Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a reply to the application filed on 07/06/2020, in which claim(s) 1-20 are pending.

When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any anticipated claim amendments.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/28/2020 and 2/16/2022 has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Drawings
The drawings filed on 7/6/2020 is/are accepted by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).


Claim(s) 1-20 is/are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claim(s) 1-20 of copending Application No.: 16/921791.  Although the conflicting claims are not identical, they are not patentably distinct from each other because the underlined differences are obvious variations of the same invention (i.e. see table below).
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.

Present Invention
Claim 1: A method performed by a security system to secure a 5G network from a cyberattack, the method comprising:

instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance 

processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; and

causing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include blocking the incoming network traffic at the perimeter of the 5G network.

Copending Application No. 16/921,791
Claim 1: A method performed by a security system to secure a 5G network from a cyberattack, the method comprising:

instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance 

processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter;



Claim 9: The method of claim 1 further cased to: determining that the cyberattack to the 5G network has been thwarted; and terminating the instantiation of the security system.


Similarly, the rest of the independent and dependent claims are analogous to the rest of the independent and dependent claims of the instant application.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim(s) 1-20 is/are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claim(s) 1-20 of copending Application No.: 16/921798.  Although the conflicting claims are not identical, they are not patentably distinct from each other because the underlined differences are obvious variations of the same invention (i.e. see table below).
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.

Present Invention
Claim 1: A method performed by a security system to secure a 5G network from a cyberattack, the method comprising:

processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; and

causing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include 

Copending Application No. 16/921,798
Claim 1: A method performed by a distributed security system to secure a 5G network from a cyberattack, the method comprising:

instantiating an agent component of the security system, wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter, and wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of a cyberattack, and the threat parameter relates to a source of the cyberattack; 

processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter;

Claim 3: The method of claim 1 further comprising: causing one or more actions based on the VRT score to thwart the cyberattack, wherein the one or more actions include quarantining the incoming network traffic at the agent component.


Similarly, the rest of the independent and dependent claims are analogous to the rest of the independent and dependent claims of the instant application.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz et al. (Pub. No.: US 2019/0380037 A1 – IDS; hereinafter Lifshitz) in view of Muddu et al. (Pat. No.: US 9,516,053 B1; hereinafter Muddu).
Regarding claim 1, Lifshitz discloses a method performed by a security system to secure a 5G network from a cyberattack, the method comprising:
instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model (the TSE unit monitors and controls network traffic for the 5G core network using modeling and machine learning, using predefined parameters [Lifshitz; Abstract, ¶157-158, 166-167, 172-173, 184-185, 209-212]);
processing the incoming network traffic with the security model that characterizes the incoming network traffic in relation to the parameter (using the machine learning modeling to automatically detect security issues or threats relating to the incoming traffic [Lifshitz; Abstract, ¶17, 157-158, 166-167, 172-173, 184-185, 209-212]);
causing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include blocking the incoming network traffic at the perimeter of the 5G 
In particular, Muddu teaches column 15, lines 56-63: Different machine learning models may evaluate different aspects of the pre-processed event data received from the distribution block 320. The machine learning models can also generate security-related scores for the events. Column 58, lines 5564: Process 2500 begins at step 2502 with receiving event data 2302 indicative of activity by a particular entity associated with a computer network. Column 59, lines 26-53. Column 60, lines 12-26: Process 2600 continues at step 2604 with assigning a threat indicator score based on processing the anomaly data 2304. Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: FIG. 28 illustrates a second use case for identifying threat indicators based on entity associations with detected anomalies. In some embodiments, the use case described in FIG. 28 involves a process that begins with determining a measure (e.g. a count) of anomalies associated with a particular entity of the computer network. The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of 

Regarding claim 2, Lifshitz-Muddu combination discloses the method of claim 1, wherein the one or more actions comprise:
communicating at least an indication of the incoming network traffic to a central database, wherein the central database manages information about multiple VRT parameters collected from multiple networks including the 5G network; receiving an update from the central database, wherein the update includes information about the multiple VRT parameters collected from the multiple networks; and training the security model based on the update (the TSE includes a database for the IoT devices' behavior profiles, in which the incoming data are collected based on machine learning and the behavior profiles are updated/modified based on the 

