DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 01/21/2026.
Claims 2 and 9 are cancelled.
Claims 1, 3, 8, and 15 have been amended.
Claims 1, 3-8, and 10-22 are pending for consideration.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, see Pages 1-2 of Applicant’s Statement Pursuant to 35 U.S.C. 102(b)(c), filed 01/21/2026, with respect to the rejections of claims 1-20 under 35 U.S.C. 103 have been fully considered and are persuasive. Pursuant to the statement filed on 01/21/2026, U.S. Patent Application Publication (2025/0063430) is disqualified as prior art under 35 U.S.C. 102(a)(2). Therefore, the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made over Normann et al. (U.S. 2024/0381081)(hereinafter Normann) in view of Subbana et al. (hereinafter Subbana).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-8, and 10-22 are rejected under 35 U.S.C. 103 as being unpatentable over Normann et al. (U.S. 2024/0381081)(hereinafter Normann) in view of Subbana et al. (U.S. 12,184,696)(hereinafter Subbana).
Regarding claims 1 and 8, Normann teaches in response to a session request for a user device (Normann: see Page 5 paragraph 0070, “The AMF 312 may receive, from UE 301, non-access stratum (NAS) messages transmitted in accordance with NAS protocol. NAS messages relate to communications between UE 301 and the core network. Although NAS messages may be relayed to AMF 312 via AN 302, they may be described as communications via the N1 interface. NAS messages may facilitate UE registration and mobility management, for example, by authenticating, identifying, configuring, and/or managing a connection of UE 301”), selecting a network slice for the user device wherein the session request identifies the network slice (Normann: see Page 6 paragraph 0077, "The NSSF 370 may select one or more network slices to be used by the UE 301. The NSSF 370 may select a slice based on slice selection information. For example, the NSSF 370 may receive Single Network Slice Selection Assistance Information (S-NSSAI) and map the S-NSSAI to a network slice instance identifier (NSI)");
indicating the network slice to the user device (Normann: see Page 9 paragraph 0107 lines 12-13, "The network may indicate to the UE one or more allowed and/or rejected S-NSSAIs");
determining the user device qualifies for enhanced slice security(Normann: see Page 13 paragraph 0151, "The subscription data may be based on information obtained from the UDM (and/or the UDR). The subscription data may include subscription identifiers, security credentials, access and mobility related subscription data and/or session related data"); Page 13 paragraph 0153, "The PCF may determine access and mobility policies for the UE based on the subscription data, network operator data, current network conditions, and/or other suitable information. For example, the owner of a first UE may purchase a higher level of service than the owner of a second UE. The PCF may provide the rules associated with the different levels of service. Based on the subscription data of the respective UEs, the network may apply different policies which facilitate different levels of service"; Page 13 paragraph 0154, "As noted above, different policies may be obtained and/or enforced based on subscription data of the UE, location of the UE (i.e., location of the AN and/or AMF), or other suitable factors"), in response to determining the user device qualifies for the enhanced slice security, updating the network slice to route user data for a session of the user device on the network slice (Normann: see Page 5 paragraph 0072, "The PCF 320 may provide, to other NFs, services relating to policy rules. The PCF 320 may use subscription data and information about network conditions to determine policy rules and then provide the policy rules to a particular NF which may be responsible for enforcement of those rules. Policy rules may relate to policy control for access and mobility, and may be enforced by the AMF. Policy rules may relate to session management, and may be enforced by the SMF 314. Policy rules may be, for example, network-specific, wireless device-specific, session-specific, or data flow-specific");
exchanging the user data with the user device over the network slice (Normann: see Page 9 paragraph 0115 lines 3-7, "The UE 701 may receive services through a PDU session, which may be a logical connection between the UE 701 and a data network (DN). The UE 701 and the DN may exchange data packets associated with the PDU session"; Page 14 paragraph 0171 lines 3-8, "The PDU session establishment request may be a NAS message. The PDU session establishment request may indicate: a PDU session ID; a requested PDU session type (new or existing); a requested DN (DNN); a requested network slice (S-NSSAI); a requested SSC mode; and/or any other suitable information");
exchanging other user data with other user devices that do not qualify for the enhanced slice security over the network slice (Normann: see Page 9 paragraph 0115 lines 3-7, "The UE 701 may receive services through a PDU session, which may be a logical connection between the UE 701 and a data network (DN). The UE 701 and the DN may exchange data packets associated with the PDU session"; Page 14 paragraph 0171 lines 3-8, "The PDU session establishment request may be a NAS message. The PDU session establishment request may indicate: a PDU session ID; a requested PDU session type (new or existing); a requested DN (DNN); a requested network slice (S-NSSAI); a requested SSC mode; and/or any other suitable information"); and
routing the other user data to the data network without routing the other user data to the edge security service (Normann: see Page 15 paragraph 0175, "At 1240, the network sets up a data path for uplink data associated with the PDU session"; Page 15 paragraph 0176, "The SMF may determine and/or allocate an IP address for the PDU session. The SMF may select one or more UPFs (a single UPF in the example of FIG. 12) to handle the PDU session. The SMF may send an N4 session message to the selected UPF. The N4 session message may be an N4 Session Establishment Request and/or an N4 Session Modification Request. The N4 session message may include packet detection, enforcement, and reporting rules associated with the PDU session"; Page 15 paragraph 0179, "After the data path for uplink data is set up at 1240, the UE may optionally send uplink data associated with the PDU session. As shown in FIG. 12, the uplink data may be sent to a DN associated with the PDU session via the AN and the UPF").
