DETAILED ACTION
This final office action is in response to claims 1-11 and 15-18 filed on 10/30/2020 for examination. Claims 1-11 and 15-18 are being examined and are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Response to Amendment
The amendment filed October 30, 2020 has been entered. Claims 1-11 and 15-16 remain pending in the application. Claims 17-18 are newly added. Applicant’s arguments and amendments to the claims have overcome each and every claim objection previously set forth in the Non-Final Office Action mailed August 06, 2020. Claims 1-5, 7-11, and 15-16 have been amended and have necessitated a new ground(s) of rejection in this Office Action. Further, Applicants’ arguments filed on 10/30/2020 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claim 1-11 and 15-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ranke (WO2016020012, Hereinafter “Ranke”) in view of Liang et al. (US20060128433, Hereinafter “Liang”).
Regarding claim 1, Ranke teaches a monitor device comprising: at least one memory storing instructions (page 4, lines 25-34 – storing unit 706; page 15, lines 27-30 – program is stored by storing unit 706); and at least one processor (page 15, lines 20-25 – “the computer program may be executed by the processing unit 700”) configured to execute the instructions too; 
determine whether a first communication terminal configured to communicate with a base station is misbehaving in a mobile network based on whether a NAS (Non-Access Stratum) message which is transmitted from the first communication terminal, is rejected by the base station (page 1, lines 23-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment)”; page 2, lines 1-7 – If “authentication response”  from the UE does not match with expected response, authentication fails; page 9, lines 6-24 – number of failures in an area may be counted; page 9, lines 6-24 – the control node 120 determines whether an authentication failure level has reached a threshold; page 9, line 25 to page 10, line 7 – If the failure level reaches a threshold <i.e., attacking is detected>, requests from attacking or fraudulent UE’s are not performed; see also Figs. 4/5), the NAS message being for registering the first communication terminal (page 1, lines 20-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment),” and is performed as part of a network access join request; page 12, lines 8-15 – authentication request is part of the access request between a UE and control node; page 13, lines 6-8 and Fig. 5, step 420 - IMSI/IMEI of the UE are stored during normal  with a communication device in the mobile network (page 1, lines 20-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment),” and is performed as part of a network access request; page 5, lines 5-14 – UE may be a cellular telephone or mobile station), and 
cause the base station to restrict from processing at least one RRC (Radio Resource Control) connection setup complete message transmitted from at least one communication terminal served by the base station (page 2, lines 1-7 – If “authentication response” does not match with expected response, authentication fails; page 9, lines 6-24 – number of failures may be counted; page 9, lines 6-24 – the control node 120 determines whether an authentication failure level has reached a threshold; page 9, line 25 to page 10, line 31 – If the failure level reaches a threshold, requests from a specific area are not performed <i.e., restricted from processing>; see also Figs. 4/5; note: NAS is the setup complete message of an RRC connection setup, accordingly, this RRC connection setup complete message disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see NPL: “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) in a case where a value of communication terminal identification information set in the at least one RRC connection setup complete message is [[in a specific range]] (pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see NPL: “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS), wherein [[the specific range]] is set in order to include a value of communication terminal identification information assigned to the first communication terminal (pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an .
While Ranke discloses detecting a DoS attack and restricting or ignoring attach communications from a region to reduce system overloading from the attack (see, e.g.: pg. 9 line 28-pg.10 line 18; pg. 11 lines 1-13; and pg. 16, lines 5), Ranke fails to specifically disclose that the restricting comprises a specific range.  
However, Liang discloses wherein standard IMSIs follow a structure numerically ordered by area (e.g., the first three digits of an IMSI are the country code, followed by the mobile network code, then additional digits). Liang at [0011], fig. 1. Such area-based restriction of values (as is taught in Ranke pg. 9, line 28-pg. 10, line 31) naturally comprises a restriction of a range of numbers when following the standard IMSI protocol as described in Liang (for example, if the area you wish to restrict is Malaysia – IMSIs covered by Malaysia are the range 502XXXXXXXXXXX0-502XXXXXXXXXXX9). 
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Ranke with the known teachings of Liang, to cause the base station to restrict from processing at least one RRC (Radio Resource Control) connection setup complete message transmitted from at least one communication terminal served by the base station in a case where a value of communication terminal identification information set in the at least one RRC connection setup complete message is in a specific range, wherein the specific range is set in order to include a value of communication terminal identification information assigned to the first communication terminal, as any area-wide restriction would cover a specific range of IMSI values when preventing attacks from said region (see Liang at [0011], Fig. 1 with Ranke at pg. 9, line 28-pg. 10, line 8).

