Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is the initial office action that has been issued in response to patent application, 19/052,096, filed on 02/12/2025. Claims 2-41 are currently pending and have been considered below. Claim 2, 14, 21, 22, 32 and 41 are independent claim. Claim 1 has been cancelled.
Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 06/16/2025 is in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Priority
This application is a CON of application No. 18/314,023 filed on 05/08/2023 and US Patent No. 12,255,874 B2. Application 18/314,023 is a CON of application No 16/917,490 filed on 06/30/2020 and US Patent No 11,689,502 B2.
Drawings
The drawings filed on 02/12/2025 are accepted by the examiner.
Claim Objections
The claim 2, 14, 21 recite “allow set up of the GTP-U tunnel”. The claim has antecedent basis issue.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 2, 14, 21, 22, 32 and 41 are non-provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 of application No 16/917,490 (US Patent No 11,689,502 B2). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the patented application contains every element of claims of the instant application. A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a 35 patent claim to a species within that genus). “ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
Claims 2, 14, 21, 22, 32 and 41 are non-provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 of application 16/917,490 (US Patent No 11,689,502 B2). This is a nonstatutory anticipation type double patenting rejection.
This is a non-provisional non-statutory double patenting rejection because the conflicting claims have already got patented.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 2-9, 14-27, 32-37 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Panchal (US Patent Application No 2021/0136870 A1) in view of Yasukawa (US Patent Application Publication No 2019/0349791 A1).
Regarding Claim 2, Panchal discloses a system, comprising:
a processor configured to (Panchal, ¶[0080], Fig-8):
monitor network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function);
extract a plurality of parameters from the PFCP message at the security platform (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165); and
enforce a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced); and
obtain an IP address of the user plane and a tunnel endpoint identifier (TEID) range from the network traffic (Panchal, ¶[0068], the address for the endpoint may be identified with a Tunnel Endpoint Identifier (“TEID”), an IP address, and/or a port number); and
a memory coupled to the processor and configured to provide the processor with instructions (Panchal, ¶[0080], Fig-8).
Panchal does not explicitly teach the following limitation that Yasukawa teaches:
allow set up of the GTP-U tunnel matching the TEID range with the IP address (Yasukawa, ¶[0028], ¶[0033], first server 105 establishes a U-plane GTP tunnel (GTP-U). ¶[0044]- ¶[0045], a GTP tunnel can be identified by a TEID. Control server may monitor the TEID assigned by each first server and may select the second server to which the packet is transferred to prevent interference between the GTP tunnel).
Panchal in view of Yasukawa are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa to include the idea of an integrated solution to include a routing policy defined by a routing table for access limitation. As a result the UE which can access the external private network cannot be limited (Yasukawa, ¶[0050]).
Regarding Claim 3, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the allowing of the GTP-U tunnel comprises to:
compare the IP address with the valid range of TEIDs (Panchal, ¶[0068], the address for the endpoint may be identified with a Tunnel Endpoint Identifier (“TEID”), an IP address, and/or a port number. Also Yasukawa, ¶[0042]-¶[0044]).
Regarding Claim 4, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the enforcing of the security policy comprises to:
determine whether a rate of PFCP messages is greater than or equal to a message rate threshold (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or services); and
in response to a determination that the rate of PFCP messages is greater than or equal to the message rate threshold, limit the rate of PFCP messages (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or services).
Regarding Claim 5, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the plurality of parameters extracted from the PFCP message at the security platform further include a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165).
Regarding Claim 6, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the security platform is configured with a plurality of security policies to secure control and user plane separation in the mobile network (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced).
Regarding Claim 7, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the processor is further configured to:
parse the PFCP message to extract a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use related to a PFCP association (Panchal, ¶[0068]).
Regarding Claim 8, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the processor is further configured to:
parse the PFCP message to extract a Node ID related to a PFCP association (Panchal, ¶[0032]- ¶[0034]).
Regarding Claim 9, Panchal in view of Yasukawa discloses the system recited in claim 2, wherein the security platform monitors network traffic to and/or in a core network for a 5G network to secure control and user plane separation in the mobile network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function).