However, Normann does not teach an edge security service and routing the user data to the edge security service wherein the edge security service enforces security policies on the user data and delivers the user data to a data network.
Nevertheless, Subbana-which is in the same field of endeavor- teaches an edge security service (Subbana: see Col 13 lines 53-55, "When users access applications, the packet has an entry point at a secure access service edge (SASE) and an SASE egress exit point") and routing the user data to the edge security service wherein the edge security service enforces security policies on the user data and delivers the user data to a data network (Subbana: see Col 13 lines 46-59, "The disclosed policy enforcement layers address the concern of traffic traveling outside of an enterprise data center, and whether the user is behind a corporate firewall by delivering consistent visibility and enforcement of security policy. The cloud-based policy enforcement system includes the delivery of networking and security services for traffic en route to the Internet, cloud applications or the data center. When users access applications, the packet has an entry point at a secure access service edge (SASE) and an SASE egress exit point. Packets flow through several logical components and boundaries in system 302, where multiple security functions offer identity-based secure access, delivering cloud-based security services").
Normann and Subbana are analogous art because they are from the same field of endeavor. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine Normann’s method for determining network slice subscription data with Subbana’s cloud-based policy enforcement system. The suggestion/motivation for doing so would be to dynamically enforce policy, processing, and/or access controls on network slices and improve overall system scalability.
Regarding claims 3 and 16, Normann teaches selecting the network slice for the wireless user device comprises mapping a Single-Network Slice Selection Assistance Information (S-NSSAI) indicated by the user device in the session request to a network slice instance (Normann: see Page 6 paragraph 0077, " The NSSF 370 may select one or more network slices to be used by the UE 301. The NSSF 370 may select a slice based on slice selection information. For example, the NSSF 370 may receive Single Network Slice Selection Assistance Information (S-NSSAI) and map the S-NSSAI to a network slice instance identifier (NSI)”); and
determining when the user device qualifies for the enhanced slice security comprises accessing a subscriber profile for the user device and identifying a subscriber attribute that indicates the user device qualifies for the enhanced slice security (Normann: see Page 13 paragraph 0151, "The subscription data may be based on information obtained from the UDM (and/or the UDR). The subscription data may include subscription identifiers, security credentials, access and mobility related subscription data and/or session related data"); Page 13 paragraph 0153, "The PCF may determine access and mobility policies for the UE based on the subscription data, network operator data, current network conditions, and/or other suitable information. For example, the owner of a first UE may purchase a higher level of service than the owner of a second UE. The PCF may provide the rules associated with the different levels of service. Based on the subscription data of the respective UEs, the network may apply different policies which facilitate different levels of service"; Page 13 paragraph 0154, "As noted above, different policies may be obtained and/or enforced based on subscription data of the UE, location of the UE (i.e., location of the AN and/or AMF), or other suitable factors").
Regarding claim 10, Normann teaches map a Single-Network Slice Selection Assistance Information (S-NSSAI) indicated by the user device in the session request to a network slice instance to select the network slice for the wireless user device (Normann: see Page 6 paragraph 0077, " The NSSF 370 may select one or more network slices to be used by the UE 301. The NSSF 370 may select a slice based on slice selection information. For example, the NSSF 370 may receive Single Network Slice Selection Assistance Information (S-NSSAI) and map the S-NSSAI to a network slice instance identifier (NSI)”); and
access a subscriber profile for the user device and identify a subscriber attribute that indicates the user device qualifies for the enhanced slice security to determine when the user device qualifies for the enhanced slice security (Normann: see Page 13 paragraph 0151, "The subscription data may be based on information obtained from the UDM (and/or the UDR). The subscription data may include subscription identifiers, security credentials, access and mobility related subscription data and/or session related data").
