DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/31/2021 has been entered.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 06/05/2021 and 07/29/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

 Response to Amendment
Claims 1, 10 and 16 have been amended. 
Applicant’s arguments with respect to claim(s) 1, 10 and 16 regarding the new limitations: “when the security attribute of the session is lower than the security requirement of the application, determining, by the UE, that the security attribute of the session does not meet the security requirement of the application” and “wherein the session establishment request message comprises a security capability of the UE and the security requirement of the application” have been considered but are moot in view of the new grounds of rejection presented in the current rejection. As per the applicant’s arguments that prior arts of record fail to teach the above limitations, the examiner respectfully disagrees. Prior art of record Mahaffey teaches: [0190]: For example, the interceptor may intercept an attempt by an application program on the mobile device to connect to a network. [0191]: The assessment engine is responsible for evaluating or applying a connection policy based on the current context. For example, upon the connection interceptor intercepting a connection attempt, the assessment engine may be called to determine the type of connection that should be established. Determining the type of connection that should be established is based on the collected context data. [0192]: For example, a user may have initially been playing an online game where, based on a connection policy, the connection network could be unsecured. [0193]: Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used. If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context (determining that the security attribute of the connection does not meet the security requirement of the application). [0336]: In a step 1410, a security policy associated with a network connection between a mobile communications device and a remote destination is received. The security policy includes a specification of a particular type of network connection to be used during a particular context. [0337] Thus, an administrator of the remote destination can, via the security policy (security requirement), specify the type of network connection that should be used to communicate with the remote destination. The security policy may be sent from the mobile communications device to the server for the server to apply the policy, i.e., the security requirement of the application is transmitted in the request message. And, Mehr teaches: Column 8, lines 57-67 and column 9, lines 1-19: the handshake process may be any handshake for establishment of a cryptographically protected communications session. In a specific example, the system performing the process 300 initiates 302 the handshake process by receiving a TLS ClientHello message from the client. The ClientHello message may list for example, a set of cipher suites supported by the client (security capability of UE) where the set may have a single cipher suite specified or may have multiple cipher suites specified. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-3, 9-11, 13, 16-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20150128205 to Mahaffey et al (hereinafter Mahaffey) and prior art of record US 9935769 to Nima Sharifi Mehr (hereinafter Mehr).
As per claims 1 and 16, Mahaffey teaches:
A data transmission method, comprising: 
determining, by user equipment (UE), a security attribute of a session of the UE (Mahaffey: [0192]: a user may have initially been playing an online game where, based on a connection policy, the connection network could be unsecured. [0301]: In a step 1115, context information associated with a first type of network connection between a mobile communications device and a remote destination is collected. [0302]: context information is collected before the network connection is established); 
starting, by the UE, an application having a security requirement (Mahaffey: [0193] Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used);
when the security attribute of the session is lower than the security requirement of the application, determining, by the UE, that the security attribute of the session does not meet the security requirement of the application (Mahaffey: [0190]: For example, the interceptor may intercept an attempt by an application program on the mobile device to connect to a network. [0191]: The assessment engine is responsible for evaluating or applying a connection policy based on the current context. For example, upon the connection interceptor intercepting a connection attempt, the assessment engine may be called to determine the type of connection that should be established. Determining the type of connection that should be established is based on the collected context data. [0192]: For example, a user may have initially been playing an online game where, based on a connection policy, the connection network could be unsecured. [0193]: Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used. If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. Also, [0228], [0301]-[0302], [0307]); and
sending, by the UE, a session establishment request message to a control plane node wherein the session establishment request message is used to request to establish a session corresponding to the security requirement of the application (Mahaffey: [0193]: If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. [0207] Accordingly, at step 602, a request for a secure network connection account may be received at a server), 
wherein the session establishment request message comprises the security requirement of the application (Mahaffey: [0336]: In a step 1410, a security policy associated with a network connection between a mobile communications device and a remote destination is received. The security policy includes a specification of a particular type of network connection to be used during a particular context. [0337] Thus, an administrator of the remote destination can, via the security policy (security requirement), specify the type of network connection that should be used to communicate with the remote destination. The security policy may be sent from the mobile communications device to the server for the server to apply the policy).
Mahaffey teaches a network connection but does not explicitly teach a session and wherein the session establishment request message comprises a security capability of the UE. However, Mehr teaches:
a session and wherein the session establishment request message comprises a security capability of the UE (Mehr: Column 20, lines 52-58: User or client devices can include … cellular, wireless and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols. Column 8, lines 57-67 and column 9, lines 1-19: the handshake process may be any handshake for establishment of a cryptographically protected communications session. In a specific example, the system performing the process 300 initiates 302 the handshake process by receiving a TLS ClientHello message from the client. The ClientHello message may list for example, a set of cipher suites supported by the client (security capability of UE) where the set may have a single cipher suite specified or may have multiple cipher suites specified. Column 18, lines 7-16).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Mehr in the invention of Mahaffey to include the above limitations. The motivation to do so would be to provide dynamic cipher suite selection based on planned session use (Mehr: column 2, lines 14-15).