Regarding claim 2, the combination of Ranke and Liang teach the monitor device according to Claim 1, wherein the NAS message is rejected in a case where the communication terminal identification information received from the first communication terminal is illegal (Ranke at page 12, lines 10-15 – and access request for authentication is received, “this access request comprises the identity of the subscriber (IMSI or TMSI) and the UE 100/105 identity IMEI”; fig. 4 – retrieve previous authentication result for the IMSI/IMEI, and test if the authentication failure counter is over a threshold; page 13, lines 19-28 and fig. 6 – 610 IMSI/IMEI is tested, and, if the previous authentication result was a failure, step 650 the control node 120 rejects or ignore the access request; page 11, lines 1-15 – fraudulent UE’s access attempts may by dismissed by “one of rejecting the access request or ignoring the access request”).  

Regarding claim 3, the combination of Ranke and Liang teach the monitor device according to Claim 1, wherein the NAS message is rejected in a case where authentication information generated by the first communication terminal does not match authentication information generated by the mobile network (Ranke at page 7 line 25 to page 8, line 26 – control node 250 determines the authentication vector (lines 17-19), which is computed based on multiple factors such as the IMSI and combined with the IMEI (line 7-14), and the authentication response provided by the UE is compared with the expected response (lines 17-26); then page 8, lines 22-26 and fig. 3 – “In this example flow, authentication fails, so both SRES do not match. In this case the control node 250 responds to the UE 200 with an authentication reject message 225”).  

Regarding claim 5, the combination of Ranke and Liang teach the monitor device according to Claim 1, wherein the at least one processor is further configured to execute the instructions to cause the base station to restrict from processing the at least one RRC connection setup complete message in a case where the value of the communication terminal identification information indicates that the at least one communication terminal which sent the at least one RRC connection setup complete message performs communication in the mobile network for a first time (Ranke at page 12, lines 10-15 – and access request for authentication is received, “this access request comprises the identity of the subscriber (IMSI or TMSI) and the UE 100/105 identity IMEI”; page 10, liens 19-31 – control node 120 checks a log to detect if the first access of the UE 100/105; fig. 4 – retrieve previous authentication result for the IMSI/IMEI, and test if the authentication failure counter is over a threshold; page 13, lines 19-28 and fig. 6 – 610 IMSI/IMEI is tested, and, if the previous authentication result was a failure, step 650 the control node 120 rejects or ignore the access request).  

Regarding claim 6, the combination of Ranke and Liang teach the monitor device according to Claim 1, wherein the communication terminal identification information includes an IMSI (International Mobile Subscriber Identity) (Ranke at page 12, lines 10-15 – and access request for authentication is received, “this access request comprises the identity of the subscriber (IMSI or TMSI) and the UE 100/105 identity IMEI”; fig. 4 – retrieve previous authentication result for the IMSI/IMEI, and test if the authentication failure counter is over a threshold; page 13, lines 19-28 and fig. 6 – 610 IMSI/IMEI is tested, and, if the previous authentication result was a failure, step 650 the control node 120 rejects or ignore the access request; page 8, lines 7-13 – the authentication vector is calculated based on the IMSI).   