Regarding claim 17, Normann teaches accessing a subscriber profile for the user device and retrieving the subscriber attributes that indicate the user device is subscribed for the secondary authentication and the enhanced slice security (Normann: see Page 13 paragraph 0151, "The subscription data may be based on information obtained from the UDM (and/or the UDR). The subscription data may include subscription identifiers, security credentials, access and mobility related subscription data and/or session related data"; Page 19 paragraph 0207, “For example, as shown in FIG. 15, the AMF may determine whether NSSAA is required for each S-NSSAI based on locally stored information or from the UDM. The AMF may omit NSSAA for an S-NSSAI in the following cases: subscription information indicates that NSSAA is not required”).
Regarding claims 4, 11, and 18, Normann teaches transferring a registration accept message to the user device that directs the user device to begin a Protocol Data Unit (PDU) session over the network slice and that includes a User Equipment Route Selection Policy (URSP) rule that directs the user device to route the user data to the network slice (Normann: see Page 13 paragraph 0154, "The access and mobility policies may include a UE route selection policy (URSP)) that influences routing to an established PDU session or a new PDU session. As noted above, different policies may be obtained and/or enforced based on subscription data of the UE, location of the UE (i.e., location of the AN and/or AMF), or other suitable factors"; Page 13 paragraph 0156, "At 1060, AMF #2 sends a registration accept message to the AN, which forwards the registration accept message to the UE. The registration accept message may include a new UE identifier and/or a new configured slice identifier"; Page 13 paragraph 0157, " At 1070, AMF #2 may obtain UE policy control information from the PCF. The PCF may provide an access network discovery and selection policy (ANDSP) to facilitate non-3GPP access. The PCF may provide a UE route selection policy (URSP) to facilitate mapping of particular data traffic to particular PDU session connectivity parameters. As an example, the URSP may indicate that data traffic associated with a particular application should be mapped to a particular SSC mode, network slice, PDU session type, or preferred access type (3GPP or non-3GPP)").
Regarding claims 5, 12, and 19, Normann and Subbana teach routing the user data to the edge security service when the user device qualifies for the enhanced slice security comprises routing the user data to a Secure Access Service Edge (SASE) that enforces the security policies on the user data and delivers the user data to the data network (Subbana: see Col 13 lines 46-59, "The disclosed policy enforcement layers address the concern of traffic traveling outside of an enterprise data center, and whether the user is behind a corporate firewall by delivering consistent visibility and enforcement of security policy. The cloud-based policy enforcement system includes the delivery of networking and security services for traffic en route to the Internet, cloud applications or the data center. When users access applications, the packet has an entry point at a secure access service edge (SASE) and an SASE egress exit point. Packets flow through several logical components and boundaries in system 302, where multiple security functions offer identity-based secure access, delivering cloud-based security services").
Motivation to combine Normann and Subbana, in the instant claims, is the same as that in claims 1 and 8.
Regarding claim 6, Normann teaches the network slices comprise at least one of an Ultra-Reliable Low-Latency Communications (URLLC) slice, a Massive Internet-of-Things (MIoT) slice, an Enhanced Mobile Broadband (eMBB) slice, or a Vehicle-to-Anything (V2X) slice (Normann: see Page 9 paragraph 0107, "The S-NSSAI may include a particular slice/service type (SST) indicator (indicating eMBB, URLLC, mMTC, etc").
Regarding claim 7, Normann and Subbana teach the security policies comprise one or more of content filtering, security features, malware scanning, Domain Name Service (DNS) filtering, firewalls, intrusion detection, or intrusion prevention (Subbana: see Col 14 lines 32-41, "Security stack 153 layers include network firewall 455, app firewall 445, secure web gateway (SWG) 176 and N-CASB 155 in one embodiment. Network firewall 455 analyzes IP packets and connections to detect anomalies and apply policies based on packet headers. App firewall 445 analyzes application protocols and streams of data to detect protocol anomalies for HTTP/S and other network protocols, such as server message block (SMB), file transfer protocol (FTP), simple mail transfer protocol (SMTP) and domain name service (DNS)"). Motivation to combine Stammers, Yang, and Subbana, in the instant claim, is the same as that in claim 1.
