INTELLIGENT SECURITY FOR ZERO TRUST IN MOBILE NETWORKS WITH SECURITY PLATFORMS USING A DIAMETER PROTOCOL OR A RADIUS PROTOCOL

§103 §DP

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . The following is a Final Office action in response to communications received on 12/18/2025. Terminal Disclaimer The terminal disclaimer filed on 12/16/2025 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of any patent granted on Application Number 18/525342 has been reviewed and is accepted. The terminal disclaimer has been recorded. Response to Amendment Claims 2, 13, 17, and 20 have been cancelled. Claims 1, 8-11, 14, 16, and 19 have been amended. Claims 1, 3-12, 14-16, and 18-19 have been examined. The double patenting rejection of the claims over the claims of co-pending application 18/525342 is withdrawn in light of the terminal disclaimer. Applicant’s arguments with respect to claims 1, 16, and 19 regarding the new limitations: “wherein the determining of the meta information comprises to: extract the meta information from the Radius protocol and/or the Diameter protocol, wherein the meta information includes the following: subscriber-ID, equipment-ID, and User Equipment (UE) IP, wherein the subscriber-ID includes one or more of the following: International Mobile Subscription Identity (IMSI) and/or Subscription Permanent Identifier (SUPI), wherein the equipment-ID includes one or more of the following: International Mobile Equipment Identity (IMEI) and/or Permanent Equipment Identifier (PEI), wherein the UE IP includes IPv4 address of UE, IPv6 Prefix assigned to UE, and Access Point Name (APN)”, have been considered but are moot in view of the new ground of rejection presented in the current office action. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1, 3-12, 14-16, and 18-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11979746 in view of US 20190253389 to Verma et al (hereinafter Verma) and US 20130322327 to Jorgensen et al (hereinafter Jorgensen). Instant application U.S. Patent No. 11979746 1. (Currently Amended) A system, comprising: a processor configured to: monitor network traffic on a mobile network at a Security Platform to identify a new session, wherein the Security Platform is located at a perimeter of the mobile network; determine meta information associated with the new session by extracting the meta information from the network traffic via one or more interfaces, wherein the network traffic includes one or more of the following: a Radius protocol and a Diameter protocol, wherein the determining of the meta information comprises to: extract the meta information from the Radius protocol and/or the Diameter protocol, wherein the meta information includes the following: subscriber-ID, equipment-ID, and User Equipment (UE) IP, wherein the subscriber-ID includes one or more of the following: International Mobile Subscription Identity (IMSI) and/or Subscription Permanent Identifier (SUPI), wherein the equipment-ID includes one or more of the following: International Mobile Equipment Identity (IMEI) and/or Permanent Equipment Identifier (PEI), wherein the UE IP includes IPv4 address of UE, IPv6 Prefix assigned to UE, and Access Point Name (APN); and enforce a security policy on the new session at the Security Platform based on the meta information to apply context-based security in the mobile network; and a memory coupled to the processor and configured to provide the processor with instructions. 6. (Original) The system recited in claim 1, wherein the meta information includes International Mobile Subscription Identity (IMSI) information. 8. (Currently Amended) The system recited in claim 1, wherein the meta information includes the IMEI information and the PEI information. 9. (Currently Amended) The system recited in claim 1, wherein the meta information includes Single Network Slice Selection Assistance Information (S-NSSAI) information. 10. (Currently Amended) The system recited in claim 1, wherein the meta information includes Data Network Name (DNN) information. 11. (Currently Amended) The system recited in claim 1, wherein the meta information includes Radio Access Technology (RAT) Type information. 12. (Original) The system recited in claim 1, wherein the meta information includes user location information. 1. A system, comprising: a processor configured to: monitor network traffic in a core mobile network using a security platform executed on a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications; extract meta information associated with the new session using the security platform executed on the network element in the core mobile network; claim 7: The system recited in claim 1, wherein the meta information includes subscriber identity and/or equipment identity information. Claim 8: The system recited in claim 1, wherein the meta information includes access point name (APN) and/or data network name (DNN) information. claim 1: apply selective intelligent enforcement using the security platform if the extracted meta information associated with the new session matches a selective intelligent enforcement policy, …; and a memory coupled to the processor and configured to provide the processor with instructions. 7. The system recited in claim 1, wherein the meta information includes subscriber identity and/or equipment identity information. 7. The system recited in claim 1, wherein the meta information includes subscriber identity and/or equipment identity information. 