Regarding Claim 14, Panchal discloses a method, comprising:
monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function);
extracting a plurality of parameters from the PFCP message at the security platform (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165); and
enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network, comprising (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced):
obtaining an IP address of the user plane and a tunnel endpoint identifier (TEID) range from the network traffic (Panchal, ¶[0068], the address for the endpoint may be identified with a Tunnel Endpoint Identifier (“TEID”), an IP address, and/or a port number); and
Panchal does not explicitly teach the following limitation that Yasukawa teaches:
allowing set up of the GTP-U tunnel matching the TEID range with the IP address (Yasukawa, ¶[0028], ¶[0033], first server 105 establishes a U-plane GTP tunnel (GTP-U). ¶[0044]- ¶[0045], a GTP tunnel can be identified by a TEID. Control server may monitor the TEID assigned by each first server and may select the second server to which the packet is transferred to prevent interference between the GTP tunnel).
Panchal in view of Yasukawa are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa to include the idea of an integrated solution to include a routing policy defined by a routing table for access limitation. As a result the UE which can access the external private network cannot be limited (Yasukawa, ¶[0050]).
Regarding Claim 15, Panchal in view of Yasukawa discloses the method recited in claim 14, wherein the allowing of the GTP-U tunnel comprises:
comparing the IP address with the valid range of TEIDs (Panchal, ¶[0068], the address for the endpoint may be identified with a Tunnel Endpoint Identifier (“TEID”), an IP address, and/or a port number. Also Yasukawa, ¶[0042]-¶[0044]).
Regarding Claim 16, Panchal in view of Yasukawa discloses the method recited in claim 14, wherein the enforcing of the security policy comprises:
determining whether a rate of PFCP messages is greater than or equal to a message rate threshold (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or services); and
in response to a determination that the rate of PFCP messages is greater than or equal to the message rate threshold, limiting the rate of PFCP messages (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or services).
Regarding Claim 17, Panchal in view of Yasukawa discloses the method recited in claim 14, wherein the plurality of parameters extracted from the PFCP message at the security platform further include a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165).
Regarding Claim 18, Panchal in view of Yasukawa discloses the method recited in claim 14, wherein the security platform is configured with a plurality of security policies to secure control and user plane separation in the mobile network (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced).
Regarding Claim 19, Panchal in view of Yasukawa discloses the method recited in claim 14, further comprising:
parsing the PFCP message to extract a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use related to a PFCP association (Panchal, ¶[0068]).
Regarding Claim 20, Panchal in view of Yasukawa discloses the method recited in claim 14, further comprising:
parsing the PFCP message to extract a Node ID related to a PFCP association (Panchal, ¶[0032]- ¶[0034]).
Regarding Claim 21, Panchal discloses a computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function);
extracting a plurality of parameters from the PFCP message at the security platform (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165); and
enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network, comprising (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced):
obtaining an IP address of the user plane and a tunnel endpoint identifier (TEID) range from the network traffic (Panchal, ¶[0068], the address for the endpoint may be identified with a Tunnel Endpoint Identifier (“TEID”), an IP address, and/or a port number); and
Panchal does not explicitly teach the following limitation that Yasukawa teaches:
allowing set up of the GTP-U tunnel matching the TEID range with the IP address (Yasukawa, ¶[0028], ¶[0033], first server 105 establishes a U-plane GTP tunnel (GTP-U). ¶[0044]- ¶[0045], a GTP tunnel can be identified by a TEID. Control server may monitor the TEID assigned by each first server and may select the second server to which the packet is transferred to prevent interference between the GTP tunnel).
Panchal in view of Yasukawa are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa to include the idea of an integrated solution to include a routing policy defined by a routing table for access limitation. As a result the UE which can access the external private network cannot be limited (Yasukawa, ¶[0050]).
Regarding Claim 22, Panchal discloses a system, comprising:
a processor configured to:
monitor network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function);
extract a plurality of parameters from the PFCP message at the security platform (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165); and
enforce a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network, comprising to (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced):
in the event that the number of PFCP messages monitored over the period of time exceeds a rate limiting threshold, prevent additional PFCP messages from passing through the security platform (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or service); and
a memory coupled to the processor and configured to provide the processor with instructions (Panchal, ¶[0080], Fig-8).
