DETAILED ACTION
The following claims are pending in this office action: 1-18
The following claims are amended: 1-11 and 14-15
The following claims are new: 16-18
The following claims are cancelled: -
Claims 1-18 are rejected. This rejection is FINAL.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Previous Objections and/or Rejections Withdrawn
The 35 U.S.C. 112(f) interpretations and subsequent 35 U.S.C. § 112(b) rejections to claims 1-13 are withdrawn based on the amendments.
RESPONSE TO ARGUMENTS
Applicant’s arguments in the amendment filed 04/16/2026 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment.
Applicant notes: “specifically in this regard, amended independent Claim 1 sets forth Applicant’s unique and innovative arrangement and orientation of components, reciting an attack analysis device including, in part, wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path." This limitation is disclosed by Tasaki (US Pub. 2023/0283617) as explained below and rejected accordingly.
Independent claims 14 and 15 are amended in a similar way to claim 1. The amended limitations are disclosed by Tasaki (US Pub. 2023/0283617) as explained below and rejected accordingly.
Dependent claims 2-13 and new dependent claims 16-18 depend on independent claim 1. The amended elements in the claims are disclosed by Tasaki (US Pub. 2023/0283617) as explained below, and so any additional features to the dependent claims are rejected accordingly.
Additionally, Applicant argues that a prima facie rejection has not been established. Applicant explains:
… no teaching in existence to suggest the combination of any of the cited references. As set forth in MPEP § 2142, "the key to supporting any rejection under 35 U.S.C. § 103 is the clear articulation of the reason(s) why the claimed invention would have been obvious." As the U.S. Supreme Court noted in KSR Intl. Co. v. Teleflex Inc., "the analysis supporting a rejection under 35 U.S.C. § 103 should be made explicit." 82 USPQ2d 1385, 1396 (2007). The Federal Circuit has stated that "rejections on obviousness cannot be sustained by mere conclusory statements; instead, there must be some articulated reasoning with some rational underpinning to support the legal conclusion of obviousness." In re Kahn, 441 F.3d 977 at 988, 78 USPQ2d 1329 at 1336 (Fed. Cir. 2006). In the Office Action, the Examiner's conclusory statements are insufficient to establish a prima facie rejection because no articulated reasoning with rational underpinning was given, and no explanation as to exactly how the combination or modification could have been made was provided. As a result, Applicant respectfully submits that the Examiner has failed to identify any motivation by one of ordinary skill in the art to combine or modify the art to arrive at the claimed disclosure other than the impermissible use of hindsight. (Aarguments, pg. 9)
If an Applicant disagrees with any factual findings by the Office, an effective traverse of a rejection based wholly or partially on such findings must include a reasoned statement explaining why the Applicant believes the Office has erred substantively as to the factual findings. A mere statement or argument that the Office has not established a prima facie case of obviousness will not be considered substantively adequate to rebut the rejection or an effective traverse of the rejection under 37 CFR 1.111(b). See MPEP §2141.
Here, Applicant has not provided with any reasoned statement to explain why the Applicant believes the Office has erred aside from the amendments which are disclosed by Tasaki as explained below. The non-final office action dated 01/16/2026 as well as this one below clearly provides a teaching/suggestion/motivation, cited explicitly in each of the cited prior art secondary references that a person of ordinary skill in the art would use to improve/modify the primary reference. As such Applicant’s argument that the Office has not established a prima facie case of obviousness is not considered substantively adequate to rebut the rejection or an effective traverse of the rejection, and Applicant’s additional arguments are not persuasive.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5, 8-12, and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Galula et al. (US Pub. 2018/0351980) (hereinafter “Galula”) in view of Sharifi Mehr (US Patent No. 10,812,521) (hereinafter “Sharifi Mehr”) and in view of Tasaki (US Pub. 2023/0283617) (hereinafter “Tasaki”).
As per claim 1, Galula teaches an attack analysis device analyzing an attack on an electronic control system mounted on a moving object, the attack analysis device comprising: ([Galula, para. 0007] “identifying the cyber-attack based on ... analyzing or cross-referencing information in the reports [analyzing an attack] with the server”; [para. 0019] “server 210 ... include computing device 100 [attack analysis device]”; [para. 0030] “DCU 221 ... a sensor or component adapted to obtain information from electronic control units (ECUs) in a vehicle [mounted on a moving object]”; [para. 0107] “DCUs 221 ... collect information related to cyber security ... reports 133 [making the analyzing on an attack on the electronic control system mounted on a moving object]”)
a computer including a memory storing a program and a processor that executes the program, the computer configured to: ([Galula, para. 0018-0019] “Computing device 100 may include ... a central processing unit processor (CPU) ... to carry out methods described herein ... by executing executable code 125 stored in memory”)
acquire a security log ([Galula, para. 0107] “DCUs 221 ... collect [acquiring] information related to cyber security ... reports 133 [a security log]”) indicating an abnormality ([para. 0113] “reports 133 ... identify a cyber-attack [abnormality]”) detected in the electronic control system ([para. 0112] “reports 133 ... include ... messages sent over an in-vehicle network [the ECU – see para. 0033]”) and a location within the electronic control system where the abnormality is detected; ([para. 0111] “reports 1333 ... include ... which nodes [a location] in in-vehicle communication network [within the electronic control system where the abnormality is detected]”)
store attack abnormality relationship information indicating a relationship ([Galula, para. 0024] “storage system may include, or may be used for storing, aggregated data 131 [abnormality relationship information] ... data generated by a server ... by correlating [indicating a relationship] data in one or more of ... server logs 132, reports 133, entity codes 134 and server data 135”; [para. 0007] “identifying the cyber-attack based on ... correlating [making the relationship attack abnormality relationship]”) among (i) predicted attack information indicating an attack predicted to be received by the electronic control system, ([para. 0094] “based on data in aggregated data 131 ... an attack [attack received by the electronic control system as explained above] may be ... predicted”) (ii) predicted abnormality information indicating an abnormality predicted to occur when the electronic control system receives the predicted attack, and ([para. 0053] “Correlation may include identifying, vehicles with some of the log data being continuous ... where log data is not continuous may cause server 210 to determine an attack [electronic control system receives the predicted attack] is causing ECU's to malfunction, crash or keep rebooting [an abnormality is predicted to occur]”) (iii) predicted abnormality location information indicating a location within the electronic control system where the predicted abnormality occurs; and ([para. 0094] “aggregated data 131 ... may identify [indicating] the ABS system [a location within the electronic unit] ... was not working [the predicated abnormality occurs] or the engine heat [another location within the electronic control system] was increasing rapidly [where another predicted abnormality occurs]”)
estimate the attack received by the electronic control system based on the security log and the attack abnormality relationship information; and ([Galula, para. 0094] “based on data in aggregated data 131 [based on the attack abnormality information] ... server 210 may identify ... an attack... predicted [estimating the attack received by the electronic control system]”; [para. 0108] “server 210 is adapted to aggregate reports 133 [based on the security log] ... to create aggregated data 131”)
output attack information, which indicates the estimated attack. ([Galula, para. 0126] “when an attack is detected ... server 210 may send a message [output] ... including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on [attack information which indicates the estimated attack]”)
Galula does not clearly teach analyze an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; output accuracy information, which indicates the estimation accuracy of the attack, wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path.
