Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by VERMA et al. (US 2025/0031043 A1), hereinafter VERMA.
Regarding claim 1, VERMA discloses a system comprising: a processor; and a memory that stores computer-executable instructions that, when executed by the processor, cause the processor to perform operations comprising
obtaining packet forwarding control protocol messages associated with a mobility network, the packet forwarding control protocol messages relating to data communications relating to a user equipment that is attached to the mobility network via a radio resource of the mobility network, the data communications comprising user plane traffic (implementation, the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings can be collected by the security platform using various techniques including inspection of Packet Forwarding Control Protocol (PFCP) messages, APIs, syslog messages, see ¶ 0083, 0085);
correlating the packet forwarding control protocol messages to subscriber identities or device identities to obtain correlated packet forwarding control protocol messages (a host 200 in a network gateway firewall (NGFW) entity 202, see ¶ 0060, 0080. For an IMSI/SUPI to IP and/or IMEI/PEI to IP match, the security platform refers to its IMSI/SUPI to IP and/or IMEI/PEI to IP data store (e.g., implemented as a database, such as an SQL database, or another type of data store) maintained by NGFW 202. In this example implementation, the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings can be collected by the security platform using various techniques including inspection of Packet Forwarding Control Protocol (PFCP) messages, APIs, syslog messages, etc., see ¶ 0083);
determining, based on the correlated packet forwarding control protocol messages associated, if the user equipment is associated with a malicious subscriber or comprises a malicious device (a first technique for selective intelligent enforcement per location for mobile networks using a security platform, the security platform receives a first number of packets for inspection (e.g., a first few packets for a new flow) as shown at 242 for an incoming flow 246, see ¶ 0119);
in response to determining that the user equipment is associated with the malicious subscriber or comprises the malicious device, selecting an interface via which the radio resource connects to a user plane of the mobility network (If the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 224, see ¶ 0083); and
triggering activation of an interface-located firewall on the interface to monitor data exchanged via the interface (If the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 224, see ¶ 0083).
Regarding claim 2, VERMA discloses the mobility network comprises a fifth generation cellular network, wherein the interface comprises an N3 interface, wherein the radio resource comprises a gNodeB, and wherein the user plane traffic occurs between at least two of the gNodeB, a user plane function, or a session management function that controls the user plane function (in the 5G architecture, the User Plane Protocol stack between access network and core over backbone network over N3 interface will be based on GPRS Tunnel Protocol User Plane (GTP-U). The Control Plane NFs in the 5G system architecture shall be based on the service-based architecture, see ¶ 0041, 0044, 0045, where access mechanisms 104, 016, 108, 101 of the network are in communication with 5G user plane functions 114a, see ¶ 0045 and figure 1).
Regarding claim 3, VERMA discloses where the mobility network comprises a fourth generation cellular network, wherein the interface comprises an S1-U interface, wherein the radio resource comprises an eNodeB, and wherein the user plane traffic occurs between at least two of the eNodeB, a serving gateway user plane function/packet data network gateway user plane function, or a serving gateway control plane function/packet data network gateway control plane function that controls the serving gateway user plane function/packet data network gateway user plane function (container-based firewalls can similarly be implemented and configured to perform the disclosed techniques) for providing enhanced security (e.g., over various interfaces, such as SGi and/or other interfaces in a 4G/LTE core network, and N3 interface (e.g., protected by Security Platform 102a as shown in FIG. 1) and/or N6 interface (e.g., protected by Security Platform 102c as shown in FIG. 1) and/or other interfaces in a 5G core network as shown in FIG. 1) in mobile networks (e.g., 4G/LTE, 5G, and/or later mobile networks) as further described below, see ¶ 0044, … 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 4, VERMA discloses the device identities comprise an international mobile equipment identity or a subscription permanent identifier, and wherein the subscriber identities comprise an international mobile subscriber identity (the security platform checks if an IP address(es) associated with the packets match a subscriber identity (e.g., IMSI and/or SUPI) and/or an equipment identity (e.g., IMEI and/or PEI) configured in a policy (e.g., selective intelligent enforcement (SIE) policy rules configured in the policy/security policy) as shown at 220, see ¶ 0083).
