DETAILED ACTION
Continued Examination Under 37 CFR 1.114
1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicants’ submission filed on 12/23/2025 has been entered.
Remarks
2. Pending claims for reconsideration are claims 1-19, and 21. Claims 1-6, 11-19, and 21 have been amended. Claim 20 has been cancelled.
Response to Arguments
3. Applicant's arguments filed 12/23/2025 are moot in view of new grounds of rejection.
Allowable Subject Matter
4. Claim 21 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No. US 2019/0116186 A1 to Viswanathan et al. (hereafter referenced as Viswanathan) in view of Pub. No. US 2023/0017423 A1 to Guntupalli et al. (hereafter referenced as Guntupalli) in further view of Pub. No. US 2020/0036599 A1 to Savov et al. (hereafter referenced as Savov).
Regarding claim 1, Viswanathan discloses obtaining a request originating from a source network function (browser to access cloud service [Fig.3/102]) deployed in an on-premise network (enterprise data network [Fig.1/item 10]) and destined for a destination network function deployed in the cloud network (user browser to access cloud service [Fig.3]; also see [Fig.4]); “determining, by the cloud proxy service, whether the source network function is associated with an enterprise network based on a unique user device identifier extracted from the request and on the subscriber account mappings” (web proxy access control [Fig.1/item 106]), “and blocking the request from propagating to the destination network function based on determining that the source network function is not associated with the particular enterprise network.” (ICAP server 32 sends the ICAP response to the web proxy 14. If the policy enforcement result is “allow,” then ICAP server sends an ICAP response with ‘OK’ (status code 200) status. If the policy enforcement result is “block,” then ICAP server sends an ICAP response with ‘FORBIDDEN’ (status code 403) status [par.0041]).
Viswanathan does not explicitly disclose “wherein the unique user device identifier is indicative of a particular enterprise network among a plurality of enterprise networks; providing the request to the destination network function based on determining that the source network function is associated with the particular enterprise network.”
However, Guntupalli in an analogous art discloses “wherein the unique identifier is indicative of a particular enterprise network among a plurality of enterprise networks” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]); “providing the request to the destination network function based on determining that the source network function is associated with the particular enterprise network”(customer in this context is generally an enterprise network that is using a service provider to manage a dedicated private 5G network allocated for use by the enterprise network Guntupalli [par.0019]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Viswanathan’s enterprise access control and network access control policy with Guntupalli’s mobile deployment within networks in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Viswanathan teaches an enterprise system and cloud network access, Guntupalli discloses an enterprise networked system with an identifier, and both are from the same field of endeavor.
Neither Viswanathan nor Guntupalli explicitly discloses “a method performed by a cloud proxy service hosted in the cloud network comprising: provisioning user devices by storing, in a mapping cache deployed in the cloud network, subscriber and account mappings of unique user device identifiers of the user devices of subscribers to corresponding ones of account identifiers of enterprise networks to which the user devices respectively belong;”
However, Savov in an analogous art discloses “a method performed by a cloud proxy service hosted in the cloud network (the proxy 450 forwards communication traffic from within the VA 320 and/or between VAs 320, 322, 324 of FIG. 3 Savov [par.0074]; also see proxy server 450 Savov [Fig.4]) comprising: provisioning user devices by storing (FIG. 4 illustrates an example implementation of a virtual appliance including subscription and provisioning functionality Savov [par.0009]), in a mapping cache 1813 (cache Savov [par.0166]) deployed in the cloud network, subscriber (register component adaptor configuration Savov [Fig.10/item 1002]) and account mappings of unique user device identifiers of the user devices of subscribers to corresponding ones of account identifiers of enterprise networks to which the user devices respectively belong” (retrieve adaptor configuration using identifier Savov [Fig.10/item 1008]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Viswanathan’s enterprise access control and network access control policy and Guntupalli’s mobile deployment within networks with Savov’s custom interface within a cloud management system in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Viswanathan teaches an enterprise system and cloud network access, Guntupalli discloses an enterprise networked system with an identifier, Savov discloses a cloud management system, and all are from the same field of endeavor.
Regarding claim 2 in view of claim 1, the references combined disclose “wherein determining whether the source network function is associated with the particular enterprise network includes: extracting the unique user device identifier from the request; and determining whether the unique user device identifier matches a subscriber and account mapping for the particular enterprise network stored in the mapping cache deployed in the cloud network.” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]; also see some of the disclosed embodiments provide protocol elements that include a tenant identifier when passing information between tenant specific components Guntupalli [par.0021]).
Regarding claim 3 in view of claim 2, the references combined disclose “wherein determining whether the source network function is associated with the particular enterprise network further includes: based on determining that the unique user device identifier is not stored in the mapping cache, providing, to a master datastore that stores master database subscriber and account mappings (basic blueprint 126 generated by the example topology generator is utilized as a data store Savov [par.0053]), a golden path request that includes the unique user device identifier” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]); “and determining whether the unique user device identifier is stored in the master datastore for an account associated with the particular enterprise network” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]; also see some of the disclosed embodiments provide protocol elements that include a tenant identifier when passing information between tenant specific components Guntupalli [par.0021]).
Regarding claim 4 in view of claim 1, the references combined disclose “wherein the unique user device identifier is an international mobile subscriber identity (IMSI) for a user device which is associated with the particular enterprise network” (mapping 208A also maps the tenant identifier 209A to a protocol data unit (PDU) session identifier, discussed in more detail below. In various embodiments, a UE may be identified using any combination of an International Mobile Subscriber Identity (IMSI) Guntupalli [par.0037]).
Regarding claim 5 in view of claim 1, the references combined disclose “wherein: provisioning includes obtaining a provisioning request for provisioning a subscriber identity module (SIM)” (the UDM instance 260 maintains subscriber identity module (SIM) credentials for each end user device (e.g. UE) associated with a particular tenant Guntupalli [par.0035]); “extracting the unique user device identifier from the provisioning request; and storing the unique user device identifier in association with an account identifier of the particular enterprise network in the mapping cache for validating signaling traffic from one or more on-premise networks.” (a service provider may on-board the SIMs, and the CP 104 then uses that information for authentication Guntupalli [par.0035]).
Regarding claim 6 in view of claim 5, the references combined disclose “wherein the mapping cache is a distributed cache hosted in the cloud network and further comprising: determining, by the cloud proxy service, that the unique user device identifier is stored in the distributed cache” (a service provider may on-board the SIMs, and the CP 104 then uses that information for authentication Guntupalli [par.0035]).
Regarding claim 7 in view of claim 1, the references combined disclose “wherein the source network function and the destination network function are functions of a private fifth-generation network as a service (private 5GaaS)” (system 100 may be implemented to facilitate a 5G-as-a-Service (5GaaS) offering Guntupalli [par.0026]).
Regarding claim 8 in view of claim 1, the references combined disclose “wherein the source network function and the destination network function are functions of a fourth-generation network as a service (4GaaS)” (Networks through which communications propagate can use any suitable technologies for communications including wireless communications (e.g., fourth generation (4G)/fifth generation (5G)/next generation (nG)) Guntupalli [par.0086]).
Regarding claim 9 in view of claim 1, the references combined disclose “further comprising: establishing a connectivity providing service using a plurality of network functions that include the source network function and the destination network function” (tenant is associated with a destination of the data; UPF reads configuration and determines tenant ID Guntupalli [Fig.6]); “wherein the plurality of network functions are deployed in the cloud network and in the on-premise network and wherein the cloud network hosts a device management service that includes one or more of: a data management function, an authentication server function, a charging function, or a home subscriber server” (i.e., plurality of network functions [Fig.2/item 202] being deployed within the network in which a combined Access and Mobility Management Function (AMF) and a Session Management Function (SMF) are deployed; the CP 104 is in communication with components of the system 100 that are specific to particular tenants Guntupalli [par.0026]).
Regarding claim 10 in view of claim 1, the references combined disclose “wherein obtaining the request originating from the source network function deployed in the on-premise network includes: intercepting, by the cloud proxy service hosted in the cloud network, the request, to validate signaling traffic from the source network function.” (i.e., plurality of network functions [Fig.2/item 202] being deployed within the network in which a combined Access and Mobility Management Function (AMF) and a Session Management Function (SMF) are deployed; the CP 104 is in communication with components of the system 100 that are specific to particular tenants Guntupalli [par.0026]).
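The validation flow recited in claims 1-10 (provisioning of identifier-to-account mappings into a cloud mapping cache, interception of a request, extraction of the unique user device identifier, cache lookup with a "golden path" fallback to the master datastore, and an allow/block decision) can be read as one procedure. The following is an added illustration of that procedure written for this document; it is not code from the application, the applicant, or from Viswanathan, Guntupalli or Savov. Class and field names, the constructed IMSI values and account identifiers, the 15-digit IMSI format check, and the use of status codes 200 and 403 (borrowed from the ICAP statuses quoted above from Viswanathan) are all assumptions made for the example.

```python
"""Added illustration of a cloud proxy validating a source network function
against enterprise account mappings.  Not the application's own code; all
names, sample identifiers and the IMSI format rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMSI_LEN = 15  # assumption for this example: identifiers must be exactly 15 digits


@dataclass
class Request:
    imsi: str         # unique user device identifier carried in the signaling request
    enterprise: str   # enterprise network whose destination network function is addressed
    destination: str  # destination network function in the cloud network


@dataclass
class Decision:
    action: str       # "allow" or "block"
    reason: str
    status: int       # 200 for allow, 403 for block (assumed, mirroring the quoted ICAP statuses)


class MasterDatastore:
    """Authoritative subscriber/account mappings; the target of a golden path request."""

    def __init__(self, mappings: Dict[str, str]):
        self._mappings = dict(mappings)

    def lookup(self, imsi: str) -> Optional[str]:
        return self._mappings.get(imsi)


def well_formed_imsi(imsi: str) -> bool:
    return imsi.isdigit() and len(imsi) == IMSI_LEN


class CloudProxy:
    def __init__(self, master: MasterDatastore):
        self.master = master
        self.cache: Dict[str, str] = {}   # mapping cache: IMSI -> enterprise account identifier
        self.golden_path_calls = 0        # how often the master datastore had to be consulted

    def provision(self, imsi: str, account_id: str) -> None:
        """Provisioning step: store the IMSI -> account mapping for later validation."""
        if not well_formed_imsi(imsi):
            raise ValueError("malformed IMSI in provisioning request")
        self.cache[imsi] = account_id

    def resolve_account(self, imsi: str) -> Optional[str]:
        """Cache lookup first; on a miss, issue the golden path request and warm the cache."""
        account = self.cache.get(imsi)
        if account is None:
            self.golden_path_calls += 1
            account = self.master.lookup(imsi)
            if account is not None:
                self.cache[imsi] = account
        return account

    def handle(self, req: Request) -> Decision:
        """Intercept a request and decide whether it may propagate to the destination."""
        if not well_formed_imsi(req.imsi):
            return Decision("block", "malformed identifier", 403)
        account = self.resolve_account(req.imsi)
        if account is None:
            return Decision("block", "identifier not provisioned for any enterprise", 403)
        # The check is a match against the particular enterprise, not mere existence:
        # a device provisioned for one tenant must not reach another tenant's functions.
        if account != req.enterprise:
            return Decision("block", "identifier belongs to a different enterprise", 403)
        return Decision("allow", "identifier mapped to the addressed enterprise", 200)


def run_scenario() -> Tuple[CloudProxy, List[Decision]]:
    """Constructed scenario: two provisioned devices, one pre-cached, one only in the master store."""
    master = MasterDatastore({
        "310150123456789": "ent-A",   # constructed sample IMSI
        "310150987654321": "ent-B",   # constructed sample IMSI
    })
    proxy = CloudProxy(master)
    proxy.provision("310150123456789", "ent-A")  # cache warmed at provisioning time

    requests = [
        Request("310150123456789", "ent-A", "amf"),   # cache hit -> allow
        Request("310150987654321", "ent-B", "smf"),   # cache miss, master hit -> allow
        Request("310150987654321", "ent-B", "smf"),   # now served from cache -> allow
        Request("310150555555555", "ent-A", "amf"),   # unknown device -> block
        Request("310150123456789", "ent-B", "smf"),   # wrong enterprise -> block
        Request("not-an-imsi", "ent-A", "amf"),       # malformed identifier -> block
    ]
    return proxy, [proxy.handle(r) for r in requests]


if __name__ == "__main__":
    proxy, decisions = run_scenario()
    for d in decisions:
        print(d.status, d.action, d.reason)
    print("golden path requests issued:", proxy.golden_path_calls)
```

The second and third requests show the cache-miss path: the first miss triggers exactly one golden path request, after which the mapping is served from the cache. The fifth request is the case a practitioner should look at most closely: the identifier is valid and provisioned, but for a different enterprise, so the proxy blocks it rather than treating "known identifier" as sufficient.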
Regarding claim 11, Viswanathan discloses “an apparatus comprising: a memory; a network interface configured to enable network communications; obtaining, by a cloud proxy service (web proxy [Fig.1]), a request originating from a source network function (browser to access cloud service [Fig.3/102]) deployed in an on-premise network (enterprise data network [Fig.1/item 10]) and destined for a destination network function deployed in a cloud network” (user browser to access cloud service [Fig.3]; also see [Fig.4]); “determining, by the cloud proxy service, whether the source network function is associated with an enterprise network based on a unique identifier extracted from the request” (web proxy access control [Fig.1/item 106]), “and blocking the request from propagating to the destination network function based on determining that the source network function is not associated with the particular enterprise network” (ICAP server 32 sends the ICAP response to the web proxy 14. If the policy enforcement result is “allow,” then ICAP server sends an ICAP response with ‘OK’ (status code 200) status. If the policy enforcement result is “block,” then ICAP server sends an ICAP response with ‘FORBIDDEN’ (status code 403) status [par.0041]).
Viswanathan does not explicitly disclose “wherein the unique identifier is indicative of a particular enterprise network among a plurality of enterprise networks; providing the request to the destination network function based on determining that the source network function is associated with the particular enterprise network.”
However, Guntupalli in an analogous art discloses “wherein the unique identifier is indicative of a particular enterprise network among a plurality of enterprise networks” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]); “providing the request to the destination network function based on determining that the source network function is associated with the particular enterprise network”(customer in this context is generally an enterprise network that is using a service provider to manage a dedicated private 5G network allocated for use by the enterprise network Guntupalli [par.0019]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Viswanathan’s enterprise access control and network access control policy with Guntupalli’s mobile deployment within networks in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Viswanathan teaches an enterprise system and cloud network access, Guntupalli discloses an enterprise networked system with an identifier, and both are from the same field of endeavor.
Neither Viswanathan nor Guntupalli explicitly discloses “and a processor, wherein the processor is configured to perform operations comprising: by a cloud proxy service hosted in the cloud network comprising: provisioning user devices by storing, in a mapping cache deployed in the cloud network, subscriber and account mappings of unique user device identifiers of the user devices of subscribers to corresponding ones of account identifiers of enterprise networks to which the user devices respectively belong;”
However, Savov in an analogous art discloses “and a processor, wherein the processor is configured to perform operations comprising: by a cloud proxy service hosted in the cloud network (the proxy 450 forwards communication traffic from within the VA 320 and/or between VAs 320, 322, 324 of FIG. 3 Savov [par.0074]; also see proxy server 450 Savov [Fig.4]) comprising: provisioning user devices by storing (FIG. 4 illustrates an example implementation of a virtual appliance including subscription and provisioning functionality Savov [par.0009]), in a mapping cache 1813 (cache Savov [par.0166]) deployed in the cloud network, subscriber (register component adaptor configuration Savov [Fig.10/item 1002]) and account mappings of unique user device identifiers of the user devices of subscribers to corresponding ones of account identifiers of enterprise networks to which the user devices respectively belong” (retrieve adaptor configuration using identifier Savov [Fig.10/item 1008]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Viswanathan’s enterprise access control and network access control policy and Guntupalli’s mobile deployment within networks with Savov’s custom interface within a cloud management system in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Viswanathan teaches an enterprise system and cloud network access, Guntupalli discloses an enterprise networked system with an identifier, Savov discloses a cloud management system, and all are from the same field of endeavor.
Regarding claim 12 in view of claim 11, the references combined disclose “wherein the processor is configured to determine whether the source network function is associated with the particular enterprise network by: extracting the unique user device identifier from the request; and determining whether the unique user device identifier matches a subscriber and account mapping that includes an account identifier for the particular enterprise network stored in the mapping cache deployed in the cloud network” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]).
Regarding claim 13 in view of claim 12, the references combined disclose “wherein the processor is configured to determine whether the source network function is associated with the particular enterprise network further by: based on determining that the unique user device identifier is not stored in the mapping cache, providing, to a master datastore that stores master database subscriber and account mappings, a golden path request that includes the unique user device identifier” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]); “and determining whether the unique user device identifier is stored in the master datastore for an account associated with the particular enterprise network” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]).
Regarding claim 14 in view of claim 11, the references combined disclose “wherein the unique user device identifier is an international mobile subscriber identify identity (MSI) using which a subscriber for a user device is associated with the particular enterprise network” (mapping 208A also maps the tenant identifier 209A to a protocol data unit (PDU) session identifier, discussed in more detail below. In various embodiments, a UE may be identified using any combination of an International Mobile Subscriber Identity (IMSI) Guntupalli [par.0037]).
Regarding claim 15 in view of claim 11, the references combined disclose “wherein the processor is further configured to perform: provisioning includes obtaining a provisioning request for provisioning a subscriber identity module (SIM)” (the UDM instance 260 maintains subscriber identity module (SIM) credentials for each end user device (e.g. UE) associated with a particular tenant Guntupalli [par.0035]); “extracting the unique user device identifier from the provisioning request; and storing the unique user device identifier in association with an account identifier of the particular enterprise network in the mapping cache for validating signaling traffic from one or more on-premise networks” (a service provider may on-board the SIMs, and the CP 104 then uses that information for authentication Guntupalli [par.0035]).
Regarding claim 16 in view of claim 15, the references combined disclose “wherein the mapping cache is a distributed cache hosted in the cloud network and the processor is further configured to perform: determining that the unique user device identifier is stored in the distributed cache” (a service provider may on-board the SIMs, and the CP 104 then uses that information for authentication Guntupalli [par.0035]).
Regarding claim 17, Viswanathan discloses “One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor of a cloud proxy service hosted in a cloud network (web proxy [Fig.1/item 14]), cause the processor to execute a method comprising: obtaining a request originating from a source network function (browser to access cloud service [Fig.3/102]) deployed in an on-premise network (enterprise data network [Fig.1/item 10]) and destined for a destination network function deployed in the cloud network” (user browser to access cloud service [Fig.3]; also see [Fig.4]); “determining, by the cloud proxy service, whether the source network function is associated with an enterprise network based on a unique user device identifier extracted from the request and on the subscriber and account mappings” (web proxy access control [Fig.1/item 106]), “and blocking the request from propagating to the destination network function based on determining that the source network function is not associated with the particular enterprise network” (ICAP server 32 sends the ICAP response to the web proxy 14. If the policy enforcement result is “allow,” then ICAP server sends an ICAP response with ‘OK’ (status code 200) status. If the policy enforcement result is “block,” then ICAP server sends an ICAP response with ‘FORBIDDEN’ (status code 403) status [par.0041]).
Viswanathan does not explicitly disclose “wherein the unique user device identifier is indicative of a particular enterprise network among a plurality of enterprise networks; providing the request to the destination network function based on determining that the source network function is associated with the particular enterprise network.”
However, Guntupalli in an analogous art discloses “wherein the unique identifier is indicative of a particular enterprise network among a plurality of enterprise networks” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]); “providing the request to the destination network function based on determining that the source network function is associated with the particular enterprise network”(customer in this context is generally an enterprise network that is using a service provider to manage a dedicated private 5G network allocated for use by the enterprise network Guntupalli [par.0019]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Viswanathan’s enterprise access control and network access control policy with Guntupalli’s mobile deployment within networks in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Viswanathan teaches an enterprise system and cloud network access, Guntupalli discloses an enterprise networked system with an identifier, and both are from the same field of endeavor.
Neither Viswanathan nor Guntupalli explicitly discloses “provisioning user devices by storing, in a mapping cache deployed in the cloud network, subscriber and account mappings of unique user device identifiers of the user devices of subscribers to corresponding ones of account identifiers of enterprise networks to which the user devices respectively belong”
However, Savov in an analogous art discloses “provisioning user devices by storing (FIG. 4 illustrates an example implementation of a virtual appliance including subscription and provisioning functionality Savov [par.0009]), in a mapping cache 1813 (cache Savov [par.0166]) deployed in the cloud network, subscriber (register component adaptor configuration Savov [Fig.10/item 1002]) and account mappings of unique user device identifiers of the user devices of subscribers to corresponding ones of account identifiers of enterprise networks to which the user devices respectively belong” (retrieve adaptor configuration using identifier Savov [Fig.10/item 1008]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Viswanathan’s enterprise access control and network access control policy and Guntupalli’s mobile deployment within networks with Savov’s custom interface within a cloud management system in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Viswanathan teaches an enterprise system and cloud network access, Guntupalli discloses an enterprise networked system with an identifier, Savov discloses a cloud management system, and all are from the same field of endeavor.
Regarding claim 18 in view of claim 17, the references combined disclose “wherein determining whether the source network function is associated with the particular enterprise network includes: extracting the unique user device identifier from the request; and determining whether the unique user device identifier matches a subscriber and account mapping that includes an account identifier for the particular enterprise network stored in the mapping cache.” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]).
Regarding claim 19 in view of claim 18, the references combined disclose “wherein determining whether the source network function is associated with the particular enterprise network further includes: based on determining that the unique user device identifier is not stored in the mapping cache, providing, to a master datastore that stores master database subscriber and account mappings, a golden path request that includes the unique user device identifier” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]); “and determining whether the unique user device identifier is stored in the master datastore as a subscriber identifier for an account associated with the particular enterprise network” (tenant identifier is encoded in the tenant identifier field 406 as an octet string that uniquely identifies the tenant Guntupalli [par.0047]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL D ANDERSON/Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433