DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
The preliminary amendment filed 5/29/2025 has been entered. Claims 16-19 have been added. Claims 1-19 are pending and are examined herein.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a log acquisition unit”, “a vehicle state information acquisition unit”, “a storage unit”, “a false positive log determination unit”, “an output unit” coupled with functional language “acquiring one or more security event logs..”, “acquiring vehicle state information…”, “storing a false positive confirmation rule…”, “determining…”, “controlling …output…” in claim 1, 7, 10 and 12.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph limitation: Fig. 6 illustrates log acquisition unit 101, vehicle state information acquisition unit 102, storage unit 103, false positive log determination unit 105, an output unit 107 [¶ 0052].
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 6, 8-12 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over US 2024/0045970 (Morita et al.) in view of US 2019/0286948 (Sathyanarayana et al.), and further in view of US 2024/0146746 (Bhatia et al.).
Regarding Claim 1, Morita teaches a log analysis device comprising: a log acquisition unit (Fig. 1, the analysis device 1 includes a log collecting unit 12) acquiring one or more security event logs indicating abnormalities detected by a security sensor of an electronic control device mounted on a vehicle ([¶¶ 0036-0037], The analysis device 1 collects information (for example, information from which an anomalous state can be determined) from each of the in-vehicle devices 3 …the analysis device 1 may collect not only logs from the in-vehicle devices 3 but also logs detected by itself and store them. …analyzes presence or absence of information indicating anomaly [i.e., abnormalities] in the information collected from the in-vehicle devices [¶ 0046], the log collecting unit 12 collects monitoring result of each of the in-vehicle devices 3 …The monitoring results are collected as, for example, log information);
an output unit controlling the confirmed false positive log not to be output while outputting the estimated false positive log ([¶¶ 0066-0067], the attack detection determination unit 17 can determine whether to output the anomaly notification, based on a result of the determination whether an anomaly has occurred in each of the in-vehicle devices …making the determination to output the anomaly notification made by the attack detection determination unit 17 corresponds to the determination that either of the vehicle 50 and the in-vehicle device 3 is under attack. Further, making the determination not to output the anomaly notification by the attack detection determination unit 17 corresponds to making a determination that either of the vehicle 50 and the in-vehicle device 3 is …likely to be attacked [i.e., false positive]) together with flag information indicating that the security event log being determined as the estimated false positive log ([¶ 0070] the anomaly notification may include information based on the vehicle log information, the vehicle situation information, and the situation determination result. Further, the anomaly notification may include information [implicitly, flag information] indicating that an attack has been detected).
While Morita teaches a vehicle state information acquisition unit acquiring vehicle state information indicating …state of the vehicle ( [¶ 0043] The situation determination result 105 indicating the state of the vehicle based on the vehicle situation information), however, Morita does not explicitly teach, but Sathyanarayana teaches vehicle state information indicating an internal state or an external state of the vehicle ([Abstract], extracting interior activity data …determining an interior event based on the interior activity data; …extracting exterior activity data …determining an exterior event based on the exterior activity data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Sathyanarayana's dual-stream state-information extraction into Morita, because such incorporation would predictably improve Morita’s ability to distinguish true incidents by supplying additional contextual vehicle state information (internal and external), thereby enhancing anomaly detection accuracy.