As per claims 2 and 17, Mahaffey does not teach the limitations of the claims. However, Mehr teaches:
The method according to claim 1, wherein the security attribute comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location; and the security requirement of the application comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location (Mehr: column 4, lines 4-35: cipher suites for instance may not provide any data confidentiality but only data integrity. Such cipher suites may be suitable for instance, for data that are publicly available and generally for which confidentiality is not a requirement. Such cipher suites may provide the advantage in that assurance that data has not become corrupted while traversing a network are available while there is no need to utilize processing capacity for the purpose of encryption and decryption. Some cipher suites may provide data confidentiality but may be cryptographically weaker than other cipher suites. Cryptographic strength may be measured in various ways in accordance with various embodiments. For instance, cipher suites may be ranked in accordance with current understandings of resistance to cryptographic attacks. Cryptographic strength may also be measured in key size for an encryption or other algorithm of the cipher suite).
The examiner provides the same rationale to combine Mahaffey and Mehr as provided in claims 1 and 16 above.

As per claims 3 and 18, Mahaffey in view of Mehr teaches:
The method according to claim 1, wherein after the sending, by the UE, a session establishment request message to a control plane node, the method further comprises: receiving, by the UE, a session establishment response message from the control plane node, wherein the session establishment response message comprises a security attribute of the session corresponding to the security requirement of the application; and sending, by the UE, data of the application based on the security attribute of the session corresponding to the security requirement of the application (Mahaffey: [0211] At step 604, a secure network connection account may be generated at the server. The secure network connection account may be a temporary account that includes credentials for a secure network connection. [0212] At step 606, the credentials may be transmitted to the mobile communications device. The mobile communications device may use the credentials to automatically configure a secure network connection, such as a SNC connection. [0213] At step 608, a secure network connection may be established between the server and the mobile communications device in response to receiving the credentials from the mobile communications device. Also, [0214]. Mehr: Column 18, lines 7-16: If the system performing the process 800 determines 808 that the response has been denied, a system performing the process 800 may then renegotiate 812 a cryptographically protected communications session with the same computer system. For example, if using TLS a system performing the process 800 may transmit a ClientHello message for a renegotiation such as described in RFC5746, which is incorporated herein by reference, and completing a handshake. Column 2, lines 14-55: In an embodiment, during a handshake process to establish a cryptographically protected communications session, such as a secure sockets layer (SSL) or transport layer security (TLS) session, a client indicates to a server a planned use of the session. The server then selects a cipher suite appropriate to the client's planned use of the session and completes the handshake accordingly. Techniques of the present disclosure also allow for access control based at least in part on cipher suites in use to submit requests. In an embodiment, a cryptographically protected communications session utilizing a cipher suite is established between a client and a server. The cryptographically protected communications session may be used by a client to submit a request over the session. Column 3, lines 5-22: The server may, as part of the renegotiation, select a cipher suite that is suitable for fulfillment of the request (if available) such that the response can be provided over the new cryptographically protected communications session that results).
The examiner provides the same rationale to combine Mahaffey and Mehr as provided in claims 1 and 16 above.