Regarding claims 13 and 20, Normann and Subbana, teach the network slices comprise at least one of an Ultra-Reliable Low-Latency Communications (URLLC) slice, a Massive Internet-of-Things (MIoT) slice, an Enhanced Mobile Broadband (eMBB) slice, or a Vehicle-to-Anything (V2X) slice (Normann: see Page 9 paragraph 0107, "The S-NSSAI may include a particular slice/service type (SST) indicator (indicating eMBB, URLLC, mMTC, etc"); and the security policies comprise one or more of content filtering, security features, malware scanning, Domain Name Service (DNS) filtering, firewalls, intrusion detection, or intrusion prevention (Subbana: see Col 14 lines 32-41, "Security stack 153 layers include network firewall 455, app firewall 445, secure web gateway (SWG) 176 and N-CASB 155 in one embodiment. Network firewall 455 analyzes IP packets and connections to detect anomalies and apply policies based on packet headers. App firewall 445 analyzes application protocols and streams of data to detect protocol anomalies for HTTP/S and other network protocols, such as server message block (SMB), file transfer protocol (FTP), simple mail transfer protocol (SMTP) and domain name service (DNS)"). Motivation to combine Normann and Subbana, in the instant claims, is the same as that in claims 1 and 8.
Regarding claim 14, Normann teaches a Network Function Virtualization Infrastructure (NFVI) configured to execute the control plane and the user plane (Normann: see Page 18 paragraph 0197, "Unlike FIG. 14A, where each NF is deployed in a separate deployment, FIG. 14B illustrates multiple NFs in deployments 1410, 1420. In an example, deployments 1410, 1420 may implement a software-defined network (SDN) and/or a network function virtualization (NFV)"; Page 5 paragraph 0066, " The NFs depicted in FIG. 3 include a user plane function (UPF) 305, an access and mobility management function (AMF) 312, a session management function (SMF) 314, a policy control function (PCF) 320, a network repository function (NRF) 330, a network exposure function (NEF) 340, a unified data management (UDM) 350, an authentication server function (AUSF) 360, a network slice selection function (NSSF) 370, a charging function (CHF) 380, a network data analytics function (NWDAF) 390, and an application function (AF) 399. The UPF 305 may be a user-plane core network function, whereas the NFs 312, 314, and 320-390 may be control-plane core network functions"); and wherein
the control plane comprises one or more of an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a Network Slice Selection Function (NSSF), a Policy Control Function (PCF), a Unified Data Management (UDM), or an Authentication, Authorization, and Accounting (AAA) server (Normann: see Page 8 paragraph 0101, " The network architecture 600A comprises a control plane wherein an AMF 612 and a SMF 614 control various aspects of the user plane"; and the user plane comprises a User Plane Function (UPF) (Normann: see Page 8 paragraph 0101, "The network architecture 600A comprises a user plane wherein UEs 601A, 601B, 601C (collectively, UEs 601) have a physical and logical connection to a DN 608 via an AN 602 and a UPF 605").
Regarding claim 15, Normann and Subbana teach one or more non-transitory computer readable storage media having program instructions stored thereon, wherein the program instruction, when executed by a computing system, direct the computing system to perform operations, the operations comprising (Normann: see Page 16 paragraph 0184 lines 1-7, "The wireless device 1310 may comprise a processing system 1311 and a memory 1312. The memory 1312 may comprise one or more computer-readable media, for example, one or more non-transitory computer readable media. The memory 1312 may include instructions 1313. The processing system 1311 may process and/or execute instructions 1313"): responsive to registration authentication of a user device (Normann: see Page 19 paragraph 0213 lines 4-7, "If the NSSAA is triggered during a registration procedure, the AMF may determine from the UE Context that the UE has already been authenticated for some or all S-NSSAI(s) during the first access"), retrieving subscriber attributes for the user device that indicate the user device is subscribed for secondary authentication and enhanced slice security (Normann: see Page 19 paragraph 0207, "For example, as shown in FIG. 15, the AMF may determine whether NSSAA is required for each S-NSSAI based on locally stored information or from the UDM. The AMF may omit NSSAA for an S-NSSAI in the following cases: subscription information indicates that NSSAA is not required; the UE has previously completed NSSAA successfully, regardless of access type, and the result is still valid or NSSAA for the UE is currently ongoing"; Page 13 paragraph 0153 lines 3-12, "The PCF may determine access and mobility policies for the UE based on the subscription data, network operator data, current network conditions, and/or other suitable information. For example, the owner of a first UE may purchase a higher level of service than the owner of a second UE. The PCF may provide the rules associated with the different levels of service. Based on the subscription data of the respective UEs, the network may apply different policies which facilitate different levels of service");
performing the secondary authentication of the user device to enable the enhanced slice security (Normann: see Page 19 paragraph 0209 lines 1-2, "the AMF may perform NSSAA for the slices that require authentication"; Page 22 paragraph 0251 lines 3-9, "This may help a node to determine the relevant security level of network slice and/or to change configuration of UE. An example embodiment of this disclosure may support delivering policy information for alternative slice. The policy information may help a node to determine whether to use alternative slice for a slice configured for NSSAA");