6. The system recited in claim 1, wherein the meta information includes network slice information. 8. The system recited in claim 1, wherein the meta information includes access point name (APN) and/or data network name (DNN) information. 10. The system recited in claim 1, wherein the meta information includes radio access technology (RAT) information. 9. The system recited in claim 1, wherein the meta information includes location information. In claim 1, U.S. Patent No. 11979746 does not teach: wherein the Security Platform is located at a perimeter of the mobile network; wherein the network traffic includes one or more of the following: a Radius protocol and a Diameter protocol, wherein the determining of the meta information comprises to: extract the meta information from the Radius protocol and/or the Diameter protocol; and wherein the UE IP includes IPv4 address of UE, IPv6 Prefix assigned to UE. However, Verma teaches: wherein the Security Platform is located at a perimeter of the mobile network (Verma: [0064]: communications can be monitored using security platforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G as shown in FIG. 1B (e.g., the security platforms can be located at various locations/interfaces within EPC 170). As seen in fig. 1B, security platforms 156A and 156B are located at the perimeter of the EPC 170); wherein the network traffic includes one or more of the following: a Radius protocol and a Diameter protocol, wherein the determining of the meta information comprises to: extract the meta information from the Radius protocol and/or the Diameter protocol (Verma: [0053]: the security platform (e.g., a next generation firewall (NGFW)) monitors Diameter signaling traffic. [0076]: In one embodiment, various information/parameters, such as further described below, can be extracted from such Diameter messages/session traffic based on a security policy. [0078]: For example, the security platform can monitor GTP-C messages and extract the location, hardware identity (e.g., IMEI), subscriber identity (e.g., IMSI), and/or radio access technology (RAT) from the Create Session Request message). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Verma in the invention of U.S. Patent No. 11979746 to include the above limitations. The motivation to do so would be to apply a security policy based on the extracted/monitored information and/or in combination with packet content inspection of Diameter network protocol traffic (Verma: [0076]). And, Jorgensen teaches: wherein the UE IP includes IPv4 address of UE, IPv6 Prefix assigned to UE (Jorgensen: [0053]: DRA 142 may be an intelligent Diameter Routing Agent. [0121] Method 900 may begin in step 905 and proceed to step 910 where the DRA may identify one or more subscriber identifiers carried by the received Diameter message. For example, the DRA may extract an IPv4 address, and IPv6 address, and an APN from the Diameter message. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that an IPv6 address includes an IPv6 prefix. Also, [0058]-[0061]); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Jorgensen in the invention of U.S. Patent No. 11979746 in view of Verma to include the above limitations. The motivation to do so would be to enable robust and dynamic handling of various Diameter messages at a diameter routing agent (Jorgensen: [0129]).. Claim Objections Claims 1, 16, and 19 are objected to because of the following informalities: the claims recite: subscriber-ID, equipment-ID, and User Equipment (UE) IP. Expanded versions of “ID” and “IP” are missing. Appropriate correction is required. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action. Claims 1, 3-6, 11, 12, 14-16, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20190253389 to Verma et al (hereinafter Verma) and US 20130322327 to Jorgensen et al (hereinafter Jorgensen). As per claim 1, 16, and 19, Verma teaches: A system, comprising: a processor configured to: monitor network traffic on a mobile network at a Security Platform to identify a new session, wherein the Security Platform is located at a perimeter of the mobile network (Verma: [0040]: the security platform is configured to monitor traffic in the mobile core/service provider's core network. [0064]: communications can be monitored using security platforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G as shown in FIG. 1B (e.g., the security platforms can be located at various locations/interfaces within EPC 170). As seen in fig. 1B, security platforms 156A and 156B are located at the perimeter of the EPC 170. [0077] As shown in FIG. 2B, a Create Session Request message is sent from MME 252 to SGW 254 as shown at 260 and then from SGW 254 to PGW 256 as shown at 262. [0168]: Flow 708 identifies the packets as being part of a new session and creates a new session flow); determine meta information associated with the new session by extracting the meta information from the network traffic via one or more interfaces, wherein the network traffic includes one or more of the following: a Radius protocol and a Diameter protocol (Verma: [0053]: the security platform (e.g., a next generation firewall (NGFW)) monitors Diameter signaling traffic. [0076] Referring to FIG. 2B, various Diameter messages are sent from MME 252 to Home Subscriber Server (HSS) 258 and Equipment Identity Register (EIR) 274, as well as between PGW 256 and PCRF 276 as shown at 264. In one embodiment, various information/parameters (meta information), such as further