Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
This application is in response to Applicant’s Amendment filed on 19 March 2025. Claims 5 and 15 have been canceled. Claims 1-4, 6-14, and 16-20 have been amended. Claims 1-4, 6-14, and 16-20 remain pending.
Information Disclosure Statement
The Information Disclosure Statements respectfully submitted on 19 February 2025 have been considered by the Examiner.
Response to Arguments
5. Applicant’s arguments, see pages 13-16, filed 19 March 2025, with respect to the rejection of claims 1-20 in view of Basu et al. (WO 2020260921 A2) have been fully considered, but are moot in view of the new grounds of rejection.
New grounds of rejection are hereby presented in view of Guo et al. (EP 4016949 A1), which is the English translation of (WO 2021031055 A1), for teaching the newly claimed limitations – “receiving, from a server, a packet including data and additional information for the data, the additional information including at least one header for the data, determining whether the data, among the data and the additional information is ciphered”.
6. In light of the previous 101 rejection for claims 1, 7, 9, 11, and 17, the Applicant has amended the claims to recite additional elements that are sufficient to amount to significantly more than the judicial exception, therefore, the claim rejection has been withdrawn.
Claim Rejections - 35 USC § 103
7. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
9. Claims 1-4, 6-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Basu et al. (WO 2020260921 A2) in view of Guo et al. (EP 4016949 A1) which is the English translation of (WO 2021031055 A1).
Referring to the rejection of claim 1, Basu et al. discloses a method of a network entity in a communication system, the method comprising: (See Basu et al., Fig. 5, i.e., the base station apparatus, item 500 is disclosed as the network entity)
transmitting, to the UE, a downlink signal secured based on the UP security, and receiving, from the UE, an uplink signal secured based on the UP security. (See Basu et al., para. 44-45, 83, and 123, i.e., sending a downlink signal and uplink signal disclosed as first and second signals to the UE indicating that the user plane (UP) security activation indicates the activation of user plane integrity protection and ciphering for each DRB according to the security policy and the data protection policy indicates that asymmetric integrity protection is to be applied to user plane traffic in one of: an uplink direction and a downlink direction. In certain embodiments, the data protection policy indicates that the pattern is to be applied to user plane traffic in an uplink direction and/or a downlink direction)
Basu et al. fails to explicitly disclose receiving, from a server, a packet including data and additional information for the data, the additional information including at least one header for the data, determining whether the data, among the data and the additional information is ciphered.
Guo et al. discloses a communication method and system.
Guo et al. discloses receiving, from a server, a packet including data and additional information for the data; (See Guo et al., para. 309-312, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer)
Guo et al. discloses determining whether the data, among the data and the additional information is ciphered; (See Guo et al., para. 357, i.e., it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer)
Guo et al. discloses in case that the data is ciphered, transmitting, to a user equipment (UE), a first signal configuring to apply a user plane (UP) security for the additional information. (See Guo et al., para. 357, i.e., when the uplink data packet is encryption-protected at the PDCP layer, the first node may not perform encryption protection on the uplink data packet, to reduce a latency of processing the uplink data packet by the first node, so as to reduce a latency of transmitting the uplink data packet between the first node and the second node)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date the claimed invention was made to combine Basu et al.’s method and system for security protection of user plane traffic modified with Guo et al.’s communication method and system.
