DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 17 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 17 uses the word “may,” which renders the claim unclear and indefinite because it is uncertain whether the limitation that follows is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 16 and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20200021609 to Kuppanna et al (hereinafter Kuppanna).
As per claim 16, Kuppanna teaches:
A non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system including a processor, facilitate performance of operations, the operations comprising:
receiving information about a subscriber device in a mobility network (Kuppanna: [0012] The sensor enforcer nodes/devices and enforcement nodes/devices may be, and in some embodiments are, firewall devices and SBC devices deployed at access points on the edge of the communication system. [0060]: Sensor 216′ is located so as to sense information concerning UE 310 and sensor 216″ is located so as to sense information concerning UE 312);
communicating, to an edge node, information to establish at the edge node a local dynamic firewall for the subscriber device (Kuppanna: [0012] The sensor enforcer nodes/devices and enforcement nodes/devices may be, and in some embodiments are, firewall devices and SBC devices deployed at access points on the edge of the communication system. [0066]: sensors and sensor enforcer nodes can non-intrusively monitor, collect and provide information (e.g., call record reports (CDRs) on the Unified Communications traffic to the node(s) executing threat detection and mitigation application(s). [0067]: nodes or components of the above mentioned systems are implemented within one or more virtual machines. The containers instantiated within the virtual machines are completely dynamic);
receiving, from the edge node, information about communication activities of the subscriber device (Kuppanna: [0061] As the UC flow starts, the context engine 106 becomes aware of the flow via information/data communicated to the context engine 106 from the sensors 216′ and 216″. Also, [0097]);
identifying a security threat to the subscriber device, wherein the identifying the security threat is responsive to the information about communication activities of the subscriber device and information about other security threats identified in the mobility network (Kuppanna: [0103] In sub-step 1014, the first node detects one or more sets of the following traffic instances corresponding to a subscriber or a device (e.g., endpoint device): (i) mismatches in traffic characteristics corresponding to the subscriber or the device (e.g., traffic belonging to or corresponding to a single subscriber or user equipment device having average call duration (ACD) traffic characteristics indicative of an enterprise system or private branch exchange (PBX), etc. [0104] In sub-step 1016, the first node determines if the first set of traffic instances contains a set of characteristics or patterns that match a set of characteristics or patterns which are indicative of a threat of the first type.);
determining a threat response for the subscriber device, wherein the threat response is intended to avoid malicious effects of the security threat to the subscriber device (Kuppanna: [0108] In step 1024, the first node notifies an operator of the communications system of the first threat. [0112]: In step 1034, in response to detecting an operator indicated action to be taken in response to the first threat of the first type, the communications system implements the operator indicated action. Step 1034 in some embodiments includes one or more of the sub-steps 1036, 1038, and 1040. In sub-step 1036, a policy change to be implemented to enforce the operator indicated action is determined. In sub-step 1038, the policy change is communicated to one or more enforcement nodes and/or sensor enforcer nodes); and
communicating information about the threat response to the subscriber device (Kuppanna: [0198], [0246]: wherein said action in response to said first threat is one of the following: restrict one or more user privileges corresponding to one or more users (e.g., restrict a user's access to one or more services and/or servers based on one or more IDs (e.g., SIP identifier, IMS identifier, telephone number, address of record (AOR) corresponding to the user), revoke privileges corresponding to an endpoint device (e.g., UE device (e.g., revoke a SIP registration corresponding a UE device)), restrict one or more privileges corresponding to a one or more endpoint devices (e.g., restrict a UE device's access to one or more services and/or servers (e.g., application servers))).
As per claim 19, Kuppanna teaches:
The non-transitory machine-readable medium of claim 16, wherein the operations further comprise: retrieving a security profile for the subscriber device; and determining the threat response for the subscriber device based on the security profile (Kuppanna: [0049]: Stored in the policy element 108 database system are user defined policies, essentially the instructions that tailor the decision process of the context engine 106. The stored policies being instructions or rules used by the context engine 106 to make decisions based on data/information received from sensors in the system and generate enforcement instructions which are communicated to and enforced at one or more enforcement points in the system. [0234]: a set of characteristics learned adaptively by the application for threat detection and mitigation (e.g., by generating a traffic pattern profile for a user or device and detecting when traffic corresponding to the user or the device is not in conformance with said generated traffic pattern profile for said user or said device. [0246]: wherein said action in response to said first threat is one of the following: restrict one or more user privileges corresponding to one or more users (e.g., restrict a user's access to one or more services and/or servers based on one or more IDs (e.g., SIP identifier, IMS identifier, telephone number, address of record (AOR) corresponding to the user), revoke privileges corresponding to an endpoint device (e.g., UE device (e.g., revoke a SIP registration corresponding a UE device)), restrict one or more privileges corresponding to a one or more endpoint devices (e.g., restrict a UE device's access to one or more services and/or servers (e.g., application servers))).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kuppanna and US 9705914 to Di Pietro et al (hereinafter Pietro).