Regarding claim 5, VERMA discloses wherein the interface-located firewall is configured via firewall rules to determine, based on the data communications of the user equipment via the interface, if the user equipment should be blocked from communicating with the mobility network (5G mobile network environment that includes a Security Platform at various locations as shown at 102a, 102b, and 102c (e.g., the security function(s)/platform(s) can be implemented using a firewall (FW)/Next Generation Firewall (NGFW), a network sensor acting on behalf of the firewall, or another (virtual) device/component that can implement security policies using the disclosed techniques, see ¶ 0044).
Regarding claim 6, VERMA inherently discloses in response to determining that the user equipment should be blocked from communicating with the mobility network, the interface-located firewall reports a device identifier associated with the user equipment to a scrubbed IP domain service that controls the interface-located firewall (inherent feature: 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 7, VERMA inherently discloses the scrubbed IP domain service obtains the packet forwarding control protocol messages associated with the interface, and wherein the scrubbed IP domain service sends firewall rules to the interface-located firewall to control the interface-located firewall (inherent feature: 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 8, VERMA discloses a method comprising:
obtaining packet forwarding control protocol messages associated with a mobility network, the packet forwarding control protocol messages relating to data communications relating to a user equipment that is attached to the mobility network via a radio resource of the mobility network, the data communications comprising user plane traffic (implementation, the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings can be collected by the security platform using various techniques including inspection of Packet Forwarding Control Protocol (PFCP) messages, APIs, syslog messages, see ¶ 0083, 0085);
correlating the packet forwarding control protocol messages to subscriber identities or device identities to obtain correlated packet forwarding control protocol messages (a host 200 in a network gateway firewall (NGFW) entity 202, see ¶ 0060, 0080. For an IMSI/SUPI to IP and/or IMEI/PEI to IP match, the security platform refers to its IMSI/SUPI to IP and/or IMEI/PEI to IP data store (e.g., implemented as a database, such as an SQL database, or another type of data store) maintained by NGFW 202. In this example implementation, the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings can be collected by the security platform using various techniques including inspection of Packet Forwarding Control Protocol (PFCP) messages, APIs, syslog messages, etc., see ¶ 0083);
determining, based on the correlated packet forwarding control protocol messages associated, if the user equipment is associated with a malicious subscriber or comprises a malicious device (a first technique for selective intelligent enforcement per location for mobile networks using a security platform, the security platform receives a first number of packets for inspection (e.g., a first few packets for a new flow) as shown at 242 for an incoming flow 246, see ¶ 0119);
in response to determining that the user equipment is associated with the malicious subscriber or comprises the malicious device, selecting an interface via which the radio resource connects to a user plane of the mobility network (If the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 224, see ¶ 0083); and
triggering activation of an interface-located firewall on the interface to monitor data exchanged via the interface (If the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 224, see ¶ 0083).
Regarding claim 9, VERMA discloses the mobility network comprises a fifth generation cellular network, wherein the interface comprises an N3 interface, wherein the radio resource comprises a gNodeB, and wherein the user plane traffic occurs between at least two of the gNodeB, a user plane function, or a session management function that controls the user plane function (in the 5G architecture, the User Plane Protocol stack between access network and core over backbone network over N3 interface will be based on GPRS Tunnel Protocol User Plane (GTP-U). The Control Plane NFs in the 5G system architecture shall be based on the service-based architecture, see ¶ 0041, 0044, 0045, where access mechanisms 104, 016, 108, 101 of the network are in communication with 5G user plane functions 114a, see ¶ 0045 and figure 1).