However, Sharifi Mehr teaches analyze an estimation accuracy of the attack received by the electronic control system ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 analyzes the IoT device [electronic control system] data 120 ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) based on context data included in the security log; and ([col. 5, ln. 58 to col 6, ln. 2] “IoT device data 120 ... collected from IoT devices 104 ... device profile data ... device activity data [context data that provides context to the breach as per above]”; [col. 6, ln. 60-66] “the IoT device data ... represented using ... various log data formats [making the data a security log]”)
output estimation accuracy information, which indicates the estimation accuracy of the attack. ([Sharifi Mehr, col. 27, ln. 60 to col. 28, ln. 7] “the IoT security service 110 ... generate a GUI [output unit] including a graph [outputting] ... representation the calculated scores... the breach likelihood score [the estimation accuracy information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include analyze an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; output accuracy information, which indicates the estimation accuracy of the attack. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of reducing alert fatigue due to false positives and guide users in security monitoring, triage and incident response activities. (Sharifi Mehr, col. 4, ln. 3-14)
Galula in view of Sharifi Mehr does not clearly teach wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path.
However, Tasaki teaches wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; ([Tasaki, para. 0044] “An attack analysis device ... includes ... an attack path estimator that ... estimates an attack path in an attack on the in-vehicle network, the attack path including an entry point indicating an external communication interface that is a point of intrusion into the in-vehicle network in the attack [starting point of the attack] and an attack target indicating a control ECU [attack received by the electronic control system] that is a target of the attack [target of the attack]”)
analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and ([Tasaki, para. 0050] “the attack analysis device may further include an attack path confidence level calculator that ... calculates an attack path confidence level indicating a confidence level [estimation accuracy] of the attack path estimated by the attack path estimator being the attack path”; [para. 0203-0204] “Once the attack path confidence level is calculated, attack path confidence level calculator ... corrects the attack path confidence level [analyzing estimation accuracy of the attack path] using the number of attack paths”)
outputting the attack information includes outputting information indicating the estimation accuracy of the attack path. ([Tasaki, para. 0127; Fig. 21] “When attack path estimator 12 has estimated the attack path, display controller 18 outputs ... in table format ... attack path estimation result table”; [para. 0208; Fig. 21] “when the attack path estimation processing is executed by attack path estimator 12 and the attack path confidence level calculation processing is executed, attack path estimation result table manager ... updates the attack path estimation result table by recording a mark for the nodes corresponding to the attack path, for each attack path estimated by attack path estimator 12, and the attack path confidence level calculated by attack path confidence level calculator 16 [information indicating the estimation accuracy of the attack path], in the attack path estimation result table”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr with the teachings of Tasaki to include wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of allowing the attack path to be estimated more accurately and allowing a user to visually recognize the attack path. (Tasaki, para. 0048; and para. 0053)
As per claim 2, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Tasaki does not clearly teach wherein the computer is further configured to: estimate, based on the context data, reference attack factor information that indicates factor information of the attack related to the context data, wherein the computer analyzes the estimation accuracy of the attack received by the electronic control system based on the reference attack factor information.
However, Sharifi Mehr teaches wherein the computer is further configured to: ([Sharifi Mehr, col. 26, ln. 44-58] “the operations ... are performed under the control of one or more computer systems”) estimate, based on the context data, reference attack factor information ([col. 27, ln. 11-23] “identifying, [estimating] based on the device profile data, [based on the context data] one or more security threat facilitators ... each of the one or more security threat facilitators represents a potential security threat vector [reference attack factor information]... based on the device activity data [based on the context data], one or more security threat indicators ... each of the one or more security threat indicators represents evidence of a potential security attack [reference attack factor information]”) that indicates factor information of the attack related to the context data, ([col. 3, ln. 3 to col. 4, ln. 2] “factors [factor information] that are used to calculate [indicate] the ... breach [attack related to the context data] ... the identified facilitators and indicators”)
wherein the computer analyzes the estimation accuracy of the attack received by the electronic control system based on the reference attack factor information. ([Sharifi Mehr, col. 27, ln. 37-41] “calculating, [analyzing by the computer – see col. 26, ln. 57-58: “performed by an IoT security service”] based on the one or more security threat facilitators and the one or more security threat indicators [the reference attack factor information], a breach likelihood score [estimation accuracy of the attack received by the electronic control system] indicating a likelihood that the computing device has been compromised”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above.
As per claim 3, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Tasaki does not clearly teach wherein the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in the attack path.
However, Sharifi Mehr teaches the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”)
the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in the attack path. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators [whether the communication direction information is included in the attack path – see col. 8, ln. 22-23: “the presence of ... indicators”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Tasaki with the teachings of Sharifi Mehr to include wherein the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in the attack path. One of ordinary skill in the art would have been motivated to make this modification because analysis of the channels of attacks allows security organizations to attempt to dismantle them. (Sharifi Mehr, col. 18, ln. 29-32)
As per claim 5, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Tasaki does not clearly teach wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data indicates a software or process of the electronic control system in which an abnormality is occurred, the attack stage is related to a predetermined software or process having a specific function, and when the attack information including the attack stage is acquired, the computer analyzes the estimation accuracy of the attack by determining whether the predetermined software or process is indicated by the context data.
