Response to Amendments
Claims 44-45, 47-48, 50-54, and 58-59 are pending.
Claims 44-45, 47-48, 50-54, and 58-59 are rejected.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 44-45, 47-48, 50-54 and 58-59 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al (Pub. No.: US 2018/0227302 A1) in view of Grayson et al (Pub. No.: US 2021/0092645 A1) and Lear (Pub. No.: US 2021/0226995 A1).
As per claim 44, Lee discloses a method of authorization in a network node (Lee, Fig 4 for example: item 430 'SMF Component'), the method comprising:
- receiving, from an authorization node (third-party AAA component), an authorization indication indicating that a User Equipment (UE) is authorized to access a resource (Lee, paragraph [0094]: "…Third-party AAA component 445 may provide the UE 115 subscription profile to SMF component 430. In some aspects, the third-party AAA component 445 may provide UE 115 service authorization information to the SMF component 430. In some aspects, SMF component 430 may determine a session policy for the requested session based on at least one of the UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof"; paragraph [0097]: "…SMF component 430 may receive an indication from the third-party AAA component 445 that the UE 115 is authorized to establish the PDU session for the logical data network." The authorization indication can be part of one or more of the subscription profile, UE 115 service authorization information and the session policy);
- receiving, from the authorization node, an access indication indicating network access parameters for the UE to access the resource (Lee, paragraph [0094]: "Third-party AAA component 445 may provide the UE 115 subscription profile to SMF component 430. In some aspects, the third-party AAA component 445 may provide UE 115 service authorization information to the SMF component 430. In some aspects, SMF component 430 may determine a session policy for the requested session based on at least one of the UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof". The access indication can be part of one or more of the subscription profile, UE 115 service authorization information and the session policy);
- sending, to a further network node, a further access indication indicating the network access parameters (Lee, paragraph [0084]: "the SMF component 305 may in response to receiving the service session request message facilitate a subscription check by transmitting the service session request message to PCF component 245-a. The PCF component 245-a may transmit an indication to the SMF component 305 based on the subscription check. The indication may identify whether the UE is authorized to establish the PDU session". The transmitted session request message includes the further access indication indicating the network access parameters, and the further network node can be the PCF component 245-a); and
- receiving updated network access parameters from the further network node (Lee, paragraph [0084]: "The PCF component 245-a may transmit an indication to the SMF component 305 based on the subscription check. The indication may identify whether the UE is authorized to establish the PDU session". The indication identifying whether the UE is authorized to establish the PDU session can be the updated network access parameters).
Lee does not explicitly disclose the updated network access parameters comprising the indicated network access parameters merged at the further network node with pre-existing network access parameters. However, Grayson discloses the updated network access parameters comprising the indicated network access parameters merged at the further network node with pre-existing network access parameters (Grayson, Fig 2 step 208, paragraphs 0029, 0049, wherein At 208, PCF 102 combines the UE ATSSS Policy with one or more network-based policies (e.g., one or more subscription policies for the UE and/or one or more operator policies, which may be obtained from UDM 108 (not shown in FIG. 2)) to generate a combined ATSSS policy that includes one or more combined ATSSS rule(s) (or more generally, a combined access policy/rule(s)). Additional features associated with policy combining are discussed herein with reference to FIGS. 3A-3C).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate Grayson's teachings into Lee to achieve the claimed limitations, because this would have provided a way to manage multiple policies that may be applicable within mobile networking environments by combining/merging policies while avoiding conflicts, which increases efficient management of communication resources (see Grayson paragraphs 0003, 0016-0017).