Panchal does not explicitly teach the following limitation that Yasukawa teaches:
determine a number of PFCP messages monitored over a period of time (Yasukawa, ¶[0038], time stamp indicating data reception time).
Panchal in view of Yasukawa are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa to include the idea of an integrated solution to include a routing policy defined by a routing table for access limitation. As a result the UE which can access the external private network cannot be limited (Yasukawa, ¶[0050]).
Regarding Claim 23, Panchal in view of Yasukawa discloses the system recited in claim 22, wherein the plurality of parameters extracted from the PFCP message at the security platform include a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165).
Regarding Claim 24, Panchal in view of Yasukawa discloses the he system recited in claim 22, wherein the security platform is configured with a plurality of security policies to secure control and user plane separation in the mobile network (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced).
Regarding Claim 25, Panchal in view of Yasukawa discloses the system recited in claim 22, wherein the processor is further configured to:
parse the PFCP message to extract a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use related to a PFCP association (Panchal, ¶[0032]- ¶[0068]).
Regarding Claim 26, Panchal in view of Yasukawa discloses the system recited in claim 22, wherein the processor is further configured to:
parse the PFCP message to extract a Node ID related to a PFCP association (Panchal, ¶[0032]- ¶[0034]).
Regarding Claim 27, Panchal in view of Yasukawa discloses the system recited in claim 22, wherein the security platform monitors network traffic to and/or in a core network for a 5G network to secure control and user plane separation in the mobile network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function).
Regarding Claim 32, Panchal discloses a method, comprising:
monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function);
extracting a plurality of parameters from the PFCP message at the security platform (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165); and
enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network, comprising:
determining a number of PFCP messages monitored over a period of time (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced); and
in the event that the number of PFCP messages monitored over the period of time exceeds a rate limiting threshold, preventing additional PFCP messages from passing through the security platform (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or service).
Panchal does not explicitly teach the following limitation that Yasukawa teaches:
determine a number of PFCP messages monitored over a period of time (Yasukawa, ¶[0038], time stamp indicating data reception time).
Panchal in view of Yasukawa are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa to include the idea of an integrated solution to include a routing policy defined by a routing table for access limitation. As a result the UE which can access the external private network cannot be limited (Yasukawa, ¶[0050]).
Regarding Claim 33, Panchal in view of Yasukawa discloses the method of claim 32, wherein the plurality of parameters extracted from the PFCP message at the security platform include a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165).
Regarding Claim 34, Panchal in view of Yasukawa discloses the method of claim 32, wherein the security platform is configured with a plurality of security policies to secure control and user plane separation in the mobile network (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced).
Regarding Claim 35, Panchal in view of Yasukawa discloses the method of claim 32, further comprising:
parsing the PFCP message to extract a source IP address, Session Endpoint Identifier (SEID) 1, a destination IP address, SEID 2, and a protocol in use related to a PFCP association (Panchal, ¶[0068]).
Regarding Claim 36, Panchal in view of Yasukawa discloses the method of claim 32, further comprising:
parsing the PFCP message to extract a Node ID related to a PFCP association (Panchal, ¶[0032]- ¶[0034]).
Regarding Claim 37, Panchal in view of Yasukawa discloses the method of claim 32, wherein the security platform monitors network traffic to and/or in a core network for a 5G network to secure control and user plane separation in the mobile network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function).