As per claims 9 and 20, Mahaffey in view of Mehr teaches:
The method according to claim 1, wherein the session comprises at least one session, the method further comprising: when a security attribute of the at least one session meets the security requirement of the application, sending, by the UE, data of the application through one of the at least one session (Mahaffey: [0340]: if the context information indicates that the user is accessing their account balances, the system may allow the current secure network connection to be maintained. Mehr: column 17, lines 45-60: Having established 802 the cryptographically protected communications session, the process 800 may include transmitting 804 a request over the established cryptographically protected communications session. A response to the request may be received 806. The response may for example, include data that was obtained as part of fulfillment of the request).
The examiner provides the same rationale to combine Mahaffey and Mehr as provided in claims 1 and 16 above.

As per claim 10, Mahaffey teaches:
A data transmission method, comprising: 
receiving, by a control plane node, a session establishment request message from user equipment (UE), wherein the session establishment request message is used to request to establish a session corresponding to a security requirement of an application of the UE, wherein the application was started by the UE (Mahaffey: [0193] Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used. If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. [0207] Accordingly, at step 602, a request for a secure network connection account may be received at a server. [0301]: In a step 1115, context information associated with a first type of network connection between a mobile communications device and a remote destination is collected) and 
wherein the session establishment request message comprises the security requirement of the application (Mahaffey: [0336]: In a step 1410, a security policy associated with a network connection between a mobile communications device and a remote destination is received. The security policy includes a specification of a particular type of network connection to be used during a particular context. [0337] Thus, an administrator of the remote destination can, via the security policy (security requirement), specify the type of network connection that should be used to communicate with the remote destination. The security policy may be sent from the mobile communications device to the server for the server to apply the policy); and 
sending, by the control plane node, a session establishment response message to the UE based on the session establishment request message, wherein the session establishment response message comprises a security attribute of the session corresponding to the security requirement of the application (Mahaffey: [0211] At step 604, a secure network connection account may be generated at the server. The secure network connection account may be a temporary account that includes credentials for a secure network connection. [0212] At step 606, the credentials may be transmitted to the mobile communications device. The mobile communications device may use the credentials to automatically configure a secure network connection, such as a SNC connection. [0213] At step 608, a secure network connection may be established between the server and the mobile communications device in response to receiving the credentials from the mobile communications device).
Mahaffey teaches a request to establish a secure network connection and sending, by the server, a response to establish a secure network connection but does not explicitly teach: a session establishment request message; sending, by the control plane node, a session establishment response message and wherein the session establishment request message comprises a security capability of the UE. However, Mehr teaches:
a session establishment request message; sending, by the control plane node, a session establishment response message and wherein the session establishment request message comprises a security capability of the UE (Mehr: Column 20, lines 52-58: User or client devices can include … cellular, wireless and handheld devices running mobile software and capable of supporting a number of networking and messaging protocols. Column 8, lines 57-67 and column 9, lines 1-19: the handshake process may be any handshake for establishment of a cryptographically protected communications session. In a specific example, the system performing the process 300 initiates 302 the handshake process by receiving a TLS ClientHello message from the client. The ClientHello message may list for example, a set of cipher suites supported by the client (security capability of UE) where the set may have a single cipher suite specified or may have multiple cipher suites specified. Column 10, lines 35-56: Having selected 308 a cipher suite from the set of client supported cipher suites that match the planned use that was determined 304, a system performing the process 300 may complete 310 the handshake process using the selected cipher suite. The way in which the handshake process is completed 310 may vary in accordance with various embodiments. For instance, in the example of TLS, a server performing the process 300 may transmit a ServerHello message to the client, where the ServerHello message indicates to the client to use the selected 308 cipher suite. Column 18, lines 7-16 and column 2, lines 14-55).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Mehr in the invention of Mahaffey to include the above limitations. The motivation to do so would be to provide dynamic cipher suite selection based on planned session use (Mehr: column 2, lines 14-15).

