DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/28/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/921781 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because: 
Instant application

1. A method performed by a distributed security system to secure a 5G network from a cyberattack, the method comprising:
instantiating an agent component of the security system, wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter, and wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of a cyberattack, and the threat parameter relates to a source of the cyberattack;
processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter;
comparing, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes malicious VRT traffic;
communicating, by the agent component to a central component, at least an indication of the VRT score, the incoming network traffic, or the security model; wherein the central component collects VRT information from multiple agent components distributed at respective 5G networks and generates updates for the multiple agent components based on the collected VRT information; receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information; and training the security model based on the update.

4. The method of claim 1 further comprising: based on the VRT score, diverting the incoming network traffic to a destination other than an intended destination of the incoming network traffic.

5. The method of claim 1 further comprising: based on the VRT score, quarantining the incoming network traffic in a containment area that is communicatively separate and distinct from the 5G network.

Copending Application No. 16/921781

1. A method performed by a security system to secure a 5G network from a cyberattack, the method comprising:
instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that is based on a vulnerability parameter, a risk parameter, and a threat parameter, wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack;
processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; and
causing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include blocking the incoming network traffic at the perimeter of the 5G network.

7. The method of claim 1, wherein causing the one or more actions comprises: determining that the VRT score exceeds a threshold value, wherein a VRT score less than the threshold value is indicative of non-VRT traffic and a VRT score greater than the threshold value is indicative of VRT traffic; …

2. The method of claim 1, wherein the one or more actions comprise: communicating at least an indication of the incoming network traffic to a central database, wherein the central database manages information about multiple VRT parameters collected from multiple networks including the 5G network; receiving an update from the central database, wherein the update includes information about the multiple VRT parameters collected from the multiple networks; and training the security model based on the update.

5. The method of claim 1, wherein the one or more actions comprise: redirecting the incoming network traffic to a destination other than an intended destination of the incoming network traffic.

8. The method of claim 1, wherein causing the one or more actions comprises: determining that the VRT score exceeds a threshold value, wherein a VRT score less than the threshold value is indicative of non-VRT traffic and a VRT score greater than the threshold value is indicative of VRT traffic; and responsive to the VRT score exceeding the threshold value, redirecting the incoming network traffic to a containment area in lieu of an intended destination of the incoming network traffic, wherein the containment area is communicatively separate from the 5G network.

Similarly, the rest of the independent and dependent claims are analogous to the rest of the independent and dependent claims of the instant application. 
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/921791 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because: 
Instant application

1. A method performed by a distributed security system to secure a 5G network from a cyberattack, the method comprising:
instantiating an agent component of the security system, wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter, and wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of a cyberattack, and the threat parameter relates to a source of the cyberattack;
processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter;
comparing, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes malicious VRT traffic;
communicating, by the agent component to a central component, at least an indication of the VRT score, the incoming network traffic, or the security model;
wherein the central component collects VRT information from multiple agent components distributed at respective 5G networks and generates updates for the multiple agent components based on the collected VRT information;
receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information; and
training the security model based on the update.

5. The method of claim 1 further comprising: based on the VRT score, quarantining the incoming network traffic in a containment area that is communicatively separate and distinct from the 5G network.

6. The method of claim 1, wherein an edge device of the 5G network includes the agent component.

8. The method of claim 1 further comprising: detecting that the cyberattack to the 5G network has been thwarted; and terminating the instantiation of the agent component.

Copending Application No. 16/921791

1. A method performed by a security system to secure a 5G network from a cyberattack, the method comprising:
instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model including a vulnerability parameter, a risk parameter, and a threat parameter, wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack;
processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter;
based on the VRT score, redirecting the incoming network traffic to a containment area that mimics an intended destination or related process for the incoming network traffic; mimicking the intended destination or related process for the incoming network traffic for a time period, wherein the time period is set to induce malicious activity by the incoming network traffic; detecting that the incoming network traffic includes malicious VRT traffic; and in response to detecting that the incoming network traffic includes malicious VRT traffic, performing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include preventing the incoming network traffic from being communicated to the intended destination.

3. The method of claim 1 further comprising: communicating at least an indication of the malicious VRT traffic to a central database, wherein the central database manages VRT information collected from multiple networks including the 5G network; receiving an update from the central database, wherein the update includes at least an indication of the VRT information collected from the multiple networks; and training the security model based on the update.

8. The method of claim 1, wherein the containment area includes a network that is separate and distinct from the 5G network such that malicious activity of the incoming network traffic is induced separate and distinct from the 5G network.

7. The method of claim 1, wherein the 5G network includes an edge device that includes the security system to perform the one or more actions by the edge device.

9. The method of claim 1 further cased to: determining that the cyberattack to the 5G network has been thwarted; and terminating the instantiation of the security system.

Similarly, the rest of the independent and dependent claims are analogous to the rest of the independent and dependent claims of the instant application.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 6-11 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over WO 2021152262 to Sedjelmaci (hereinafter Sedjelmaci), US 9516053 to Muddu et al (hereinafter Muddu) and US 20150373043 to Wang et al (hereinafter Wang).
Examiner’s Note: The examiner used a translated version of WO2021152262. The translated version of the document is attached to the end of the original document.
As per claim 1, Sedjelmaci teaches:
A method performed by a distributed security system to secure a 5G network from a cyberattack, the method comprising: 
instantiating an agent component of the security system, wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter (Sedjelmaci: [0006], lines 39-40: the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks. [0047], lines 493-495: the intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as an MEC server for Mobile Edge Computing), located at the edge of the network. [0089], lines 703-706: The functional modules of the intrusion detection device 2 include in particular, as illustrated in FIG. 1 for only one of the IoTD connected objects for the sake of simplification, a first intrusion detection module 2A, configured to apply during of successive iterations to a plurality of subsets of data, a first technique for detecting intrusions. [0095]-[0096], lines 759-773: The intrusion detection device 2 comprises a plurality of other functional modules defined by the instructions of the program PROG and activated if (and only if here) an anomaly is detected by the first detection module 2A in one of the subsets of data that it analyzes. These functional modules include: a second intrusion detection module 2B, configured to apply to this subset of data a second intrusion detection technique denoted D. In the embodiment described here, the second technique D uses an automatic learning algorithm (security model) known per se. This automatic learning algorithm is also based on an artificial neural network whose parameters are denoted QD), and 
communicating, by the agent component to a central component, at least an indication of the VRT score, the incoming network traffic, or the security model (Sedjelmaci: [0110], lines 820-822: In the embodiment described here, the 2D alert module is configured to notify a security operations center 8 (also designated by SOC 8) supervising a plurality of distinct nodes of the NW network and in particular the connected objects IoTD. [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network, and more particularly, to process the information transmitted by the 2D alert modules of the intrusion detection devices 2 according to the invention embedded in nodes of the network NW, in relation to the data monitored (incoming network traffic) by the intrusion detection devices 2 and/or the anomalies detected by them in these data and/or the configuration of the detection techniques G, D and/or LF used by them to monitor this data (security model). Also, [0135]-[0138], lines 1176-1189); 
wherein the central component collects VRT information from multiple agent components distributed at respective 5G networks (Sedjelmaci: [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network); 
Sedjelmaci teaches detection of cyberattacks ([0005], lines 31-32) using automatic learning techniques (security model) but does not teach: a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of a cyberattack, and the threat parameter relates to a source of the cyberattack; processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; comparing, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes malicious VRT traffic; wherein the central component generates updates for the multiple agent components based on the collected VRT information; receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information; and training the security model based on the update. However, Muddu teaches: 
a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of a cyberattack, and the threat parameter relates to a source of the cyberattack (Muddu: column 15, lines 56-63: Different machine learning models may evaluate different aspects of the pre-processed event data received from the distribution block 320. The machine learning models can also generate security-related scores for the events. Column 58, lines 55-64: Process 2500 begins at step 2502 with receiving event data 2302 indicative of activity by a particular entity associated with a computer network. Column 59, lines 26-53. Column 60, lines 12-26: Process 2600 continues at step 2604 with assigning a threat indicator score based on processing the anomaly data 2304. Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: FIG. 28 illustrates a second use case for identifying threat indicators based on entity associations with detected anomalies. In some embodiments, the use case described in FIG. 28 involves a process that begins with determining a measure (e.g. a count) of anomalies associated with a particular entity of the computer network. The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 75, lines 43-48. Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter));
processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score); 
comparing, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes malicious VRT traffic (Muddu: column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score indicative of the probability or likelihood that malware is present in the computer network given the set of feature scores for a particular entity); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Sedjelmaci to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).
Sedjelmaci in view of Muddu does not teach: wherein the central component generates updates for the multiple agent components based on the collected VRT information; receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information; and training the security model based on the update. However, Wang teaches:
wherein the central component generates updates for the multiple agent components based on the collected VRT information (Wang: [0088], [0090], [0091]: Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions);
receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information (Wang: [0092] Flow moves from operation 480 to operation 485 where the centralized controller 240 transmits result data of training of the global model(s) to the data analysis engine 220. The result data may include not only the results of training the global model(s) (e.g., a blacklist of known threats) but also information of the modeling itself so that the data analysis engine 220 can refine or adapt the local modeling. For example, the information received from the centralized controller 240 to refine a local model may include information specifying a feature modification for the local model (e.g., removing features, prioritizing certain features, and/or adding features), intermediate results of training a global model such as a risk probability score associated with the feature(s) of the local model, and/or a modification to the algorithm of the local model); and 
training the security model based on the update (Wang: [0060] The local threat intelligence module 345 receives and caches information from the centralized controller 240 and also manages refining local threat intelligence based on the data received from the centralized controller 240 and network sensor engines 200. The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. Also, [0094]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wang in the invention of Sedjelmaci in view of Muddu to include the above limitations. The motivation to do so would be to perform adaptive threat modeling between global and local threat intelligence (Wang: [0075]). 

As per claims 11 and 19, Sedjelmaci teaches:
A security system comprising: 
a processor; and a memory coupled to the processor and configured to store instructions that, when executed by the processor (Sedjelmaci: [0087], lines 680-681 and [0088], lines 688-691), cause the security system to: 
instantiate an agent component of the security system for a 5G network, wherein the agent component is instantiated in response to detecting an indication of a cyberattack; wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter (Sedjelmaci: [0006], lines 39-40: the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks. [0047], lines 493-495: the intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as an MEC server for Mobile Edge Computing), located at the edge of the network. [0089], lines 703-706: The functional modules of the intrusion detection device 2 include in particular, as illustrated in FIG. 1 for only one of the IoTD connected objects for the sake of simplification, a first intrusion detection module 2A, configured to apply during of successive iterations to a plurality of subsets of data, a first technique for detecting intrusions. [0095]-[0096], lines 759-773: The intrusion detection device 2 comprises a plurality of other functional modules defined by the instructions of the program PROG and activated if (and only if here) an anomaly is detected by the first detection module 2A in one of the subsets of data that it analyzes. These functional modules include: a second intrusion detection module 2B, configured to apply to this subset of data a second intrusion detection technique denoted D. In the embodiment described here, the second technique D uses an automatic learning algorithm (security model) known per se. This automatic learning algorithm is also based on an artificial neural network whose parameters are denoted QD), and 
communicate, by the agent component to a central component, at least an indication of the incoming network traffic (Sedjelmaci: [0110], lines 820-822: In the embodiment described here, the 2D alert module is configured to notify a security operations center 8 (also designated by SOC 8) supervising a plurality of distinct nodes of the NW network and in particular the connected objects IoTD. [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network, and more particularly, to process the information transmitted by the 2D alert modules of the intrusion detection devices 2 according to the invention embedded in nodes of the network NW, in relation to the data monitored (incoming network traffic) by the intrusion detection devices 2 and/or the anomalies detected by them in these data and/or the configuration of the detection techniques G, D and/or LF used by them to monitor this data (security model). Also, [0135]-[0138], lines 1176-1189), 
wherein the central component collects VRT information from multiple agent components distributed at respective 5G networks (Sedjelmaci: [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network); 
Sedjelmaci teaches detection of cyberattacks ([0005], lines 31-32) using automatic learning techniques (security model) but does not teach: a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of a cyberattack; process, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; compare, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes VRT traffic; communicate, by the agent component to a central component, at least an indication of the VRT score; wherein the central component generates updates for the multiple agent components based on the collected VRT information; receive, by the agent component from the central component, an update that includes at least an indication of the collected VRT information, wherein the update is used to train the security model. However, Muddu teaches: 
a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of a cyberattack (Muddu: column 15, lines 56-63: Different machine learning models may evaluate different aspects of the pre-processed event data received from the distribution block 320. The machine learning models can also generate security-related scores for the events. Column 58, lines 55-64: Process 2500 begins at step 2502 with receiving event data 2302 indicative of activity by a particular entity associated with a computer network. Column 59, lines 26-53. Column 60, lines 12-26: Process 2600 continues at step 2604 with assigning a threat indicator score based on processing the anomaly data 2304. Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: FIG. 28 illustrates a second use case for identifying threat indicators based on entity associations with detected anomalies. In some embodiments, the use case described in FIG. 28 involves a process that begins with determining a measure (e.g. a count) of anomalies associated with a particular entity of the computer network. The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 75, lines 43-48. 
Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter)); 
process, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score); 
compare, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes VRT traffic (Muddu: column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score indicative of the probability or likelihood that malware is present in the computer network given the set of feature scores for a particular entity); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Sedjelmaci to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).
Sedjelmaci in view of Muddu does not teach: communicate, by the agent component to a central component, at least an indication of the VRT score; wherein the central component generates updates for the multiple agent components based on the collected VRT information; receive, by the agent component from the central component, an update that includes at least an indication of the collected VRT information, wherein the update is used to train the security model. However, Wang teaches:
communicate, by the agent component to a central component, at least an indication of the VRT score (Wang: [0059]: The data transmitted to the centralized controller 240 is referred to as analysis engine data 360. The analysis engine data 360 may include derived risk modeling scores that may be attached to each flow record, which can be used for joint intelligence in the centralized controller 240); 
wherein the central component generates updates for the multiple agent components based on the collected VRT information (Wang: [0088], [0090], [0091]: Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions); 
receive, by the agent component from the central component, an update that includes at least an indication of the collected VRT information (Wang: [0092] Flow moves from operation 480 to operation 485 where the centralized controller 240 transmits result data of training of the global model(s) to the data analysis engine 220. The result data may include not only the results of training the global model(s) (e.g., a blacklist of known threats) but also information of the modeling itself so that the data analysis engine 220 can refine or adapt the local modeling. For example, the information received from the centralized controller 240 to refine a local model may include information specifying a feature modification for the local model (e.g., removing features, prioritizing certain features, and/or adding features), intermediate results of training a global model such as a risk probability score associated with the feature(s) of the local model, and/or a modification to the algorithm of the local model),  
wherein the update is used to train the security model (Wang: [0060] The local threat intelligence module 345 receives and caches information from the centralized controller 240 and also manages refining local threat intelligence based on the data received from the centralized controller 240 and network sensor engines 200. The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. Also, [0094]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wang in the invention of Sedjelmaci in view of Muddu to include the above limitations. The motivation to do so would be to perform adaptive threat modeling between global and local threat intelligence (Wang: [0075]).
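For clarity of the claim 1 structure analyzed above (agent-side security model with vulnerability, risk and threat parameters; VRT score compared with a threshold; reports to a central component that aggregates VRT information from several agents and returns an update used to train the local model), the following Python sketch is an illustration added here by the editor. It is not the applicant's disclosed implementation and is not code from Sedjelmaci, Muddu or Wang. The scoring rules, weights, threshold, the "two independent agents agree" aggregation rule, the class and field names, and the sample traffic records are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class SecurityModel:
    """Agent-side security model with the three claimed parameters.

    Each parameter is scored in [0, 1]; the VRT score is their weighted sum.
    The scoring rules below are simplified placeholders chosen for this example.
    """
    w_vuln: float = 1.0
    w_risk: float = 1.0
    w_threat: float = 1.0
    threshold: float = 1.5                      # decision threshold for "VRT traffic"
    known_bad_sources: set = field(default_factory=set)

    def vulnerability(self, rec):
        # susceptibility of the network: is the targeted service known-exposed?
        return 1.0 if rec["exposed"] else 0.0

    def risk(self, rec):
        # scope of the attack: how many hosts the flow has touched (capped at 1.0)
        return min(rec["hosts_touched"] / 10.0, 1.0)

    def threat(self, rec):
        # source of the attack: has this source been confirmed by other agents?
        return 1.0 if rec["src"] in self.known_bad_sources else 0.0

    def vrt_score(self, rec):
        return round(self.w_vuln * self.vulnerability(rec)
                     + self.w_risk * self.risk(rec)
                     + self.w_threat * self.threat(rec), 2)


@dataclass
class Agent:
    name: str
    model: SecurityModel = field(default_factory=SecurityModel)

    def process(self, traffic):
        """Score each record, compare with the threshold, and build the report
        sent to the central component (indication of the traffic plus its score)."""
        reports = []
        for rec in traffic:
            score = self.model.vrt_score(rec)
            reports.append({"agent": self.name, "src": rec["src"],
                            "score": score, "flagged": score >= self.model.threshold})
        return reports

    def train(self, update):
        """Apply the central component's update to the local security model."""
        self.model.known_bad_sources |= set(update["known_bad_sources"])


class Central:
    """Central component: collects VRT reports from all agents, derives a
    common view, and generates the update pushed back to every agent."""

    def __init__(self, min_agents=2):
        self.min_agents = min_agents
        self.reports = []

    def collect(self, reports):
        self.reports.extend(reports)

    def generate_update(self):
        seen = {}
        for r in self.reports:
            if r["flagged"]:
                seen.setdefault(r["src"], set()).add(r["agent"])
        # A source is promoted to the shared known-bad set only when independent
        # agents agree, so one noisy or compromised agent cannot poison the view.
        bad = sorted(s for s, agents in seen.items() if len(agents) >= self.min_agents)
        return {"known_bad_sources": bad, "report_count": len(self.reports)}


# Constructed sample traffic records (not from any real capture).
TRAFFIC_A = [
    {"src": "203.0.113.7",  "exposed": True,  "hosts_touched": 12},
    {"src": "198.51.100.4", "exposed": False, "hosts_touched": 2},
    {"src": "192.0.2.9",    "exposed": True,  "hosts_touched": 3},
]
TRAFFIC_B = [
    {"src": "203.0.113.7",  "exposed": True,  "hosts_touched": 8},
    {"src": "192.0.2.9",    "exposed": False, "hosts_touched": 1},
]


def run_round():
    """One full cycle: agents score, central aggregates, agents retrain."""
    agents = [Agent("edge-A"), Agent("edge-B")]
    central = Central()
    for agent, traffic in zip(agents, (TRAFFIC_A, TRAFFIC_B)):
        central.collect(agent.process(traffic))
    update = central.generate_update()
    for agent in agents:
        agent.train(update)
    # Re-score B's first record after the update: the threat parameter now
    # contributes because its source is in the shared known-bad set.
    rescored = agents[1].model.vrt_score(TRAFFIC_B[0])
    return update, rescored


if __name__ == "__main__":
    print(run_round())
```

In this sketch the update carries only the collected source reputations; a fuller version would also let the central component return adjusted weights or a new threshold, which is the kind of "feature modification for the local model" the Wang passage quoted below describes. The agreement rule in generate_update is the practitioner's caveat: a single agent's flag must not silently become global truth.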

As per claim 2, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1, wherein the security model is a local security model, the VRT information includes at least indications of local security models of the multiple agent components and the update is based on a common security model (Wang: [0060]: the data analysis engine 220A may include a number of machine learning models that are trained using data received from the network sensor engines 200A1-200AM and/or using data derived from the data received from the network sensor engines 200A1-200AM locally (these models are sometimes referred herein as “local models”). The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. [0088], [0090], [0091]: Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions. Also, [0094]).

As per claims 6 and 14, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1, wherein an edge device of the 5G network includes the agent component (Sedjelmaci: [0006], lines 39-40: the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks. [0061], lines 493-495: intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as an MEC server for Mobile Edge Computing), located at the edge of the network).

As per claims 7 and 15, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1, wherein each of the multiple agent components operate independently (Sedjelmaci: Fig. 1 and [0062], lines 628-634: For the sake of simplification and in no way limiting, only three IoTD connected objects have been represented in FIG. 1. [0085], lines 651-658: Each of the IoTD connected objects incorporates, in the embodiment described here, an intrusion detection device 2 according to the invention, and configured to monitor the data exchanged on the NW network passing through this connected object (e.g., data sent and/or received by the connected object in question)).

As per claims 8, 16 and 20, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1 further comprising: detecting that the cyberattack to the 5G network has been thwarted (Sedjelmaci: [0100], lines 829-830: Such a security operations center 8 can also trigger, if necessary, actions to mitigate the attacks detected in the network NW. [0140], lines 120-122: In addition, other third-party entities can be notified of the anomaly detected, for example entities capable of triggering mitigation actions to stop the progression of the attack detected by the device 2 for detecting intrusions); and terminating the instantiation of the agent component (Sedjelmaci: [0095], lines 759-761: The intrusion detection device 2 comprises a plurality of other functional modules defined by the instructions of the program PROG and activated if (and only if here) an anomaly is detected by the first detection module 2A in one of the subsets of data that it analyzes. It is inherent that these modules are deactivated (terminated) once the detection process for a previous anomaly has finished, since they are activated only for the current period in which an anomaly is detected by the first detection module).

As per claims 9 and 17, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1 further comprising, prior to receiving the update: generating a copy of the incoming network traffic; detecting that the incoming network traffic is VRT traffic; and communicating the copy of the incoming network traffic to the central component (Wang: [0032] As shown, the security framework 110 may be communicatively coupled with the transmission medium 130 via a network interface 150. In general, the network interface 150 operates as a data capturing device (sometimes referred to as a “tap” or “network tap”) that is configured to receive information propagating to/from one or more endpoint devices 170 and provide at least some of this information to the security framework 110. Of course, input information from the network interface 150 may be duplicative from the information originally detected during propagation to/from the targeted endpoint device 170 (copy of network traffic). [0058] The data analysis engines 220A-220L receive and store data sent from the respectively connected network sensor engine and is configured to (i) provide open Application Programming Interface (API) access to the stored network sensor data, (ii) conduct analytics on the network sensor data, (iii) transmit at least a portion of information it has received and/or generated to the centralized controller 240. [0061] The entity risk modeling engine 340 models and monitors the risk of threats for each individual user of the customer for a certain duration of time. In one embodiment, the events are aggregated when assigning a risk score for the user).

As per claims 10 and 18, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1, wherein the security model is a local machine learning model that is trained based on local VRT information and based on a machine learning model at the central component that is trained based on the collected VRT information (Wang: [0060]: the data analysis engine 220A may include a number of machine learning models that are trained using data received from the network sensor engines 200A1-200AM and/or using data derived from the data received from the network sensor engines 200A1-200AM locally (these models are sometimes referred herein as “local models”). The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. [0088], [0090], [0091]: Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions. Also, [0094]).

Claims 3-5, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Sedjelmaci in view of Muddu and Wang as applied to claims 1 and 11 above, and further in view of US 20150341379 to Lefebvre et al (hereinafter Lefebvre).
As per claim 3, Sedjelmaci in view of Muddu and Wang teaches:
The method of claim 1 further comprising: causing one or more actions based on the VRT score to thwart the cyberattack (Muddu: column 12, lines 8-13: The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like).
Sedjelmaci in view of Muddu and Wang does not teach: wherein the one or more actions include quarantining the incoming network traffic at the agent component. However, Lefebvre teaches:
wherein the one or more actions include quarantining the incoming network traffic at the agent component (Lefebvre: [0071]: In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole (quarantining network traffic), e.g., silently discard or redirect, traffic to or from the particular device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lefebvre in the invention of Sedjelmaci in view of Muddu and Wang to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).
	
As per claims 4 and 12, Sedjelmaci in view of Muddu and Wang does not teach the limitations of claim 4. However, Lefebvre teaches: 
further comprising: based on the VRT score, diverting the incoming network traffic to a destination other than an intended destination of the incoming network traffic (Lefebvre: [0071] The user interface 300 may receive input indicating a request for a menu of actions available for a particular device in response to a high node anomaly score. In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole (diverting network traffic to another destination), e.g., silently discard or redirect, traffic to or from the particular device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lefebvre in the invention of Sedjelmaci in view of Muddu and Wang to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

As per claims 5 and 13, Sedjelmaci in view of Muddu and Wang does not teach the limitations of claim 5. However, Lefebvre teaches:
further comprising: based on the VRT score, quarantining the incoming network traffic in a containment area that is communicatively separate and distinct from the 5G network (Lefebvre: [0071] The user interface 300 may receive input indicating a request for a menu of actions available for a particular device in response to a high node anomaly score. In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole (diverting network traffic to a containment area), e.g., silently discard or redirect, traffic to or from the particular device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lefebvre in the invention of Sedjelmaci in view of Muddu and Wang to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 20190380037 to Lifshitz et al: Detecting, mitigating and isolating a Signaling Storm, particularly in 5G communication networks. A Control Plane signal probe is connected at a first network node located between a Radio Access Network and a 5G Core Network, to monitor control messages originating from 5G-capable devices. A User Plane signal probe is connected at a second network node located between the 5G Core Network and remote entities to which the 5G-capable devices are sending messages, to monitor control messages passing through the second network node. An Inventory Management sub-system stores data correlating between 5G-capable devices and IMSI numbers. A Protector Unit is configured to receive (i) data collected by the Control Plane signal probe, and (ii) data collected by the User Plane signal probe, and (iii) a subset of IMSI numbers. The Protector Unit performs Machine Learning analysis, and detects and quarantines particular 5G-capable devices that are compromised or malfunctioning.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438