Regarding claim 10, Ranke teaches a base station comprising: 
at least one memory storing instructions (page 4, lines 25-34 – storing unit 706; page 15, lines 27-30 – program is stored by storing unit 706); and at least one processor configured to execute the instructions to: determine whether a first communication terminal is misbehaving in a mobile network based on whether a NAS (Non-Access Stratum) message which is transmitted from the first communication terminal, is rejected (page 1, lines 23-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment)”; page 2, lines 1-7 – If “authentication response”  from the UE does not match with expected response, authentication fails; page 9, lines 6-24 – number of failures in an area may be counted; page 9, lines 6-24 – the control node 120 determines whether an authentication failure level has reached a threshold; page 9, line 25 to page 10, line 7 – If the failure level reaches a threshold <i.e., attacking is detected>, requests from attacking or fraudulent UE’s are not performed; see also Figs. 4/5), the NAS message being for registering the first communication terminal with a communication device in the mobile network (page 1, lines 20-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment),” and is performed as part of a network access request; page 12, lines 8-15 – authentication request is part of the access request between a UE and control node; page 13, lines 6-8 and Fig. 5, step 420 - IMSI/IMEI of the UE are stored during normal authentication; page 5, lines 5-14 – UE may be a cellular telephone or mobile station), and 
determine whether to restrict from processing at least one RRC (Radio Resource Control) connection setup complete message transmitted from at least one communication terminal served by the base station (page 2, lines 1-7 – If “authentication response” does not match with expected response, authentication fails; page 9, lines 6-24 – number of failures may be counted; page 9, lines 6-24 – the control node 120 determines whether an authentication failure level has reached a threshold; page 9, line 25 to page 10, line 7 – If the failure level reaches a threshold, requests from attacking or i.e., restricted from processing>; see also Figs. 4/5; note: NAS is the setup complete message of an RRC connection setup, accordingly, this RRC connection setup complete message disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) in a case where a value of communication terminal identification information set in the at least one RRC connection setup complete message is [[in a specific range]] (pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS), wherein [[the specific range]] is set in order to include a value of communication terminal identification information assigned to the first communication terminal (pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI <i.e., the first communication terminal IMSI identity is restricted from processing as it is located in the restricted area>).  
While Ranke discloses detecting a DoS attack and restricting or ignoring attach communications from a region and/or attackers to reduce system overloading from the attack (see, e.g.: pg. 9 line 28-pg.10 line 18; pg. 11 lines 1-13; and pg. 16, lines 5), Ranke fails to specifically disclose wherein the restricting comprises a specific range.  
However, Liang discloses that IMSIs are a specific structure numerically arranged by area (e.g., the first three digits of an IMSI are the country code, followed by the mobile network code, then additional digits). Liang at [0011], fig. 1. Accordingly, such area-based restriction of values (as is taught in Ranke pg. 9, line 28-pg. 10, line 31) is a restriction of a range of numbers (for example, if the area you 
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Ranke with the known teachings of Liang, to cause the base station to restrict from processing at least one RRC (Radio Resource Control) connection setup complete message transmitted from at least one communication terminal served by the base station in a case where a value of communication terminal identification information set in the at least one RRC connection setup complete message is in a specific range, wherein the specific range is set in order to include a value of communication terminal identification information assigned to the first communication terminal, as IMSI areas are defined by a range of number and these areas may be restricted (see Liang at [0011], Fig. 1 with Ranke at pg. 9, line 28-pg. 10, line 8).