As per claim 11, Mahaffey does not explicitly teach the limitations of the claim. However, Mehr teaches:
The method according to claim 10, wherein the security attribute comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location; and the security requirement of the application comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location (Mehr: column 4, lines 4-35: cipher suites for instance may not provide any data confidentiality but only data integrity. Such cipher suites may be suitable for instance, for data that are publicly available and generally for which confidentiality is not a requirement. Such cipher suites may provide the advantage in that assurance that data has not become corrupted while traversing a network are available while there is no need to utilize processing capacity for the purpose of encryption and decryption. Some cipher suites may provide data confidentiality but may be cryptographically weaker than other cipher suites. Cryptographic strength may be measured in various ways in accordance with various embodiments. For instance, cipher suites may be ranked in accordance with current understandings of resistance to cryptographic attacks. Cryptographic strength may also be measured in key size for an encryption or other algorithm of the cipher suite).
The examiner provides the same rationale to combine Mahaffey and Mehr as provided in claim 10 above. 

As per claim 13, Mahaffey does not explicitly teach the limitations of the claim. However, Mehr teaches:
The method according to claim 10, further comprising: determining, by the control plane node based on a local configuration policy, the security attribute of the session corresponding to the security requirement of the application; or receiving, by the control plane node, the security attribute of the session corresponding to the security requirement of the application from a subscription server; or receiving, by the control plane node, an index from a policy decision node; and determining, by the control plane node based on the index, the security attribute of the session corresponding to the security requirement of the application (Mehr: column 7, lines 54-67 and column 8, lines 1-29: In an embodiment, the service backend 214 maintains a repository 222 of resource metadata (resource metadata repository) that contains metadata about the resources managed by the service 208. In some embodiments, the resource metadata contains access control information (e.g., policies) additional to access control information stored in policies in the policy repository. The service frontend 210 may be configured to, when a request is received from the principal 202, query the service backend 214 for any applicable access control information and use any returned access control information in determining whether and/or how to fulfill a request. Access control information stored in a policy or resource metadata repository is associated with resources and specifies a set of cipher suites suitable for the resources. For a particular resource, the access control information may specify or otherwise indicate a set of cipher suites such that, to fulfill an API request received over a cryptographically protected communications session and involving the resource, the cryptographically protected communications session must utilize a cipher suite in the set).
The examiner provides the same rationale to combine Mahaffey and Mehr as provided in claim 10 above. 

Claims 4, 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Mehr as applied to claims 3 and 10 above, and further in view of prior art of record US 20150052348 to Robert Moskowitz (hereinafter Moskowitz).
As per claim 4, Mahaffey in view of Mehr does not teach: wherein the security attribute of the session corresponding to the security requirement of the application comprises an encrypted location, and the sending, by the UE, data of the application based on the security attribute of the session corresponding to the security requirement of the application comprises: determining, by the UE, an encapsulation format of the data of the application based on the encrypted location; and generating, by the UE, a data packet based on the encapsulation format of the data of the application and the data of the application, and sending the data packet. However, Moskowitz teaches:
wherein the security attribute of the session corresponding to the security requirement of the application comprises an encrypted location, and the sending, by the UE, data of the application based on the security attribute of the session corresponding to the security requirement of the application comprises: determining, by the UE, an encapsulation format of the data of the application based on the encrypted location; and generating, by the UE, a data packet based on the encapsulation format of the data of the application and the data of the application, and sending the data packet (Moskowitz: [0030] Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types. [0055]: Application 110-1 may negotiate, using the KMP, a session security envelope (SSE) encapsulation format type and a ciphersuite with application 110-2 based on a cost or bandwidth associated with network 120, or one or more links of network 120, that connects device 105-1 and device 105-2 (block 820). Application 110-1 and/or application 110-2 may select a SSE encapsulation format type and ciphersuite, for use when sending session layer payload data between app 110-1 and app 110-2, based on the known costs or bandwidths associated with network 120, or the one or more links of network 120. [0060]-[0062]: Application 110 may generate a SSE security encapsulated block(s) of the payload data based on the retrieved encapsulation format type (block 1015). Application 110 may pass the SSE security encapsulated block(s) and ICV to lower OSI layers for sending to the destination application (block 1030). Also, [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moskowitz in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to contribute to the ability to conserve network resources by reducing network costs (Moskowitz: [0017]).

