DETAILED ACTION
This communication is in response to applicant’s response filed under 37 C.F.R §1.111 in response to a non-final office action.  Claims 1, 8, 11, 18 are amended;  Claims 1 – 20 are currently pending and subject to examination.

Response to Arguments
Applicant’s arguments with respect to claims 1 – 20 filed in the remarks dated 12/07/2021 have been considered but they are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1 – 4, 6, 8, 9, 11 - 15, 17 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Obaidi (US 20180176775 A1) in view of Chen et al. (US 20160345179 A1).

Regarding claim 1, Obaidi discloses a method (Obaidi, FIG. 3), comprising: receiving, by one or more network devices (Obaidi, FIG. 1, infrastructure node 106 in relation to FIG. 2, node 204) of an application service layer network (Obaidi, FIG. 1, network 100), a service request from an application server device (Obaidi, [0077] peer computing device) for a latency certification service (Obaidi, [0054] the service node includes a root-of-trust device, where the root-of-trust device can store cryptographic data such as at least one shared secret, private key, or unique identification value and can compute cryptographic primitives, such as hashes or signatures in relation to [0077] the service node can receive a request from a peer computing device via the communications interface, where the peer computing device may be a computing device such as a terminal, an infrastructure node, or a remote computing device); 
instantiating, by the one or more network devices and in response to the service request, a Transmission Control Protocol (TCP) proxy (Obaidi, [0052] a monitoring application, in response to work-sharing information from a control node, can cause a network functional module to be executed by the processor in a trusted execution environment) for a data session between the application server device and a user equipment (UE) device (Obaidi, [0023] an infrastructure node can provide session-control services to computing devices in relation to [0033] the computing device, in response to actuation by the second user of a “Send” control, can transmit an initiation request of a communication session); 
obtaining, by the TCP proxy, a digital certificate (Obaidi, [0023] the service node processor can provide data to root-of-trust device, which can cryptographically sign the data using a private key kept secret within the root-of-trust device in relation to [0080] the service node can compute a hash, cryptographic signature, or other representation of computer program instructions, header fields, or other information of the monitoring application); 
Obaidi, [0059] the service node can establish an authenticated connection with a control node via the communications interface, where the authenticated connection can include any connection over which messages can be transmitted together with reliable information about the source of those messages); 
applying, by the TCP proxy, a validation to the data packet to form a certified data packet (Obaidi, [0059] the authenticated connection can be established, using Transmission Control Protocol (TCP) over Internet Protocol (IP) or other protocols or protocol stacks in relation to [0060] service node can validate a trusted execution environment of the service node to provide a validation result, including hashing or checksumming of computer program code of the trusted execution environment ; verification of cryptographic signatures of such program code); and 
forwarding, by the TCP proxy, the validated data packet to the application server device (Obaidi, [0065] the service node can transmit an indication of the validation result to the control node via the authenticated connection, where the indication can comprise the validation result or a packet including or otherwise indicating the validation result in relation to [0080] – [0081] a first authenticity data may be based on a nonce including a timestamp, UUID, or random value, where the service node can transmit the first authenticity data to the control node via the communications interface).

Chen et al., for example, from an analogous field of endeavor (Chen et al., [0059] ingress (receiving end) hardware timestamping in an Ethernet switch is done based on source/destination IP and Security Parameter Index (SPI) and the egress (transmitting end) will put a statistically estimated edge timestamp offset in the Residence Time field) suggests applying a certified timestamp to the data packet to form a certified timestamped data packet (Chen et al., [0122] the GW includes a Network Processor module, a Time Stamp module associated with an Ethernet Switch in relation to [0138] from the egress side, the timestamp assigned by the timing module for egress packets (T) is expressed by T = t3 + (estimated offset)).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine applying a certified timestamp to the data packet to form a certified timestamped data packet as taught by Chen et al. with the system of Obaidi in order to mitigate various man-in-the-middle attacks (Chen et al., [0141]).