Regarding Claim 41, Panchal discloses a computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for:
monitoring network traffic on a mobile network at a security platform to identify a Packet Forwarding Control Protocol (PFCP) message associated with a new session, wherein the mobile network includes a 4G network or a 5G network (Panchal, ¶[0011] & ¶[0013], systems may perform pseudo-slicing within a 4G and 5G wireless network. ¶[0033], the controller may use PFCP session establishment message to initiate the bearer establishment procedure. ¶[0068], SAEGW - C 175 may perform a PFCP session establishment procedure with SAEGW - U 165 to setup a PFCP session between the control plane function and the user plane function);
extracting a plurality of parameters from the PFCP message at the security platform (Panchal, ¶[0034], assign a bearer identifier to identify the established bearer context for first pseudo-slice. Bearer identifier may correspond to an IP address or another address. ¶[0068], a PFCP session establishment request message to establish a new PFCP session context. The address for endpoint may be identified with a TEID, an IP address and/or a port number. ¶[0068], the PFCP Session Establishment Response message may include the bearer identifier and/or addressing for reaching SAEGW - U 165); and
enforcing a security policy at the security platform on the new session based on one or more of the plurality of parameters to secure control and user plane separation in the mobile network, comprising (Panchal, ¶[0014], a Control and User Plane Separation (CUPS) architecture, such that control plane and user plane functionality may be separated and/or provided by different devices. ¶[0022], in CUPS architecture, element 175 and 180 may operate as separate devices. ¶[0027], PCRF may provide these policies and/or policy identifiers so that policies can be enforced):
in the event that the number of PFCP messages monitored over the period of time exceeds a rate limiting threshold, preventing additional PFCP messages from passing through the security platform (Panchal, ¶[0026], the profile information may include identifiers (e.g., QCI, SPID, ARP, etc.) that identify applications and/or services that are permitted for and/or accessible by the subscriber, identifying information for UE 110 (e.g., MDN, IMSI, IMEI, etc.), bandwidth or data rate thresholds associated with the applications and/or service).
Panchal does not explicitly teach the following limitation that Yasukawa teaches:
determining a number of PFCP messages monitored over a period of time (Yasukawa, ¶[0038], time stamp indicating data reception time).
Panchal in view of Yasukawa are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa to include the idea of an integrated solution to include a routing policy defined by a routing table for access limitation. As a result the UE which can access the external private network cannot be limited (Yasukawa, ¶[0050]).
Claim 10-13, 28-31, 38-40 are rejected under 35 U.S.C. 103 as being unpatentable over Panchal (US Patent Application No 2021/0136870 A1) in view of Yasukawa (US Patent Application Publication No 2019/0349791 A1) and further in view of Jain (US Patent Application Publication No 2015/0095969 A1).
Regarding Claim 10, Panchal in view of Yasukawa does not disclose the following limitations that Jain teaches:
the system recited in claim 2, wherein the security platform is configured to perform detection and prevention of Denial of Service (DoS) attacks for securing control and user plane separation in the mobile network (Jain, ¶[0019], separates the control and data plane for DDOS attack mitigation. ¶[0022], packet forwarding and attack mitigation per policies and collection of packet rate statistics and enforcement of behavioral thresholds. ¶[0031], Fig-2 shows control and data plane separation. DDOS attack mitigation central controller is responsible for the control plane where the individual appliances manage the data plane and process the packets for DDOS attack mitigation).
Panchal in view of Yasukawa and Jain are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “network security”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Panchal in view of Yasukawa and Jain to include the idea of an integrated solution to the distributed denial of service attacks mitigation for a large network by applying attack mitigation policies.
Regarding Claim 11, Panchal in view of Yasukawa and Jain discloses the system recited in claim 2, wherein the security platform is configured to perform detection and prevention of Session Endpoint Identifier (SEID) Spoofing attacks for securing control and user plane separation in the mobile network (Jain, ¶[0019], separates the control and data plane for DDOS attack mitigation. ¶[0022], packet forwarding and attack mitigation per policies and collection of packet rate statistics and enforcement of behavioral thresholds. ¶[0031], Fig-2 shows control and data plane separation. DDOS attack mitigation central controller is responsible for the control plane where the individual appliances manage the data plane and process the packets for DDOS attack mitigation).
Regarding Claim 12, Panchal in view of Yasukawa and Jain discloses the system recited in claim 2, wherein the processor is further configured to:
block the new session from accessing a resource based on the security policy (Jain, ¶[0059], the DDOS attack mitigation appliance may send the granular traffic information, packet drop statistics to the central controller so that the controller may adjust the mitigation policies).