As per claim 17, Kuppanna teaches:
The non-transitory machine-readable medium of claim 16, wherein the operations further comprise: collecting threat information from available sources about possible security threats in the mobility network (Kuppanna: [0113]: In step 1042, the first node stores information about the first threat of the first type and any action taken in response to the first threat of the first type in a storage device included in the first node or coupled to the first node, e.g., memory or database storage system); and based on the threat information, identifying security threats that may affect protected devices including the subscriber device (Kuppanna: [0116] In step 1050, a second set of traffic data is processed at the first node. The second set of traffic data including information about system traffic corresponding to a second time period occurring after said first time period. [0117]: In some embodiments, step 1052 includes the sub-step of determining if the first set of traffic instances contains a set of characteristics or patterns that match a set of characteristics or patterns which are indicative of a threat of the first type and when the second set of traffic instances does contain a set of characteristics or patterns that match a set of characteristics or patterns which are indicative of a threat of the first type it determines that a second threat of the first type has been detected. [0174]-[0175]).
Kuppanna does not teach: implementing a machine learning or artificial intelligence (ML/AI) function. However, Pietro teaches:
implementing a machine learning or artificial intelligence (ML/AI) function (Pietro: column 7, lines 60-65: ANN based classification provides an excellent means of detecting well-known attacks and discriminating attack-related traffic from normal traffic. In particular, once the attack behavior is described in a well labelled dataset, the ANN is able to correctly recognize it).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pietro in the invention of Kuppanna to include the above limitations. The motivation to do so would be to improve the reliability of a learning machine-based attack detection mechanism (Pietro: column 8, lines 28-29).
As per claim 18, Kuppanna in view of Pietro teaches:
The non-transitory machine-readable medium of claim 17, wherein the operations further comprise: receiving additional information about subsequently occurring security threats to protected devices; and updating the ML/AI function based on the additional information to maintain currency for the ML/AI function (Pietro: column 8, lines 14-30: The techniques herein allow identification of unrecognized behaviors that were not described and/or known in the training data set used to train a machine learning classifier (e.g., an ANN, etc.). If the model detects that an unexpected behavior is being observed, the associated data may be redirected to a central entity which recomputes (updates) the classifier by accounting for the new observed behavior).
The examiner relies on the same rationale for combining Kuppanna and Pietro as set forth for claim 17 above.
Claims 1, 2, 7, 8, 10, 11, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Kuppanna and US 20240283826 to Ganguli et al (hereinafter Ganguli).
As per claim 1, Kuppanna teaches:
A method, comprising:
instantiating, by a processing system including a processor, a local firewall module at a network node of a mobility network, the network node providing communication services to a service area (Kuppanna: [0012] The sensor enforcer nodes/devices and enforcement nodes/devices may be, and in some embodiments are, firewall devices and SBC devices deployed at access points on the edge of the communication system. [0066]: sensors and sensor enforcer nodes can non-intrusively monitor, collect and provide information (e.g., call record reports (CDRs) on the Unified Communications traffic to the node(s) executing threat detection and mitigation application(s). [0067]: nodes or components of the above mentioned systems are implemented within one or more virtual machines. The containers instantiated within the virtual machines are completely dynamic);
detecting, by the processing system, communication activity of the subscriber device (Kuppanna: [0060]: Sensor 216′ is located so as to sense information concerning UE 310 and sensor 216″ is located so as to sense information concerning UE 312);
communicating, by the processing system, information about the communication activity of the subscriber device to the central firewall controller (Kuppanna: [0061] As the UC flow starts, the context engine 106 becomes aware of the flow via information/data communicated to the context engine 106 from the sensors 216′ and 216″. [0097] In step 1004, a first node of the communications system (central firewall controller), e.g., node 1 810, executing a first application for threat detection and mitigation processes a first set of traffic data including information about system traffic corresponding to a first period of time wherein one or more pieces of data in the first data set are provided by sensors and/or sensor enforcer nodes monitoring traffic in the communications system. [0102] In step 1012 shown on FIG. 10B, the first node detects, based on the first set of traffic data, a first set of traffic instances which are found to be a first threat of a first type. [0103] In sub-step 1014, the first node detects one or more sets of the following traffic instances corresponding to a subscriber or a device (e.g., endpoint device));