As per claim 6, Mahaffey in view of Mehr does not teach: wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate the encapsulation format of the data of the application. However, Moskowitz teaches: 
wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate the encapsulation format of the data of the application (Moskowitz: [0030] Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types. [0055]: Application 110-1 may negotiate, using the KMP, a session security envelope (SSE) encapsulation format type and a ciphersuite with application 110-2 based on a cost or bandwidth associated with network 120, or one or more links of network 120, that connects device 105-1 and device 105-2 (block 820). Application 110-1 and/or application 110-2 may select a SSE encapsulation format type and ciphersuite, for use when sending session layer payload data between app 110-1 and app 110-2, based on the known costs or bandwidths associated with network 120, or the one or more links of network 120. [0060]-[0062]: Application 110 may generate a SSE security encapsulated block(s) of the payload data based on the retrieved encapsulation format type (block 1015). Application 110 may pass the SSE security encapsulated block(s) and ICV to lower OSI layers for sending to the destination application (block 1030). Also, [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moskowitz in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to contribute to the ability to conserve network resources by reducing network costs (Moskowitz: [0017]).

As per claim 14, Mahaffey in view of Mehr does not teach: wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate a user plane protocol stack used by the session corresponding to the security requirement of the application. However, Moskowitz teaches:
wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate a user plane protocol stack used by the session corresponding to the security requirement of the application (Moskowitz: [0030] Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types. [0055]: Application 110-1 may negotiate, using the KMP, a session security envelope (SSE) encapsulation format type and a ciphersuite with application 110-2 based on a cost or bandwidth associated with network 120, or one or more links of network 120, that connects device 105-1 and device 105-2 (block 820). Application 110-1 and/or application 110-2 may select a SSE encapsulation format type and ciphersuite, for use when sending session layer payload data between app 110-1 and app 110-2, based on the known costs or bandwidths associated with network 120, or the one or more links of network 120. [0060]-[0062]: Application 110 may generate a SSE security encapsulated block(s) of the payload data based on the retrieved encapsulation format type (block 1015). Application 110 may pass the SSE security encapsulated block(s) and ICV to lower OSI layers for sending to the destination application (block 1030). Also, [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moskowitz in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to contribute to the ability to conserve network resources by reducing network costs (Moskowitz: [0017]).

Claims 5, 7, 8, 12, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Mehr as applied to claims 1, 13 and 16 above, and further in view of prior art of record US 10735956 to Bae et al (hereinafter Bae).
As per claim 5, Mahaffey in view of Mehr does not teach: wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application. However, Bae teaches:
wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application (Bae: column 12, lines 55-67 and column 13, lines 1-15: In step S520, after generating the common AS security key, the terminal may generate UE capability. At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

As per claims 7 and 19, Mahaffey in view of Mehr does not teach: wherein the security attribute of the session is the security attribute of a slice corresponding to the session. However, Bae teaches: 
wherein the security attribute of the session is the security attribute of a slice corresponding to the session (Bae: column 12, lines 55-67 and column 13, lines 1-15: In step S520, after generating the common AS security key, the terminal may generate UE capability. At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