Lee and Grayson do not explicitly disclose wherein the network access parameters comprise a Manufacturer Usage Description (MUD) file or a pointer to the MUD file. However, using MUD files is well known in the art. For example, Lear discloses wherein the network access parameters comprise a Manufacturer Usage Description (MUD) file or a pointer to the MUD file (Lear, Figs 1 and 3, paragraphs 0013, 0048, wherein this disclosure describes techniques for providing a manufacturer usage description (MUD) solution for installable software applications. The method includes MUD uniform resource identifiers (URIs) that could be included in the application metadata, embedded in the application binary, and/or embedded in the application code signing certificate. The MUD URIs could point to the MUD files that describe the application's network access requirements. The method further includes enabling a network policy server to discover the MUD URIs. The MUD URIs may be discovered based on extracting the MUD URIs from trusted applications and/or being provision with the set of MUD URIs for trusted applications. Further, the method includes enterprise wide policy and individual host policy for implementation of the MUD files).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate Lear's teachings into Lee and Grayson to achieve the claimed limitations, because this would have provided a way to give network administrators detailed information about a device's expected communication patterns, allowing precise network segmentation and security policies to be applied, thus minimizing the attack surface and enhancing overall network protection for IoT devices.
As per claim 45, claim 44 is incorporated and Lee further discloses wherein the authorization indication and the access indication are received in a message from the authorization node (Lee, paragraph 0094, 0097, wherein SMF component 430 may deliver authentication message exchanges between the UE 115 and third-party AAA component 445. In some examples, the authentication message exchanges may be delivered over a SM NAS connection between the UE 115 and the SMF component 430, and over an SM NAS connection between the SMF component 430 and the third-party AAA component 445);
As per claim 47, claim 44 is incorporated and Lee further discloses wherein one or both: the further access indication forwarded to the further network node is the same as the access indication received from the authorization node; and/or the further access indication of network access parameters comprises the network access parameters or a pointer to the network access parameters (Lee, Fig 4, paragraph 0071, wherein SMF component 230 may obtain session parameters or indication of services requested (e.g., establish a subscription with an eMBB slice, IoT slice, or a mission critical slice) by UE 115. SMF component 230 may determine the session parameters based on a UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof. PCF component 245 may store the UE 115 subscription profile. As a result, PCF component 245 may provide the UE 115 subscription profile associated with the data network or the service session to SMF component 230. In some aspects, SMF component 230 may determine a session policy for the requested session based on at least one of the UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof);
As per claim 48, claim 44 is incorporated and Lee further discloses wherein the further network node comprises a Session Management Function (SMF), Access and Mobility Management Function (AMF), Policy Control Function (PCF), or User Plane Function (UPF) (Lee, paragraph [0097]: "…SMF component 430 may receive an indication from the third-party AAA component 445 that the UE 115 is authorized to establish the PDU session for the logical data network."; the 'third-party AAA component' and 'SMF' correspond, respectively, to the 'authorization node' and 'network node' as claimed);
As per claim 50, claim 44 is incorporated and Lee further discloses wherein the network access parameters comprise a policy for access to the resource by the UE (Lee, paragraphs 0042, 0071, 0085, wherein each network slice may be associated with a different session authorization policy based on the subscription of the UE. For example, a UE may request to establish a subscription with an eMBB slice, Internet of Things (IoT) slice, or a mission critical slice. The AMF may apply a different session authorization policy on a PDU session associated with each of the subscriptions based on one or more subscription demands (e.g., security needs such as encryption and integrity protection algorithms, and security termination points). Alternatively, each slice may be related to a different session authorization policy based on an additional authentication or authorization of a third-party AAA server that enforces session policies. In some aspects, SMF component 230 may determine a session policy for the requested session based on at least one of the UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof. SMF component 230 may transmit the session policy in a session response message to UE 115. The SMF component 305 may perform a policy decision. To perform the policy decision, SMF component 305 may obtain one or more session parameters requested by UE 115. Subsequent to obtaining the session parameters, SMF component 305 may determine session parameters based on UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof. As a result, SMF component 305 may determine a session policy for the service session request message);