receiving, by the processing system, information defining a threat response from the central firewall controller, the information defining the threat response determined by the central firewall controller responsive to the communication activity of the subscriber device and additional information related to possible security threats collected by the central firewall controller (Kuppanna: [0103] In sub-step 1014, the first node detects one or more sets of the following traffic instances corresponding to a subscriber or a device (e.g., endpoint device): (i) mismatches in traffic characteristics corresponding to the subscriber or the device (e.g., traffic belonging to or corresponding to a single subscriber or user equipment device having average call duration (ACD) traffic characteristics indicative of an enterprise system or private branch exchange (PBX), etc. [0104] In sub-step 1016, the first node determines if the first set of traffic instances contains a set of characteristics or patterns that match a set of characteristics or patterns which are indicative of a threat of the first type. [0108] In step 1024, the first node notifies an operator of the communications system of the first threat. [0112]: In step 1034, in response to detecting an operator indicated action to be taken in response to the first threat of the first type, the communications system implements the operator indicated action. Step 1034 in some embodiments includes one or more of the sub-steps 1036, 1038, and 1040. In sub-step 1036, a policy change to be implemented to enforce the operator indicated action is determined. In sub-step 1038, the policy change is communicated to one or more enforcement nodes and/or sensor enforcer nodes); and
modifying, by the processing system, communication activities of the subscriber device based on the information defining the threat response from the central firewall controller (Kuppanna: [0112]: In sub-step 1036, a policy change to be implemented to enforce the operator indicated action is determined. In sub-step 1040, the policy change is enforced at enforcement nodes and/or sensor enforcer nodes of the communications system. [0198], [0246]: wherein said action in response to said first threat is one of the following: restrict one or more user privileges corresponding to one or more users (e.g., restrict a user's access to one or more services and/or servers based on one or more IDs (e.g., SIP identifier, IMS identifier, telephone number, address of record (AOR) corresponding to the user), revoke privileges corresponding to an endpoint device (e.g., UE device (e.g., revoke a SIP registration corresponding a UE device)), restrict one or more privileges corresponding to a one or more endpoint devices (e.g., restrict a UE device's access to one or more services and/or servers (e.g., application servers))).
Kuppanna does not teach: detecting, by the processing system, presence of a subscriber device in the service area; retrieving, by the processing system, a subscriber profile for the subscriber device from a central firewall controller, wherein the retrieving is responsive to the detecting the presence of the subscriber device in the service area and wherein the central firewall controller cooperates with the local firewall module to provide firewall services for the subscriber device according to the subscriber profile. However, Ganguli teaches:
detecting, by the processing system, presence of a subscriber device in the service area; retrieving, by the processing system, a subscriber profile for the subscriber device from a central firewall controller, wherein the retrieving is responsive to the detecting the presence of the subscriber device in the service area and wherein the central firewall controller cooperates with the local firewall module to provide firewall services for the subscriber device according to the subscriber profile (Ganguli: [0086]: The enforcement nodes 150 establish persistent connections to the central authority 152 (central firewall controller) to download all policy configurations. When a new user connects to an enforcement node 150 (detecting presence of a subscriber device), a policy request is sent to the central authority 152 through this connection. The central authority 152 then calculates the policies that apply to that user 102 and sends the policy to the enforcement node 150 as a highly compressed bitmap. [0087] The policy can be tenant-specific and can include access privileges for users, websites and/or content that is disallowed, restricted domains, DLP dictionaries, etc. (subscriber profile)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Ganguli in the invention of Kuppanna to include the above limitations. The motivation to do so would be to implement zero trust policies (Ganguli: [0004]).
As per claim 2, Kuppanna in view of Ganguli teaches:
The method of claim 1, wherein the detecting communication activity of the subscriber device comprises: detecting, by the processing system, communications between the subscriber device and a core of the mobility network (Kuppanna: [0097]: The first set of traffic data includes information about system traffic corresponding to the first period of time such as for example, call detail records, application level protocol specific information (e.g., Session Initiation Protocol information), and data link layer and physical layer information about the communications system and its communications network links generated by the sensors and/or sensor enforcer nodes over the first time period).