selecting a network slice for the user device (Normann: see Page 6 paragraph 0077 lines 1-2, "The NSSF 370 may select one or more network slices to be used by the UE 301");
indicating the network slice to the user device (Normann: see Page 9 paragraph 0107 lines 12-13, "The network may indicate to the UE one or more allowed and/or rejected S-NSSAIs");
exchanging user data with the user device over the network slice (Normann: see Page 9 paragraph 0115 lines 3-7, "The UE 701 may receive services through a PDU session, which may be a logical connection between the UE 701 and a data network (DN). The UE 701 and the DN may exchange data packets associated with the PDU session"; Page 14 paragraph 0171 lines 3-8, "The PDU session establishment request may be a NAS message. The PDU session establishment request may indicate: a PDU session ID; a requested PDU session type (new or existing); a requested DN (DNN); a requested network slice (S-NSSAI); a requested SSC mode; and/or any other suitable information");
routing the user data to an edge security service based on the secondary authentication wherein the edge security service enforces security policies on the user data and delivers the user data to an enterprise network (Subbana: see Col 13 lines 46-59, "The disclosed policy enforcement layers address the concern of traffic traveling outside of an enterprise data center, and whether the user is behind a corporate firewall by delivering consistent visibility and enforcement of security policy. The cloud-based policy enforcement system includes the delivery of networking and security services for traffic en route to the Internet, cloud applications or the data center. When users access applications, the packet has an entry point at a secure access service edge (SASE) and an SASE egress exit point. Packets flow through several logical components and boundaries in system 302, where multiple security functions offer identity-based secure access, delivering cloud-based security services"); and
exchanging other user data with other user devices that do not qualify for the enhanced slice security over the network slice (Normann: see Page 9 paragraph 0115 lines 3-7, "The UE 701 may receive services through a PDU session, which may be a logical connection between the UE 701 and a data network (DN). The UE 701 and the DN may exchange data packets associated with the PDU session"; Page 14 paragraph 0171 lines 3-8, "The PDU session establishment request may be a NAS message. The PDU session establishment request may indicate: a PDU session ID; a requested PDU session type (new or existing); a requested DN (DNN); a requested network slice (S-NSSAI); a requested SSC mode; and/or any other suitable information"); and
routing the other user data to the data network without routing the other user data to the edge security service (Normann: see Page 15 paragraph 0175, "At 1240, the network sets up a data path for uplink data associated with the PDU session"; Page 15 paragraph 0176, "The SMF may determine and/or allocate an IP address for the PDU session. The SMF may select one or more UPFs (a single UPF in the example of FIG. 12) to handle the PDU session. The SMF may send an N4 session message to the selected UPF. The N4 session message may be an N4 Session Establishment Request and/or an N4 Session Modification Request. The N4 session message may include packet detection, enforcement, and reporting rules associated with the PDU session"; Page 15 paragraph 0179, "After the data path for uplink data is set up at 1240, the UE may optionally send uplink data associated with the PDU session. As shown in FIG. 12, the uplink data may be sent to a DN associated with the PDU session via the AN and the UPF"). Motivation to combine Normann and Subbana, in the instant claim, is the same as that in claims 1 and 8.
Regarding claims 21 and 22, Normann teaches determining that the user device qualifies for secondary authentication (Normann: see (Normann: see Page 13 paragraph 0151, "The subscription data may be based on information obtained from the UDM (and/or the UDR). The subscription data may include subscription identifiers, security credentials, access and mobility related subscription data and/or session related data"; Page 19 paragraph 0207, “For example, as shown in FIG. 15, the AMF may determine whether NSSAA is required for each S-NSSAI based on locally stored information or from the UDM. The AMF may omit NSSAA for an S-NSSAI in the following cases: subscription information indicates that NSSAA is not required”); and
performing the secondary authentication of the user device to enable the enhanced slice security (Normann: see Page 19 paragraph 0209 lines 1-2, "the AMF may perform NSSAA for the slices that require authentication"; Page 22 paragraph 0251 lines 3-9, "This may help a node to determine the relevant security level of network slice and/or to change configuration of UE. An example embodiment of this disclosure may support delivering policy information for alternative slice. The policy information may help a node to determine whether to use alternative slice for a slice configured for NSSAA").
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KELAH JANAE MCFARLAND-BARNES whose telephone number is (571)272-5953. The examiner can normally be reached Monday through Friday 8:00am until 4:00pm Central Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KELAH JANAE MCFARLAND-BARNES/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431