Regarding claim 11, Ranke teaches a monitor method comprising: 
determining whether a first communication terminal configured to communicate with a base station is misbehaving in a mobile network based on whether a NAS (Non-Access Stratum) message which is transmitted from the first communication terminal, is rejected by the base station (page 1, lines 23-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment)”; page 2, lines 1-7 – If “authentication response”  from the UE does not match with expected response, authentication fails; page 9, lines 6-24 – number of failures in an area may be counted; page 9, lines 6-24 – the control node 120 determines whether an authentication failure level has reached a threshold; page 9, line 25 to page 10, line 7 – If the failure level reaches a threshold <i.e., attacking is detected>, requests from attacking or fraudulent UE’s are not performed; see also Figs. 4/5), the NAS message being for registering the first communication terminal (page 1, lines 20-28 – “as part of the network access 5, step 420 - IMSI/IMEI of the UE are stored during normal authentication; page 5, lines 5-14 – UE may be a cellular telephone or mobile station); with a communication device in the mobile network (page 1, lines 20-28 – “as part of the network access procedure, the control node sends an ‘Authentication Request’ message on the Non-Access Stratam (NAS) towards the UE (user equipment),” and is performed as part of a network access request; page 5, lines 5-14 – UE may be a cellular telephone or mobile station); and 
causing the base station to restrict from processing at least one RRC (Radio Resource Control) connection setup complete message transmitted from at least one communication terminal served by the base station (page 2, lines 1-7 – If “authentication response” does not match with expected response, authentication fails; page 9, lines 6-24 – number of failures may be counted; page 9, lines 6-24 – the control node 120 determines whether an authentication failure level has reached a threshold; page 9, line 25 to page 10, line 7 – If the failure level reaches a threshold, requests from attacking or fraudulent UE’s are not performed <i.e., restricted from processing>; see also Figs. 4/5; note: NAS is the setup complete message of an RRC connection setup, accordingly, this RRC connection setup complete message disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) in a case where a value of communication terminal identification information set in the at least one RRC connection setup complete message is [[in a specific range]] (pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at , 
wherein [[the specific range]] is set in order to include a value of communication terminal identification information assigned to the first communication terminal (pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI <i.e., the first communication terminal IMSI identity is restricted from processing as it is located in the restricted area>).  
While Ranke discloses detecting a DoS attack and restricting or ignoring attach communications from a region and/or attackers to reduce system overloading from the attack (see, e.g.: pg. 9 line 28-pg.10 line 18; pg. 11 lines 1-13; and pg. 16, lines 5), Ranke fails to specifically disclose wherein the restricting comprises a specific range.  
However, Liang discloses that IMSIs are a specific structure numerically arranged by area (e.g., the first three digits of an IMSI are the country code, followed by the mobile network code, then additional digits). Liang at [0011], fig. 1. Accordingly, such area-based restriction of values (as is taught in Ranke pg. 9, line 28-pg. 10, line 31) is a restriction of a range of numbers (for example, if the area you wish to restrict is Malaysia – IMSIs covered by Malaysia are the range 502XXXXXXXXXXX0-502XXXXXXXXXXX9). 
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Ranke with the known teachings of Liang, to cause the base station to restrict from processing at least one RRC (Radio Resource Control) connection setup complete message transmitted from at least one communication terminal served by the base station in a case where a value of communication terminal identification information set in the at least one RRC connection setup complete message is in a specific range, wherein the specific range is set in order to include a value of communication terminal identification information assigned to the first Liang at [0011], Fig. 1 with Ranke at pg. 9, line 28-pg. 10, line 8).
  
Regarding claim 15, the combination of Ranke and Liang teach the monitor device according to claim 1, wherein the case where the value of the communication terminal identification information set in the at least one RRC connection setup complete message is in the specific range (Ranke at pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI ranges <see with Liang, [0011]>; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) includes a case that the value of the communication terminal identification information is a temporary value (Ranke at Pg. 5, lines 5-14: “A UE may be equipped with a SIM (Subscriber Identity Module) comprising unique identities such as IMSI (International Mobile Subscriber Identity) and/or TMSI (Temporary Mobile Subscriber Identity) associated with a subscriber using the UE”; Pg. 12, lines 10-15: “This access request comprises the identity of the subscriber (IMSI or TMSI <TMSI is a randomly assigned temporary value to mobile devices in the area>) and the UE 100/105 identity IMEI.”).  

