DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
This Action is Non-Final.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 19 and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed “machine-readable storage medium,” based on the guidance provided by the Official Gazette on Subject Matter Eligibility of Computer Readable Media (see 1351 OG 212), encompasses both transitory (i.e. non-statutory) media and non-transitory (i.e. statutory) media. The Specification (see, for example, paragraphs [00119]-[00120]) provides a special definition for “computer-readable media” to exclude transitory type media, but does not provide such a definition for the claimed “machine-readable storage medium”.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-8, 9, 11, 14-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ranjbar et al. (US 20200021994) in view of Maria (US 9363278).
As per claims 1, 11, and 19, Ranjbar et al. discloses a medium, system, and method comprising: 
determining, by a system comprising a processor, whether there is an occurrence of a malicious event comprising a disruption of service of a radio access network device by a portion of a group of devices associated with a radio access network (see paragraphs [0037] and [0040] for detecting the malicious event and paragraph [0062] showing the radio access network), the determining based on respective characteristics associated with respective devices of the group of devices and a defined baseline that indicates whether the malicious event is occurring, wherein the respective characteristics are determined based on an analysis of first information relating to the group of devices, and wherein the defined baseline is adapted from a defined baseline based on second information relating to an attempted malicious event against the radio access network device by a group of devices (see paragraphs [0038] and [0041]-[0043] where the system uses statistics from a group of devices which is compared against known data to detect malicious events/attacks); and
in response to determining there is the occurrence of the malicious event, determining, by the system, whether to block a connection of a device of the group of devices to the radio access network device (see paragraph [0039]).
While Ranjbar et al. teaches the detection of malicious events based on previous baselines and determining whether to block the device, it lacks a specific teaching that the baselines are previous attempted malicious events and that the blocking of devices is determined based on a level of criticality associated with a message.
However, Maria teaches detecting malicious events based on previous malicious events (see column 7 line 56 through column 8 line 6) and in response blocking non-critical traffic and allowing critical traffic (see column 11 lines 25-50).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the teachings of Maria in the Ranjbar et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow for more flexibility in the system by using both known safe data and known malicious data and to allow certain important messages rather than blocking all messages.
As per claims 4-6, 14-16, and 20, the modified Ranjbar et al. and Maria system discloses the device is a first device, wherein the message is a first message, wherein the level of criticality is a first level of criticality, and wherein the method further comprises: determining, by the system, the first level of criticality associated with the first message satisfies a defined threshold level of criticality, based on a first evaluation of a first characteristic associated with the first device or the first message; determining, by the system, a second level of criticality associated with a second message being communicated by a second device of the group of devices does not satisfy the defined threshold level of criticality, based on a second evaluation of a second characteristic associated with the second device or the second message; and in response to determining there is the occurrence of the malicious event comprising the disruption of the service of the radio access network device by the portion of the group of devices: determining, by the system, that the first device is to be connected to the radio access network device to communicate the first message based on the first level of criticality being determined to satisfy the defined threshold level of criticality; and determining, by the system, that the second device is to be blocked from connecting to the radio access network device based on the second level of criticality being determined not to satisfy the defined threshold level of criticality; in response to determining that the second device is to be blocked from connecting to the radio access network device, communicating, by the system, instructions to the radio access network device to instruct the radio network access device to block the connection of the second device to the radio access network device; and determining, by the system, that the first message is a defined emergency message, a defined mission critical message, or a defined priority message that is associated with the first level of criticality associated with the first message, based on the first evaluation of the first characteristic associated with the first device or the first message, in accordance with a defined network security criterion (see Maria column 11 lines 25-50 where the data transmissions are blocked while the voice and emergency data are allowed).
As per claim 7, the modified Ranjbar et al. and Maria system discloses the malicious event comprises a distributed denial of service attack by the portion of the group of devices (see Ranjbar et al. paragraph [0057]).
As per claim 8, the modified Ranjbar et al. and Maria system discloses analyzing, by the system, the first information relating to the group of devices; determining, by the system, the respective characteristics associated with the respective devices of the group of devices based on the analyzing of the first information; determining, by the system, a preliminary result that initially indicates there is the occurrence of the malicious event, based on the respective characteristics associated with the respective devices (see Ranjbar et al. paragraphs [0037]-[0038] and [0040]-[0043]).
As per claim 17, the modified Ranjbar et al. and Maria system discloses a subgroup of devices is part of the previous group of devices and part of the portion of the group of devices, or wherein the previous group of devices has no device in common with the portion of the group of devices (see Ranjbar et al. paragraphs [0037]-[0038] and [0040]-[0043]).
Claims 2, 3, 10, 12, 13, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Ranjbar et al. and Maria system as applied to claims 1 and 11 above, and further in view of Louafi et al. (US 20210321259).