Regarding claim 10, VERMA discloses where the mobility network comprises a fourth generation cellular network, wherein the interface comprises an S1-U interface, wherein the radio resource comprises an eNodeB, and wherein the user plane traffic occurs between at least two of the eNodeB, a serving gateway user plane function/packet data network gateway user plane function, or a serving gateway control plane function/packet data network gateway control plane function that controls the serving gateway user plane function/packet data network gateway user plane function (container-based firewalls can similarly be implemented and configured to perform the disclosed techniques) for providing enhanced security (e.g., over various interfaces, such as SGi and/or other interfaces in a 4G/LTE core network, and N3 interface (e.g., protected by Security Platform 102a as shown in FIG. 1) and/or N6 interface (e.g., protected by Security Platform 102c as shown in FIG. 1) and/or other interfaces in a 5G core network as shown in FIG. 1) in mobile networks (e.g., 4G/LTE, 5G, and/or later mobile networks) as further described below, see ¶ 0044, … 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 11, VERMA discloses the device identities comprise an international mobile equipment identity or a subscription permanent identifier, and wherein the subscriber identities comprise an international mobile subscriber identity (the security platform checks if an IP address(es) associated with the packets match a subscriber identity (e.g., IMSI and/or SUPI) and/or an equipment identity (e.g., IMEI and/or PEI) configured in a policy (e.g., selective intelligent enforcement (SIE) policy rules configured in the policy/security policy) as shown at 220, see ¶ 0083).
Regarding claim 12, VERMA discloses wherein the interface-located firewall is configured via firewall rules to determine, based on the data communications of the user equipment via the interface, if the user equipment should be blocked from communicating with the mobility network (5G mobile network environment that includes a Security Platform at various locations as shown at 102a, 102b, and 102c (e.g., the security function(s)/platform(s) can be implemented using a firewall (FW)/Next Generation Firewall (NGFW), a network sensor acting on behalf of the firewall, or another (virtual) device/component that can implement security policies using the disclosed techniques, see ¶ 0044).
Regarding claim 13, VERMA inherently discloses in response to determining that the user equipment should be blocked from communicating with the mobility network, the interface-located firewall reports a device identifier associated with the user equipment to a scrubbed IP domain service that controls the interface-located firewall (inherent feature: 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 14, VERMA inherently discloses the scrubbed IP domain service obtains the packet forwarding control protocol messages associated with the interface, and wherein the scrubbed IP domain service sends firewall rules to the interface-located firewall to control the interface-located firewall (inherent feature: 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 15, VERMA discloses a computer storage medium having computer-executable instructions stored thereon that, when executed by a processor, cause the processor to perform operations comprising:
obtaining packet forwarding control protocol messages associated with a mobility network, the packet forwarding control protocol messages relating to data communications relating to a user equipment that is attached to the mobility network via a radio resource of the mobility network, the data communications comprising user plane traffic (implementation, the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings can be collected by the security platform using various techniques including inspection of Packet Forwarding Control Protocol (PFCP) messages, APIs, syslog messages, see ¶ 0083, 0085);
correlating the packet forwarding control protocol messages to subscriber identities or device identities to obtain correlated packet forwarding control protocol messages (a host 200 in a network gateway firewall (NGFW) entity 202, see ¶ 0060, 0080. For an IMSI/SUPI to IP and/or IMEI/PEI to IP match, the security platform refers to its IMSI/SUPI to IP and/or IMEI/PEI to IP data store (e.g., implemented as a database, such as an SQL database, or another type of data store) maintained by NGFW 202. In this example implementation, the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings can be collected by the security platform using various techniques including inspection of Packet Forwarding Control Protocol (PFCP) messages, APIs, syslog messages, etc., see ¶ 0083);
determining, based on the correlated packet forwarding control protocol messages associated, if the user equipment is associated with a malicious subscriber or comprises a malicious device (a first technique for selective intelligent enforcement per location for mobile networks using a security platform, the security platform receives a first number of packets for inspection (e.g., a first few packets for a new flow) as shown at 242 for an incoming flow 246, see ¶ 0119);
in response to determining that the user equipment is associated with the malicious subscriber or comprises the malicious device, selecting an interface via which the radio resource connects to a user plane of the mobility network (If the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 224, see ¶ 0083); and
triggering activation of an interface-located firewall on the interface to monitor data exchanged via the interface (If the IMSI/SUPI to IP and/or IMEI/PEI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 224, see ¶ 0083).