Regarding claim 16, the combination of Ranke and Liang teach the monitor device according to claim 1, wherein the case where the value of the communication terminal identification information set in the at least one RRC connection setup complete message is in the specific range (Ranke at pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI ranges Liang, [0011]>; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) includes a case that the value of the communication terminal identification information is a random value (Ranke at Pg. 5, lines 23-28: “as part of the network access procedure, the control node sends an "Authentication Request" message on the Non-Access Stratum (NAS) towards the UE (user equipment). The control node includes in that message a random number (RAND) that it has obtained from an authentication vector generated at an AuC (Authentication Center) for the subscriber indicated in the access request”; Pg. 12, lines 10-15: “This access request comprises the identity of the subscriber (IMSI or TMSI <TMSI is a randomly assigned temporary value to mobile devices in the area>) and the UE 100/105 identity IMEI.”).  

Regarding claim 17, the combination of Ranke and Liang teach the monitor method according to claim I 1, wherein, the case where the value of the communication terminal identification information set in the at least one RRC connection setup complete message is in the specific range (Ranke at pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI ranges <see with Liang, [0011]>; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) includes a case that the value of the communication terminal identification information is a temporary value (Ranke at Pg. 5, lines 23-28: “as part of the network access procedure, the control node sends an "Authentication Request" message on the Non-Access Stratum (NAS) towards the UE (user equipment). The control node includes in that message a .”).  

Regarding claim 18, the combination of Ranke and Liang teach the monitor method according to claim 11, wherein the case where the value of the communication terminal identification information set in the at least one RRC connection setup complete message is in the specific range (Ranke at pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI ranges <see with Liang, [0011]>; note: NAS is the setup complete message of an RRC connection setup, accordingly, the RRC connection setup complete message is disclosed by Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS) includes a case that the value of the communication terminal identification information is a random value (Ranke at Pg. 5, lines 23-28: “as part of the network access procedure, the control node sends an "Authentication Request" message on the Non-Access Stratum (NAS) towards the UE (user equipment). The control node includes in that message a random number (RAND) that it has obtained from an authentication vector generated at an AuC (Authentication Center) for the subscriber indicated in the access request”; Pg. 12, lines 10-15: “This access request comprises the identity of the subscriber (IMSI or TMSI <TMSI is a randomly assigned temporary value to mobile devices in the area>) and the UE 100/105 identity IMEI.”).

Claim 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ranke in view of Liang, further in view of Zhao et al. (US20150033335, Hereinafter “Zhao”).
Regarding claim 4, the combination of Ranke and Liang teach the monitor device according to Claim 1, While the combination of Ranke and Liang teaches estimating whether a terminal is attacking the station from NAS messages (see, e.g., Ranke at page 1, lines 22-27, and page 9, line 25 to page 10, line 7), the combination of Ranke and Liang appears to fail to disclose wherein the at least one processor is further configured to execute the instructions to determine whether the first communication terminal is misbehaving in the mobile network based on a number of messages in which a specific cause value is set among messages transmitted when the NAS message is rejected.  
However, Zhao teaches a similar system for detecting and mitigating DDoS attacks (see abstract), wherein the at least one processor is further configured to execute the instructions to determine whether the first communication terminal is misbehaving in the mobile network based on a number of messages in which a specific cause value is set among messages transmitted from the base station ([0047-0053], fig. 4, – teaching assigning cause values for the reasons of rejection and determine attacks based on the amount of messages, see, e.g., “If proxy MS server 130 determines that the response code of the response received from application server 120 is a 4xx status code of interest (420, Yes), MS server 130 may increment the values of RWC, DBRC and CBRC (425). Proxy MS server 130 may then evaluate the incremented value of DBRC and CBRC to determine if the incremented value of DBRC and/or the incremented value of CBRC is equal to or greater than its respective one or more predetermined and/or preconfigured threshold values (430). If proxy MS server 130 determines that the value of DBRC and/or the value of CBRC is equal to or greater than its respective one or more predetermined and/or preconfigured threshold values (430, Yes), MS server 130 may add the client identifier corresponding to source client 260 to a blacklist (435).”; additionally, see [0009]: – RWC, DBRC, and CBRC are request messages: “A client identifier corresponding to a source client may be determined from a request message corresponding to the response message. The server may locate one or more counters corresponding to the source client, including a rolling window counter (RWC) that is used to .
It would have been obviously to one of ordinary skill before the effective filing date of the claimed invention to modify the combination of Ranke and Liang with the teachings of Zhao, wherein the at least one processor is further configured to execute the instructions to determine whether the first communication terminal is misbehaving in the mobile network based on a number of messages in which a specific cause value is set among messages transmitted from the base station in response to rejecting the NAS message by the base station, to allow for increased accuracy in the classification as an attack or not (as it would only increment for bad requests, see, e.g., Zhao at [0009]).