As per claim 8, Mahaffey in view of Mehr and Bae teaches: 
The method according to claim 7, wherein before the determining, by a UE, a security attribute of a session of the UE, the method further comprises: sending, by the UE, a registration request message to the control plane node; and receiving, by the UE, a registration response message from the control plane node, wherein the registration response message comprises a security attribute of a slice accessible by the UE, and the security attribute of the slice accessible by the UE comprises the security attribute of the slice corresponding to the session (Bae: column 13, lines 1-25: In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. The terminal may notify the network of all the security algorithm information that can be supported by the terminal during the initial access. In step S550, the core network may transmit an initial context setup request message to the base station 5G RAN. The initial context setup request message may include a security context for the network slice. The security context may include at least one of information related to the security algorithm, the network slice identifier information, and the AS security key information K.sub.5G-RAN, k. In step S560, the base station receiving the initial context setup message may store the AS security key information K.sub.5G-RAN, k. Next, in step S570, the base station may transmit RRC connection reconfiguration message (5G RRC connection reconfiguration) or attach accept message to the terminal as a response to the connection request message of the terminal. At this point, the RRC connection reconfiguration message or the attach accept message may include the network slice identifier set by the terminal. In step S580, the terminal receiving the RRC connection reconfiguration message or the attach accept message may use the network slice identifier to generate a security context. That is, the terminal may use the network slice identifier to generate the AS security key information K.sub.5G-RAN, k and verify the security algorithm to be used to generate the security context. Also, Column 10, lines 46-55: when the network slice is first registered, a terminal may be assigned a unique network slice identifier (unique NW slice ID) that may be identified within a service provider network or globally. The network slice identifier may be stored in HSS, and the terminal may receive the network slice identifier during the initial access procedure and use the received network slice identifier to generate security keys for each network slice).
The examiner provides the same rationale to combine Mahaffey in view of Mehr and Bae as in claim 7 above.

As per claim 12, Mahaffey in view of Mehr does not teach: wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application. However, Bae teaches: 
wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application (Bae: column 12, lines 55-67 and column 13, lines 1-15: In step S520, after generating the common AS security key, the terminal may generate UE capability. At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

As per claim 15, Mahaffey in view of Mehr does not teach: receiving, by the control plane node, a registration request message from the UE, wherein the registration request message comprises configured network slice selection assistance information; determining, by the control plane node based on the configured network slice selection assistance information, a security attribute of a slice accessible by the UE; and sending, by the control plane node, a registration response message to the UE, wherein the registration response message comprises the security attribute of the slice accessible by the UE. However, Bae teaches:
wherein before the receiving, by a control plane node, a session establishment request message from UE, the method further comprises: receiving, by the control plane node, a registration request message from the UE, wherein the registration request message comprises configured network slice selection assistance information (Bae: column 12, lines 65-67 and column 13, lines 1-25: At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability); 
determining, by the control plane node based on the configured network slice selection assistance information, a security attribute of a slice accessible by the UE; and sending, by the control plane node, a registration response message to the UE, wherein the registration response message comprises the security attribute of the slice accessible by the UE (Bae: In step S550, the core network may transmit an initial context setup request message to the base station 5G RAN. The initial context setup request message may include a security context for the network slice. The security context may include at least one of information related to the security algorithm, the network slice identifier information, and the AS security key information K.sub.5G-RAN, k. In step S560, the base station receiving the initial context setup message may store the AS security key information K.sub.5G-RAN, k. Next, in step S570, the base station may transmit RRC connection reconfiguration message (5G RRC connection reconfiguration) or attach accept message to the terminal as a response to the connection request message of the terminal. At this point, the RRC connection reconfiguration message or the attach accept message may include the network slice identifier set by the terminal. In step S580, the terminal receiving the RRC connection reconfiguration message or the attach accept message may use the network slice identifier to generate a security context. That is, the terminal may use the network slice identifier to generate the AS security key information K.sub.5G-RAN, k and verify the security algorithm to be used to generate the security context. Also, Column 10, lines 46-55: when the network slice is first registered, a terminal may be assigned a unique network slice identifier (unique NW slice ID) that may be identified within a service provider network or globally. The network slice identifier may be stored in HSS, and the terminal may receive the network slice identifier during the initial access procedure and use the received network slice identifier to generate security keys for each network slice).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Mehr to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 9027076 to Roach et al: An approach is provided for causing a change in a security policy of a device based on contextual information. The approach involves determining context information associated with a device. The approach also involves determining a security policy of the device. The approach further involves determining a change of the context information. The approach additionally involves processing the determined change of the context information to cause, at least in part, a revision of the security policy of the device.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438