However, Sharifi Mehr teaches wherein teach the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”)
the context data indicates ([Sharifi Mehr, col. 27, ln. 19-21] “identifying, based on the device activity data [the context data indicates], one or more security threat indicators”) a software or process of the electronic control system in which an abnormality is occurred,
the attack stage is related to a predetermined software or process having a specific function, and ([Sharifi Mehr, Table: Infiltration Indicators and Signals] security threat indicators II102 is disclosed which includes “Monitoring and identifying anomalies in ... process launches and file access” [a software or process of the electronic control system in which an abnormality is occurred] and “Process launches and crashes and associated contexts”; the same table explains the abnormality [software/process] is found in [related to] the “infiltration” stage [the attack stage] having the specific function of network service)
when the attack information including the attack stage is acquired, the computer analyzes the estimation accuracy of the attack by determining whether the predetermined software or process is indicated by the context data. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device data 120 [attack information including the attack stage is acquired] ... and uses the identified ... indicators [determining the predetermined software or process is indicated by the context data – see col. 8, ln. 22-23: “the presence of ... indicators”] ... to calculate [analyze]... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Tasaki with the teachings of Sharifi Mehr to include wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data indicates a software or process of the electronic control system in which an abnormality is occurred, the attack stage is related to a predetermined software or process having a specific function, and when the attack information including the attack stage is acquired, the computer analyzes the estimation accuracy of the attack by determining whether the predetermined software or process is indicated by the context data. One of ordinary skill in the art would have been motivated to make this modification because indicators associated with different stages allow for different weights assigned to the different indicators in calculating a breach likelihood thereby allowing identification of false positives such as when the indicator is associated with legitimate purposes. (Sharifi Mehr, col. 8, ln. 63 to col 9, ln. 23)
As per claim 8, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Tasaki does not clearly teach wherein the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and when the communication direction information is included in the attack path, the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a blacklist or a whitelist.
However, Sharifi Mehr teaches the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”) and
when the communication direction information is included in the attack path, ([Sharifi Mehr, Table: Reconnaissance Indicators and Signals] the network address is included in the attack path as it is used part of an IoT attack campaign) computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a blacklist or a whitelist. ([Col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators [based on whether the communication direction information is included in a blacklist as the network address is included in a blacklist – see Table: Reconnaissance Indicators and Signals “network address in threat intelligence blacklists”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Tasaki with the teachings of Sharifi Mehr to include wherein the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and when the communication direction information is included in the attack path, the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a blacklist or a whitelist. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of increasing the confidence level with which the indicators/attack is identified. (Sharifi Mehr, col. 7, ln. 49-67)
As per claim 9, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula does not clearly teach wherein the context data indicates a communication partner when the attack detected in the electronic control system is caused by a communication between the electronic control system and an external device, the attack information includes an attack stage indicating an intrusion stage of the attack, and when the attack stage is identical to a predetermined attack stage, computer analyzes the estimation accuracy of the attack based on whether the communication partner is included in a blacklist.
However, Sharifi Mehr teaches wherein the context data indicates ([Sharifi Mehr, col. 27, ln. 19-21] “ identifying, based on the device activity data [the context data indicates], one or more security threat indicators”) a communication partner when the attack detected in the electronic control system is caused by a communication between the electronic control system and an external device, ([Table: Reconnaissance Indicators and Signals] “an adversary could take advantage of its access to a compromised IoT device [communication partner] to spread itself to other devices [attack detected is caused by a communication] ... identify those devices using port probes ... outbound port probes can cause global signals [a communication between the electronic control system] generated by external security monitoring systems [and an external device]”)
the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”) and when the attack stage is identical to a predetermined attack stage, the computer analyzes the estimation accuracy of the attack ([col. 9, ln. 20-23] “an indicator that is associated with the reconnaissance stage [when the attack stage is identical to a predetermined attack stage] ... when calculating a breach likelihood score [the computer analyzes the estimation accuracy of the attack]”) based on whether the communication partner is included in a blacklist. ([Col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device data 120 ... and uses the identified ... indicators [based on whether the communication direction information is included in a blacklist as the network address is included in a blacklist – see Table: Reconnaissance Indicators and Signals “network address in threat intelligence blacklists”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above.
As per claim 10, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Tasaki does not clearly teach wherein the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and when the communication direction information is included in the attack path, the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a vulnerability information list.
However, Sharifi Mehr teaches wherein the attack information includes an attack path, which includes a start point of the attack and a target of the attack, ([Sharifi Mehr, col. 27, ln. 21-23] “each of the one or more security threat indicators represents evidence of a potential security attack”; [col. 13, ln. 55-59] “an adversary may use ... infiltration paths for breaching an IoT device including ... a direct path, where entry points on the IoT device are used ... ports”; [Table: Reconnaissance Indicators and Signals] security threat indicators RI101 is disclosed which includes an anomalous inbound connection of “Ports accessed”)
the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”)
when the communication direction information is included in the attack path, ([Sharifi Mehr, Table: Reconnaissance Indicators and Signals] the network address is included in the attack path as it is used part of an IoT attack campaign) the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the communication direction information is included in a vulnerability information list. ([Col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device data 120 ... and uses the identified ... indicators [based on whether the communication direction information is included in a blacklist as the network address is included in a blacklist – see Table: Reconnaissance Indicators and Signals “network address in threat intelligence blacklists”] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”; examiner notes a blacklist is a vulnerability information list as a blacklist identifies communication vulnerabilities for the device)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above.
As per claim 11, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Tasaki does not clearly teach wherein the context data indicates a software or process in which the abnormality is occurred, and the computer analyzes, using the context data, the estimation accuracy of the attack by determining whether a vulnerable software or process indicated in a vulnerability information list is executed in the attack path.