Regarding Claim 13, Panchal in view of Yasukawa and Jain discloses the system recited in claim 2, wherein the processor is further configured to:
allow the new session to access a resource based on the security policy (Jain, ¶[0024], within the data plane, the DDoS attack mitigation appliance decides whether to drop or to allow incoming packets based on behavioral policies set by the DDoS attack mitigation central controller).
Regarding Claim 28, Panchal in view of Yasukawa and Jain discloses the system recited in claim 22, wherein the security platform is configured to perform detection and prevention of Denial of Service (DoS) attacks for securing control and user plane separation in the mobile network (Jain, ¶[0019], separates the control and data plane for DDOS attack mitigation. ¶[0022], packet forwarding and attack mitigation per policies and collection of packet rate statistics and enforcement of behavioral thresholds. ¶[0031], Fig-2 shows control and data plane separation. DDOS attack mitigation central controller is responsible for the control plane where the individual appliances manage the data plane and process the packets for DDOS attack mitigation).
Regarding Claim 29, Panchal in view of Yasukawa and Jain discloses the system recited in claim 22, wherein the security platform is configured to perform detection and prevention of Session Endpoint Identifier (SEID) Spoofing attacks for securing control and user plane separation in the mobile network (Jain, ¶[0019], separates the control and data plane for DDOS attack mitigation. ¶[0022], packet forwarding and attack mitigation per policies and collection of packet rate statistics and enforcement of behavioral thresholds. ¶[0031], Fig-2 shows control and data plane separation. DDOS attack mitigation central controller is responsible for the control plane where the individual appliances manage the data plane and process the packets for DDOS attack mitigation).
Regarding Claim 30, Panchal in view of Yasukawa and Jain discloses the system recited in claim 22, wherein the processor is further configured to:
block the new session from accessing a resource based on the security policy (Jain, ¶[0059], the DDOS attack mitigation appliance may send the granular traffic information, packet drop statistics to the central controller so that the controller may adjust the mitigation policies).
Regarding Claim 31, Panchal in view of Yasukawa and Jain discloses the system recited in claim 22, wherein the processor is further configured to:
allow the new session to access a resource based on the security policy (Jain, ¶[0024], within the data plane, the DDoS attack mitigation appliance decides whether to drop or to allow incoming packets based on behavioral policies set by the DDoS attack mitigation central controller).
Regarding Claim 38, Panchal in view of Yasukawa and Jain discloses the method of claim 32, wherein the security platform is configured to perform detection and prevention of Denial of Service (DoS) attacks for securing control and user plane separation in the mobile network (Jain, ¶[0019], separates the control and data plane for DDOS attack mitigation. ¶[0022], packet forwarding and attack mitigation per policies and collection of packet rate statistics and enforcement of behavioral thresholds. ¶[0031], Fig-2 shows control and data plane separation. DDOS attack mitigation central controller is responsible for the control plane where the individual appliances manage the data plane and process the packets for DDOS attack mitigation).
Regarding Claim 39, Panchal in view of Yasukawa and Jain discloses the method of claim 32, wherein the security platform is configured to perform detection and prevention of Session Endpoint Identifier (SEID) Spoofing attacks for securing control and user plane separation in the mobile network (Jain, ¶[0019], separates the control and data plane for DDOS attack mitigation. ¶[0022], packet forwarding and attack mitigation per policies and collection of packet rate statistics and enforcement of behavioral thresholds. ¶[0031], Fig-2 shows control and data plane separation. DDOS attack mitigation central controller is responsible for the control plane where the individual appliances manage the data plane and process the packets for DDOS attack mitigation).
Regarding Claim 40, Panchal in view of Yasukawa and Jain discloses the method of claim 32, further comprising:
allowing or blocking the new session from accessing a resource based on the security policy (Jain, ¶[0024], within the data plane, the DDoS attack mitigation appliance decides whether to drop or to allow incoming packets based on behavioral policies set by the DDoS attack mitigation central controller).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-Form 892).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923. The examiner can normally be reached on M-F, 8 am to 5 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WASIKA NIPA/ Primary Examiner, Art Unit 2433