Motivation for such an implementation would enable determining secure tunnels based on the PDCP layer security status of a data packet, wherein the target secure tunnel is used to transmit the data packet. (See Guo et al., para. 316)
Referring to the rejection of claims 2 and 12, (Basu et al. modified with Guo et al.) discloses performing an inspection of the packet based on at least one ciphering protocol; (See Basu et al., para. 7 and 83, i.e., the data in the packet is ciphered on the basis of a ciphering protocol (VPN, HTTPS) which is used to identify the packet inspection)
and wherein whether the data is ciphered is determined based on the at least one ciphering protocol. (See Guo et al., para. 306, i.e., the secure tunnel between the IAB node and the IAB donor may be an Internet protocol security (Internet protocol security, IPsec) tunnel)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claims 3 and 13, (Basu et al. modified with Guo et al.) discloses comprising receiving, from the UE or the server, a second signal indicating whether the data is ciphered; wherein whether the data is ciphered is determined based on the second signal. (See Basu et al., para. 57, 60, and 64, i.e., receiving uplink and downlink signals carried over 3GPP communication links wherein the base station units transmit the downlink signals as the second signal to determine if the data is integrity protected) and (See Guo et al., para. 324, 326, and 409, i.e., a security status may be considered from a perspective of integrity protection and encryption protection and the PDCP layer security status of the uplink data packet includes the following case: (1) encryption protection enabled; or (2) encryption protection disabled)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claims 4 and 14, (Basu et al. modified with Guo et al.) discloses receiving, from the UE or the server, a message including a request for the UP security. (See Guo et al., para. 471-472, i.e., a request message for the user plane security is transmitted within a PDU session of a second node wherein the second node activates a user plane security status in an RRC connection reconfiguration (RRC Connection Reconfiguration) procedure. The user plane security status may be understood as a PDCP layer security status)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claims 6 and 16, (Basu et al. modified with Guo et al.) discloses further comprising:
performing an integrity protection procedure for the additional information; (See Guo et al., para. 309-312, i.e., performing an integrity protection procedure for the additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer)
generating information for an integrity protection, based on the integrity protection procedure; (See Basu et al., para. 83-84, i.e., generating information based on the integrity protection and ciphering of the data packets)
and performing a ciphering procedure for the additional information and the information for the integrity protection, (See Basu et al., para. 84-86, i.e., performing a ciphering of integrity protection based on the results of the protected data packets)
wherein the first signal is transmitted based on the ciphering procedure, wherein the information for the integrity protection includes a message authentication code-integrity (MAC-I), wherein a location of the information for the integrity protection corresponding to the data is determined based on a location of the data, and wherein the information for the integrity protection is located in front of the data in the packet (See Basu et al., para. 48-49, i.e., performing an integrity protection and ciphering wherein the integrity protection comprises a MAC-I and location of the secure user plane) and (See Guo et al., para. 323-329, i.e., the first node determines the PDCP layer security status of the uplink data packet based on whether the uplink data packet carries a MAC-I, and if the uplink data packet does not carry the MAC-I, the first node may determine that the PDCP layer security status of the uplink data packet is integrity protection disabled. If the uplink data packet carries the MAC-I, the first node may determine that the PDCP layer security status of the uplink data packet is integrity protection enabled)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claim 7, (Basu et al. modified with Guo et al.) discloses a method of a user equipment (UE) in a communication system, the method comprising: (See Basu et al., Fig. 4, i.e., the user equipment apparatus (UE), item 400 is disclosed)
receiving, from the network entity, the downlink signal secured based on the UP security, and transmitting, to the network entity, the uplink signal secured based on the UP security; (See Basu et al., para. 44-45, 83, and 123, i.e., sending a downlink signal and uplink signal disclosed as first and second signals to the UE indicating that the user plane (UP) security activation indicates the activation of user plane integrity protection and ciphering for each DRB according to the security policy and the data protection policy indicates that asymmetric integrity protection is to be applied to user plane traffic in one of: an uplink direction and a downlink direction. In certain embodiments, the data protection policy indicates that the pattern is to be applied to user plane traffic in an uplink direction and/or a downlink direction)
Basu et al. fails to explicitly disclose receiving, from a server, a packet including data and additional information for the data, the additional information including at least one header for the data, determining whether the data, among the data and the additional information is ciphered.
Guo et al. discloses a communication method and system.
Guo et al. discloses receiving, from a network entity, a first signal configuring to apply user plane (UP) security for additional information including at least one header for data, in case that the data, among the data and the additional information, is ciphered, wherein the additional information and the data are included in a packet; (See Guo et al., para. 309-312, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer)
Guo et al. discloses and applying the UP security to a downlink signal and an uplink signal; (See Guo et al., para. 357, i.e., it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer and when the uplink data packet is encryption-protected at the PDCP layer, the first node may not perform encryption protection on the uplink data packet, to reduce a latency of processing the uplink data packet by the first node, so as to reduce a latency of transmitting the uplink data packet between the first node and the second node)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claims 8 and 18, (Basu et al. modified with Guo et al.) discloses further comprising: transmitting, to the network entity, a second signal indicating whether the data is ciphered, (See Basu et al., para. 57, 60, and 64, i.e., receiving uplink and downlink signals carried over 3GPP communication links wherein the base station units transmit the downlink signals as the second signal to determine if the data is integrity protected)
