reference attack factor information ([col. 27, ln. 11-23] “identifying, [estimating] based on the device profile data, [based on the context data] one or more security threat facilitators ... each of the one or more security threat facilitators represents a potential security threat vector [reference attack factor information]... based on the device activity data [based on the context data], one or more security threat indicators ... each of the one or more security threat indicators represents evidence of a potential security attack [reference attack factor information]”) that indicates factor information of the attack related to the context data, ([col. 3, ln. 3 to col. 4, ln. 2] “factors [factor information] that are used to calculate [indicate] the ... breach [attack related to the context data] ... the identified facilitators and indicators”)
wherein the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on the reference attack factor information. ([Sharifi Mehr, col. 27, ln. 37-41] “calculating, [analyzing by the attack estimation accuracy analysis unit – see col. 26, ln. 57-58: “performed by an IoT security service”] based on the one or more security threat facilitators and the one or more security threat indicators [the reference attack factor information], a breach likelihood score [estimation accuracy of the attack received by the electronic control system] indicating a likelihood that the computing device has been compromised”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula and Sharifi Mehr for the same reasons as disclosed above.
As per claim 3, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach the attack information includes an attack path, which includes a start point of the attack and a target of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in the attack path.
However, Sharifi Mehr teaches the attack information includes an attack path, which includes a start point of the attack ([Sharifi Mehr, col. 27, ln. 21-23] “each of the one or more security threat indicators represents evidence of a potential security attack”; [col. 13, ln. 55-59] “an adversary may use ... infiltration paths for breaching an IoT device including ... a direct path, where entry points on the IoT device are used ... ports”; [Table: Reconnaissance Indicators and Signals] security threat indicators RI101 is disclosed which includes an anomalous inbound connection of “Ports accessed”) and a target of the attack,
the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”)
the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in the attack path. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators [whether the communication direction information is included in the attack path – see col. 8, ln. 22-23: “the presence of ... indicators”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include the attack information includes an attack path, which includes a start point of the attack and a target of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in the attack path. One of ordinary skill in the art would have been motivated to make this modification because analysis of the channels of attacks allows security organizations to attempt to dismantle them. (Sharifi Mehr, col. 18, ln. 29-32)
As per claim 5, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data indicates a software or process of the electronic control system in which an abnormality is occurred, the attack stage is related to a predetermined software or process having a specific function, and when the attack information including the attack stage is acquired, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by determining whether the predetermined software or process is indicated by the context data.
However, Sharifi Mehr teaches wherein the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”)
the context data indicates ([Sharifi Mehr, col. 27, ln. 19-21] “identifying, based on the device activity data [the context data indicates], one or more security threat indicators”) a software or process of the electronic control system in which an abnormality is occurred,
the attack stage is related to a predetermined software or process having a specific function, and ([Sharifi Mehr, Table: Infiltration Indicators and Signals] security threat indicators II102 is disclosed which includes “Monitoring and identifying anomalies in ... process launches and file access” [a software or process of the electronic control system in which an abnormality is occurred] and “Process launches and crashes and associated contexts”; the same table explains the abnormality [software/process] is found in [related to] the “infiltration” stage [the attack stage] having the specific function of network service)
when the attack information including the attack stage is acquired, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by determining whether the predetermined software or process is indicated by the context data. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device data 120 [attack information including the attack stage is acquired] ... and uses the identified ... indicators [determining the predetermined software or process is indicated by the context data – see col. 8, ln. 22-23: “the presence of ... indicators”] ... to calculate [analyze]... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data indicates a software or process of the electronic control system in which an abnormality is occurred, the attack stage is related to a predetermined software or process having a specific function, and when the attack information including the attack stage is acquired, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by determining whether the predetermined software or process is indicated by the context data. One of ordinary skill in the art would have been motivated to make this modification because indicators associated with different stages allow different weights to be assigned to the different indicators when calculating a breach likelihood, thereby allowing identification of false positives, such as when the indicator is associated with legitimate purposes. (Sharifi Mehr, col. 8, ln. 63 to col. 9, ln. 23)
As per claim 8, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and when the communication direction information is included in the attack path, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a blacklist or a whitelist.
However, Sharifi Mehr teaches wherein the attack information includes an attack path, which includes a start point of the attack ([Sharifi Mehr, col. 27, ln. 21-23] “each of the one or more security threat indicators represents evidence of a potential security attack”; [col. 13, ln. 55-59] “an adversary may use ... infiltration paths for breaching an IoT device including ... a direct path, where entry points on the IoT device are used ... ports”; [Table: Reconnaissance Indicators and Signals] security threat indicators RI101 is disclosed which includes an anomalous inbound connection of “Ports accessed”) and a target of the attack,
the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”) and
when the communication direction information is included in the attack path, ([Sharifi Mehr, Table: Reconnaissance Indicators and Signals] the network address is included in the attack path as it is used as part of an IoT attack campaign) the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a blacklist or a whitelist. ([col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators [based on whether the communication direction information is included in a blacklist, as the network address is included in a blacklist – see Table: Reconnaissance Indicators and Signals “network address in threat intelligence blacklists”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and when the communication direction information is included in the attack path, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a blacklist or a whitelist. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of increasing the confidence level with which the indicators/attack is identified. (Sharifi Mehr, col. 7, ln. 49-67)
As per claim 9, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach wherein the context data indicates a communication partner when the attack detected in the electronic control system is caused by a communication between the electronic control system and an external device, the attack information includes an attack stage indicating an intrusion stage of the attack, and when the attack stage is identical to a predetermined attack stage, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack based on whether the communication partner is included in a blacklist.
However, Sharifi Mehr teaches wherein the context data indicates ([Sharifi Mehr, col. 27, ln. 19-21] “identifying, based on the device activity data [the context data indicates], one or more security threat indicators”) a communication partner when the attack detected in the electronic control system is caused by a communication between the electronic control system and an external device, ([Table: Reconnaissance Indicators and Signals] “an adversary could take advantage of its access to a compromised IoT device [communication partner] to spread itself to other devices [attack detected is caused by a communication] ... identify those devices using port probes ... outbound port probes can cause global signals [a communication between the electronic control system] generated by external security monitoring systems [and an external device]”)
the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”) and when the attack stage is identical to a predetermined attack stage, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack ([col. 9, ln. 20-23] “an indicator that is associated with the reconnaissance stage [when the attack stage is identical to a predetermined attack stage] ... when calculating a breach likelihood score [the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack]”) based on whether the communication partner is included in a blacklist. ([Col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device data 120 ... and uses the identified ... indicators [based on whether the communication direction information is included in a blacklist as the network address is included in a blacklist – see Table: Reconnaissance Indicators and Signals “network address in threat intelligence blacklists”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula and Sharifi Mehr for the same reasons as disclosed above.
As per claim 10, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and when the communication direction information is included in the attack path, the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a vulnerability information list.
However, Sharifi Mehr teaches wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack, ([Sharifi Mehr, col. 27, ln. 21-23] “each of the one or more security threat indicators represents evidence of a potential security attack”; [col. 13, ln. 55-59] “an adversary may use ... infiltration paths for breaching an IoT device including ... a direct path, where entry points on the IoT device are used ... ports”; [Table: Reconnaissance Indicators and Signals] security threat indicator RI101 is disclosed which includes an anomalous inbound connection of “Ports accessed”)
the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”)
when the communication direction information is included in the attack path, ([Sharifi Mehr, Table: Reconnaissance Indicators and Signals] the network address is included in the attack path as it is used as part of an IoT attack campaign) the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a vulnerability information list. ([Col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device data 120 ... and uses the identified ... indicators [based on whether the communication direction information is included in a blacklist as the network address is included in a blacklist – see Table: Reconnaissance Indicators and Signals “network address in threat intelligence blacklists”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”; examiner notes a blacklist is a vulnerability information list as a blacklist identifies communication vulnerabilities for the device)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula and Sharifi Mehr for the same reasons as disclosed above.
As per claim 11, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach wherein the attack information includes an attack path, the context data indicates a software or process in which the abnormality is occurred, and the attack estimation accuracy analysis unit analyzes, using the context data, the estimation accuracy of the attack by determining whether a vulnerable software or process indicated in a vulnerability information list is executed in the attack path.
However, Sharifi Mehr teaches wherein the attack information includes an attack path, ([Sharifi Mehr, col. 27, ln. 21-23] “each of the one or more security threat indicators represents evidence of a potential security attack”; [col. 13, ln. 55-59] “an adversary may use ... infiltration paths for breaching an IoT device including ... a direct path”)
the context data indicates a software or process in which the abnormality is occurred, ([Sharifi Mehr, Table: Infiltration Indicators and Signals] security threat indicator II102 is disclosed which includes “Monitoring and identifying anomalies in ... process launches and file access” [a software or process of the electronic control system in which an abnormality is occurred] and “Process launches and crashes and associated contexts”) and
the attack estimation accuracy analysis unit analyzes, using the context data, the estimation accuracy of the attack by determining whether a vulnerable software or process ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device data 120 ... and uses the identified ... indicators [determining the vulnerable software/process is executed] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) indicated in a vulnerability information list is executed in the attack path. ([Table: Infiltration Indicators and Signals] “Exploiting known or 0-day vulnerabilities ... Monitoring and identifying ... process launches ... Signal 1: Process launches [vulnerability process is executed in the Infiltration attack path]”; [col. 26, ln. 34-35] “the IoT security service 110 ... provide ... a list of the ... indicators [indicated in a vulnerable information list]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include wherein the attack information includes an attack path, the context data indicates a software or process in which the abnormality is occurred, and the attack estimation accuracy analysis unit analyzes, using the context data, the estimation accuracy of the attack by determining whether a vulnerable software or process indicated in a vulnerability information list is executed in the attack path. One of ordinary skill in the art would have been motivated to make this modification because the ability to correlate and combine identified indicators/a vulnerable software process helps to not lose the value of indicators so as to not miss the security attack. (Sharifi Mehr, col. 4, ln. 14-19)
As per claim 12, Galula in view of Sharifi Mehr teaches claim 1.
Galula also teaches the attack analysis device being located outside the moving object. ([Galula, Fig. 2] the server 210 [attack analysis device – see for example, para. 0055: “performing historical analysis of hacked vehicles ... server 210 may identify vehicles in early phases of the attack”] is located at a location external to the vehicle/moving object)
As per claim 14, Galula teaches an attack analysis method executed by an attack analysis device, the attack analysis device analyzing an attack on an electronic control system mounted on a moving object, ([Galula, para. 0007] “identifying the cyber-attack based on ... analyzing or cross-referencing information in the reports [analyzing an attack] with the server”; [para. 0019] “server 210 ... include computing device 100 [attack analysis device]”; [para. 0030] “DCU 221 ... a sensor or component adapted to obtain information from electronic control units (ECUs) in a vehicle [mounted on a moving object]”; [para. 0107] “DCUs 221 ... collect information related to cyber security ... reports 133 [making the analyzing on an attack on the electronic control system mounted on a moving object]”) the attack analysis device including an attack abnormality relationship information storage, which stores attack abnormality relationship information indicating a relationship ([para. 0024] “storage system [attack abnormality relationship information storage] may include, or may be used for storing, aggregated data 131 [abnormality relationship information] ... data generated by a server ... by correlating [indicating a relationship] data in one or more of ... server logs 132, reports 133, entity codes 134 and server data 135”; [para. 0007] “identifying the cyber-attack based on ... correlating [making the relationship attack abnormality relationship]”) among (i) predicted attack information indicating an attack predicted to be received by the electronic control system, ([para. 0094] “based on data in aggregated data 131 ... an attack [attack received by the electronic control system as explained above] may be ... predicted”) (ii) predicted abnormality information indicating an abnormality predicted to occur when the electronic control system receives the predicted attack, and ([para. 0053] “Correlation may include identifying, vehicles with some of the log data being continuous ... where log data is not continuous may cause server 210 to determine an attack [electronic control system receives the predicted attack] is causing ECU's to malfunction, crash or keep rebooting [an abnormality is predicted to occur]”) (iii) predicted abnormality location information indicating a location within the electronic control system where the predicted abnormality occurs, the attack analysis method comprising: ([para. 0094] “aggregated data 131 ... may identify [indicating] the ABS system [a location within the electronic unit] ... was not working [the predicted abnormality occurs] or the engine heat [another location within the electronic control system] was increasing rapidly [where another predicted abnormality occurs]”)
acquiring a security log ([Galula, para. 0107] “collect [acquiring] information related to cyber security ... reports 133 [a security log]”) indicating an abnormality ([para. 0113] “reports 133 ... identify a cyber-attack [abnormality]”) detected in the electronic control system ([para. 0112] “reports 133 ... include ... messages sent over an in-vehicle network [the ECU – see para. 0033]”) and a location within the electronic control system where the abnormality is detected; ([para. 0111] “reports 133 ... include ... which nodes [a location] in in-vehicle communication network [within the electronic control system where the abnormality is detected]”)
estimating the attack received by the electronic control system based on the security log and the attack abnormality relationship information; and ([Galula, para. 0094] “based on data in aggregated data 131 [based on the attack abnormality information] ... server 210 may identify ... an attack... predicted [estimating the attack received by the electronic control system]”; [para. 0108] “server 210 is adapted to aggregate reports 133 [based on the security log] ... to create aggregated data 131”)
outputting attack information, which indicates the estimated attack. ([Galula, para. 0126] “when an attack is detected ... server 210 may send a message ... including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on [attack information which indicates the estimated attack]”)
Galula does not clearly teach analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack.
However, Sharifi Mehr teaches analyzing an estimation accuracy of the attack received by the electronic control system ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 analyzes the IoT device [electronic control system] data 120 ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) based on context data included in the security log; and ([col. 5, ln. 58 to col. 6, ln. 2] “IoT device data 120 ... collected from IoT devices 104 ... device profile data ... device activity data [context data that provides context to the breach as per above]”; [col. 6, ln. 60-66] “the IoT device data ... represented using ... various log data formats [making the data a security log]”)
outputting estimation accuracy information, which indicates the estimation accuracy of the attack. ([Sharifi Mehr, col. 27, ln. 60 to col. 28, ln. 7] “the IoT security service 110 ... generate a GUI including a graph [outputting] ... representation the calculated scores... the breach likelihood score [the estimation accuracy information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of reducing alert fatigue due to false positives and guide users in security monitoring, triage and incident response activities. (Sharifi Mehr, col. 4, ln. 3-14)
As per claim 15, Galula teaches a computer-readable non-transitory storage medium storing an attack analysis program, ([Galula, para. 0017] “embodiments ... refer to operation(s) and/or process(es) of ... non-transitory storage medium that may store instructions to perform operations and/or processes”) the attack analysis program comprising instructions to be executed by a computer of an attack analysis device for analyzing an attack on an electronic control system mounted on a moving object, ([para. 0007] “identifying the cyber-attack based on ... analyzing or cross-referencing information in the reports [analyzing an attack] with the server”; [para. 0019] “server 210 ... include computing device 100 [attack analysis device]”; [para. 0030] “DCU 221 ... a sensor or component adapted to obtain information from electronic control units (ECUs) in a vehicle [mounted on a moving object]”; [para. 0107] “DCUs 221 ... collect information related to cyber security ... reports 133 [making the analyzing on an attack on the electronic control system mounted on a moving object]”) the attack analysis device including an attack abnormality relationship information storage, which stores attack abnormality relationship information indicating a relationship ([para. 0024] “storage system [attack abnormality relationship information storage] may include, or may be used for storing, aggregated data 131 [abnormality relationship information] ... data generated by a server ... by correlating [indicating a relationship] data in one or more of ... server logs 132, reports 133, entity codes 134 and server data 135”; [para. 0007] “identifying the cyber-attack based on ... correlating [making the relationship attack abnormality relationship]”) among (i) predicted attack information indicating an attack predicted to be received by the electronic control system, ([para. 0094] “based on data in aggregated data 131 ... an attack [attack received by the electronic control system as explained above] may be ... predicted”) (ii) predicted abnormality information indicating an abnormality predicted to occur when the electronic control system receives the predicted attack, and ([para. 0053] “Correlation may include identifying, vehicles with some of the log data being continuous ... where log data is not continuous may cause server 210 to determine an attack [electronic control system receives the predicted attack] is causing ECU's to malfunction, crash or keep rebooting [an abnormality is predicted to occur]”) (iii) predicted abnormality location information indicating a location within the electronic control system where the predicted abnormality occurs, ([para. 0094] “aggregated data 131 ... may identify [indicating] the ABS system [a location within the electronic unit] ... was not working [the predicted abnormality occurs] or the engine heat [another location within the electronic control system] was increasing rapidly [where another predicted abnormality occurs]”) the instructions of the attack analysis program comprising:
acquiring a security log ([Galula, para. 0107] “collect [acquiring] information related to cyber security ... reports 133 [a security log]”) indicating an abnormality ([para. 0113] “reports 133 ... identify a cyber-attack [abnormality]”) detected in the electronic control system ([para. 0112] “reports 133 ... include ... messages sent over an in-vehicle network [the ECU – see para. 0033]”) and a location within the electronic control system where the abnormality is detected; ([para. 0111] “reports 133 ... include ... which nodes [a location] in in-vehicle communication network [within the electronic control system where the abnormality is detected]”)
estimating the attack received by the electronic control system based on the security log and the attack abnormality relationship information; and ([Galula, para. 0094] “based on data in aggregated data 131 [based on the attack abnormality information] ... server 210 may identify ... an attack... predicted [estimating the attack received by the electronic control system]”; [para. 0108] “server 210 is adapted to aggregate reports 133 [based on the security log] ... to create aggregated data 131”)
outputting attack information, which indicates the estimated attack. ([Galula, para. 0126] “when an attack is detected ... server 210 may send a message ... including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on [attack information which indicates the estimated attack]”)
Galula does not clearly teach analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack.
However, Sharifi Mehr teaches analyzing an estimation accuracy of the attack received by the electronic control system ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 analyzes the IoT device [electronic control system] data 120 ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) based on context data included in the security log; ([col. 5, ln. 58 to col. 6, ln. 2] “IoT device data 120 ... collected from IoT devices 104 ... device profile data ... device activity data [context data that provides context to the breach as per above]”; [col. 6, ln. 60-66] “the IoT device data ... represented using ... various log data formats [making the data a security log]”)
and outputting estimation accuracy information, which indicates the estimation accuracy of the attack. ([Sharifi Mehr, col. 27, ln. 60 to col. 28, ln. 7] “the IoT security service 110 ... generate a GUI including a graph [outputting] ... representation the calculated scores... the breach likelihood score [the estimation accuracy information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of reducing alert fatigue due to false positives and guide users in security monitoring, triage and incident response activities. (Sharifi Mehr, col. 4, ln. 3-14)
Claims 4 and 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Galula in view of Sharifi Mehr as applied to claim 2 above, and further in view of Martin et al. (US Pub 2018/0004942) (hereinafter “Martin”).
As per claim 4, Galula in view of Sharifi Mehr teaches claim 2.
Galula does not clearly teach wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage.
However, Sharifi Mehr teaches wherein the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”)
the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”)
the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”; [col. 9, ln. 20-23] “an indicator that is associated with the reconnaissance stage [when the attack stage included in the attack information is identical to a reference attack stage] ... when calculating a breach likelihood score [the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of increasing the confidence level with which the indicators/attack is identified. (Sharifi Mehr, col. 7, ln. 49-67)
Galula in view of Sharifi Mehr does not clearly teach the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information.
However, Martin teaches the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information. ([Martin, para. 0058] “The system [the reference attack factor information estimation unit] ... estimate a stage of this cyber attack on the network—such as initial infiltration, command and control, reconnaissance, or lateral movement stages— [a reference attack stage indicating an intrusion stage of attack] based on which threat elements of the cyber attack pattern defined in the new threat intelligence have been matched [related to] ... to network events [communication direction information – see para. 0052: “address ... datums contained in the network event”] in the network accounting log [based on the context data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr with the teachings of Martin to include the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of improving incident response and computer forensics by further investigating the information associated with the stage of the cyber attack. (Martin, para. 0019; para. 0063)
As per claim 6, Galula in view of Sharifi Mehr teaches claim 2.
Galula does not clearly teach wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data includes communication amount or an error type, the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication amount or the error type, as the reference attack factor information, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage.
However, Sharifi Mehr teaches wherein the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”)
the context data includes communication amount or an error type, and ([Sharifi Mehr, col. 12, ln. 6-9] “The following table lists ... example signals used to identify [context data] ... indicators”; [Table: Reconnaissance Indicators and Signals] “Volume of network inbound/outbound traffic”)
a reference attack stage indicating an intrusion stage of attack related to the communication amount or the error type; ([Sharifi Mehr, col. 12, ln. 6-9] “The ... table lists ... indicators [communication amount or the error type] related to the reconnaissance stage [a reference attack stage indicating an intrusion stage of attack]”)
the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [attack estimation accuracy analysis unit] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”; [col. 9, ln. 20-23] “an indicator that is associated with the reconnaissance stage [when the attack stage included in the attack information is identical to a reference attack stage] ... when calculating a breach likelihood score [the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula and Sharifi Mehr for the same reasons as disclosed above.
Galula in view of Sharifi Mehr does not clearly teach the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack, as the reference attack factor information.
However, Martin teaches the reference attack factor information estimation unit estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack, as the reference attack factor information. ([Martin, para. 0058] “The system [the reference attack factor information estimation unit] ... estimate a stage of this cyber attack on the network—such as initial infiltration, command and control, reconnaissance, or lateral movement stages— [a reference attack stage indicating an intrusion stage of attack] based on which threat elements of the cyber attack pattern defined in the new threat intelligence have been matched [related to] ... to network events in the network accounting log [based on the context data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Martin for the same reasons as disclosed above.
As per claim 7, Galula in view of Sharifi Mehr teaches claim 2.
Galula does not clearly teach wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack, the context data includes time information related to a time when the security log is generated or transmitted, the reference attack factor information estimation unit estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order.
However, Sharifi Mehr teaches wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack. ([Sharifi Mehr, col. 27, ln. 21-23] “each of the one or more security threat indicators represents evidence of a potential security attack”; [col. 13, ln. 55-59] “an adversary may use ... infiltration paths for breaching an IoT device including ... a direct path, where entry points on the IoT device are used ... ports”; [Table: Reconnaissance Indicators and Signals] security threat indicator RI101 is disclosed which includes an anomalous inbound connection of “Ports accessed”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula and Sharifi Mehr for the same reasons as disclosed above.
Galula in view of Sharifi Mehr does not clearly teach the context data includes time information related to a time when the security log is generated or transmitted, the reference attack factor information estimation unit estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order.
However, Martin teaches the context data includes time information related to a time when the security log is generated or transmitted, ([Martin, para. 0055] “the system records network traffic [the log is generated or transmitted] ... an event timestamp [time information related to a time when the log is generated or transmitted] as network traffic data in the network accounting log [the security log]”; [para. 0054] “timestamps of these network events ... a degree to which network events ... match a cyber attack [making the time context data]”)
the reference attack factor information estimation unit estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and ([Martin, para. 0023] “pattern matching techniques in Block ... S140 [reference attack factor information estimation unit] to identify [estimate] various elements [reference attack factor information] in the network accounting log [indicated by the security log] that match IOC values [abnormalities that are occurred] ... event sequence or timeline [a reference abnormality occurrence order]”; [para. 0054] the timeline is determined based on the time in the log/context data and so is based on the context data)
the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order. ([Martin, para. 0054] “The system [attack estimation accuracy analysis unit] ... to calculate [comparing] a degree of temporal alignment between singular network events in the network accounting log [a reference abnormality order] and threat elements defined in the new threat intelligence [an abnormality occurrence order estimated from the attack path]... then merge [analyzes] this ... into a confidence score [estimation accuracy of the attack] that represents a degree to which network events stored in the network accounting log match a cyber attack”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr with the teachings of Martin to include the context data includes time information related to a time when the security log is generated or transmitted, the reference attack factor information estimation unit estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and the attack estimation accuracy analysis unit analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of requiring limited processing time and power by the system while also maintaining a high degree of accuracy in detection to detect threats in substantially real-time. (Martin, para. 0015)
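The comparison described above, as an added illustration that is not code from the office action or from any of the cited references (Galula, Sharifi Mehr, Martin): a reference abnormality occurrence order is derived from log timestamps (the context data), and the accuracy of an estimated attack path is scored by how many of its ordered pairs the reference order confirms. The log format, ECU names, abnormality labels and the pairwise concordance score are assumptions chosen for the example.

```python
"""Score an estimated attack path against the abnormality order observed in a log.

Added example; not from the office action or the cited references. Assumptions:
- log lines are "<ISO-8601 timestamp> ECU=<name> event=<abnormality>" (constructed format);
- the predicted attack path is an ordered list of abnormality labels;
- the reference order is the order of first occurrence by timestamp;
- accuracy is a Kendall-style concordance: the fraction of ordered pairs in the
  predicted path whose order the reference order confirms.
"""
from datetime import datetime
from itertools import combinations

# Constructed sample log: deliberately out of timestamp order, with one repeated event.
CONSTRUCTED_LOG = [
    "2024-05-01T10:00:05Z ECU=gateway event=firmware_signature_mismatch",
    "2024-05-01T10:00:01Z ECU=telematics event=unexpected_inbound_connection",
    "2024-05-01T10:00:09Z ECU=can_bus event=unknown_can_id",
    "2024-05-01T10:00:03Z ECU=telematics event=unexpected_inbound_connection",
]


def parse_log(lines):
    """Parse constructed log lines into (timestamp, abnormality) tuples."""
    events = []
    for line in lines:
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["event"]))
    return events


def reference_order(events):
    """Reference abnormality occurrence order: abnormalities sorted by first occurrence time.

    Repeated abnormalities are collapsed to their earliest timestamp, and the
    input need not be sorted, which is the realistic case for logs collected
    from several ECUs.
    """
    first_seen = {}
    for ts, abnormality in events:
        if abnormality not in first_seen or ts < first_seen[abnormality]:
            first_seen[abnormality] = ts
    return sorted(first_seen, key=first_seen.get)


def estimation_accuracy(predicted_path, ref_order):
    """Fraction of ordered pairs (a before b) in predicted_path confirmed by ref_order.

    An abnormality that never appears in the log makes every pair involving it
    discordant, so predicted steps with no evidence lower the score.
    """
    rank = {abnormality: i for i, abnormality in enumerate(ref_order)}
    pairs = list(combinations(predicted_path, 2))
    if not pairs:  # zero or one step: accurate only if that step is in the log
        return 1.0 if predicted_path and all(a in rank for a in predicted_path) else 0.0
    concordant = sum(
        1 for a, b in pairs if a in rank and b in rank and rank[a] < rank[b]
    )
    return concordant / len(pairs)


if __name__ == "__main__":
    ref = reference_order(parse_log(CONSTRUCTED_LOG))
    print("reference order:", ref)
    for path in (
        ["unexpected_inbound_connection", "firmware_signature_mismatch", "unknown_can_id"],
        ["firmware_signature_mismatch", "unexpected_inbound_connection", "unknown_can_id"],
        ["unexpected_inbound_connection", "privilege_escalation", "unknown_can_id"],
    ):
        print(path, "->", round(estimation_accuracy(path, ref), 3))
```

The three sample paths show the intended behaviour: a path in the same order as the log scores 1.0, a path with two steps swapped scores 2/3, and a path containing a step the log never recorded scores 1/3.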
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Galula in view of Sharifi Mehr as applied to claim 1 above, and further in view of Atobe (US Pub. 2021/0352091) (hereinafter “Atobe”).
As per claim 13, Galula in view of Sharifi Mehr teaches claim 1.
Galula does not clearly teach the attack analysis device being mounted on the moving object.
However, Atobe teaches the attack analysis device being mounted on the moving object. ([Atobe, para. 0119] “The attack judgement unit 120 [attack analysis device] receives the log data set, performs attack judgement based on the log data set, and gives notice of a judgement result”; [Fig. 1] the attack judgement unit 120 is within the vehicle and so is mounted on the vehicle)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr with the teachings of Atobe to include the attack analysis device being mounted on the moving object. One of ordinary skill in the art would have been motivated to make this modification because such a technique would make it possible to continuously perform attack detection in case the log data cannot be sent to a remote/outside device. (Atobe, para. 0015)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Kang et al. (US Pub. 2018/0357417) discloses predicting a hacking attack on an ECU based on logged system calls using an attack analysis device.
Aoki et al. (US Pub. 2024/0223602) discloses detecting a stage of an attack using an activity log of the computer system.
Nagara et al. (US Pub. 2022/0019661) discloses logging the status of an ECU and a log analyzer that detects attacks based on the log information.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634. The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/ZHE LIU/Examiner, Art Unit 2493