Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1.	Claims 1-8, 10-17, 19-20 are pending.  



Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/19/2021 has been entered.
 

Information Disclosure Statement
3.         The information disclosure statement (IDS) submitted on 1/19/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.



Reasons for Allowance
4.        Applicant has amended the claims to recite the additional limitations:

determining, by the telecommunications network node, during a first connectivity cycle of the MTC device, and using the stored rule derived from the CP information, that the MTC device is not behaving in accordance with an expected behavior; and
in response to determining that the MTC device is not behaving in accordance with the expected behavior, incrementing, by the telecommunications network node, a count of incidents in which the MTC device is determined to violate the rule and determining that the count of incidents does not exceed a threshold defined for consecutive connectivity cycles of the MTC device;
determining, by the telecommunications network node, during a second connectivity cycle of the MTC device, and using the stored rule derived from the CP information, that the MTC device is not behaving in accordance with the expected behavior, incrementing the count of incidents, determining that the count exceeds the threshold, and, in response to determining that the count exceeds the threshold defined for consecutive connectivity cycles of the MTC device, performing, by the telecommunications network node, a network security action that mitigates an effect of traffic from the MTC device on the network, wherein performing the network security action includes resetting the MTC device.

The Examiner has carefully considered these limitations in the context of the claims.  These claim amendments have overcome the prior art.  

The closest prior art was Iwai et al. USPGPUB 2018/0070268.  Iwai et al., however, fails to disclose Applicant’s newly amended limitation concerning the detection of deviations from expected behavior.

Although the Examiner’s search of the prior art has found that, as a general matter, a count of incidents and a threshold are generally known as a means of detecting malware, such as in USPGPUB 20170093902, which allows for the detection of security incidents, or USPGPUB 20170171235, which updates a risk score based on a number of incidents exceeding a particular threshold, none of the disclosures in the prior art rises to the level of specificity recited in the claims.

To wit, during a first connectivity cycle of an MTC device, a stored rule is derived from CP behavior and a count of incidents is determined to not exceed a particular threshold for consecutive connectivity cycles of the MTC device.  Furthermore, upon the detection that such rule may be exceeded and the behavior deviates from the CP information, performing the security action includes resetting the device.

It is the Examiner’s position that the particular terms CP behavior and MTC device are terms of art expressly defined by the 3GPP standards.  
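
The amended limitations quoted above describe a per-device violation counter evaluated once per connectivity cycle. The sketch below is an added illustration, not code from the application or from this Office action. The rule fields (`max_duration_s`, `max_uplink_bytes`), the threshold value of 1, the choice to clear the count after a compliant cycle, and recording the reset instead of performing it are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CpRule:
    """Stored rule derived from CP information (field names are assumptions)."""
    max_duration_s: int    # longest expected session per connectivity cycle
    max_uplink_bytes: int  # most uplink data expected per connectivity cycle

    def violated_by(self, cycle: dict) -> bool:
        return (cycle["duration_s"] > self.max_duration_s
                or cycle["uplink_bytes"] > self.max_uplink_bytes)


class NetworkNode:
    """Tracks rule violations per MTC device across connectivity cycles."""

    def __init__(self, rule: CpRule, threshold: int):
        self.rule = rule
        self.threshold = threshold
        self.counts = defaultdict(int)  # device id -> consecutive violations
        self.actions = []               # security actions taken (recorded only)

    def observe_cycle(self, device_id: str, cycle: dict) -> str:
        if not self.rule.violated_by(cycle):
            # Assumption: a compliant cycle ends the consecutive run.
            self.counts[device_id] = 0
            return "ok"
        self.counts[device_id] += 1
        if self.counts[device_id] <= self.threshold:
            return "counted"            # violation noted, threshold not exceeded
        # Count exceeds the threshold: mitigate by resetting the device.
        self.actions.append(("reset", device_id))
        self.counts[device_id] = 0
        return "reset"


def run_demo() -> tuple:
    # Constructed sample data: one device, four connectivity cycles.
    node = NetworkNode(CpRule(max_duration_s=30, max_uplink_bytes=2048), threshold=1)
    cycles = [
        {"duration_s": 400, "uplink_bytes": 900},      # session too long
        {"duration_s": 12, "uplink_bytes": 700},       # compliant
        {"duration_s": 10, "uplink_bytes": 500_000},   # too much uplink data
        {"duration_s": 350, "uplink_bytes": 800_000},  # both limits exceeded
    ]
    return [node.observe_cycle("mtc-001", c) for c in cycles], node.actions
```
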





Conclusion
5.       The following art not relied upon is made of record:
USPGPUB 20190238584 teaches a system for vulnerability management.
USPGPUB 20150235164 teaches a method of incident response in a secure collaborative network.
USPGPUB 20180124110 teaches a method of detecting malicious behavior.
USPGPUB 20180227322 teaches a method of using an incident score in detecting anomalous behavior.
USPGPUB 20170093902 teaches a method of detection of security incidents.
USPGPUB 20170171235 teaches updating a risk score based on a number of incidents exceeding a particular threshold.


6.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS M HO whose telephone number is (571)270-7862.  The examiner can normally be reached on 11-7:30PM.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THOMAS HO/
Examiner, Art Unit 2494

/JUNG W KIM/
Supervisory Patent Examiner, Art Unit 2494