Regarding claim 16, VERMA discloses the mobility network comprises a fifth generation cellular network, wherein the interface comprises an N3 interface, wherein the radio resource comprises a gNodeB, and wherein the user plane traffic occurs between at least two of the gNodeB, a user plane function, or a session management function that controls the user plane function (in the 5G architecture, the User Plane Protocol stack between access network and core over backbone network over N3 interface will be based on GPRS Tunnel Protocol User Plane (GTP-U). The Control Plane NFs in the 5G system architecture shall be based on the service-based architecture, see ¶ 0041, 0044, 0045, where access mechanisms 104, 016, 108, 101 of the network are in communication with 5G user plane functions 114a, see ¶ 0045 and figure 1).
Regarding claim 17, VERMA discloses where the mobility network comprises a fourth generation cellular network, wherein the interface comprises an S1-U interface, wherein the radio resource comprises an eNodeB, and wherein the user plane traffic occurs between at least two of the eNodeB, a serving gateway user plane function/packet data network gateway user plane function, or a serving gateway control plane function/packet data network gateway control plane function that controls the serving gateway user plane function/packet data network gateway user plane function (container-based firewalls can similarly be implemented and configured to perform the disclosed techniques) for providing enhanced security (e.g., over various interfaces, such as SGi and/or other interfaces in a 4G/LTE core network, and N3 interface (e.g., protected by Security Platform 102a as shown in FIG. 1) and/or N6 interface (e.g., protected by Security Platform 102c as shown in FIG. 1) and/or other interfaces in a 5G core network as shown in FIG. 1) in mobile networks (e.g., 4G/LTE, 5G, and/or later mobile networks) as further described below, see ¶ 0044, … 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Regarding claim 18, VERMA discloses the device identities comprise an international mobile equipment identity or a subscription permanent identifier, and wherein the subscriber identities comprise an international mobile subscriber identity (the security platform checks if an IP address(es) associated with the packets match a subscriber identity (e.g., IMSI and/or SUPI) and/or an equipment identity (e.g., IMEI and/or PEI) configured in a policy (e.g., selective intelligent enforcement (SIE) policy rules configured in the policy/security policy) as shown at 220, see ¶ 0083).
Regarding claim 19, VERMA discloses wherein the interface-located firewall is configured via firewall rules to determine, based on the data communications of the user equipment via the interface, if the user equipment should be blocked from communicating with the mobility network (5G mobile network environment that includes a Security Platform at various locations as shown at 102a, 102b, and 102c (e.g., the security function(s)/platform(s) can be implemented using a firewall (FW)/Next Generation Firewall (NGFW), a network sensor acting on behalf of the firewall, or another (virtual) device/component that can implement security policies using the disclosed techniques, see ¶ 0044).
Regarding claim 20, VERMA inherently discloses in response to determining that the user equipment should be blocked from communicating with the mobility network, the interface-located firewall reports a device identifier associated with the user equipment to a scrubbed IP domain service that controls the interface-located firewall, wherein the scrubbed IP domain service obtains the packet forwarding control protocol messages associated with the interface, and wherein the scrubbed IP domain service sends firewall rules to the interface-located firewall to control the interface-located firewall (inherent feature: 4G RAN 110 and 5G RAN 108 are in communication with 5G Core Control/Signaling Functions 118, which is in communication with 5G User Plane Functions 114b, see ¶ 0045).
Conclusion
Any response to this action should be mailed to:
The following address is for mail delivered by the United States Postal Service (USPS) only:
Mail Stop _____________
Commissioner for Patents
P. O. Box 1450
Alexandria, VA 22313-1450
or faxed to:
(571) 273-8300, (for formal communications intended for entry)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Bob A. Phunkulh whose telephone number is (571) 272-3083. The examiner can normally be reached on Monday-Thursday from 8:00 A.M. to 5:00 P.M. (first week of the bi-week) and Monday-Friday (for second week of the bi-week).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor CHARLES C. JIANG can be reached at (571) 270-7191.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/BOB A PHUNKULH/Primary Examiner, Art Unit 2412