However, Sharifi Mehr teaches wherein the context data indicates a software or process in which the abnormality is occurred, ([Sharifi Mehr, Table: Infiltration Indicators and Signals] security threat indicators II102 is disclosed which includes “Monitoring and identifying anomalies in ... process launches and file access” [a software or process of the electronic control system in which an abnormality is occurred] and “Process launches and crashes and associated contexts”) and
the computer analyzes, using the context data, the estimation accuracy of the attack by determining whether a vulnerable software or process ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device data 120 ... and uses the identified ... indicators [determining the vulnerable software/process is executed] ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) indicated in a vulnerability information list is executed in the attack path. ([Table: Infiltration Indicators and Signals] “Exploiting known or 0-day vulnerabilities ... Monitoring and identifying ... process launches ... Signal 1: Process launches [vulnerability process is executed in the Infiltration attack path]”; [col. 26, ln. 34-35] “the IoT security service 110 ... provide ... a list of the ... indicators [indicated in a vulnerable information list]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Tasaki with the teachings of Sharifi Mehr to include wherein the context data indicates a software or process in which the abnormality is occurred, and the computer analyzes, using the context data, the estimation accuracy of the attack by determining whether a vulnerable software or process indicated in a vulnerability information list is executed in the attack path. One of ordinary skill in the art would have been motivated to make this modification because the ability to correlate and combine identified indicators/a vulnerable software process helps to not lose the value of indicators so as to not miss the security attack. (Sharifi Mehr, col. 4, ln. 14-19)
As per claim 12, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula also teaches the attack analysis device being located outside the moving object. ([Galula, Fig. 2] the server 210 [attack analysis device – see for example, para. 0055: “performing historical analysis of hacked vehicles ... sever 210 may identify vehicles in early phases of the attack” is located at a location external to the vehicle/moving object)
As per claim 14, Galula teaches an attack analysis method executed by an attack analysis device, the attack analysis device analyzing an attack on an electronic control system mounted on a moving object, ([Galula, para. 0007] “identifying the cyber-attack based on ... analyzing or cross-referencing information in the reports [analyzing an attack] with the server”; [para. 0019] “server 210 ... include computing device 100 [attack analysis device]”; [para. 0030] “DCU 221 ... a sensor or component adapted to obtain information from electronic control units (ECUs) in a vehicle [mounted on a moving object]”; [para. 0107] “DCUs 221 ... collect information related to cyber security ... reports 133 [making the analyzing on an attack on the electronic control system mounted on a moving object]”) the attack analysis device including an attack abnormality relationship information storage, which stores attack abnormality relationship information indicating a relationship ([para. 0024] “storage system [attack abnormality relationship information storage] may include, or may be used for storing, aggregated data 131 [abnormality relationship information] ... data generated by a server ... by correlating [indicating a relationship] data in one or more of ... server logs 132, reports 133, entity codes 134 and server data 135”; [para. 0007] “identifying the cyber-attack based on ... correlating [making the relationship attack abnormality relationship]”) among (i) predicted attack information indicating an attack predicted to be received by the electronic control system, ([para. 0094] “based on data in aggregated data 131 ... an attack [attack received by the electronic control system as explained above] may be ... predicted”) (ii) predicted abnormality information indicating an abnormality predicted to occur when the electronic control system receives the predicted attack, and ([para. 0053] “Correlation may include identifying, vehicles with some of the log data being continuous ... where log data is not continuous may cause server 210 to determine an attack [electronic control system receives the predicted attack] is causing ECU's to malfunction, crash or keep rebooting [an abnormality is predicted to occur]”) (iii) predicted abnormality location information indicating a location within the electronic control system where the predicted abnormality occurs, the attack analysis method comprising: ([para. 0094] “aggregated data 131 ... may identify [indicating] the ABS system [a location within the electronic unit] ... was not working [the predicated abnormality occurs] or the engine heat [another location within the electronic control system] was increasing rapidly [where another predicted abnormality occurs]”)
acquiring a security log ([Galula, para. 0107] “collect [acquiring] information related to cyber security ... reports 133 [a security log]”) indicating an abnormality ([para. 0113] “reports 133 ... identify a cyber-attack [abnormality]”) detected in the electronic control system ([para. 0112] “reports 133 ... include ... messages sent over an in-vehicle network [the ECU – see para. 0033]”) and a location within the electronic control system where the abnormality is detected; ([para. 0111] “reports 1333 ... include ... which nodes [a location] in in-vehicle communication network [within the electronic control system where the abnormality is detected]”)
estimating the attack received by the electronic control system based on the security log and the attack abnormality relationship information; and ([Galula, para. 0094] “based on data in aggregated data 131 [based on the attack abnormality information] ... server 210 may identify ... an attack... predicted [estimating the attack received by the electronic control system]”; [para. 0108] “server 210 is adapted to aggregate reports 133 [based on the security log] ... to create aggregated data 131”)
outputting attack information, which indicates the estimated attack. ([Galula, para. 0126] “when an attack is detected ... server 210 may send a message ... including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on [attack information which indicates the estimated attack]”)
Galula does not clearly teach analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack, wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path.
However, Sharifi Mehr teaches analyzing an estimation accuracy of the attack received by the electronic control system ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 analyzes the IoT device [electronic control system] data 120 ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) based on context data included in the security log; and ([col. 5, ln. 58 to col 6, ln. 2] “IoT device data 120 ... collected from IoT devices 104 ... device profile data ... device activity data [context data that provides context to the breach as per above]”; [col. 6, ln. 60-66] “the IoT device data ... represented using ... various log data formats [making the data a security log]”)
outputting estimation accuracy information, which indicates the estimation accuracy of the attack. ([Sharifi Mehr, col. 27, ln. 60 to col. 28, ln. 7] “the IoT security service 110 ... generate a GUI including a graph [outputting] ... representation the calculated scores... the breach likelihood score [the estimation accuracy information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of reducing alert fatigue due to false positives and guide users in security monitoring, triage and incident response activities. (Sharifi Mehr, col. 4, ln. 3-14)
Galula in view of Sharifi Mehr does not clearly teach wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path.