As per claim 7, Kuppanna in view of Ganguli teaches:
The method of claim 1, comprising: receiving, by the processing system, profile updates for the subscriber profile; and updating, by the processing system, the subscriber profile based on the profile updates (Ganguli: [0087] The policy can be tenant-specific and can include access privileges for users, websites and/or content that is disallowed, restricted domains, DLP dictionaries, etc. Once downloaded, a tenant's policy is cached until a policy change is made in the management system 120. When this happens, all of the cached policies are purged, and the enforcement nodes 150 request the new policy when the user 102 next makes a request. In an embodiment, the enforcement node 150 exchange “heartbeats” periodically, so all enforcement nodes 150 are informed when there is a policy change).
The examiner relies on the same rationale for combining Kuppanna and Ganguli as set forth for claim 1 above.
As per claim 8, Kuppanna in view of Ganguli teaches:
The method of claim 7, comprising: modifying, by the processing system, the firewall services based on the profile updates (Ganguli: [0087]: When this happens, all of the cached policies are purged, and the enforcement nodes 150 request the new policy when the user 102 next makes a request, i.e., the new policy will be applied to future requests).
The examiner relies on the same rationale for combining Kuppanna and Ganguli as set forth for claim 1 above.
As per claim 10, Kuppanna in view of Ganguli teaches:
The method of claim 1, wherein the modifying the communication activities of the subscriber device comprises: blocking, by the processing system, access to a suspected network location by the subscriber device to prevent a malware attack on the subscriber device (Kuppanna: [0246]: wherein said action in response to said first threat is one of the following: restrict one or more user privileges corresponding to one or more users (e.g., restrict a user's access to one or more services and/or servers based on one or more IDs (e.g., SIP identifier, IMS identifier, telephone number, address of record (AOR) corresponding to the user), revoke privileges corresponding to an endpoint device (e.g., UE device (e.g., revoke a SIP registration corresponding a UE device)), restrict one or more privileges corresponding to a one or more endpoint devices (e.g., restrict a UE device's access to one or more services and/or servers (e.g., application servers))).
As per claim 11, Kuppanna teaches:
A device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising:
instantiating a local dynamic firewall module at a network node of a mobility network, the local dynamic firewall module providing firewall services to a firewall service area (Kuppanna: [0012] The sensor enforcer nodes/devices and enforcement nodes/devices may be, and in some embodiments are, firewall devices and SBC devices deployed at access points on the edge of the communication system. [0066]: sensors and sensor enforcer nodes can non-intrusively monitor, collect and provide information (e.g., call record reports (CDRs) on the Unified Communications traffic to the node(s) executing threat detection and mitigation application(s). [0067]: nodes or components of the above mentioned systems are implemented within one or more virtual machines. The containers instantiated within the virtual machines are completely dynamic);
detecting communication activity of a subscriber device (Kuppanna: [0060]: Sensor 216′ is located so as to sense information concerning UE 310 and sensor 216″ is located so as to sense information concerning UE 312);
communicating information about the communication activity of the subscriber device to a central firewall controller (Kuppanna: [0061] As the UC flow starts, the context engine 106 becomes aware of the flow via information/data communicated to the context engine 106 from the sensors 216′ and 216″. [0097] In step 1004, a first node of the communications system (central firewall controller), e.g., node 1 810, executing a first application for threat detection and mitigation processes a first set of traffic data including information about system traffic corresponding to a first period of time wherein one or more pieces of data in the first data set are provided by sensors and/or sensor enforcer nodes monitoring traffic in the communications system. [0102] In step 1012 shown on FIG. 10B, the first node detects, based on the first set of traffic data, a first set of traffic instances which are found to be a first threat of a first type. [0103] In sub-step 1014, the first node detects one or more sets of the following traffic instances corresponding to a subscriber or a device (e.g., endpoint device), i.e., the sensors and/or sensor enforcer nodes detect and send traffic that includes traffic corresponding to a subscriber device to the first node);