and transmitting, to the network entity, a message including a request for the UP security, (See Guo et al., para. 471-472, i.e., a request message for the user plane security is transmitted within a PDU session of a second node wherein the second node activates a user plane security status in an RRC connection reconfiguration (RRC Connection Reconfiguration) procedure. The user plane security status may be understood as a PDCP layer security status)
wherein an integrity protection procedure is applied to the additional information, (See Guo et al., para. 309-312, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer)
wherein a ciphering procedure is applied to the additional information and information for an integrity protection, the information for the integrity protection being generated based on the integrity protection procedure, (See Guo et al., para. 357, i.e., it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer)
wherein the first signal is transmitted based on the ciphering procedure, (See Guo et al., para. 357, i.e., when the uplink data packet is encryption-protected at the PDCP layer, the first node may not perform encryption protection on the uplink data packet, to reduce a latency of processing the uplink data packet by the first node, so as to reduce a latency of transmitting the uplink data packet between the first node and the second node)
wherein the information for the integrity protection includes a message authentication code-integrity (MAC-I), wherein a location of the information for the integrity protection corresponding to the data is determined based on a location of the data, and wherein the information for the integrity protection is located in front of the data in the packet. (See Basu et al., para. 48-49, i.e., performing an integrity protection and ciphering wherein the integrity protection comprises a MAC-I and location of the secure user plane) and (See Guo et al., para. 323-329, i.e., the first node determines the PDCP layer security status of the uplink data packet based on whether the uplink data packet carries a MAC-I, and if the uplink data packet does not carry the MAC-I, the first node may determine that the PDCP layer security status of the uplink data packet is integrity protection disabled. If the uplink data packet carries the MAC-I, the first node may determine that the PDCP layer security status of the uplink data packet is integrity protection enabled)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claim 9, (Basu et al. modified with Guo et al.) discloses a method of a server in a communication system, the method comprising: (See Basu et al., Fig. 6, i.e., the network equipment apparatus, item 600 is disclosed as the server)
wherein user plane (UP) security for the additional information is applied, in case that the data, among the data and the additional information, is ciphered (See Basu et al., para. 44-45, 83, and 123, i.e., sending a downlink signal and uplink signal disclosed as first and second signals to the UE indicating that the user plane (UP) security activation indicates the activation of user plane integrity protection and ciphering for each DRB according to the security policy and the data protection policy indicates that asymmetric integrity protection is to be applied to user plane traffic in one of: an uplink direction and a downlink direction. In certain embodiments, the data protection policy indicates that the pattern is to be applied to user plane traffic in an uplink direction and/or a downlink direction)
Basu et al. fails to explicitly disclose generating a packet including data and additional information for the data, the additional information including at least one header for the data; and transmitting, to a network entity, the generated packet including the data and the additional information.
Guo et al. discloses a communication method and system.
Guo et al. discloses generating a packet including data and additional information for the data, the additional information including at least one header for the data; and transmitting, to a network entity, the generated packet including the data and the additional information. (See Guo et al., para. 309-312 and 357, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer, and it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claims 10 and 20, (Basu et al. modified with Guo et al.) discloses further comprising transmitting, to the network entity, a signal indicating whether the data is ciphered; (See Guo et al., para. 532-533, i.e., an IPsec layer of the first node may send the IPsec information to an RRC layer of the first node, so that the RRC layer of the first node sends RRC signaling carrying the IPsec information)
and transmitting, to the network entity, a message including a request for the UP security; (See Guo et al., para. 471-472, i.e., a request message for the user plane security is transmitted within a PDU session of a second node wherein the second node activates a user plane security status in an RRC connection reconfiguration (RRC Connection Reconfiguration) procedure. The user plane security status may be understood as a PDCP layer security status)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claim 11, (Basu et al. modified with Guo et al.) discloses a network entity in a communication system, the network entity comprising: (See Basu et al., Fig. 5, i.e., the base station apparatus, item 500 is disclosed as the network entity)
a transceiver; (See Basu et al., Fig. 5, i.e., the transceiver, item 525 is disclosed)
and a controller operably connected to the transceiver, the controller configured to: (See Basu et al., Fig. 5, i.e., the processor, item 505 is disclosed as the controller)
transmit, to the UE, a downlink signal secured based on the UP security, and receive, from the UE, an uplink signal secured based on the UP security. (See Basu et al., para. 44-45, 83, and 123, i.e., sending a downlink signal and uplink signal disclosed as first and second signals to the UE indicating that the user plane (UP) security activation indicates the activation of user plane integrity protection and ciphering for each DRB according to the security policy and the data protection policy indicates that asymmetric integrity protection is to be applied to user plane traffic in one of: an uplink direction and a downlink direction. In certain embodiments, the data protection policy indicates that the pattern is to be applied to user plane traffic in an uplink direction and/or a downlink direction)
Basu et al. fails to explicitly disclose receiving, from a server, a packet including data and additional information for the data, the additional information including at least one header for the data, determining whether the data, among the data and the additional information is ciphered.
Guo et al. discloses a communication method and system.