As per claim 51, claim 50 is incorporated and Lee further discloses applying the policy for access to the resource by the UE (Lee, paragraphs 0042, 0071, 0085, wherein each network slice may be associated with a different session authorization policy based on the subscription of the UE. For example, a UE may request to establish a subscription with an eMBB slice, Internet of Things (IoT) slice, or a mission critical slice. The AMF may apply a different session authorization policy on a PDU session associated with each of the subscriptions based on one or more subscription demands (e.g., security needs such as encryption and integrity protection algorithms, and security termination points). Alternatively, each slice may be related to a different session authorization policy based on an additional authentication or authorization of a third-party AAA server that enforces session policies. In some aspects, SMF component 230 may determine a session policy for the requested session based on at least one of the UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof. SMF component 230 may transmit the session policy in a session response message to UE 115. The SMF component 305 may perform a policy decision. To perform the policy decision, SMF component 305 may obtain one or more session parameters requested by UE 115. Subsequent to obtaining the session parameters, SMF component 305 may determine session parameters based on UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof. As a result, SMF component 305 may determine a session policy for the service session request message);
As per claim 52, claim 44 is incorporated and Lee further discloses wherein the authorization indication and the access indication are received in response to an authorization request from the UE to the authorization node to access the resource (Lee, paragraph 0045, 0068, 0073, wherein Network device 105 may receive a session request message from UE 115 to establish a session for a logical data network. The session request message may include one or more session parameters. UE 115 may transmit a session request message to establish a session with one or more logical data networks of the group of logical data networks 225. In some examples, the session may be a PDU session with one or more of the logical data networks 225. In some aspects, UE 115 and SMF component 230 may establish a session management (SM) non-access stratum (NAS) security connection, and the UE 115 may transmit the session request message over the established SM NAS security connection. UE 115 may, additionally, integrity protect the session request message. SMF component 230 may generate an authorization token using the SMF key. In some examples, SMF component 230 may generate the authorization token based on a session request parameter. The session request parameter may be transmitted and be part of the session request message);
As per claim 53, claim 52 is incorporated and Lee further discloses forwarding the authorization request from the UE to the authorization node (Lee, paragraph 0045, 0068, 0073, wherein Network device 105 may receive a session request message from UE 115 to establish a session for a logical data network. The session request message may include one or more session parameters. UE 115 may transmit a session request message to establish a session with one or more logical data networks of the group of logical data networks 225. In some examples, the session may be a PDU session with one or more of the logical data networks 225. In some aspects, UE 115 and SMF component 230 may establish a session management (SM) non-access stratum (NAS) security connection, and the UE 115 may transmit the session request message over the established SM NAS security connection. UE 115 may, additionally, integrity protect the session request message. SMF component 230 may generate an authorization token using the SMF key. In some examples, SMF component 230 may generate the authorization token based on a session request parameter. The session request parameter may be transmitted and be part of the session request message);
As per claim 54, claim 52 is incorporated and Lee further discloses wherein: the authorization request is an Extensible Authentication Protocol (EAP) authorization request (Lee, paragraph 0097, wherein in some examples, the SMF key may be transmitted based an extensible authentication protocol (EAP). The third-party AAA component 445 may also transmit a master session key to the SMF component 430 based on a successful EAP authentication). Lear further discloses sending the authorization request to the authorization node in a Diameter Protocol message or a Remote Authentication Dial-In User Service (RADIUS) Protocol message. However, using a Diameter Protocol message or a Remote Authentication Dial-In User Service (RADIUS) Protocol message as claimed is well known in the art. For example, Schneider discloses sending the authorization request to the authorization node in a Diameter Protocol message or a Remote Authentication Dial-In User Service (RADIUS) Protocol message (Lear, paragraph 0048, wherein the standard to communicate with the AAA services is the Remote Authentication Dial-In User Service (RADIUS). In some instance, the system may encapsulate the MUD URIs in a Radius packet, and sends it to the authenticator component 212. The authenticator component 212 may passes this URI onto the MUD controller component 214.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate Schneider's teachings into Lee and Grayson to achieve the claimed limitations, because this would have provided flexibility to support various authentication methods and simplified administration.
Claims 58-59 are rejected under the same rationale as claims 44-45, 47-54.