receiving, from the central firewall controller, information defining a threat response, the information defining the threat response determined by the central firewall controller responsive to the communication activity of the subscriber device, a subscriber profile associated with the subscription to the firewall services, and additional information related to possible security threats detected by the central firewall controller (Kuppanna: [0103] In sub-step 1014, the first node detects one or more sets of the following traffic instances corresponding to a subscriber or a device (e.g., endpoint device): (i) mismatches in traffic characteristics corresponding to the subscriber or the device (e.g., traffic belonging to or corresponding to a single subscriber or user equipment device having average call duration (ACD) traffic characteristics indicative of an enterprise system or private branch exchange (PBX), etc. [0104] In sub-step 1016, the first node determines if the first set of traffic instances contains a set of characteristics or patterns that match a set of characteristics or patterns which are indicative of a threat of the first type. [0234]: wherein said set of characteristics or patterns are one of the following: a set of characteristics learned adaptively by the application for threat detection and mitigation (e.g., by generating a traffic pattern profile for a user or device (subscriber profile) and detecting when traffic corresponding to the user or the device is not in conformance with said generated traffic pattern profile for said user or said device.) [0108] In step 1024, the first node notifies an operator of the communications system of the first threat. [0112]: In step 1034, in response to detecting an operator indicated action to be taken in response to the first threat of the first type, the communications system implements the operator indicated action. Step 1034 in some embodiments includes one or more of the sub-steps 1036, 1038, and 1040. In sub-step 1036, a policy change to be implemented to enforce the operator indicated action is determined. In sub-step 1038, the policy change is communicated to one or more enforcement nodes and/or sensor enforcer nodes); and
limiting communication activities of the subscriber device based on the information defining the threat response from the central firewall controller (Kuppanna: [0112]: In sub-step 1036, a policy change to be implemented to enforce the operator indicated action is determined. In sub-step 1040, the policy change is enforced at enforcement nodes and/or sensor enforcer nodes of the communications system. [0198], [0246]: wherein said action in response to said first threat is one of the following: restrict one or more user privileges corresponding to one or more users (e.g., restrict a user's access to one or more services and/or servers based on one or more IDs (e.g., SIP identifier, IMS identifier, telephone number, address of record (AOR) corresponding to the user), revoke privileges corresponding to an endpoint device (e.g., UE device (e.g., revoke a SIP registration corresponding a UE device)), restrict one or more privileges corresponding to a one or more endpoint devices (e.g., restrict a UE device's access to one or more services and/or servers (e.g., application servers))).
Kuppanna does not teach: the subscriber device having a subscription to the firewall services. However, Ganguli teaches:
the subscriber device having a subscription to the firewall services (Ganguli: The users 102 can be associated with a tenant, which may include an enterprise, a corporation, an organization, etc. That is, a tenant is a group of users who share a common access with specific privileges to the cloud-based system 100, a cloud service, etc. [0070] Further, the cloud-based system 100 can be multi-tenant, with each tenant (subscriber) having its own users 102 and configuration, policy, rules, etc. [0082]: In an embodiment, the cloud-based system 100 includes a plurality of enforcement nodes (EN) 150, labeled as enforcement nodes 150-1, 150-2, 150-N, interconnected to one another and interconnected to a central authority (CA) 152. [0083] The enforcement nodes 150 are full-featured secure internet gateways that provide integrated internet security. They inspect all web traffic bi-directionally for malware and enforce security, compliance, and firewall policies, as described herein, as well as various additional functionality. In an embodiment, each enforcement node 150 has two main modules for inspecting traffic and applying policies: a web module and a firewall module. [0086] The central authority 152 hosts all customer (tenant) policy and configuration settings. The enforcement nodes 150 establish persistent connections to the central authority 152 to download all policy configurations, i.e., a firewall subscription is provided to the tenants).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Ganguli in the invention of Kuppanna to include the above limitations. The motivation to do so would be to implement zero trust policies (Ganguli: [0004]).
As per claim 15, Kuppanna in view of Ganguli teaches:
The device of claim 11, wherein the receiving information defining a threat response from the central firewall controller comprises: receiving information tailored to operational capabilities of the subscriber device to avoid a security threat associated with the threat response (Kuppanna: [0049]: 108, includes a database system including a processor and a storage device. Stored in the policy element 108 database system are user defined policies, essentially the instructions that tailor the decision process of the context engine 106. The stored policies being instructions or rules used by the context engine 106 to make decisions based on data/information received from sensors in the system and generate enforcement instructions which are communicated to and enforced at one or more enforcement points in the system. [0246]: wherein said action in response to said first threat is one of the following: revoke privileges corresponding to an endpoint device (e.g., UE device (e.g., revoke a SIP registration corresponding a UE device)), restrict one or more privileges corresponding to a one or more endpoint devices (e.g., restrict a UE device's access to one or more services and/or servers (e.g., application servers))).
