DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 03/11/2022. 

Response to Amendment
Claims 1, 10 and 16 have been amended.
Claims 1-20 have been examined. 
Applicant’s arguments with respect to claims 1, 10 and 16 regarding the new limitations: “wherein the session establishment request message comprises a supported layer, a supported key length, and a supported security algorithm”, have been considered but are moot in view of the new ground of rejection presented in the current office action.

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-3, 9-11, 16-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20150128205 to Mahaffey et al (hereinafter Mahaffey), CN104378374A to Pang et al (hereinafter Pang) and US 20020087729 to Edgar (hereinafter Edgar).
Examiner’s Note: The examiner used an English translation of CN104378374A. The English translation is attached to the end of the original document. 
As per claims 1 and 16, Mahaffey teaches:
A data transmission method, comprising: determining, by user equipment (UE), a security attribute of a session of the UE (Mahaffey: [0192]: a user may have initially been playing an online game where, based on a connection policy, the connection network could be unsecured. [0301]: In a step 1115, context information associated with a first type of network connection between a mobile communications device and a remote destination is collected. [0302]: context information is collected before the network connection is established); 
starting, by the UE, an application having a security requirement (Mahaffey: [0193] Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used); 
when the security attribute of the session is lower than the security requirement of the application, determining, by the UE, that the security attribute of the session does not meet the security requirement of the application (Mahaffey: [0190]: For example, the interceptor may intercept an attempt by an application program on the mobile device to connect to a network. [0191]: The assessment engine is responsible for evaluating or applying a connection policy based on the current context. For example, upon the connection interceptor intercepting a connection attempt, the assessment engine may be called to determine the type of connection that should be established. Determining the type of connection that should be established is based on the collected context data. [0192]: For example, a user may have initially been playing an online game where, based on a connection policy, the connection network could be unsecured. [0193]: Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used. If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. Also, [0228], [0301]-[0302], [0307]); and 
sending, by the UE, a session establishment request message to a control plane node, wherein the session establishment request message is used to request to establish a session corresponding to the security requirement of the application (Mahaffey: [0193]: If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. [0207] Accordingly, at step 602, a request for a secure network connection account may be received at a server), 
wherein the session establishment request message comprises the security requirement of the application (Mahaffey: [0336]: In a step 1410, a security policy associated with a network connection between a mobile communications device and a remote destination is received. The security policy includes a specification of a particular type of network connection to be used during a particular context. [0337] Thus, an administrator of the remote destination can, via the security policy (security requirement), specify the type of network connection that should be used to communicate with the remote destination. The security policy may be sent from the mobile communications device to the server for the server to apply the policy).
Mahaffey teaches a network connection but does not explicitly teach a session. Also, Mahaffey does not teach: wherein the session establishment request message comprises a security capability of the UE, wherein the session establishment request message comprises a supported layer, a supported key length, and a supported security algorithm. However, Pang teaches:
a session and wherein the session establishment request message comprises a security capability of the UE (Pang: [0020]: S11. The client sends a first handshake message to the load balancing device, where the first handshake message includes: a session ID, cipher suite information (security capability of the UE). [0085]: Session id: determine the session id of the session. Also, [0082]: First, the client 1 sends a Client hello message to the SSL-BaseCPK-PU in the load balancing device 2, that is, the first handshake message and waits for the PU to respond),
wherein the session establishment request message comprises a supported layer, and a supported security algorithm (Pang: [0082]: S11. The client 1 sends a first handshake message to the load balancing device 2, where the first handshake message includes: the version number of the secure socket layer supported by the client 1 (supported layer), …, cipher suite information. [0082]: In FIG. 3, the first stage of the SSL handshake starts a logical connection, The security capability to establish this connection. First, the client 1 sends a Client hello message to the SSL-BaseCPK-PU in the load balancing device 2, that is, the first handshake message and waits for the PU to respond. The Client hello message includes: [0083]: Version: The highest version number of SSL that the client can support; [0086]: Cipher suite: a list of cipher suites that a client can support. [0087]: Among them, the list of common cipher suites is as follows: [0089]: The list of cipher suites of common national secret protocols is as follows: [0092]: For example, the key exchange algorithm of *_ECDH_ECDSA_* is ECDH, and the signature algorithm is ECDSA).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pang in the invention of Mahaffey to include the above limitations. The motivation to do so would be to establish communication based on a secure socket layer for the problems that the RSA encryption algorithm occupies a large storage space and high bandwidth requirements (Pang: [0009]).
Mahaffey in view of Pang does not teach: wherein the session establishment request message comprises a supported key length. However, Edgar teaches:
wherein the session establishment request message comprises a supported key length (Edgar: [0292]: Second, the ATP client sends an ATP Session Initiation Request packet, with the ATP_FLAG_SEC flag set. This flag indicates that the request includes security information. The security data length field is 3, and the security flags field has ATP_FLAG_CRYPT set. The first byte of the security data field indicates the maximum length RC4 session key supported by the client. The second and third bytes, together a word with the least significant byte being the second byte and the most significant byte being the third byte, indicate the maximum length RSA public key supported by the client).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Edgar in the invention of Mahaffey in view of Pang to include the above limitations. The motivation to do so would be to provide a secure channel for communication between clients and servers (Edgar: [0290]). 
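The three-byte security data field quoted from Edgar [0292], together with the claim 1 comparison of a session's security attribute against an application's security requirement, as an added example that is not part of this Office action or of any cited reference. All function and class names are hypothetical, the sample bytes are constructed, and the key lengths are treated as plain integers because the quoted passage does not state their unit.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Edgar [0292]: "The security data length field is 3".
SECURITY_DATA_LEN = 3


@dataclass(frozen=True)
class ClientKeyLimits:
    """Key-length capability a client advertises (hypothetical container)."""
    max_rc4_key_len: int  # first byte of the security data field
    max_rsa_key_len: int  # second and third bytes, least significant byte first


def parse_security_data(data: bytes) -> ClientKeyLimits:
    """Decode the security data field; reject any length other than 3."""
    if len(data) != SECURITY_DATA_LEN:
        raise ValueError(f"expected {SECURITY_DATA_LEN} bytes, got {len(data)}")
    # "<BH": one unsigned byte, then one little-endian 16-bit word, no padding.
    rc4_len, rsa_len = struct.unpack("<BH", data)
    return ClientKeyLimits(rc4_len, rsa_len)


def build_security_data(limits: ClientKeyLimits) -> bytes:
    """Encode the field as the client would place it in its request."""
    return struct.pack("<BH", limits.max_rc4_key_len, limits.max_rsa_key_len)


def session_meets_requirement(session_key_len: int, required_key_len: int) -> bool:
    """Claim 1 comparison: an attribute lower than the requirement fails."""
    return session_key_len >= required_key_len


def select_session_key_len(security_data: bytes, server_max_key_len: int,
                           required_key_len: int) -> Optional[int]:
    """Pick the longest session key both sides support.

    Returns None when that length is below the application's requirement,
    so the caller refuses the session instead of silently downgrading it.
    """
    client = parse_security_data(security_data)
    agreed = min(client.max_rc4_key_len, server_max_key_len)
    return agreed if session_meets_requirement(agreed, required_key_len) else None


if __name__ == "__main__":
    # Constructed sample: session key limit 16, public key limit 0x0400 = 1024.
    field = bytes([0x10, 0x00, 0x04])
    print(parse_security_data(field))
    print(select_session_key_len(field, server_max_key_len=32, required_key_len=16))
    print(select_session_key_len(field, server_max_key_len=8, required_key_len=16))
```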

As per claims 2 and 17, Mahaffey in view of Pang and Edgar teaches: 
The method according to claim 1, wherein the security attribute comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location (Mahaffey: [0192]: For example, a user may have initially been playing an online game where, based on a connection policy, the connection network could be unsecured (encrypted location). [0193]: Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used. If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. [0210]: Once established, the secure network connection may provide the mobile communications device with a safe and encrypted network connection that is not susceptible to eavesdropping attempts.); and the security requirement of the application comprises at least one security parameter of a security algorithm, a key length, or an encrypted location (Pang: [0082]: The Client hello message includes: [0086]: Cipher suite: a list of cipher suites that a client can support. [0087]: Among them, the list of common cipher suites is as follows: [0089]: The list of cipher suites of common national secret protocols is as follows: [0092]: For example, the key exchange algorithm of *_ECDH_ECDSA_* is ECDH, and the signature algorithm is ECDSA).
The examiner provides the same rationale to combine Mahaffey and Pang as provided in claims 1 and 16 above.

As per claims 3 and 18, Mahaffey in view of Pang and Edgar teaches:
The method according to claim 1, wherein after the sending, by the UE, a session establishment request message to a control plane node, the method further comprises: receiving, by the UE, a session establishment response message from the control plane node, wherein the session establishment response message comprises a security attribute of the session corresponding to the security requirement of the application; and sending, by the UE, data of the application based on the security attribute of the session corresponding to the security requirement of the application (Mahaffey: [0211] At step 604, a secure network connection account may be generated at the server. The secure network connection account may be a temporary account that includes credentials for a secure network connection. [0212] At step 606, the credentials may be transmitted to the mobile communications device. The mobile communications device may use the credentials to automatically configure a secure network connection, such as a SNC connection. [0213] At step 608, a secure network connection may be established between the server and the mobile communications device in response to receiving the credentials from the mobile communications device. Pang: S11. The client 1 sends a first handshake message to the load balancing device 2, where the first handshake message includes: the version number of the secure socket layer supported by the client 1, a random number, a session ID, cipher suite information, and compression algorithm information. [0093]: For example: SSL-BaseCPK-PU returns a server hello message to client 1, that is, the second handshake message, and confirms the information in the client hello message. The confirmation information includes: [0095]: session ID: Select a supported cipher suite and compression method from the client hello. In this article, the suite is selected as SM2_ECDH_ECDSA_*, and the value is selected as {0xe, 0x0b}. [0120]: S8. The client 1 and the load balancing device 2 establish communication after successful mutual authentication. 696 After the SSL authentication of both parties is completed, the client will start communication with the load balancing device 2, the client will transmit the application data to the SSL-BaseCPK-PU, and the SSL-BaseCPK-PU will decrypt the data).
The examiner provides the same rationale to combine Mahaffey and Pang as provided in claims 1 and 16 above.

As per claims 9 and 20, Mahaffey in view of Pang and Edgar teaches:
The method according to claim 1, wherein the session comprises at least one session, the method further comprising: when a security attribute of the at least one session meets the security requirement of the application, sending, by the UE, data of the application through one of the at least one session (Mahaffey: [0340]: if the context information indicates that the user is accessing their account balances, the system may allow the current secure network connection to be maintained. Pang: [0093]: For example: SSL-BaseCPK-PU returns a server hello message to client 1, that is, the second handshake message, and confirms the information in the client hello message. The confirmation information includes: [0095]: session ID: Select a supported cipher suite and compression method from the client hello. In this article, the suite is selected as SM2_ECDH_ECDSA_*, and the value is selected as {0xe, 0x0b}. [0120]: S8. The client 1 and the load balancing device 2 establish communication after successful mutual authentication. 696 After the SSL authentication of both parties is completed, the client will start communication with the load balancing device 2, the client will transmit the application data to the SSL-BaseCPK-PU, and the SSL-BaseCPK-PU will decrypt the data).
The examiner provides the same rationale to combine Mahaffey and Pang as provided in claims 1 and 16 above.

As per claim 10, Mahaffey teaches: 
A data transmission method, comprising: 
receiving, by a control plane node, a session establishment request message from user equipment (UE), wherein the session establishment request message is used to request to establish a session corresponding to a security requirement of an application of the UE, wherein the application was started by the UE (Mahaffey: [0193] Subsequently, however, the user may have switched to a banking application in order to pay some bills. In this case, the policy may specify that a secure network connection be used. If the existing network connection offers a security level different from what is specified by the policy, the system can terminate the existing network connection and establish a new network connection that offers the appropriate level of security for the current context. [0207] Accordingly, at step 602, a request for a secure network connection account may be received at a server. [0301]: In a step 1115, context information associated with a first type of network connection between a mobile communications device and a remote destination is collected) and 
wherein the session establishment request message comprises the security requirement of the application (Mahaffey: [0336]: In a step 1410, a security policy associated with a network connection between a mobile communications device and a remote destination is received. The security policy includes a specification of a particular type of network connection to be used during a particular context. [0337] Thus, an administrator of the remote destination can, via the security policy (security requirement), specify the type of network connection that should be used to communicate with the remote destination. The security policy may be sent from the mobile communications device to the server for the server to apply the policy); and 
sending, by the control plane node, a session establishment response message to the UE based on the session establishment request message, wherein the session establishment response message comprises a security attribute of the session corresponding to the security requirement of the application (Mahaffey: [0211] At step 604, a secure network connection account may be generated at the server. The secure network connection account may be a temporary account that includes credentials for a secure network connection. [0212] At step 606, the credentials may be transmitted to the mobile communications device. The mobile communications device may use the credentials to automatically configure a secure network connection, such as a SNC connection. [0213] At step 608, a secure network connection may be established between the server and the mobile communications device in response to receiving the credentials from the mobile communications device).
Mahaffey teaches a request to establish a secure network connection and sending, by the server, a response to establish a secure network connection but does not explicitly teach: a session establishment request message; sending, by the control plane node, a session establishment response message; wherein the session establishment request message comprises a security capability of the UE and wherein the session establishment request message comprises a supported layer, a supported key length, and a supported security algorithm. However, Pang teaches:
a session establishment request message; sending, by the control plane node, a session establishment response message; wherein the session establishment request message comprises a security capability of the UE (Pang: [0020]: S11. The client sends a first handshake message to the load balancing device, where the first handshake message includes: a session ID, cipher suite information (security capability of the UE). [0085]: Session id: determine the session id of the session. Also, [0082]: First, the client 1 sends a Client hello message to the SSL-BaseCPK-PU in the load balancing device 2, that is, the first handshake message and waits for the PU to respond. [0093]: For example: SSL-BaseCPK-PU returns a server hello message to client 1, that is, the second handshake message, and confirms the information in the client hello message. The confirmation information includes: [0095]: session ID: Select a supported cipher suite and compression method from the client hello. In this article, the suite is selected as SM2_ECDH_ECDSA_*, and the value is selected as {0xe, 0x0b}); and 
wherein the session establishment request message comprises a supported layer, and a supported security algorithm (Pang: [0082]: S11. The client 1 sends a first handshake message to the load balancing device 2, where the first handshake message includes: the version number of the secure socket layer supported by the client 1 (supported layer), …, cipher suite information. [0082]: In FIG. 3, the first stage of the SSL handshake starts a logical connection, The security capability to establish this connection. First, the client 1 sends a Client hello message to the SSL-BaseCPK-PU in the load balancing device 2, that is, the first handshake message and waits for the PU to respond. The Client hello message includes: [0083]: Version: The highest version number of SSL that the client can support; [0086]: Cipher suite: a list of cipher suites that a client can support. [0087]: Among them, the list of common cipher suites is as follows: [0089]: The list of cipher suites of common national secret protocols is as follows: [0092]: For example, the key exchange algorithm of *_ECDH_ECDSA_* is ECDH, and the signature algorithm is ECDSA).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pang in the invention of Mahaffey to include the above limitations. The motivation to do so would be to establish communication based on a secure socket layer for the problems that the RSA encryption algorithm occupies a large storage space and high bandwidth requirements (Pang: [0009]).
Mahaffey in view of Pang does not teach: wherein the session establishment request message comprises a supported key length. However, Edgar teaches:
wherein the session establishment request message comprises a supported key length (Edgar: [0292]: Second, the ATP client sends an ATP Session Initiation Request packet, with the ATP_FLAG_SEC flag set. This flag indicates that the request includes security information. The security data length field is 3, and the security flags field has ATP_FLAG_CRYPT set. The first byte of the security data field indicates the maximum length RC4 session key supported by the client. The second and third bytes, together a word with the least significant byte being the second byte and the most significant byte being the third byte, indicate the maximum length RSA public key supported by the client).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Edgar in the invention of Mahaffey in view of Pang to include the above limitations. The motivation to do so would be to provide a secure channel for communication between clients and servers (Edgar: [0290]). 

As per claim 11, Mahaffey in view of Pang and Edgar teaches: 
The method according to claim 10, wherein the security attribute comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location; and the security requirement of the application comprises at least one security parameter of: a security algorithm, a key length, or an encrypted location (Pang: [0082]: The Client hello message includes: [0086]: Cipher suite: a list of cipher suites that a client can support. [0087]: Among them, the list of common cipher suites is as follows: [0089]: The list of cipher suites of common national secret protocols is as follows: [0092]: For example, the key exchange algorithm of *_ECDH_ECDSA_* is ECDH, and the signature algorithm is ECDSA. [0093]: For example: SSL-BaseCPK-PU returns a server hello message to client 1, that is, the second handshake message, and confirms the information in the client hello message. The confirmation information includes: [0095]: session ID: Select a supported cipher suite and compression method from the client hello. In this article, the suite is selected as SM2_ECDH_ECDSA_*, and the value is selected as {0xe, 0x0b}).
The examiner provides the same rationale to combine Mahaffey and Pang as provided in claim 10 above.

Claims 4, 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Pang and Edgar as applied to claims 3 and 10 above, and further in view of prior art of record US 20150052348 to Robert Moskowitz (hereinafter Moskowitz).
As per claim 4, Mahaffey in view of Pang and Edgar does not teach: wherein the security attribute of the session corresponding to the security requirement of the application comprises an encrypted location, and the sending, by the UE, data of the application based on the security attribute of the session corresponding to the security requirement of the application comprises: determining, by the UE, an encapsulation format of the data of the application based on the encrypted location; and generating, by the UE, a data packet based on the encapsulation format of the data of the application and the data of the application, and sending the data packet. However, Moskowitz teaches:
wherein the security attribute of the session corresponding to the security requirement of the application comprises an encrypted location, and the sending, by the UE, data of the application based on the security attribute of the session corresponding to the security requirement of the application comprises: determining, by the UE, an encapsulation format of the data of the application based on the encrypted location; and generating, by the UE, a data packet based on the encapsulation format of the data of the application and the data of the application, and sending the data packet (Moskowitz: [0030] Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types. [0055]: Application 110-1 may negotiate, using the KMP, a session security envelope (SSE) encapsulation format type and a ciphersuite with application 110-2 based on a cost or bandwidth associated with network 120, or one or more links of network 120, that connects device 105-1 and device 105-2 (block 820). Application 110-1 and/or application 110-2 may select a SSE encapsulation format type and ciphersuite, for use when sending session layer payload data between app 110-1 and app 110-2, based on the known costs or bandwidths associated with network 120, or the one or more links of network 120. [0060]-[0062]: Application 110 may generate a SSE security encapsulated block(s) of the payload data based on the retrieved encapsulation format type (block 1015). Application 110 may pass the SSE security encapsulated block(s) and ICV to lower OSI layers for sending to the destination application (block 1030). Also, [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moskowitz in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to contribute to the ability to conserve network resources by reducing network costs (Moskowitz: [0017]).

As per claim 6, Mahaffey in view of Pang and Edgar does not teach: wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate the encapsulation format of the data of the application. However, Moskowitz teaches: 
wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate the encapsulation format of the data of the application (Moskowitz: [0030] Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types. [0055]: Application 110-1 may negotiate, using the KMP, a session security envelope (SSE) encapsulation format type and a ciphersuite with application 110-2 based on a cost or bandwidth associated with network 120, or one or more links of network 120, that connects device 105-1 and device 105-2 (block 820). Application 110-1 and/or application 110-2 may select a SSE encapsulation format type and ciphersuite, for use when sending session layer payload data between app 110-1 and app 110-2, based on the known costs or bandwidths associated with network 120, or the one or more links of network 120. [0060]-[0062]: Application 110 may generate a SSE security encapsulated block(s) of the payload data based on the retrieved encapsulation format type (block 1015). Application 110 may pass the SSE security encapsulated block(s) and ICV to lower OSI layers for sending to the destination application (block 1030). Also, [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moskowitz in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to contribute to the ability to conserve network resources by reducing network costs (Moskowitz: [0017]).

As per claim 14, Mahaffey in view of Pang and Edgar does not teach: wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate a user plane protocol stack used by the session corresponding to the security requirement of the application. However, Moskowitz teaches:
wherein the session establishment response message further comprises user plane protocol stack indication information, and the user plane protocol stack indication information is used to indicate a user plane protocol stack used by the session corresponding to the security requirement of the application (Moskowitz: [0030] Format type field 315 may uniquely identify one of multiple different format types that may be used at the session layer for encapsulating session layer payload data. Each of the multiple different format types may include a different number and/or length of fields used in the encapsulation overhead data that encapsulated the session layer payload data. Payload data lengths may vary from small to very large lengths, and bandwidths/costs associated with network 120, or network 120's links, may vary from highly constrained to very high bandwidth. Therefore, payload data in each session may be encapsulated using different encapsulation format types. [0055]: Application 110-1 may negotiate, using the KMP, a session security envelope (SSE) encapsulation format type and a ciphersuite with application 110-2 based on a cost or bandwidth associated with network 120, or one or more links of network 120, that connects device 105-1 and device 105-2 (block 820). Application 110-1 and/or application 110-2 may select a SSE encapsulation format type and ciphersuite, for use when sending session layer payload data between app 110-1 and app 110-2, based on the known costs or bandwidths associated with network 120, or the one or more links of network 120. [0060]-[0062]: Application 110 may generate a SSE security encapsulated block(s) of the payload data based on the retrieved encapsulation format type (block 1015). Application 110 may pass the SSE security encapsulated block(s) and ICV to lower OSI layers for sending to the destination application (block 1030). Also, [0037]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Moskowitz in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to contribute to the ability to conserve network resources by reducing network costs (Moskowitz: [0017]).

Claims 5, 7, 8, 12, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Pang and Edgar as applied to claims 1, 10 and 16 above, and further in view of prior art of record US 10735956 to Bae et al (hereinafter Bae).
As per claim 5, Mahaffey in view of Pang and Edgar does not teach: wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application. However, Bae teaches:
wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application (Bae: column 12, lines 55-67 and column 13, lines 1-15: In step S520, after generating the common AS security key, the terminal may generate UE capability. At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

As per claims 7 and 19, Mahaffey in view of Pang and Edgar does not teach: wherein the security attribute of the session is the security attribute of a slice corresponding to the session. However, Bae teaches: 
wherein the security attribute of the session is the security attribute of a slice corresponding to the session (Bae: column 12, lines 55-67 and column 13, lines 1-15: In step S520, after generating the common AS security key, the terminal may generate UE capability. At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

As per claim 8, Mahaffey in view of Pang and Edgar and Bae teaches: 
The method according to claim 7, wherein before the determining, by a UE, a security attribute of a session of the UE, the method further comprises: sending, by the UE, a registration request message to the control plane node; and receiving, by the UE, a registration response message from the control plane node, wherein the registration response message comprises a security attribute of a slice accessible by the UE, and the security attribute of the slice accessible by the UE comprises the security attribute of the slice corresponding to the session (Bae: column 13, lines 1-25: In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. The terminal may notify the network of all the security algorithm information that can be supported by the terminal during the initial access. In step S550, the core network may transmit an initial context setup request message to the base station 5G RAN. The initial context setup request message may include a security context for the network slice. The security context may include at least one of information related to the security algorithm, the network slice identifier information, and the AS security key information K.sub.5G-RAN, k. In step S560, the base station receiving the initial context setup message may store the AS security key information K.sub.5G-RAN, k. Next, in step S570, the base station may transmit RRC connection reconfiguration message (5G RRC connection reconfiguration) or attach accept message to the terminal as a response to the connection request message of the terminal. At this point, the RRC connection reconfiguration message or the attach accept message may include the network slice identifier set by the terminal. In step S580, the terminal receiving the RRC connection reconfiguration message or the attach accept message may use the network slice identifier to generate a security context. That is, the terminal may use the network slice identifier to generate the AS security key information K.sub.5G-RAN, k and verify the security algorithm to be used to generate the security context. Also, Column 10, lines 46-55: when the network slice is first registered, a terminal may be assigned a unique network slice identifier (unique NW slice ID) that may be identified within a service provider network or globally. The network slice identifier may be stored in HSS, and the terminal may receive the network slice identifier during the initial access procedure and use the received network slice identifier to generate security keys for each network slice).
The examiner provides the same rationale to combine Mahaffey in view of Pang and Edgar and Bae as in claim 7 above.

As per claim 12, Mahaffey in view of Pang and Edgar does not teach: wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application. However, Bae teaches: 
wherein the security attribute of the session corresponding to the security requirement of the application is a security attribute of a slice corresponding to the session corresponding to the security requirement of the application (Bae: column 12, lines 55-67 and column 13, lines 1-15: In step S520, after generating the common AS security key, the terminal may generate UE capability. At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. In addition, the security capability may include information related to a security algorithm, information related to a security level, information related to security levels for each network slice, and security algorithm information depending on the security levels or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

As per claim 15, Mahaffey in view of Pang and Edgar does not teach: receiving, by the control plane node, a registration request message from the UE, wherein the registration request message comprises configured network slice selection assistance information; determining, by the control plane node based on the configured network slice selection assistance information, a security attribute of a slice accessible by the UE; and sending, by the control plane node, a registration response message to the UE, wherein the registration response message comprises the security attribute of the slice accessible by the UE. However, Bae teaches:
wherein before the receiving, by a control plane node, a session establishment request message from UE, the method further comprises: receiving, by the control plane node, a registration request message from the UE, wherein the registration request message comprises configured network slice selection assistance information (Bae: column 12, lines 65-67 and column 13, lines 1-25: At this time, the UE capability generated by the terminal may include network slice information and security capability (new UE capability for addressing NW slice or security capability). The network slice information includes a network slice indicator indicating a type of network slices (for example, what type of service the network slice is mapped to), information related to the number of network slices set in the terminal, identifier information of the network slice or the like. Thereafter, in step S530, the terminal may transmit connection request messages for each network slice to the core network (NW slice k connection request). The terminal may transmit the connection request messages to the core network to access the networks for each service. The connection request message may include the UE capability); 
determining, by the control plane node based on the configured network slice selection assistance information, a security attribute of a slice accessible by the UE; and sending, by the control plane node, a registration response message to the UE, wherein the registration response message comprises the security attribute of the slice accessible by the UE (Bae: In step S550, the core network may transmit an initial context setup request message to the base station 5G RAN. The initial context setup request message may include a security context for the network slice. The security context may include at least one of information related to the security algorithm, the network slice identifier information, and the AS security key information K.sub.5G-RAN, k. In step S560, the base station receiving the initial context setup message may store the AS security key information K.sub.5G-RAN, k. Next, in step S570, the base station may transmit RRC connection reconfiguration message (5G RRC connection reconfiguration) or attach accept message to the terminal as a response to the connection request message of the terminal. At this point, the RRC connection reconfiguration message or the attach accept message may include the network slice identifier set by the terminal. In step S580, the terminal receiving the RRC connection reconfiguration message or the attach accept message may use the network slice identifier to generate a security context. That is, the terminal may use the network slice identifier to generate the AS security key information K.sub.5G-RAN, k and verify the security algorithm to be used to generate the security context. Also, Column 10, lines 46-55: when the network slice is first registered, a terminal may be assigned a unique network slice identifier (unique NW slice ID) that may be identified within a service provider network or globally. The network slice identifier may be stored in HSS, and the terminal may receive the network slice identifier during the initial access procedure and use the received network slice identifier to generate security keys for each network slice).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bae in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to adaptively manage security according to a service by using different security keys for each service (Bae: column 2, lines 31-35).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey in view of Pang and Edgar as applied to claim 10 above, and further in view of prior art of record US 9935769 to Nima Sharifi Mehr (hereinafter Mehr).
As per claim 13, Mahaffey in view of Pang and Edgar does not explicitly teach the limitations of the claim. However, Mehr teaches:
further comprising: determining, by the control plane node based on a local configuration policy, the security attribute of the session corresponding to the security requirement of the application; or receiving, by the control plane node, the security attribute of the session corresponding to the security requirement of the application from a subscription server; or receiving, by the control plane node, an index from a policy decision node; and determining, by the control plane node based on the index, the security attribute of the session corresponding to the security requirement of the application (Mehr: column 7, lines 54-67 and column 8, lines 1-29: In an embodiment, the service backend 214 maintains a repository 222 of resource metadata (resource metadata repository) that contains metadata about the resources managed by the service 208. In some embodiments, the resource metadata contains access control information (e.g., policies) additional to access control information stored in policies in the policy repository. The service frontend 210 may be configured to, when a request is received from the principal 202, query the service backend 214 for any applicable access control information and use any returned access control information in determining whether and/or how to fulfill a request. Access control information stored in a policy or resource metadata repository is associated with resources and specifies a set of cipher suites suitable for the resources. For a particular resource, the access control information may specify or otherwise indicate a set of cipher suites such that, to fulfill an API request received over a cryptographically protected communications session and involving the resource, the cryptographically protected communications session must utilize a cipher suite in the set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Mehr in the invention of Mahaffey in view of Pang and Edgar to include the above limitations. The motivation to do so would be to provide dynamic cipher suite selection based on planned session use (Mehr: column 2, lines 14-15).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438