Regarding claim 3, Lifshitz-Muddu combination discloses the method of claim 1, wherein causing the one or more actions comprises: based on the VRT score, embedding a tag in the network traffic to indicate that the network traffic includes potential malicious VRT traffic; dispatching the potential malicious VRT traffic with the embedded tag to one or more intended destinations; using the embedded tag to track activity of the potential malicious VRT traffic on the 5G network; comparing the tracked activity of the potential malicious VRT traffic with an expected activity of the potential malicious VRT traffic; and discovering that the network traffic includes malicious VRT traffic based on an output of the comparison between the tracked activity and the expected activity, and wherein the tag is metadata stored in a portion of the network traffic that includes addressing information of the one or more intended destinations of the network traffic (the incoming traffic is identified based on set features, timestamp, 5-tuple, etc. [Lifshitz; ¶39-40]. These characteristics are the metadata of the behavior profiles in the TSE database, in which the incoming data are collected based on machine learning and the behavior profiles are updated/modified based on the characteristics of the activities; security features are applied based on matched behavioral profiles/activities and on exhibited abnormality or suspicion [Lifshitz; ¶83-85, 125, 166, 171]).

Regarding claim 4, Lifshitz-Muddu combination discloses the method of claim 1, wherein causing the one or more actions comprises: based on the VRT score, embedding a tag in the network traffic to indicate that the network traffic includes potential malicious VRT traffic; dispatching 

Regarding claim 5, Lifshitz-Muddu combination discloses the method of claim 1, wherein the one or more actions comprise: redirecting the incoming network traffic to a destination other than an intended destination of the incoming network traffic (blocking/discarding/thwarting the package/message/payload when detecting an anomaly/abnormality [Lifshitz; Abstract, ¶17, 34, 78-79]).

Regarding claim 6, Lifshitz-Muddu combination discloses the method of claim 1, wherein the security system is a firewall that processes incoming and outgoing network traffic (security systems [e.g., firewalls] [Lifshitz; Fig. 4 and associated text][Muddu; fig. 4 and associated text]). The motivation is to better detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).

Regarding claim 7, Lifshitz-Muddu combination discloses the method of claim 1, wherein causing the one or more actions comprises: determining that the VRT score exceeds a threshold value, wherein a VRT score less than the threshold value is indicative of non-VRT traffic and a VRT score greater than the threshold value is indicative of VRT traffic; and responsive to the VRT score exceeding the threshold value, redirecting the incoming network traffic to a containment area in lieu of an intended destination of the incoming network traffic, wherein the containment area is communicatively separate from the 5G network; and wherein the method further comprises causing the containment area to inspect the incoming network traffic and remove the incoming network traffic when including malicious VRT network traffic (determining the threshold scores, detecting anomalies, and performing actions based on the threshold values; actions such as block, redirect, quarantine, etc. [Lifshitz; Abstract][Muddu; fig. 81-82 and associated text]). The motivation is to better detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).

Regarding claim 8, Lifshitz-Muddu combination discloses the method of claim 1, wherein causing the one or more actions comprises: determining that the VRT score exceeds a threshold value, wherein a VRT score less than the threshold value is indicative of non-VRT traffic and a VRT score greater than the threshold value is indicative of VRT traffic; and responsive to the VRT score exceeding the threshold value, redirecting the incoming network traffic to a containment area in lieu of an intended destination of the incoming network traffic, wherein the containment area is communicatively separate from the 5G network (determine the threshold scores and 

Regarding claim 9, Lifshitz-Muddu combination discloses the method of claim 1, wherein causing the one or more actions comprises: based on the VRT score, determining that the incoming network traffic includes malicious VRT traffic; and redirecting the malicious VRT traffic to a containment area that is communicatively separate and distinct from the 5G network thereby capturing and removing the incoming network traffic from the 5G network (determining the threshold scores, detecting anomalies, and performing actions based on the threshold values; actions such as block, redirect, quarantine, etc. [Lifshitz; Abstract][Muddu; fig. 81-82 and associated text]). The motivation is to better detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).

The requirements of claims 10-19 are substantially the same as rejected claims 1-9.

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Conclusion
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO whose telephone number is (571)270-5998.  The examiner can normally be reached on 7:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 


/DAO Q HO/Primary Examiner, Art Unit 2432