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ranke in view of Liang, further in view of Papa et al. (US20160044531, Hereinafter “Papa”).
Regarding claim 7, the combination of Ranke and Liang teaches the monitor device according to Claim 1, wherein the at least one processor is further configured to execute the instructions to cause the base station to restrict from processing all RRC connection setup complete messages [[for a specific period]] in a case where the value of the communication terminal identification information set in the at least one RRC connection setup complete messages is in the specific range (Ranke at pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI ranges <see with Liang, [0011]>; note: NAS is the setup complete message of an RRC connection setup, Ranke at pg. 1, lines 22-28; While not presently relied upon, for additional reference see “LTE RRC Connection Setup Messaging” in conclusion defining RRC and NAS).
However, the combination of Ranke and Liang appear to fail to specifically denote where in the range restriction last only for a specific period.
However, Papa discloses a process for reducing system overload when in denial-of-service attack conditions (see abstract, [0005], [0036]), comprising restricting processing of at least one attach message transmitted from at least one communication terminal served by the base station, wherein the at least one processor is further configured to execute the instructions to cause the base station to restrict from processing all connection setup messages for a specific period in a case where the value of the communication terminal identification information set in the at least one connection setup messages is in the specific range ([0079] & [0081] – not responding to connection messages based on IMSI/IMEI ranges, [0085] – “the gateway node can reject calls of roamers (i.e., mobile devices attached to and roaming from other cells) during periods of overload. <i.e., specifically during periods of overload>”; [0113-116] – backoff timer may also be set and sent to the UE with a specific delay time).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Ranke and Liang with the teachings of Papa, comprising wherein the at least one processor is further configured to execute the instructions to cause the base station to restrict from processing all RRC connection setup complete messages for a specific period in a case where the value of the communication terminal identification information set in the at least one RRC connection setup complete messages is in the specific range, to reduce system processing during overloading caused by repeated attach attempts of user equipment and to later return to normal processing (see, e.g., Ranke at pg. 11 lines 21-28 with Papa at [0079]-[0086]).

Claim 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ranke in view of Liang and Papa, further in view of Budka et al. (US20020188868, Hereinafter “Budka”).
Regarding claim 8, the combination of Ranke, Liang, and Papa teach the monitor device according to Claim 7, further comprising placing processing restrictions for a specific period in a case where the value of the communication terminal identification information set in the at least one RRC connection setup complete message is in the specific range  (Ranke at pg. 9, line 28-pg. 10, line 31 – when a DoS attack is being detected from an area, the system determines to restrict from processing all connection attempts from the attacking area based on IMSI/IMEI; with Papa at [0085] – “the gateway node can reject calls of roamers (i.e., mobile devices attached to and roaming from other cells) during periods of overload. <i.e., specifically during periods of overload>”; [0113-116] – backoff timer may also be set and sent to the UE with a specific delay time).
The combination of Ranke, Liang, and Papa appears to fail to teach wherein the at least one processor is further configured to execute the instructions to cause the base station to stop all transmission of radio waves during the period. 
However, Budka teaches wherein the at least one processor is further configured to execute the instructions to cause the base station to stop all transmission of radio waves  ([0021] – “In step S8, the wireless data router 14 ignores the mobile station’s request for a temporary link layer address. Consequently, the resources of the wireless data router 14 as well as the other parts of the wireless system required to continue the registration process are not used, thus preventing use of those resources.”; also, [0023] – “However, if the threshold has been reaches, then wireless data router 14 sends a zap command to the mobile station 10. The zap command instructs the mobile station 10 to disable its transmitter for a predetermined period of time called the leak delay.”; [0027] – in a wireless voice network, the method could be implemented by either a mobile switching center or a base station”).
Ranke, Liang, and Papa with the teachings of Budka, wherein the at least one processor is further configured to execute the instructions to cause the base station to stop all transmission of radio waves, so that even the overhead associated with processing the link layer address request is avoided in addition to saving the airlink bandwidth (see Bukda at [0023], [0010]).