described below, can be extracted from such Diameter messages/session traffic based on a security policy. [0076]-[0077]), wherein the determining of the meta information comprises to: extract the meta information from the Radius protocol and/or the Diameter protocol, wherein the meta information includes the following: subscriber-ID, equipment-ID, and User Equipment (UE) IP, wherein the subscriber-ID includes one or more of the following: International Mobile Subscription Identity (IMSI) and/or Subscription Permanent Identifier (SUPI), wherein the equipment-ID includes one or more of the following: International Mobile Equipment Identity (IMEI) and/or Permanent Equipment Identifier (PEI) (Verma: [0078]: For example, the security platform can monitor GTP-C messages and extract the location, hardware identity (e.g., IMEI), subscriber identity (e.g., IMSI), and/or radio access technology (RAT) from the Create Session Request message), and enforce a security policy on the new session at the Security Platform based on the meta information to apply context-based security in the mobile network (Verma: [0040]: the security platform can be configured to dynamically apply security policy per IP flow for wireless devices by monitoring signaling traffic. [0168]: policy enforcement (e.g., policies can include one or more rules, which can be specified using domain and/or host/server names, and rules can apply one or more signatures or other matching criteria or heuristics, such as for security policy enforcement for subscriber/IP flows on service provider networks based on various extracted parameters/information from monitored GTP-C messages and/or packet content inspection of monitored GTP-U, SCTP, Diameter over SCTP, SIGTRAN, SCCP, and/or layer 7/application layer signaling traffic, including CAP, MAP, and/or INAP traffic as disclosed herein) is applied as described herein. [0202] At 1108, enforcing the security policy using the security platform is performed); and a memory coupled to the processor and configured to provide the processor with instructions (Verma: [0025]: a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor). Verma does not teach: wherein the meta information includes the following: User Equipment (UE) IP, wherein the UE IP includes IPv4 address of UE, IPv6 Prefix assigned to UE, and Access Point Name (APN). However, Jorgensen teaches: wherein the meta information includes the following: User Equipment (UE) IP, wherein the UE IP includes IPv4 address of UE, IPv6 Prefix assigned to UE, and Access Point Name (APN) (Jorgensen: [0053]: DRA 142 may be an intelligent Diameter Routing Agent. [0121] Method 900 may begin in step 905 and proceed to step 910 where the DRA may identify one or more subscriber identifiers carried by the received Diameter message. For example, the DRA may extract an IPv4 address, and IPv6 address, and an APN from the Diameter message. It was well known to one of ordinary skill in the art before the effective filing date of the claimed invention that an IPv6 address includes an IPv6 prefix. Also, [0058]-[0061]); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Jorgensen in the invention of Verma to include the above limitations. The motivation to do so would be to enable robust and dynamic handling of various Diameter messages at a diameter routing agent (Jorgensen: [0129]). As per claims 3 and 18, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the Security Platform is located at the one or more interfaces at the perimeter of the mobile network (Verma: [0064]: communications can be monitored using security platforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G as shown in FIG. 1B (e.g., the security platforms can be located at various locations/interfaces within EPC 170). As seen in fig. 1B, security platforms 156A and 156B are located at the perimeter of the EPC 170). As per claim 4, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the Security Platform is located at the one or more interfaces at the perimeter of the mobile network selected from one or more of the following interfaces: SGi, N6,Gx, Gy, and Sd (Verma: [0064]: communications can be monitored using security platforms 152, 156A, 156B, 156C, 156D, 156E, 156F, and/or 156G as shown in FIG. 1B (e.g., the security platforms can be located at various locations/interfaces within EPC 170). [0198] The process begins at 1102. At 1102, monitoring Diameter protocol traffic (e.g., the Diameter protocol refers to an Authentication, Authorization, and Accounting (AAA) protocol, and Diameter applications such as S6a/S6d, S9, Gx extend the functionality of Diameter base protocol for mobile network specific use cases) on a service provider network at a security platform is performed). As per claim 5, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the meta information includes User Equipment (UE) IP information (Verma: [0045] In one embodiment, a security platform (e.g., a firewall, a network sensor acting on behalf of the firewall, or another device/component that can implement security policies) is configured to use existing 3GPP to dynamically apply security policies (e.g., granular security policies, which can be applied per subscriber (e.g., IMSI)/IP in real-time, per mobile device (e.g., IMEI)/IP in real-time). As per claim 6, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the meta information includes International Mobile Subscription Identity (IMSI) information (Verma: [0068]: extract the subscriber identity (e.g., IMSI)). As per claim 11, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the meta information includes Radio Access Technology (RAT) Type information (Verma: [0068]: extract the radio access technology (RAT)). As per claim 12, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the meta information includes user location information (Verma: [0068]: extract the location). As per claim 14, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the Security Platform is configured with a plurality of security policies to apply vulnerability protection, intrusion prevention, antivirus, antispyware, Domain Name System (DNS) security, denial of service (DoS) protection, and/or cloud-based security (Verma: [0039]: the disclosed techniques facilitate applying security policies based on an application, IP address, content ID, subscriber location,… to solve signaling security problems and facilitate enhanced security on service provider networks (e.g., throttling specific messages/traffic to prevent/mitigate denial of service (DoS) attacks or to counter other attacks/vulnerabilities in one or more signaling protocols), and/or any combination thereof using next generation firewalls on service provider networks). As per claim 15, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the processor is further configured to: block the new session from accessing a resource based on the security policy (Verma: [0202]: For example, the security platform can block a message filtered in the Diameter protocol traffic or a lower/higher layer of signaling traffic based on the security policy). Claims 7-10 are rejected under 35 U.S.C. 103 as being unpatentable over Verma in view of Jorgensen as applied to claim 1 above, and further in view of prior art of record US 20200128399 to Verma et al (hereinafter Verma’399). As per claim 7, Verma in view of Jorgensen does not teach the limitations of claim 7. However, Verma’399 teaches: wherein the meta information includes Subscription Permanent Identifier (SUPI) information (Verma’399: [0059]: using a security platform by parsing HTTP/2 messages to extract the Subscription Permanent Identifier (SUPI) information in mobile networks for service providers). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Verma’399 in the invention of Verma in view of Jorgensen to include the new limitations. The motivation to do so would be to provide service-based security per Subscription Permanent Identifier (SUPI) in mobile networks (Verma’399: [0065]). As per claim 8, Verma in view of Jorgensen teaches: The system recited in claim 1, wherein the meta information includes the IMEI information (Verma: [0068]: extract the hardware identity (e.g., IMEI)). Verma in view of Jorgensen does not teach: wherein the meta information includes the PEI information. However, Verma’399 teaches: wherein the meta information includes the PEI information (Verma’399: [0072]. [0147]: In one embodiment, the disclosed techniques perform inspection of signaling/control traffic in service provider networks, such as HTTP/2 traffic, to extract information exchanged in the HTTP/2 traffic (e.g., parameters, such as …, Permanent Equipment Identifier (PEI), etc.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Verma’399 in the invention of Verma in view of Jorgensen to include the new limitations. The motivation to do so would be to provide service-based security per Permanent Equipment Identifier (PEI) (Verma’399: [0069]). As per claim 9, Verma in view of Jorgensen does not teach the limitations of claim 9. However, Verma’399 teaches: wherein the meta information includes Single Network Slice Selection Assistance Information (S-NSSAI) information (Verma’399: [0146]: the security platform can monitor these messages and extract the Nsmf_PDUSession_CreateSMContext Request message and/or other messages to obtain network slice information (e.g., S-NSSAI). [0147]: In one embodiment, the disclosed techniques perform inspection of signaling/control traffic in service provider networks, such as HTTP/2 traffic, to extract information exchanged in the HTTP/2 traffic (e.g., parameters, such as Network Slice information, etc.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Verma’399 in the invention of Verma in view of Jorgensen to include the new limitations. The motivation to do so would be to provide network slice-based security in mobile networks (Verma’399: [0039]). As per claim 10, Verma in view of Jorgensen does not teach the limitations of claim 10. However, Verma’399 teaches: wherein the meta information includes Data Network Name (DNN) information (Verma’399: [0087]: using a security platform by parsing HTTP/2 messages to extract the Data Network Name (DNN) information in mobile networks for service providers. [0147]: In one embodiment, the disclosed techniques perform inspection of signaling/control traffic in service provider networks, such as HTTP/2 traffic, to extract information exchanged in the HTTP/2 traffic (e.g., parameters, such as …, Data Network Name (DNN), etc.). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Verma’399 in the invention of Verma to include the above limitations. The motivation to do so would be to provide service-based security per Data Network Name (DNN) in mobile networks (Verms’399: [0093]). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-4:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. MADHURI R. HERZOG Primary Examiner Art Unit 2438 /MADHURI R HERZOG/Primary Examiner, Art Unit 2438