However, Tasaki teaches wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; ([Tasaki, para. 0044] “An attack analysis device ... includes ... an attack path estimator that ... estimates an attack path in an attack on the in-vehicle network, the attack path including an entry point indicating an external communication interface that is a point of intrusion into the in-vehicle network in the attack [starting point of the attack] and an attack target indicating a control ECU [attack received by the electronic control system] that is a target of the attack [target of the attack]”)
analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and ([Tasaki, para. 0050] “the attack analysis device may further include an attack path confidence level calculator that ... calculates an attack path confidence level indicating a confidence level [estimation accuracy] of the attack path estimated by the attack path estimator being the attack path”; [para. 0203-0204] “Once the attack path confidence level is calculated, attack path confidence level calculator ... corrects the attack path confidence level [analyzing estimation accuracy of the attack path] using the number of attack paths”)
outputting the attack information includes outputting information indicating the estimation accuracy of the attack path. ([Tasaki, para. 0127; Fig. 21] “When attack path estimator 12 has estimated the attack path, display controller 18 outputs ... in table format ... attack path estimation result table”; [para. 0208; Fig. 21] “when the attack path estimation processing is executed by attack path estimator 12 and the attack path confidence level calculation processing is executed, attack path estimation result table manager ... updates the attack path estimation result table by recording a mark for the nodes corresponding to the attack path, for each attack path estimated by attack path estimator 12, and the attack path confidence level calculated by attack path confidence level calculator 16 [information indicating the estimation accuracy of the attack path], in the attack path estimation result table”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr with the teachings of Tasaki to include wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of allowing the attack path to be estimated more accurately and allowing a user to visually recognize the attack path. (Tasaki, para. 0048; and para. 0053)
As per claim 15, Galula teaches a computer-readable non-transitory storage medium storing an attack analysis program, ([Galula, para. 0017] “embodiments ... refer to operation(s) and/or process(es) of ... non-transitory storage medium that may store instructions to perform operations and/or processes”) the attack analysis program comprising instructions to be executed by a computer of an attack analysis device for analyzing an attack on an electronic control system mounted on a moving object, ([para. 0007] “identifying the cyber-attack based on ... analyzing or cross-referencing information in the reports [analyzing an attack] with the server”; [para. 0019] “server 210 ... include computing device 100 [attack analysis device]”; [para. 0030] “DCU 221 ... a sensor or component adapted to obtain information from electronic control units (ECUs) in a vehicle [mounted on a moving object]”; [para. 0107] “DCUs 221 ... collect information related to cyber security ... reports 133 [making the analyzing on an attack on the electronic control system mounted on a moving object]”) the attack analysis device including an attack abnormality relationship information storage, which stores attack abnormality relationship information indicating a relationship ([para. 0024] “storage system [attack abnormality relationship information storage] may include, or may be used for storing, aggregated data 131 [abnormality relationship information] ... data generated by a server ... by correlating [indicating a relationship] data in one or more of ... server logs 132, reports 133, entity codes 134 and server data 135”; [para. 0007] “identifying the cyber-attack based on ... correlating [making the relationship attack abnormality relationship]”) among (i) predicted attack information indicating an attack predicted to be received by the electronic control system, ([para. 0094] “based on data in aggregated data 131 ... an attack [attack received by the electronic control system as explained above] may be ... predicted”) (ii) predicted abnormality information indicating an abnormality predicted to occur when the electronic control system receives the predicted attack, and ([para. 0053] “Correlation may include identifying, vehicles with some of the log data being continuous ... where log data is not continuous may cause server 210 to determine an attack [electronic control system receives the predicted attack] is causing ECU's to malfunction, crash or keep rebooting [an abnormality is predicted to occur]”) (iii) predicted abnormality location information indicating a location within the electronic control system where the predicted abnormality occurs, ([para. 0094] “aggregated data 131 ... may identify [indicating] the ABS system [a location within the electronic unit] ... was not working [the predicated abnormality occurs] or the engine heat [another location within the electronic control system] was increasing rapidly [where another predicted abnormality occurs]”) the instructions of attack analysis program comprising:
acquiring a security log ([Galula, para. 0107] “collect [acquiring] information related to cyber security ... reports 133 [a security log]”) indicating an abnormality ([para. 0113] “reports 133 ... identify a cyber-attack [abnormality]”) detected in the electronic control system ([para. 0112] “reports 133 ... include ... messages sent over an in-vehicle network [the ECU – see para. 0033]”) and a location within the electronic control system where the abnormality is detected; ([para. 0111] “reports 1333 ... include ... which nodes [a location] in in-vehicle communication network [within the electronic control system where the abnormality is detected]”)
estimating the attack received by the electronic control system based on the security log and the attack abnormality relationship information; and ([Galula, para. 0094] “based on data in aggregated data 131 [based on the attack abnormality information] ... server 210 may identify ... an attack... predicted [estimating the attack received by the electronic control system]”; [para. 0108] “server 210 is adapted to aggregate reports 133 [based on the security log] ... to create aggregated data 131”)
outputting attack information, which indicates the estimated attack. ([Galula, para. 0126] “when an attack is detected ... server 210 may send a message ... including in the message any relevant information, e.g., where the attack took (or takes) place, which vehicles are or were affected and so on [attack information which indicates the estimated attack]”)
Galula does not clearly teach analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack, wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path.
However, Sharifi Mehr teaches analyzing an estimation accuracy of the attack received by the electronic control system ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 analyzes the IoT device [electronic control system] data 120 ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”) based on context data included in the security log; ([col. 5, ln. 58 to col 6, ln. 2] “IoT device data 120 ... collected from IoT devices 104 ... device profile data ... device activity data [context data that provides context to the breach as per above]”; [col. 6, ln. 60-66] “the IoT device data ... represented using ... various log data formats [making the data a security log]”)
and outputting estimation accuracy information, which indicates the estimation accuracy of the attack. ([Sharifi Mehr, col. 27, ln. 60 to col. 28, ln. 7] “the IoT security service 110 ... generate a GUI including a graph [outputting] ... representation the calculated scores... the breach likelihood score [the estimation accuracy information]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula with the teachings of Sharifi Mehr to include analyzing an estimation accuracy of the attack received by the electronic control system based on context data included in the security log; and outputting estimation accuracy information, which indicates the estimation accuracy of the attack. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of reducing alert fatigue due to false positives and guide users in security monitoring, triage and incident response activities. (Sharifi Mehr, col. 4, ln. 3-14)
Galula in view of Sharifi Mehr does not clearly teach wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path.