Morita in view of Sathyanarayana do not explicitly teach, however, Bhatia teaches a storage unit storing a false positive confirmation rule and a false positive estimation rule, wherein the false positive confirmation rule is used to determine whether the abnormalities indicated by the one or more security event logs are false positive abnormalities that are not caused by a cyberattack, and the false positive estimation rule is used to determine whether the abnormalities indicated by the one or more security event logs have possibilities of false positive abnormalities ([Fig. 2, ¶¶ 0036-0038] Endpoint Detection and Response (EDR) system is software designed to automatically protect …endpoint devices and IT assets against cyberthreats. EDR system comprises …a rule library 206 …based on predefined rules in the rules library 206 set by the security team or learned over time by machine learning algorithms, the EDR solution can automatically alert security analysts to specific threats or suspicious activities. [¶ 0044], the prediction classifies the alert either as a ‘true’ positive or a ‘false’ positive, together with a confidence level representing a degree of confidence …conversely, if the machine confidence is sufficiently high for a ‘false’ positive, the system automatically closes the alert. …When the machine confidence is not sufficiently high [i.e., implicitly, possibilities of false positive abnormalities], the system returns an alert prediction, e.g. to an analyst dashboard for the EDR alert); a false positive log determination unit determining, based on the one or more security event logs or the vehicle state information, whether each of the one or more security event logs is a confirmed false positive log, which is confirmed as a false positive log, using the false positive confirmation rule, the false positive log determination unit further determining, based on the one or more security event logs or the vehicle state information, whether each of the one or more security event logs is an estimated false positive log, which has a possibility of false positive log, using the false positive estimation rule ([¶ 0003]., implements a machine-based prediction service …In response to receipt of an alert [implicitly security log] from the EDR system, the body of the alert is analyzed to automatically detect one or more “observables” in the alert that are indicative of potentially suspicious activity. …then evaluated against a threat intelligence service, which service returns the set of observables …useful to evaluate a degree of risk that each such observable presents) [Fig. 2, ¶¶ 0036-0038] …based on predefined rules in the rules library 206 set by the security team or learned over time by machine learning algorithms, the EDR solution can automatically alert security analysts to specific threats or suspicious activities. [¶ 0044], the prediction classifies the alert either as a ‘true’ positive or a ‘false’ positive, together with a confidence level representing a degree of confidence …conversely, if the machine confidence is sufficiently high for a ‘false’ positive, the system automatically closes the alert. …When the machine confidence is not sufficiently high [i.e., implicitly, possibilities of false positive or true positive abnormalities], the system returns an alert prediction, e.g. to an analyst dashboard for the EDR alert); and an output unit controlling the confirmed false positive log not to be output while outputting the estimated false positive log ([¶ 0044], if the machine confidence is sufficiently high for a ‘false’ positive, the system automatically closes the alert. …When the machine confidence is not sufficiently high, the system returns an alert prediction [implicitly, outputting the estimated false positive], e.g. to an analyst dashboard for the EDR alert).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bhatia's confidence-based false-positive disposition mechanism into Morita’s anomaly-notification framework, because both references address the same problem of excessive false positive handling technique in which high-confidence false positives are automatically suppressed and lower-confidence prediction output with contextual information for further review. Such incorporation would predictably improve Morita’s ability to distinguish between confirmed and estimated false positive, thereby reducing unnecessary notifications and enhanced system reliability.
Regarding Claim 2, Morita in view of Sathyanarayana do not explicitly teach, however, Bhatia teaches the log analysis device according to claim 1, wherein the false positive confirmation rule refers to a rule in which a flow from a cause of abnormality to a result of abnormality is definitively determined, and the false positive estimation rule refers to a rule in which an estimation is involved in the flow from the cause of abnormality to the result of abnormality ([¶ 0044], if the machine confidence is sufficiently high for a ‘false’ positive, the system automatically closes the alert. …When the machine confidence is not sufficiently high [i.e., implicitly, possibilities of false positive abnormalities], the system returns an alert prediction, e.g. to an analyst dashboard for the EDR alert. Note: under the broadest reasonable interpretation, Bhatia’s two confidence-based decision paths are reasonably interpreted as corresponding to the claimed confirmation and estimation rules because both are rules that determine how a potential false positive is handled based on certainty of the determination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the vehicle log analysis system of Morita with the confidence-based decision rule of Bhatia in order to reduce analyst workload and alert fatigue by automatically suppressing anomaly logs determining sufficiently high confidence to be false positive, while retaining only the anomaly logs having insufficient confidence for further review together with confidence information. Such a modification would have improved the efficiency and accuracy of Morita’s anomaly notification process by reducing unnecessary notifications without discarding potentially relevant security events.
Regarding Claim 6, Morita in view of Sathyanarayana do not explicitly teach, however Bhatia teaches the log analysis device according to claim 1, wherein the false positive confirmation rule and the false positive estimation rule are updated periodically or irregularly ([¶ 0053], the system has available for prediction one or more models that were previously trained on historical data as has been described. Models are updated periodically or continuously, e.g., as the system generates predictions. a Predict operation is carried out for the current dataset using the models to generate the prediction for the current alert being processed. As noted, the prediction (whether the alert is a ‘true’ or ‘false’ positive) also includes a machine confidence in that prediction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bhatia’s teachings of updating the model periodically as new prediction are generated into Morita’s anomaly-determination framework, because such incorporation would predictably enhance Morita’s ability to correctly determine false positives and anomalies, represents a routine optimization in the field of cybersecurity event processing.