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ranke in view of Liang, further in view of Vasseur et al. (US9654361, Hereinafter “Vasseur”).
Regarding claim 9, the combination of Ranke and Liang teach the monitor device according to Claim 1.
While the combination of Ranke and Liang teach determining whether to execute the NAS message when an attack is detected (see Ranke page 1, lines 23-28, and page 10, line 19 to page 11, line 13), the combination of Ranke and Papa appears to fail to teach wherein the at least one processor is further configured to execute the instructions to generate statistical data related to a number of messages transmitted and received by the base station; determine whether the first communication terminal is misbehaving; andAppln. No.: 15/768,315 determine whether to process the NAS message, in a case where there is a trend of traffic different from a trend of traffic indicated by the statistical data.  
However, Vasseur teaches a similar system for monitoring network traffic and statistics to detect an attack (Column 16, lines 1-16), wherein the at least one processor is further configured to execute the instructions to generate statistical data related to a number of messages transmitted and received by the base station (column 5, lines 33-47 – “TPA 248 may be operable to analyze every facet of the traffic flowing through the router”; it is inherent a part of traffic flowing through the router includes messages transmitted and received); determine whether the first communication terminal is misbehaving (Column 15, lines 1-19 & Column 16, lines 1-16 – determines whether an attack is occurring from the communication nodes <i.e., whether they are misbehaving>); andAppln. No.: 15/768,315 determine whether to process the NAS message, in a case where there is a trend of traffic different from a trend of traffic indicated by the statistical data (Column 15, lines 1-19: “Network anomaly tracker 702 may be configured to detect the presence of an anomalous condition in the network based on traffic pattern data 708. In general, traffic pattern data 708 may include traffic-related information such as the current traffic trends and historical traffic profile […] If there are differences in these values, network anomaly tracker 702 may notify metric requestor 704 of the detected anomaly and provide details regarding where in the network the deviations are arising”; Column 16, lines 1-16: the detection of network anomalies is utilized to determine attacks: “Assume for purposes of illustration that node 11 executes export record generator 243 and that traffic along link 43-33 is exhibiting a higher than expected amount of TCP traffic, as shown in FIG. 8A. This type of situation may indicate that an attack is being mounted by a malicious node against node 43, causing node 43 to send an excess amount of requests.”; column 16, lines 52-67 – in step 920 nodes may be instructed to stop exporting information or change their behavior).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Ranke and Liang with the known technique of Vasseur, wherein the at least one processor is further configured to execute the instructions to generate statistical data related to a number of messages transmitted and received by the base station; determine whether the first communication terminal is misbehaving; andAppln. No.: 15/768,315 determine whether to process the NAS message, in a case where there is a trend of traffic different from a trend of traffic indicated by the statistical data, to quickly detect over requested/overloaded nodes and modify their behavior based on a historical traffic profile (see, e.g., Vasseur at column 14, lines 33-54 and column 15, lines 1-19).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. NPL: “LTE RRC Connection Setup Messaging” (Eventhelix.com Inc., 2012) discloses standard attach provisioning for an LTE system, particularly, wherein an RRC connection request is sent, a response is received, and then RRC is used to deliver NAS for its connection complete message. (Slides 2 & 9).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA RAYMOND WHITE whose telephone number is (571)272-4365.  The examiner can normally be reached on Monday-Thursday, & Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/J.R.W./Examiner, Art Unit 2438                                                                                                                                                                                           /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438