Regarding claim 2, 12, Obaidi - Chen et al. disclose inserting the certified timestamp within an options field of a TCP header for the data packet (Chen et al., [0147] the egress (transmitting end) 1588 in IPsec will put a statistically estimated edge timestamp offset (t1′- t1 for SYNC; t3′- t3 for Delay_Req) in the Residence Time field).  The motivation is the same as in claim 1.

Regarding claims 3, Obaidi - Chen et al. disclose inserting the certified timestamp within a shim header for the data packet; or wrapping the data packet in another header that includes the certified timestamp (Chen et al., [0156] at a transmitting node, an unencrypted timing message originated at a clock and is timestamped, then encrypted as an IPSec message in ESP tunnel mode).  The motivation is the same as in claim 1. 

Regarding claims 4, 13, Obaidi - Chen et al. disclose generating a signature based on the digital certificate (Obaidi, [0059] establishing the authenticated connection can include at least one of: symmetric or asymmetric encryption of communications, using the Blowfish, Advanced Encryption Standard (AES), or Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols (https); key exchange, using Diffie-Hellman or other algorithms; transmission of nonces, [all considered signatures]); 
obtaining a time value from a master timing source in the application service layer network (Chen et al., [0093] slave nodes shall only take timing service from trusted Grand Master Clocks and Boundary clocks); and 
adding the signature and the time value to the data packet (Chen et al., [0156] at a transmitting node, an unencrypted timing message is originated at a clock and is timestamped).  The motivation is the same as in claim 1. 

et al. disclose the TCP proxy includes an instance of a virtual machine executing on the one or more network devices (Obaidi, [0052] a trusted execution environment may include, a sandbox, dedicated hardware, or virtual machine conforming with predetermined security requirements in relation to [0053] the trusted execution environment can include a portion, timeslice, or execution mode of the processor, computer-readable media, or other resources of the service node operated by a supervisor or hypervisor).

Regarding claims 8, 17, Obaidi - Chen et al. disclose after instantiating, providing, to the application server device, a network address for the TCP proxy (Obaidi, [0110] the service node can transmit to control node the indication, a hostname, network address, UUID, or other identifying information).

Regarding claim 9, Obaidi - Chen et al. disclose determining, by the one or more network devices, that the data session between the application server device and the UE device has ended (Obaidi, [0022] the signaling information can additionally or alternatively include information relating to call setup and teardown, SIP INVITE or BYE requests, or SIP 100 Trying, 180 Ringing, or 200 OK responses, [the BYE request indicates end of an established session]); and tearing down the TCP proxy based on the determining (Obaidi, [0048] the processor-executable instructions of the client application can be executed by the processor to perform registration or call setup or teardown).