Regarding Claim 8, Morita in view of Sathyanarayana do not explicitly teach, however Bhatia teaches the log analysis device according to claim 1, wherein the flag information includes information indicating a level of possibility that the security event log is the estimated false positive log ( [¶ 0044], if the machine confidence is sufficiently high for a ‘false’ positive, the system automatically closes the alert. …When the machine confidence is not sufficiently high, the system returns an alert prediction [implicitly, outputting the estimated false positive], e.g. to an analyst dashboard for the EDR alert. …the prediction classifies the alert either as a ‘true’ positive or a ‘false’ positive, together with a confidence level [i.e., implicitly, a level of possibility] representing a degree of confidence of the machine-generated prediction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bhatia’s teachings of outputting alert with an associated confidence level into Morita’s anomaly-notification framework, because such incorporation would allow Morita to more accurately separate high-likelihood false positive from lower-likelihood events requiring further reliability.
Regarding Claim 9, Morita teaches the log analysis device according to claim 1, wherein the log analysis device is arranged outside the vehicle ([Fig. 1, ¶ 0029] The analysis device 1 …analyzes information related to the vehicle 50. …the analysis device 1 may not be mounted on the vehicle 50).
Regarding Claim 10, Morita in view of Bhatia do not explicitly teach, however, Sathyanarayana teaches The log analysis device according to claim 9, wherein the vehicle state information acquisition unit acquires, as the vehicle state information, external state information indicating an external state related to the vehicle ([Abstract], determining event data including: …sampling a second data stream within a second time window at a second sensor of the onboard vehicle system; extracting exterior activity data from the second image stream; determining an exterior event based on the exterior activity data. [¶ 0035], gather raw sensor data from …the vicinity of the vehicle (e.g., vehicle exterior, etc.). Vehicle sensor data that is collectively composed of one or more data streams preferably includes two-way video data (e.g., inward facing video camera data and outward facing video camera data), and can also include inertial data, gyroscope data, location data, routing data, kinematic data, and other suitable vehicle telemetry data (e.g., collected from an OBD II port via a suitable data connection).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Sathyanarayana's external state-information extraction into Morita, because such incorporation would predictably improve Morita’s ability to distinguish true incidents by supplying additional contextual vehicle external state information, thereby enhancing anomaly detection accuracy.
Regarding Claim 11, Morita teaches the log analysis device according to claim 1, wherein the log analysis device is mounted on the vehicle ([Fig.1, 0029], The analysis device 1 is a device that is mounted on a vehicle 50 and analyzes information related to the vehicle 50).
Regarding Claim 12, Morita in view of Bhatia do not explicitly teach, however, Sathyanarayana teaches the log analysis device according to claim 11, wherein the vehicle state information acquisition unit acquires, as the vehicle state information, internal state information indicating an internal state related to the vehicle ([Abstract], determining event data including: sampling a first data stream within a first time window at a first sensor of an onboard vehicle system coupled to a vehicle, extracting interior activity data from the first data stream; determining an interior event based on the interior activity data. [¶ 0035], gather raw sensor data from the vehicle (e.g., vehicle interior). Vehicle sensor data that is collectively composed of one or more data streams preferably includes two-way video data (e.g., inward facing video camera data and outward facing video camera data), and can also include inertial data, gyroscope data, location data, routing data, kinematic data, and other suitable vehicle telemetry data (e.g., collected from an OBD II port via a suitable data connection).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Sathyanarayana's internal state-information extraction into Morita, because such incorporation would predictably improve Morita’s ability to distinguish true incidents by supplying additional contextual vehicle internal state information, thereby enhancing anomaly detection accuracy.
Regarding Claims 14, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under the same rationale as claim1.