However, Tasaki teaches wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; ([Tasaki, para. 0044] “An attack analysis device ... includes ... an attack path estimator that ... estimates an attack path in an attack on the in-vehicle network, the attack path including an entry point indicating an external communication interface that is a point of intrusion into the in-vehicle network in the attack [starting point of the attack] and an attack target indicating a control ECU [attack received by the electronic control system] that is a target of the attack [target of the attack]”)
analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and ([Tasaki, para. 0050] “the attack analysis device may further include an attack path confidence level calculator that ... calculates an attack path confidence level indicating a confidence level [estimation accuracy] of the attack path estimated by the attack path estimator being the attack path”; [para. 0203-0204] “Once the attack path confidence level is calculated, attack path confidence level calculator ... corrects the attack path confidence level [analyzing estimation accuracy of the attack path] using the number of attack paths”)
outputting the attack information includes outputting information indicating the estimation accuracy of the attack path. ([Tasaki, para. 0127; Fig. 21] “When attack path estimator 12 has estimated the attack path, display controller 18 outputs ... in table format ... attack path estimation result table”; [para. 0208; Fig. 21] “when the attack path estimation processing is executed by attack path estimator 12 and the attack path confidence level calculation processing is executed, attack path estimation result table manager ... updates the attack path estimation result table by recording a mark for the nodes corresponding to the attack path, for each attack path estimated by attack path estimator 12, and the attack path confidence level calculated by attack path confidence level calculator 16 [information indicating the estimation accuracy of the attack path], in the attack path estimation result table”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr with the teachings of Tasaki to include wherein: estimating the attack includes estimating an attack path of the attack received by the electronic control system, the attack path including a start point of the attack and a target of the attack; analyzing the estimation accuracy of the attack includes analyzing estimation accuracy of the attack path of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of allowing the attack path to be estimated more accurately and allowing a user to visually recognize the attack path. (Tasaki, para. 0048; and para. 0053)
As per claim 16, Galula in view of Sharifi Martin and Tasaki teaches claim 1.
Galula also teaches wherein: the electronic control system is mounted on a vehicle and includes a plurality of networks in each which a plurality of electronic control units is connected. ([Galula, para. 0031] “DCU 221 [electronic control system] may be included or embedded in an ECU in a vehicle [mounted on a vehicle]”; [para. 0033] “Vehicles [includes a plurality of networks] ... include an in-vehicle network that includes one or more electronic control units [a plurality of electronic control units]”; [para. 0086] “specific message sent ... in-vehicle networks in a plurality of vehicles [a plurality of networks] ... an indication of an attack”)
Galula in view of Sharifi Martin does not clearly teach analyzing the estimation accuracy of the attack includes analyzing the estimation accuracy of the attack path in the electronic control system including the start point, a relay point, and the target of the attack; and outputting the attack information includes outputting information indicating the estimation accuracy of the attack path including the start point, the relay point, and the target of the attack, which are in the electronic control system mounted on the vehicle.
However, Tasaki teaches analyzing the estimation accuracy of the attack includes analyzing the estimation accuracy of the attack path in the electronic control system including the start point, ([Tasaki, para. 0202] “attack path confidence level calculator 16 calculates an average of the obtained entry point risk of the entry point [start point] ... as the attack path confidence level”) a relay point, ([para. 0079] “Gateway 29 includes IDS_K 23K and IDS_L 23L, which detect anomalies in gateway 29 [a relay point]”; [para. 0202] “attack path confidence level calculator 16 may calculate the attack path confidence level ... by dividing the number of IDSs 23 [nodes, including relay points] that detected an anomaly in the attack path by the total number of IDSs 23 in the attack path”) and the target of the attack; ([para. 0202] “attack path confidence level calculator 16 calculates an average of the ... attack target risk of the attack target [target of the attack] as the attack path confidence level”) and
outputting the attack information includes outputting information indicating the estimation accuracy of the attack path including the start point, the relay point, and the target of the attack, which are in the electronic control system mounted on the vehicle. ([Tasaki, para. 0127; Fig. 21] “When attack path estimator 12 has estimated the attack path, display controller 18 outputs ... in table format ... attack path estimation result table”; [para. 0208; Fig. 21] “when the attack path estimation processing is executed by attack path estimator 12 and the attack path confidence level calculation processing is executed, attack path estimation result table manager ... updates the attack path estimation result table by recording a mark for the nodes [including the start point/entry node, the relay point/intermediate node and the target of the attack/target node which are in the electronic control system mounted on the vehicle: see Figs 2-3] corresponding to the attack path, for each attack path estimated by attack path estimator 12, and the attack path confidence level calculated by attack path confidence level calculator 16 [information indicating the estimation accuracy of the attack path], in the attack path estimation result table”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above (increasing accuracy and allowing a user to visualize the results).
As per claim 17, Galula in view of Sharifi Martin and Tasaki teaches claim 1.
Galula in view of Sharifi Martin does not clearly teach wherein: in addition to estimating the attack path of the attack, estimating the attack further includes estimating an attack stage indicating an intrusion stage of the attack; in addition to analyzing the estimation accuracy of the attack path of the attack, analyzing the estimation accuracy of the attack further includes analyzing estimation accuracy of the attack stage of the attack; and in addition to outputting the information indicating the estimation accuracy of the attack path, outputting the attack information further includes outputting information indicating the estimation accuracy of the attack stage.