Guo et al. discloses receive, from a server, a packet including data and additional information for the data; (See Guo et al., para. 309-312, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer)
Guo et al. discloses determine whether the data, among the data and the additional information is ciphered; (See Guo et al., para. 357, i.e., it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer)
Guo et al. discloses in case that the data is ciphered, transmit, to a user equipment (UE), a first signal configuring to apply a user plane (UP) security for the additional information. (See Guo et al., para. 357, i.e., when the uplink data packet is encryption-protected at the PDCP layer, the first node may not perform encryption protection on the uplink data packet, to reduce a latency of processing the uplink data packet by the first node, so as to reduce a latency of transmitting the uplink data packet between the first node and the second node)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claim 17, (Basu et al. modified with Guo et al.) discloses a user equipment (UE) in a communication system, the UE comprising: (See Basu et al., Fig. 4, i.e., the user equipment apparatus (UE), item 400 is disclosed)
a transceiver; (See Basu et al., Fig. 4, i.e., the transceiver, item 425 is disclosed)
and a controller operably connected to the transceiver, the controller configured to: (See Basu et al., Fig. 4, i.e., the processor, item 405 is disclosed as the controller)
receive, from the network entity, the downlink signal secured based on the UP security, and transmit, to the network entity, the uplink signal secured based on the UP security; (See Basu et al., para. 44-45, 83, and 123, i.e., sending a downlink signal and uplink signal disclosed as first and second signals to the UE indicating that the user plane (UP) security activation indicates the activation of user plane integrity protection and ciphering for each DRB according to the security policy and the data protection policy indicates that asymmetric integrity protection is to be applied to user plane traffic in one of: an uplink direction and a downlink direction. In certain embodiments, the data protection policy indicates that the pattern is to be applied to user plane traffic in an uplink direction and/or a downlink direction)
Basu et al. fails to explicitly disclose receiving, from a server, a packet including data and additional information for the data, the additional information including at least one header for the data, determining whether the data, among the data and the additional information is ciphered.
Guo et al. discloses a communication method and system.
Guo et al. discloses receive, from a network entity, a first signal configuring to apply user plane (UP) security for additional information including at least one header for data, in case that the data, among the data and the additional information, is ciphered, wherein the additional information and the data are included in a packet; (See Guo et al., para. 309-312, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer)
Guo et al. discloses and apply the UP security to a downlink signal and an uplink signal; (See Guo et al., para. 357, i.e., it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer and when the uplink data packet is encryption-protected at the PDCP layer, the first node may not perform encryption protection on the uplink data packet, to reduce a latency of processing the uplink data packet by the first node, so as to reduce a latency of transmitting the uplink data packet between the first node and the second node)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Referring to the rejection of claim 19, (Basu et al. modified with Guo et al.) discloses a server comprising: (See Basu et al., Fig. 6, i.e., the network equipment apparatus, item 600 is disclosed as the server)
a transceiver; (See Basu et al., Fig. 6, i.e., the transceiver, item 625 is disclosed)
and a controller operably connected to the transceiver, the controller configured to: (See Basu et al., Fig. 6, i.e., the processor, item 605 is disclosed as the controller)
wherein user plane (UP) security for the additional information is applied, in case that the data, among the data and the additional information, is ciphered (See Basu et al., para. 44-45, 83, and 123, i.e., sending a downlink signal and uplink signal disclosed as first and second signals to the UE indicating that the user plane (UP) security activation indicates the activation of user plane integrity protection and ciphering for each DRB according to the security policy and the data protection policy indicates that asymmetric integrity protection is to be applied to user plane traffic in one of: an uplink direction and a downlink direction. In certain embodiments, the data protection policy indicates that the pattern is to be applied to user plane traffic in an uplink direction and/or a downlink direction)
Basu et al. fails to explicitly disclose generating a packet including data and additional information for the data, the additional information including at least one header for the data; and transmitting, to a network entity, the generated packet including the data and the additional information.
Guo et al. discloses a communication method and system.
Guo et al. discloses generate a packet including data and additional information for the data, the additional information including at least one header for the data; and transmit, to a network entity, the generated packet including the data and the additional information. (See Guo et al., para. 309-312 and 357, i.e., the server receives a packet that includes data and additional information which is disclosed as the PDU header to data and the SDAP header corresponding to the lower layer. This allows the SDAP header to be added to the packet received from the PDU and transfer to the PDCP corresponding to a lower layer, and it may be understood that when the PDCP layer security status of the uplink data packet is encryption protection enabled, it indicates that the uplink data packet is encrypted at a PDCP layer)
The rationale for combining Basu et al. in view of Guo et al. is the same as claim 1.
Conclusion
10. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871. The examiner can normally be reached IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/COURTNEY D FIELDS/Examiner, Art Unit 2436 June 16, 2025
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436