Regarding claim 11, Obaidi discloses a network device (Obaidi, FIG. 1, infrastructure node 106 in relation to FIG. 2, node 204) in an application service layer network (Obaidi, FIG. 1, network 100), the network device comprising: 
a communications interface (Obaidi, FIG. 2, interface 236); a memory to store instructions (Obaidi, FIG. 2, computer readable media 232); and one or more processors (Obaidi, FIG. 2, processor 228), wherein the one or more processors execute the instructions to: 
receive, from an application server device (Obaidi, [0077] peer computing device), a service request for a latency certification service (Obaidi, [0054] the service node includes a root-of-trust device, where the root-of-trust device can store cryptographic data such as at least one shared secret, private key, or unique identification value and can compute cryptographic primitives, such as hashes or signatures in relation to [0077] the service node can receive a request from a peer computing device via the communications interface, where the peer computing device may be a computing device such as a terminal, an infrastructure node, or a remote computing device); 
instantiate, in response to the service request, a Transmission Control Protocol (TCP) proxy (Obaidi, [0052] a monitoring application, in response to work-sharing information from a control node, can cause a network functional module to be executed by the processor in a trusted execution environment) for a data session between the application server device and a user equipment (UE) device (Obaidi, [0023] an infrastructure node can provide session-control services to computing devices in relation to [0033] the computing device, in response to actuation by the second user of a “Send” control, can transmit an initiation request of a communication session); 
obtain a digital certificate for the TCP proxy (Obaidi, [0023] the service node processor can provide data to root-of-trust device, which can cryptographically sign the data using a private key kept secret within the root-of-trust device in relation to [0080] the service node can compute a hash, cryptographic signature, or other representation of computer program instructions, header fields, or other information of the monitoring application); 
receive, at the TCP proxy and from the UE device, a data packet from the UE device for the application server device (Obaidi, [0059] the service node can establish an authenticated connection with a control node via the communications interface, where the authenticated connection can include any connection over which messages can be transmitted together with reliable information about the source of those messages); 
apply, by the TCP proxy, a validation to the data packet to form a certified data packet (Obaidi, [0059] the authenticated connection can be established, using Transmission Control Protocol (TCP) over Internet Protocol (IP) or other protocols or protocol stacks in relation to [0060] service node can validate a trusted execution environment of the service node to provide a validation result, including hashing or checksumming of computer program code of the trusted execution environment; verification of cryptographic signatures of such program code); and 
Obaidi, [0065] the service node can transmit an indication of the validation result to the control node via the authenticated connection, where the indication can comprise the validation result or a packet including or otherwise indicating the validation result in relation to [0080] – [0081] a first authenticity data may be based on a nonce including a timestamp, UUID, or random value, where the service node can transmit the first authenticity data to the control node via the communications interface).
Obaidi does not expressly disclose applying a certified timestamp to the data packet to form a certified timestamped data packet.
Chen et al., for example, from an analogous field of endeavor (Chen et al., [0059] ingress (receiving end) hardware timestamping in an Ethernet switch is done based on source/destination IP and Security Parameter Index (SPI) and the egress (transmitting end) will put a statistically estimated edge timestamp offset in the Residence Time field) suggests applying a certified timestamp to the data packet to form a certified timestamped data packet (Chen et al., [0122] the GW includes a Network Processor module, a Time Stamp module associated with an Ethernet Switch in relation to [0138] from the egress side, the timestamp assigned by the timing module for egress packets (T) is expressed by T = t3 + (estimated offset)).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine applying a certified timestamp to the data packet to form a certified timestamped data packet as taught by et al. with the system of Obaidi in order to mitigate various man-in-the-middle attacks (Chen et al., [0141]).

Regarding claim 14, Obaidi - Chen et al. disclose obtaining a time value from a master timing source in the application service layer network (Chen et al., [0140] the time that the access point eventually calculates and the time that the gateway delivered to the access point from the master clock will correspond minus the latency between the machines).