However, Tasaki teaches wherein: in addition to estimating the attack path of the attack, estimating the attack further includes estimating an attack stage indicating an intrusion stage of the attack; ([Tasaki, para. 0108] “entry point estimator 14 estimates an entry point indicating external communication [attack stage] IF 21 that is the point of intrusion [an attack stage indicating an intrusion stage of the attack] into in-vehicle network 20 in the attack on in-vehicle network 20”; [para. 0112] this is part of “estimating the attack” as “attack path estimator 12 estimates the attack path based on the entry point estimated by entry point estimator 14”)
in addition to analyzing the estimation accuracy of the attack path of the attack, analyzing the estimation accuracy of the attack further includes analyzing estimation accuracy of the attack stage of the attack; and ([Tasaki, para. 0108] “for each of the plurality of external communication IFs 21, entry point estimator 14 calculates an entry point risk, which indicates a confidence level [analyzing estimation accuracy] of that external communication IF 21 being an entry point [of the attack stage of the attack]”; [para. 0114] this is part of “analyzing the estimation accuracy of the attack” as “Based on the entry point risk of the entry point calculated by entry point estimator 14 ... attack path confidence level calculator 16 calculates an attack path confidence level”)
in addition to outputting the information indicating the estimation accuracy of the attack path, outputting the attack information further includes outputting information indicating the estimation accuracy of the attack stage. ([Tasaki, Fig. 21] The table output indicates that the External communication IF_C is the estimated entry node/external entry stage of the attack with a “risk” or accuracy of 5)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above (increasing accuracy and allowing a user to visualize the results).
As per claim 18, Galula in view of Sharifi Mehr and Tasaki teaches claim 17.
Galula in view of Sharifi Mehr does not clearly teach the attack stage is at least one of: inspection; initial intrusion; base construction; internal intrusion; and purpose accomplishment; and analyzing estimation accuracy of the attack stage of the attack includes analyzing estimation accuracy of the inspection, the initial intrusion, the base construction, the internal intrusion, or the purpose accomplishment.
However, Tasaki teaches the attack stage is at least one of: inspection; initial intrusion; base construction; internal intrusion; (Examiner interprets “at least one of” to mean that one of the elements in the list is required to be disclosed for the limitation to be met, however all the limitations are disclosed; [Tasaki, para. 0091] “As illustrated in Fig. 5, the external communication event list is a table which, for each of external communication events indicating communication events between in-vehicle network 20 and the exterior, associates a classification [stage] of the external communication event, a risk and a sub-risk indicating a degree of risk of a cyber attack stemming from that external communication event [making the event an attack stage]”; [Fig. 5] The figure lists “Establishment of external communication” an inspection and initial intrusion stage, and “Internal software upgrade” a base construction stage and internal intrusion stage) and purpose accomplishment; and ([para. 0097] “As illustrated in FIG. 7, the vehicle control event list is a table which, for each vehicle control event indicating a vehicle control event performed by vehicle 30, associates the classification [stage] of that vehicle control event ... indicating ... if that vehicle control event is the result of a cyber attack [purpose accomplishment]”; [Fig. 5] The figure lists “Vehicle function” as a classification which an attacker locks/unlocks the door of the vehicle)
analyzing estimation accuracy of the attack stage of the attack includes analyzing estimation accuracy of the inspection, the initial intrusion, the base construction, the internal intrusion, or the purpose accomplishment. (Examiner interprets “includes” “or” to mean that one of the elements in the list must be disclosed in order for the limitation to be disclosed; [Tasaki, para. 0048] “risk indicating a confidence level [accuracy] of ... an attack target risk”; [Fig. 21] The figure shows the classification/attack stage “Entry node” is analyzed to have a risk/accuracy of 4/5 depending on the specific node and the attack stage “Target node” is analyzed to have a risk/accuracy of 4/5 depending on the specific node)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above (increasing accuracy and allowing a user to visualize the results).
Claims 4 and 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Galula in view of Sharifi Mehr and Tasaki as applied to claim 2 above, and further in view of Martin et al. (US Pub 2018/0004942) (hereinafter “Martin”).
As per claim 4, Galula in view of Sharifi Mehr and Tasaki teaches claim 2.
Galula does not clearly teach wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information, and computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage.
However, Sharifi Mehr teaches wherein the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”)
the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and ([Sharifi Mehr, col. 9, ln. 63 to col. 10, ln. 1] “a reconnaissance stage 302 ... actions taken by attackers to identify target IoT devices”; [Table: Reconnaissance Indicators and Signals] “The following signals [the context data/security threat indicators] ... used to identify [enables estimation of] unexpected or anomalous inbound connections [a transmission source/destination] ... Signal 10 ... Relations to network address [communication direction information that enables identification/estimation of the inbound connections/transmission]”)
the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”; col. 9, ln. 20-23] “an indicator that is associated with the reconnaissance stage [when the attack stage included in the attack information is identical to a reference attack stage] ... when calculating a breach likelihood score [computer analyzes the estimation accuracy of the attack]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Tasaki with the teachings of Sharifi Mehr to include wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data includes communication direction information that enables estimation of a transmission source or a transmission destination, and the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of increasing the confidence level with which the indicators/attack is identified. (Sharifi Mehr, col. 7, ln. 49-67)
Galula in view of Sharifi Mehr and Tasaki does not clearly teach the computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information.
However, Martin teaches computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information. ([Martin, para. 0058] The system [the computer] ... estimate a stage of this cyber attack on the network—such as initial infiltration, command and control, reconnaissance, or lateral movement stages— [a reference attack stage indicating an intrusion stage of attack] based on which threat elements of the cyber attack pattern defined in the new threat intelligence have been matched [related to] ... to network events [communication direction information – see para. 0052: “address ... datums contained in the network event”] in the network accounting log [based on the context data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr and Tasaki with the teachings of Martin to include the computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication direction information, as the reference attack factor information. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of improving incident response and computer forensics by further investigating the information associated with the stage of the cyber attack. (Martin, para. 0019; para. 0063)
As per claim 6, Galula in view of Sharifi Mehr and Tasaki teaches claim 2.
Galula does not clearly teach wherein the attack information includes an attack stage indicating an intrusion stage of the attack, the context data includes communication amount or an error type, the computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack related to the communication amount or the error type, as the reference attack factor information, and the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage.