As per claims 2 and 12, the modified Ranjbar et al. and Maria system generally teaches the secondary analysis, but fails to explicitly disclose the analysis of the first information relating to the group of devices is a first analysis of the first information relating to a first group of devices, and wherein the method further comprises: performing, by the system, a second analysis of second information relating to a second group of devices associated with the radio access network device; and determining, by the system, an update to the defined baseline, based on the second analysis of the second information, to generate an updated defined baseline that indicates whether a subsequent malicious event to disrupt the service of the radio access network device is occurring.
However, Louafi et al. teaches the analysis of the first information relating to the group of devices is a first analysis of the first information relating to a first group of devices, and wherein the method further comprises: performing, by the system, a second analysis of second information relating to a second group of devices associated with the radio access network device; and determining, by the system, an update to the defined baseline, based on the second analysis of the second information, to generate an updated defined baseline that indicates whether a subsequent malicious event to disrupt the service of the radio access network device is occurring (see paragraph [0059]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the updating of the baseline in the modified Ranjbar et al. and Maria system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow for the detection system to update with time, thereby allowing the system to detect new malicious events.
As per claims 3 and 13, the modified Ranjbar et al., Maria, and Louafi et al. system discloses the determining the update to the defined baseline to generate the updated defined baseline comprises: based on applying a machine learning function to the second information and feedback information, determining the updated defined baseline that indicates whether the subsequent malicious event to disrupt the service of the radio access network device is occurring, wherein the feedback information comprises result information relating to a result of the determining whether there is the occurrence of the malicious event comprising the disruption of the service of the radio access network device by the portion of the group of devices (see Louafi et al. paragraphs [0048]-[0065]).
As per claims 10 and 18, the modified Ranjbar et al., Maria, and Louafi et al. system discloses parsing, by the system, the first information relating to the group of devices based on a first result of the analysis of the first information relating to the group of devices; based on a second result of the parsing, filtering, by the system, the first information relating to the group of devices to generate filtered information relating to the group of devices that comprises a portion of the first information relating to the group of devices that is determined to satisfy a defined network security criterion relating to information relevancy, wherein the determining whether there is the occurrence of the malicious event comprising the disruption of the service of the radio access network device by the portion of the group of devices comprises determining whether there is the occurrence of the malicious event comprising the disruption of the service of the radio access network device by the portion of the group of devices attempting to connect, or connected, to the radio access network device, based on the filtered information and the defined baseline that indicates whether the malicious event is occurring; and communicating, by the system, the filtered information relating to the group of devices to a machine learning function for subsequent analysis by the machine learning function (see Maria column 9 lines 28-47 and Louafi et al. paragraphs [0048]-[0065]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over the modified Ranjbar et al. and Maria system as applied to claim 8 above, and further in view of Reddy et al. (US 20180007084).
As per claim 9, the modified Ranjbar et al. and Maria system fails to explicitly disclose determining, by the system, whether the preliminary result that initially indicates there is the occurrence of the malicious event is a false positive indication of the occurrence of the malicious event, based on a subsequent analysis of the respective characteristics associated with the respective devices and feedback information relating to false positive determinations of malicious events that is received from a machine learning function; and one of: determining, by the system, that the preliminary result is the false positive indication of the occurrence of the malicious event, and the malicious event did not occur, based on a first result of the subsequent analysis of the respective characteristics associated with the respective devices and the feedback information relating to the false positive determinations of the malicious events; or determining, by the system, that the preliminary result is not the false positive indication of the occurrence of the malicious event, and the malicious event has occurred, based on a second result of the subsequent analysis of the respective characteristics associated with the respective devices and the feedback information relating to the false positive determinations of the malicious events.
However, Reddy et al. teaches determining, by the system, whether the preliminary result that initially indicates there is the occurrence of the malicious event is a false positive indication of the occurrence of the malicious event, based on a subsequent analysis of the respective characteristics associated with the respective devices and feedback information relating to false positive determinations of malicious events that is received from a machine learning function; and one of: determining, by the system, that the preliminary result is the false positive indication of the occurrence of the malicious event, and the malicious event did not occur, based on a first result of the subsequent analysis of the respective characteristics associated with the respective devices and the feedback information relating to the false positive determinations of the malicious events; or determining, by the system, that the preliminary result is not the false positive indication of the occurrence of the malicious event, and the malicious event has occurred, based on a second result of the subsequent analysis of the respective characteristics associated with the respective devices and the feedback information relating to the false positive determinations of the malicious events (see paragraphs [0057]-[0058], [0061]-[0068], and [0077]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to examine false positives in the modified Ranjbar et al. and Maria system.
Motivation to do so would have been to reduce false positives in future detections (see Reddy et al. paragraph [0058]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to detecting malicious events in a network.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Michael Pyzocha/               Primary Examiner, Art Unit 2419