As per claim 20, Kuppanna teaches:
The non-transitory machine-readable medium of claim 16, wherein the operations further comprise: instantiating a local dynamic firewall module at a network node of the mobility network, the local dynamic firewall module providing firewall services for the subscriber device to a firewall service area, the firewall service area including a geographic area containing the subscriber device (Kuppanna: [0012] The sensor enforcer nodes/devices and enforcement nodes/devices may be, and in some embodiments are, firewall devices and SBC devices deployed at access points on the edge of the communication system. [0066]: sensors and sensor enforcer nodes can non-intrusively monitor, collect and provide information (e.g., call record reports (CDRs)) on the Unified Communications traffic to the node(s) executing threat detection and mitigation application(s). [0067]: nodes or components of the above mentioned systems are implemented within one or more virtual machines. The containers instantiated within the virtual machines are completely dynamic. [0060]: Sensor 216′ is located so as to sense information concerning UE 310 and sensor 216″ is located so as to sense information concerning UE 312);
Kuppanna does not teach: modifying the firewall service area responsive to movement and activities of the subscriber device. However, Ganguli teaches:
modifying the firewall service area responsive to movement and activities of the subscriber device (Ganguli: [0082]: The enforcement nodes 150 provide an onramp to the users 102 and are configured to execute policy, based on the central authority 152, for each user 102. The enforcement nodes 150 can be geographically distributed, and the policy for each user 102 follows that user 102 as he or she connects to the nearest (or other criteria) enforcement node 150).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Ganguli in the invention of Kuppanna to include the above limitations. The motivation to do so would be to implement zero trust policies (Ganguli: [0004]).
Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Kuppanna in view of Ganguli as applied to claim 1 above, and further in view of US 20250141900 to Pourzandi et al (hereinafter Pourzandi).
As per claim 3, Kuppanna in view of Ganguli does not teach the limitations of claim 3. However, Pourzandi teaches:
wherein the detecting communication activity of the subscriber device comprises: detecting, by the processing system, peer-to-peer communications between the subscriber device and a second user device (Pourzandi: [0043]: the non-limiting terms wireless device (WD) or a user equipment (UE) are used interchangeably. The WD herein can be any type of wireless device capable of communicating with a network node or another WD over radio signals, such as wireless device (WD). The WD may also be a radio communication device, target device, device to device (D2D) WD, machine type WD or WD capable of machine to machine communication (M2M), etc. [0044]: Transmitting in sidelink may pertain to (direct) transmission from one wireless device to another. Uplink, downlink and sidelink (e.g., sidelink transmission and reception) may be considered communication directions. It may be considered that backhaul and/or relay communication and/or network communication is implemented as a form of sidelink or uplink communication or similar thereto. [0048]: Some embodiments provide dynamic virtual security agent (VSA) based monitoring in a network. [0051]: In some embodiments, a network node 16 is configured to include a VSA 32 which is configured to perform one or more VSA actions as described herein such as with respect to monitoring communications associated with one or more wireless devices 22).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pourzandi in the invention of Kuppanna in view of Ganguli to include the above limitations. The motivation to do so would be to proactively find the potential attackers in the network by placing VSA in the operator's network dynamically in terms of physical locations as well as different layers/tiers (Pourzandi: [0006]).
As per claim 4, Kuppanna in view of Ganguli and Pourzandi teaches:
The method of claim 3, wherein the detecting peer-to-peer communications comprises: detecting, by the processing system, a sidelink communication between the subscriber device and the second user device (Pourzandi: [0043]: The WD herein can be any type of wireless device capable of communicating with another WD over radio signals, such as wireless device (WD). [0044]: Transmitting in sidelink may pertain to (direct) transmission from one wireless device to another. Uplink, downlink and sidelink (e.g., sidelink transmission and reception) may be considered communication directions. It may be considered that backhaul and/or relay communication and/or network communication is implemented as a form of sidelink or uplink communication or similar thereto. [0051]: In some embodiments, a network node 16 is configured to include a VSA 32 which is configured to perform one or more VSA actions as described herein such as with respect to monitoring communications associated with one or more wireless devices 22).
The examiner applies the same rationale for combining the prior art references Kuppanna, Ganguli and Pourzandi as set forth for claim 3 above.
Claims 5, 6, and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Kuppanna in view of Ganguli as applied to claim 1 above, and further in view of US 20140126369 to Ericson et al (hereinafter Ericson).