However, Sharifi Mehr teaches wherein the attack information includes an attack stage indicating an intrusion stage of the attack, ([Sharifi Mehr, col. 9, ln. 53-56] “IoT kill chain used to model security attacks ... kill chain 302 includes several stages”)
the context data includes communication amount or an error type, and ([Sharifi Mehr, col. 12, ln. 6-9] “The following table lists ... example signals used to identify [context data] ... indicators”; [Table: Reconnaissance Indicators and Signals] “Volume of network inbound/outbound traffic”)
a reference attack stage indicating an intrusion stage of attack related to the communication amount or the error type; ([Sharifi Mehr, col. 12, ln. 6-9] “The ... table lists ... indicators [communication amount or the error type] related to the reconnaissance stage [a reference attack stage indicating an intrusion stage of attack]”)
the computer analyzes the estimation accuracy of the attack received by the electronic control system based on whether the attack stage included in the attack information is identical to the reference attack stage. ([Sharifi Mehr, col. 7, ln. 8-14] “the IoT security service 110 [computer] analyzes the IoT device [electronic control system] data 120 ... and uses the identified ... indicators ... to calculate ... a breach [attack] likelihood score [estimation accuracy]”; col. 9, ln. 20-23] “an indicator that is associated with the reconnaissance stage [when the attack stage included in the attack information is identical to a reference attack stage] ... when calculating a breach likelihood score [the computer analyzes the estimation accuracy of the attack]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr and Tasaki for the same reasons as disclosed above.
Galula in view of Sharifi Mehr and Tasaki does not clearly teach the computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack, as the reference attack factor information.
However, Martin teaches the computer estimates, based on the context data, a reference attack stage indicating an intrusion stage of attack, as the reference attack factor information. ([Martin, para. 0058] The system [the computer] ... estimate a stage of this cyber attack on the network—such as initial infiltration, command and control, reconnaissance, or lateral movement stages— [a reference attack stage indicating an intrusion stage of attack] based on which threat elements of the cyber attack pattern defined in the new threat intelligence have been matched [related to] ... to network events in the network accounting log [based on the context data]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Galula, Sharifi Mehr, Tasaki and Martin for the same reasons as disclosed above.
As per claim 7, Galula in view of Sharifi Mehr and Tasaki teaches claim 2.
Galula in view of Sharifi Mehr and Tasaki does not clearly teach wherein the context data includes time information related to a time when the security log is generated or transmitted, the computer estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and computer analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order.
However, Martin teaches the context data includes time information related to a time when the security log is generated or transmitted, ([Martin, para. 0055] “the system records network traffic [the log is generated or transmitted] ... an event timestamp [time information related to a time when the log is generated or transmitted] as network traffic data in the network accounting log [the security log]”; [para. 0054] “timestamps of these network events ... a degree to which network events ... match a cyber attack [making the time context data]”)
the computer estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and ([Martin, para. 0023] “pattern matching techniques in Block ... S140 [computer] to identify [estimate] various elements [reference attack factor information] in the network accounting log [indicated by the security log] that match IOC values [abnormalities that are occurred] ... event sequence or timeline [a reference abnormality occurrence order]”; [para. 0054] the timeline is determined based on the time in the log/context data and so is based on the context data)
the computer analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order. ([Martin, para. 0054] “The system [computer] ... to calculate [comparing] a degree of temporal alignment between singular network events in the network accounting log [a reference abnormality order] and threat elements defined in the new threat intelligence [an abnormality occurrence order estimated from the attack path]... then merge [analyzes] this ... into a confidence score [estimation accuracy of the attack] that represents a degree to which network events stored in the network accounting log match a cyber attack”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr and Tasaki with the teachings of Martin to include wherein the context data includes time information related to a time when the security log is generated or transmitted, the computer estimates, based on the context data, a reference abnormality occurrence order in which abnormalities indicated by the security log are occurred, as the reference attack factor information, and computer analyzes the estimation accuracy of the attack by comparing an abnormality occurrence order estimated from the attack path with the reference abnormality occurrence order. One of ordinary skill in the art would have been motivated to make this modification because such a technique would provide the benefit of requiring limited processing time and power by the system while also maintaining a high degree of accuracy in detection to detect threats in substantially real-time. (Martin, para. 0015)
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Galula in view of Sharifi Mehr and Tasaki as applied to claims 1 above, and further in view of Atobe (US Pub. 2021/0352091) (hereinafter “Atobe”).
As per claim 13, Galula in view of Sharifi Mehr and Tasaki teaches claim 1.
Galula in view of Sharifi Mehr and Tasaki does not clearly teach the attack analysis device being mounted on the moving object.
However, Atobe teaches the attack analysis device being mounted on the moving object. ([Atobe, para. 0119] “The attack judgement unit 120 [attack analysis device] receives the log data set, performs attack judgement based on the log data set, and gives notice of a judgement result”; [Fig. 1] the attack judgement unit 120 is within the vehicle and so is mounted on the vehicle)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Galula in view of Sharifi Mehr and Tasaki with the teachings of Atobe to include the attack analysis device being mounted on the moving object. One of ordinary skill in the art would have been motivated to make this modification because such a technique would make it possible to continuously perform attack detection in case the log data cannot be sent to a remote/outside device. (Atobe, para. 0015)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Takeuchi et al. (US Pub. 2024/0223581) discloses detecting an attack path including a first ECU and a second ECU, and the first ECU being the entry point as a start point of the attack, the second ECU being the ECU that can be the attack target as an end point of the attack.
Yanagidani et al. (US Pub. 2025/0301006) discloses an attack path that includes an ADAS to an ECU and a gateway where trend values which are attack predictors are used to determine the more likely target of an attack.
Cheng et al. (US Patent No. 12,542,797) discloses performing an vehicle end-to-end attack path analysis to identify one or more ECUs that are along the attack path where the attack path includes ECUs and Gateways and a threat score may be generated based at least on the ECUs in the attack path.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634. The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/ZHE LIU/Examiner, Art Unit 2493