Regarding Claims 15, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under the same rationale as claim1. Examiner further notes, Morita also teaches a non-transitory tangible storage medium storing a log analysis program to be executed by at least one processor (Morita, ¶ 0032]
Regarding Claims 16 and 17, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under the same rationale as claim1. Examiner further notes, Morita also teaches a log analysis device comprising: a processor and a memory storing a program that causes the processor to perform (Morita, Fig. 1, ¶ 0032]
Regarding Claims 18, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under the same rationale as claim1. Examiner further notes, Morita also teaches a non-transitory tangible storage medium storing a program, when executed by a computer, to cause the computer to perform (Morita, ¶ 0032]
Regarding Claims 19, the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under the same rationale as claim1. Examiner further notes, Morita also teaches a system comprising: a vehicle; and a log analysis device placed outside the vehicle, wherein the vehicle includes a plurality of electronic control devices connected via a network in the vehicle, each electronic control device includes one or more security sensors each configured to detect an abnormality (Morita, Fig. 1, Vehicle 50, Analysis Device 1. Communication bus 2. Morita also teaches the analysis device 1 …analyzes information related to the vehicle 50. …the analysis device 1 may not be mounted on the vehicle 50 [¶ 0029]).
Claims 3 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over combination of Morita-Sathyanarayana-Bhatia, and further in view of US 2021/0400058 (Filonov et al.).
Regarding Claim 3, Morita teaches a security operation center (SOC) analyzes logs and makes determinations about whether events are real attacks or false detections. [¶ 0002], In the SOC, logs related to security events are collected from a vehicle, and an operator or an analyst of the SOC analyzes a situation of the vehicle …and executes a countermeasure policy. [¶ 0015], The analysis device …can appropriately output an anomaly notification by reducing false detection of an attack event. However, Morita does not explicitly teach, but Filonov teaches wherein the false positive confirmation rule is a rule that has a determination history …as the false positive log, and the false positive estimation rule is a rule that has no determination history …as the false positive log ([¶ 0007] Each of the events includes an event related to a possible violation of information security. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events [i.e., remaining security event] from the false positive to the information security incident [i.e., estimated false positive]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Filonov's changing subset of the false-positive verdicts to security incident verdicts into combined Morita-Sathyanarayana-Bhatia framework, because such incorporation would predictably enhances the combined systems by ensuring that potential dangerous events initially classified as false positive are reconsidered and escalated when warranted, thereby reducing likelihood of missing true incident.
Regarding Claim 7, Morita in view of Bhatia and Sathyanarayana do not explicitly teach, however, Filonov teaches the log analysis device according to claim 1, wherein the false positive log determination unit first determines whether each of the one or more security event logs is the confirmed false positive log, and then determines whether each of remaining security event logs excluding the security event log determined as the confirmed false positive log is the estimated false positive log ([¶ 0007] Each of the events includes an event related to a possible violation of information security. A verdict is determined for each of the events. The verdict includes: i) information security incident or ii) false positive. The verdict is false positive if the probability of a false positive for the corresponding event is greater than a first threshold. Verdicts are changed for a subset of the events [i.e., remaining security event] from the false positive to the information security incident [i.e., estimated false positive]. [¶ 0095], upon identifying the signature of computer attacks it might not be possible to confirm unambiguously a directed attack. In such case, …may determine whether the indicator of suspicious activity is an incident [i.e., estimated false positive] or a false positive).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Filonov's changing subset of the false-positive verdicts to security incident verdicts into combined Morita-Sathyanarayana-Bhatia framework, because such incorporation would predictably enhances the combined systems by ensuring that potential dangerous events initially classified as false positive are reconsidered and escalated when warranted, thereby reducing likelihood of missing true incident.
Claims 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over combination of Morita-Sathyanarayana-Bhatia, and further in view of US 7788536 (Qureshi et al.).