Regarding claim 18, Obaidi discloses a non-transitory computer-readable storage medium (Obaidi, FIG. 2, computer readable media 232) storing instructions executable by a processor of a device (Obaidi, FIG. 2, processor 228), which when executed cause the device to: 
receive, from an application server device (Obaidi, [0077] peer computing device), a service request for a latency certification Service (Obaidi, [0054] the service node includes a root-of-trust device, where the root-of-trust device can store cryptographic data such as at least one shared secret, private key, or unique identification value and can compute cryptographic primitives, such as hashes or signatures in relation to [0077] the service node can receive a request from a peer computing device via the communications interface, where the peer computing device may be a computing device such as a terminal, an infrastructure node, or a remote computing device); 
Obaidi, [0052] a monitoring application, in response to work-sharing information from a control node, can cause a network functional module to be executed by the processor in a trusted execution environment) for a data session between the application server device and a user equipment (UE) device; 
obtain a digital certificate for the TCP proxy (Obaidi, [0023] an infrastructure node can provide session-control services to computing devices in relation to [0033] the computing device, in response to actuation by the second user of a “Send” control, can transmit an initiation request of a communication session); 
receive, at the TCP proxy and from the UE device, a data packet from the UE device for the application server device (Obaidi, [0059] the service node can establish an authenticated connection with a control node via the communications interface, where the authenticated connection can include any connection over which messages can be transmitted together with reliable information about the source of those messages); 
apply, by the TCP proxy, a validation to the data packet to form a certified data packet (Obaidi, [0059] the authenticated connection can be established, using Transmission Control Protocol (TCP) over Internet Protocol (IP) or other protocols or protocol stacks in relation to [0060] service node can validate a trusted execution environment of the service node to provide a validation result, including hashing or checksumming of computer program code of the trusted execution environment; verification of cryptographic signatures of such program code); and 
Obaidi, [0065] the service node can transmit an indication of the validation result to the control node via the authenticated connection, where the indication can comprise the validation result or a packet including or otherwise indicating the validation result in relation to [0080] – [0081] a first authenticity data may be based on a nonce including a timestamp, UUID, or random value, where the service node can transmit the first authenticity data to the control node via the communications interface).
Obaidi does not expressly disclose applying a certified timestamp to the data packet to form a certified timestamped data packet.
Chen et al., for example, from an analogous field of endeavor (Chen et al., [0059] ingress (receiving end) hardware timestamping in an Ethernet switch is done based on source/destination IP and Security Parameter Index (SPI) and the egress (transmitting end) will put a statistically estimated edge timestamp offset in the Residence Time field) suggests applying a certified timestamp to the data packet to form a certified timestamped data packet (Chen et al., [0122] the GW includes a Network Processor module, a Time Stamp module associated with an Ethernet Switch in relation to [0138] from the egress side, the timestamp assigned by the timing module for egress packets (T) is expressed by T = t3 + (estimated offset)).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine applying a certified timestamp to the data packet to form a certified timestamped data packet as taught by et al. with the system of Obaidi in order to mitigate various man-in-the-middle attacks (Chen et al., [0141]).

Regarding claim 19, Obaidi - Chen et al. disclose inserting the certified timestamp within an options field of a TCP header for the data packet (Chen et al., [0147] the egress (transmitting end) 1588 in IPsec will put a statistically estimated edge timestamp offset (t1′- t1 for SYNC; t3′- t3 for Delay_Req) in the Residence Time field); insert the certified timestamp within a shim header for the data packet; or wrap the data packet in another header that includes the certified timestamp (Chen et al., [0156] at a transmitting node, an unencrypted timing message originated at a clock and is timestamped, then encrypted as an IPSec message in ESP tunnel mode).  The motivation is the same as in claim 18. 

Regarding claim 20, Obaidi - Chen et al. disclose provide, to the application server device, a network address for the TCP proxy (Obaidi, [0110] the service node can transmit to control node the indication, a hostname, network address, UUID, or other identifying information); determine that the data session between the application server device and the UE device has ended (Obaidi, [0022] the signaling information can additionally or alternatively include information relating to call setup and teardown, SIP INVITE or BYE requests, or SIP 100 Trying, 180 Ringing, or 200 OK responses); and tear down the TCP proxy based on determining that the data session between the application server device and the UE device has ended Obaidi, [0048] the processor-executable instructions of the client application can be executed by the processor to perform registration or call setup or teardown). 

Claims 5, 10, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Obaidi - Chen et al., as applied to claim 1 above, and further in view of Zhang et al. (US 20200351900 A1).