Response to Arguments
Applicant's arguments filed on 10/09/2025 have been fully considered but they are not persuasive. Applicant argues in remarks:
(1) What Lear completely fails to disclose or suggest is “receiving, from the authorization node, an access indication indicating network access parameters for the UE to access the resource, the network access parameters comprising a Manufacturer Usage Description (MUD) file or a pointer to the MUD file” as recited in amended independent Claims 44 and 58. Rather, Lear states in ¶ [0013] that the MUD URI is included in the application metadata and is extracted from the applications by a network policy server. However, the claimed solution, as recited in amended independent Claims 44 and 58, obtains the MUD from the authorization node, which is not taught in Lear, or Lee and Grayson, whether considered alone or in combination. As described in the Specification of the present Application, on page 8 lines 25-30, traditional MUD would have the UE provide a URL to the MUD file and that would have to be integrated somehow into existing signaling between the UE and network, i.e., changes made to the UE and protocols. The claimed approach has data or indications included in one or more existing messages, and/or furthermore may obtain network access parameters (or pointers thereto) from sources other than the UE itself. Thus, as disclosed in page 8 line 32 to page 9 line 4, in contrast to the disclosure of Lear, Applicant’s claimed solution has moved the control of network access parameters such as a MUD file to the network, and devices such as MUD devices will always have the correct MUD applied, in accordance with network policy. Lear does not describe such an arrangement nor provide its benefits.
(1) Examiner respectfully disagrees.
First, Lear alone was not used to teach “receiving, from the authorization node, an access indication indicating network access parameters for the UE to access the resource, the network access parameters comprising a Manufacturer Usage Description (MUD) file or a pointer to the MUD file”. Instead, Lear was used to show that using MUD files is well known in the art.
Second, the primary reference Lee, as explained in the rejection of claim 1, discloses receiving, from the authorization node, an access indication indicating network access parameters for the UE to access the resource (Lee, paragraph [0094]: "Third-party AAA component 445 may provide the UE 115 subscription profile to SMF component 430. In some aspects, the third-party AAA component 445 may provide UE 115 service authorization information to the SMF component 430. In some aspects, SMF component 430 may determine a session policy for the requested session based on at least one of the UE 115 subscription profile, a logical data network policy, a third-party authorization, or any combination thereof". The access indication can be part of one or more of the subscription profile, UE 115 service authorization information and the session policy). Thus, Lee teaches an access indication indicating network access parameters (one or more of the subscription profile, UE 115 service authorization information and the session policy) that are received from Third-party AAA component 445. Lee is only missing that these access parameters comprise a Manufacturer Usage Description (MUD) file or a pointer to the MUD file.
Examiner's position is that, since MUD files are well known in the art as shown by Lear, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Lee and Grayson such that one or more of the subscription profile, UE 115 service authorization information and the session policy, provided by the AAA component 445, include a MUD file or a pointer to the MUD file, because this would have provided a way to give network administrators detailed information about a device's expected communication patterns, allowing precise network segmentation and security policies to be applied, thus minimizing the attack surface and enhancing overall network protection for IoT devices.
Third, Lear discloses that the AAA component (authorization node) provides MUD URIs. Fig 1 arrow 124 and/or Fig 3 arrow 306 show MUD URIs provided by Server device(s) 102(1). Server device(s) 102(1) includes the AAA component and thus can be viewed as the authorization node. For example, Lear, Fig 2, shows that Server device(s) 102(1) includes authenticator component 212. Paragraph 0048 states: “The authenticator component 212 may implement functionality to provide authentication, authorization, and accounting (AAA) services. The authenticator component 212 includes handling user requests for access to computer resources and, for an enterprise networks, provides AAA services. The AAA services typically interacts with network access and gateway servers and with databases and directories containing user information. The standard to communicate with the AAA services is the Remote Authentication Dial-In User Service (RADIUS). In some instance, the system may encapsulate the MUD URIs in a Radius packet, and sends it to the authenticator component 212. The authenticator component 212 may passes this URI onto the MUD controller component 214.”
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMZA N ALGIBHAH whose telephone number is (571)270-7212. The examiner can normally be reached 7:30 am - 3:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wing Chan can be reached at (571) 272-7493. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HAMZA N ALGIBHAH/Primary Examiner, Art Unit 2441