As per claim 5, Kuppanna in view of Ganguli does not teach the limitations of claim 5. However, Ericson teaches:
comprising: identifying, by the processing system, one or more other subscriber devices associated with the subscriber profile; and extending, by the processing system, the firewall services for the subscriber device to the one or more other subscriber devices according to the subscriber profile (Ericson: [0017]: As shown in FIG. 1, a subscriber 100 can access a telecommunications network 102 utilizing a variety of subscriber equipment 100a, 100b, 100c. Subscriber equipment 100a, 100b, 100c represents different equipment associated with the same subscriber. [0021]: A subscriber service 130 is provided which is adapted to resolve the variety of different identifier types and provide event broker 110 with a GUID associated with a specific subscriber 100. Subscriber service 130 utilizes a pluggable data provider 132 with access to a subscriber store 134 to resolve the variety of different identifier types associated with subscriber 100 to determine the GUID. The subscriber service 130 includes subscriber profiles containing GUIDs and other subscriber identifier types and profile attributes. [0022]: For example, actor 124a can retrieve the subscriber profile and attributes of subscriber 100 from subscriber service 130. The actor 124a can thus process the request in accordance with service and quality of service constraints specified in the subscriber profile associated with the subscriber and GUID. [0023] Actor 124a can process requests from subscriber 100 in accordance with the subscriber's profile and provide the appropriate services and quality of service, in light not only of the subscriber profile, but also in light of other pending requests from the same subscriber and/or already established sessions of the same subscriber. [0024]: The profile can include …, service restrictions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Ericson in the invention of Kuppanna in view of Ganguli to include the above limitations. The motivation to do so would be to provide for subscriber-centric routing of network traffic/events (Ericson: [0005]).
As per claim 6, Kuppanna in view of Ganguli and Ericson teaches:
The method of claim 5, further comprising: communicating, by the processing system, with a second local firewall module to provide the firewall services for one or more other subscriber devices, the second local firewall serving a geographic area occupied by at least one subscriber device of the one or more other subscriber devices (Ganguli: [0082]: The enforcement nodes 150 provide an onramp to the users 102 and are configured to execute policy, based on the central authority 152, for each user 102. The enforcement nodes 150 can be geographically distributed, and the policy for each user 102 follows that user 102 as he or she connects to the nearest (or other criteria) enforcement node 150).
The examiner applies the same rationale for combining the prior art references Kuppanna and Ganguli as set forth for claim 1 above.
As per claim 12, Kuppanna in view of Ganguli teaches:
The device of claim 11, wherein the operations further comprise:
modifying the firewall service area in response to movement and activities of the subscriber device and the one or more other subscriber devices (Ganguli: [0082]: The enforcement nodes 150 provide an onramp to the users 102 and are configured to execute policy, based on the central authority 152, for each user 102. The enforcement nodes 150 can be geographically distributed, and the policy for each user 102 follows that user 102 as he or she connects to the nearest (or other criteria) enforcement node 150).
Kuppanna in view of Ganguli does not teach the rest of the limitations of claim 12. However, Ericson teaches:
identifying one or more other subscriber devices associated with the subscription to the firewall services; extending the firewall service area to include geographic areas where the one or more other subscriber devices are located to provide the firewall services to the one or more other subscriber devices (Ericson: [0017]: As shown in FIG. 1, a subscriber 100 can access a telecommunications network 102 utilizing a variety of subscriber equipment 100a, 100b, 100c. Subscriber equipment 100a, 100b, 100c represents different equipment associated with the same subscriber. [0021]: A subscriber service 130 is provided which is adapted to resolve the variety of different identifier types and provide event broker 110 with a GUID associated with a specific subscriber 100. Subscriber service 130 utilizes a pluggable data provider 132 with access to a subscriber store 134 to resolve the variety of different identifier types associated with subscriber 100 to determine the GUID. The subscriber service 130 includes subscriber profiles containing GUIDs and other subscriber identifier types and profile attributes. [0022]: For example, actor 124a can retrieve the subscriber profile and attributes of subscriber 100 from subscriber service 130. The actor 124a can thus process the request in accordance with service and quality of service constraints specified in the subscriber profile associated with the subscriber and GUID. [0023] Actor 124a can process requests from subscriber 100 in accordance with the subscriber's profile and provide the appropriate services and quality of service, in light not only of the subscriber profile, but also in light of other pending requests from the same subscriber and/or already established sessions of the same subscriber. [0024]: The profile can include …, service restrictions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Ericson in the invention of Kuppanna in view of Ganguli to include the above limitations. The motivation to do so would be to provide for subscriber-centric routing of network traffic/events (Ericson: [0005]).
As per claim 13, Kuppanna in view of Ganguli and Ericson teaches:
The device of claim 12, wherein the operations further comprise: receiving updates to the subscriber profile associated with the subscription to the firewall services; modifying the subscriber profile; and modifying the firewall services in response to the modifying the subscriber profile (Ganguli: [0087] The policy can be tenant-specific and can include access privileges for users, websites and/or content that is disallowed, restricted domains, DLP dictionaries, etc. Once downloaded, a tenant's policy is cached until a policy change is made in the management system 120. When this happens, all of the cached policies are purged, and the enforcement nodes 150 request the new policy when the user 102 next makes a request. In an embodiment, the enforcement node 150 exchange “heartbeats” periodically, so all enforcement nodes 150 are informed when there is a policy change).