Regarding claim 5, Obaidi - Chen et al. do not expressly disclose the master timing source is accurate within about 100 nanoseconds.
Zhang et al., for example, from an analogous field of endeavor (Zhang et al., [0045] 5G networks may be designed to support mission-critical, delay-sensitive services for applications such as Internet of Things (IoT) platforms, auto-driving cars, and service-oriented slicing) suggests the master timing source is accurate within about 100 nanoseconds (Zhang et al., [0045] a 5G service may be designed to support very restricted delay constraints for certain applications, e.g., a delay of a few milliseconds, or a delay specified in nanoseconds).
Thus, it would have been an obvious matter of design choice to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the master timing source is accurate within about 100 nanoseconds as taught by Zhang et al. with the combined system of Obaidi - Chen et al. in order to support 5G mobility services delay level constraint (Zhang et al., [0058]).

et al. disclose the one or more network devices are included within one of: an edge hub for a radio access network (Obaidi, [0023] the infrastructure nodes can serve as anchoring network devices, which proxy signaling traffic for communication session(s) among computing devices).
Obaidi - Chen et al. do not expressly disclose a multi-access edge computing (MEC) network (Obaidi, [0037] the service node can be an infrastructure node(s), a S-CSCF, TAS, (multi-access edge comput$4) or (MEC) or (mobile edge comput$4)
or other AS, additionally or alternatively, the service node can be a terminal, another computing device, configured via transmissions of work-sharing information to perform service functions).
Zhang et al., for example, from an analogous field of endeavor (Zhang et al., [0045] 5G networks may be designed to support mission-critical, delay-sensitive services for applications such as Internet of Things (IoT) platforms, auto-driving cars, and service-oriented slicing) discloses a multi-access edge computing (MEC) network (Zhang et al., [0047] edge computing technology may enable support for delay-critical applications and for mobile edge computing as well as for fog computing).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine a multi-access edge computing (MEC) network as taught by Zhang et al. with the combined system of Obaidi - Chen et al. in order to support 5G mobility services delay level constraint (Zhang et al., [0058]).

et al. do not expressly disclose obtain a time value from a master timing source in the application service layer network.
Zhang et al., for example, from an analogous field of endeavor (Zhang et al., [0045] 5G networks may be designed to support mission-critical, delay-sensitive services for applications such as Internet of Things (IoT) platforms, auto-driving cars, and service-oriented slicing) discloses obtain a time value from a master timing source in the application service layer network (Zhang et al., [0045] a 5G service may be designed to support very restricted delay constraints for certain applications, e.g., a delay of a few milliseconds, or a delay specified in nanoseconds).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine obtain a time value from a master timing source in the application service layer network as taught by Zhang et al. with the combined system of Obaidi - Chen et al. in order to support 5G mobility services delay level constraint (Zhang et al., [0058]).

Claims 7, 16, are rejected under 35 U.S.C. 103 as being unpatentable over Obaidi - Chen et al., as applied to claim 1 above, and further in view of Noy et al. (US 20130058212 A1).

Regarding claim 7, 16, Obaidi - Chen et al. do not expressly disclose applying the certified timestamp further includes: determining, by the one or more network devices, an estimated air transit time between the UE device and the one or more network devices, and adding the estimated air transit time to the certified timestamp.
et al., for example, from an analogous field of endeavor (Noy et al., [0017] a TCP Proxy apparatus for a wireless network section to a TCP-enabled network includes a latency aware unit for monitoring round trip time) discloses determining, by the one or more network devices, an estimated air transit time between the UE device and the one or more network devices (Noy et al., [0067] a latency aware unit for monitoring round trip time over the wireless network section to determine latency within the wireless section), and adding the estimated air transit time to the certified timestamp (Noy et al., [0068] the filter is configured to output a value being a lowest of a plurality of latency measurements over a preset time frame).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine determining, by the one or more network devices, an estimated air transit time between the UE device and the one or more network devices, and adding the estimated air transit time to the certified timestamp as taught by Noy et al. with the combined system of Obaidi - Chen et al. in order to calculate a rate as a function of the filter output (Noy et al., [0075]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIONEL PREVAL whose telephone number is (571)270-5673. The examiner can normally be reached Monday-Thursday 10-4 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NOEL BEHARRY can be reached on 5712705630. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 
/L.P./Examiner, Art Unit 2416     

/NOEL R BEHARRY/Supervisory Patent Examiner, Art Unit 2416