Regarding Claim 4, Morita in view of Bhatia and Sathyanarayana do not explicitly teach, however, Qureshi teaches the log analysis device according to claim 1, wherein, in each of the false positive confirmation rule and the false positive estimation rule, one or more rule items are set for one cause of abnormality occurrence (([C.37:L.15-22] A logic rule or simply "rule" is a logical formula composed of predicates, logical operators (such as AND, OR, THEN, etc.), mathematical operators (such as less than, difference, sum, etc.), free variables, and constants. The formula describes how to recognize problems. A "predicate" is a rule component that represents the existence of a single concept. [C.37:L.58 – C.38:L.4] A predicate's "contribution" is the importance of the predicate in a rule, relative to all of the other predicates in that rule. A predicate's "need" can have two states: "required" and "optional". A "required predicate" of a rule is a predicate that must be true in order for the rule to make sense and be true. If the predicate is true then the "true" evaluation of the rule will have higher confidence. A predicate's "significance" is used to calculate whether a non-unit confidence rule triggering is a false positive. [C.41, Table 3], if a rule triggers with non-unit confidence and all its predicates have lower than a threshold significance then the rule is deemed a false positive. [C.46:L.64 – C.47:L.6] Problem Logic cannot detect a problem unless there is a rule for it, and that rule can be analyzed to reveal what metrics and queries can be run to feed all relevant atomic formulae into Problem Logic. This means that the Problem Logic will not be able to take a random series of features and correlate them, unless there is a rule that defines the correlation relationship among them. The RCA module can correlate rule matches (i.e., "problems") and random features to application model components that may require attention.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Qureshi's predicates-level significance analysis into combined Morita-Sathyanarayana-Bhatia framework, because such incorporation would predictably improve the system’s ability to classify logs as confirmed or estimated false positives by providing a structured method for determining whether rule trigger is meaningful or spurious.
Regarding Claim 5, Morita in view of Bhatia and Sathyanarayana do not explicitly teach, however, Qureshi teaches the log analysis device according to claim 4, wherein, in the false positive estimation rule, when (i) more than one rule items are set for one cause of abnormality occurrence and (ii) at least a predetermined number of the rule items out of all of the rule items are simultaneously satisfied, the false positive estimation rule is determined to be satisfied ([C.37:L.15-22] A logic rule or simply "rule" is a logical formula composed of predicates, logical operators (such as AND, OR, THEN, etc.), mathematical operators (such as less than, difference, sum, etc.), free variables, and constants. The formula describes how to recognize problems. A "predicate" is a rule component that represents the existence of a single concept. [C.37:L.61- C.38:L.4] A "required predicate" of a rule is a predicate that must be true in order for the rule to make sense and be true. Typically, most predicates are required. An "optional predicate" of a rule is a predicate that need not be true for the rule to be true. If the predicate is true then the "true" evaluation of the rule will have higher confidence. A predicate's "significance" is used to calculate whether a non-unit confidence rule triggering is a false positive. [C.73:L.1-3] encoder preferably identifies the logic of the rule and encodes the rule using all the predicates and the logical connectives).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Qureshi's predicates-level significance analysis into combined Morita-Sathyanarayana-Bhatia framework, because such incorporation would predictably improve the system’s ability to classify logs as confirmed or estimated false positives by providing a structured method for determining whether rule trigger is meaningful or spurious.
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over combination of Morita-Sathyanarayana-Bhatia, and further in view of US 2021/0226973 (Hirano et al.).
Regarding Claim 13, Morita in view of Bhatia and Sathyanarayana do not explicitly teach, however, Hirano teaches The log analysis device according to claim 1, wherein a part of the log analysis device is arranged, as a first log analysis device, in the vehicle and remaining part of the log analysis device is arranged, as a second log analysis device, outside the vehicle ([¶ 0073] In FIG. 1, vehicle log analysis system 100 is constituted by vehicle log analysis server 20 and vehicle 200, and vehicle log analysis server 20 and vehicle 200 are connected over external network 50. [¶ 0084] Vehicle log analysis server 20 is a server, located outside vehicle 200, which receives the vehicle log from vehicle, analyzes the received vehicle log, and detects a security threat, i.e., detects an anomaly in vehicle 200. [¶¶ 0086-0087] As illustrated in FIG. 2, vehicle log transmission device 10 includes vehicle log obtainer 110. … Vehicle log obtainer 110 obtains the vehicle log, which includes a plurality of pieces of data pertaining to operations of vehicle 200).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Hirano's teachings of vehicle-analysis system that includes both an in-vehicle component and an external vehicle-log analysis server into combined Morita-Sathyanarayana-Bhatia framework, because such incorporation would predictably improve the combined system’s ability to perform more accurate analysis that cannot be efficiently performed only on limited in-vehicle hardware.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD YOUSUF A MIAN whose telephone number is (571)272-9206. The examiner can normally be reached Monday-Friday 9am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARIO ETIENNE can be reached at 571-272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD YOUSUF A. MIAN/ Examiner, Art Unit 2457
/ARIO ETIENNE/ Supervisory Patent Examiner, Art Unit 2457