The examiner applies the same rationale for combining the prior art references Kuppanna and Ganguli as set forth for claim 11 above.
As per claim 14, Kuppanna in view of Ganguli and Ericson teaches:
The device of claim 13, wherein the receiving updates to the subscriber profile comprises: providing a user interface to a user associated with the subscriber device; receiving user information from the user, wherein the user information defines security and firewall protection for the subscriber device and the one or more other subscriber devices (Kuppanna: [0047]-[0049]: Stored in the policy element 108 database system are user defined policies, essentially the instructions that tailor the decision process of the context engine 106. The stored policies being instructions or rules used by the context engine 106 to make decisions based on data/information received from sensors in the system and generate enforcement instructions which are communicated to and enforced at one or more enforcement points in the system. Using a user interface to specify the policies is well known to one of ordinary skill in the art); and modifying the subscriber profile based on the information defining security and firewall protection (Ganguli: [0087]: Once downloaded, a tenant's policy is cached until a policy change is made in the management system 120. When this happens, all of the cached policies are purged, and the enforcement nodes 150 request the new policy when the user 102 next makes a request. In an embodiment, the enforcement node 150 exchange “heartbeats” periodically, so all enforcement nodes 150 are informed when there is a policy change. Any enforcement node 150 can then pull the change in policy when it sees a new request).
The examiner applies the same rationale for combining the prior art references Kuppanna and Ganguli as set forth for claim 11 above.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Kuppanna in view of Ganguli as applied to claim 1 above, and further in view of US 20250165616 to Cameron et al (hereinafter Cameron).
As per claim 9, Kuppanna in view of Ganguli does not teach the limitations of claim 5. However, Cameron teaches:
The method of claim 1, wherein the receiving information defining a threat response from the central firewall controller comprises: receiving, by the processing system, information about a prediction of future security threats to the subscriber device, the prediction of future security threats developed by a machine learning module responsive to the communication activity of the subscriber device and the additional information related to possible security threats (Cameron: [0032]: For example, the inventors have developed systems and methods that combine the power of supervised machine learning models and unsupervised machine learning models to generate unique cyber-security attack vectors, patterns, and characteristics to defend computing systems from future cyber-security attacks. To do so, the system accesses multi-modal data that indicates a set of security information related to a computing system of an entity. For example, the security information may include different domains of information that characterize the security of a computing system of an entity, such as security attributes of computing system components of the entity (e.g., system protection measures, communication protocols, encryption standards, firewalls, software libraries, configuration profiles, logging information, etc.), security policy information (e.g., security standards, security governance, guidelines, etc.), and third party-derived security-vulnerability information (e.g., known cyber-security attack vectors, exploits, cyber-security threat descriptions, etc.). The system applies a supervised machine learning model to the multi-modal data to generate a set of extracted characteristics indicating a cyber-security attack on the computing system of the entity. 
[0033] The system can then apply an unsupervised machine learning model to the set of extracted characteristics (e.g., as generated via the supervised machine learning model) to generate a revised set of extracted characteristics indicating the cyber-security attack on the computing system of the entity. For example, the unsupervised machine learning model is a generative model that modifies the originally generated set of extracted characteristics to generate a set of characteristics that define a new, previously undiscovered cyber-security attack vector/pattern. For instance, as opposed to existing systems that are constrained to historical/known patterns, the unsupervised machine learning model can leverage the historical cyber-security attack characteristics to generate at least one new characteristic indicating a cyber-security attack that was not included in the original set of extracted characteristics that indicate a cyber-security attack. By doing so, the system predicts the unknown (e.g., future cyber-security attack vectors, patterns, or other characteristics). This, in turn, improves computing system cyber-security as the system may leverage such predicted cyber-security attacks to optimize computing system protection measures to defend against anticipated future cyber-security attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Cameron in the invention of Kuppanna in view of Ganguli to include the above limitations. The motivation to do so would be to optimize computing system protection measures to defend against anticipated future cyber-security attacks (Cameron: [0033]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 20150200969 to Leung et al: Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-4:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
MADHURI R. HERZOG
Primary Examiner
Art Unit 2438
/MADHURI R HERZOG/Primary Examiner, Art Unit 2438