DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined. 

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 07/28/2020 and 02/16/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claim 10 is objected to because of the following informalities:  Claim 10 recites: “wherein the new destination based on a particular security level associated with a particular application …” instead of “wherein the new destination is based on a particular security level associated with a particular application …”.  Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/921765 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because: 
Instant application:

1. A method performed by a security system to manage network traffic of a 5G network, the method comprising: instantiating the security system to sort incoming network traffic at a perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple functions or applications and one of multiple security levels, wherein the multiple security levels include a high security level, a medium security level, and a low security level, and wherein the high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level; inspecting portions of incoming network traffic that contain addressing information required for the network traffic to reach an intended application or function; sorting the incoming network traffic into the multiple groups based in part on the inspection of the portions of the network traffic; and dynamically directing the incoming network traffic for the 5G network based on a particular security level associated with a particular application or a particular function of each of the multiple groups.

5. The method of claim 1 further comprising: dynamically adjusting a priority order of the multiple groups.

6. The method of claim 1, wherein the high security level is associated with an emergency service, the medium security level is associated with a business service, and the low security level is associated with a leisure service.

8. The method of claim 1 further comprising, prior to instantiating the security system: detecting an elevated security risk to the 5G network, wherein the security system is instantiated in response to the detected security risk.

9. The method of claim 1 further comprising: detecting a change in a security threat level to the 5G network; and in response to the detected change, terminating the instantiation of the security system upon dispatching an entirety of the sorted network traffic.

Copending Application No. 16/921765:

1. A method performed by a security system to manage network traffic of a 5G network, the method comprising: instantiating the security system to sort incoming or outgoing network traffic at a perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple traffic types and one of multiple security levels, wherein the multiple traffic types include a user traffic type, a control traffic type, and a management traffic type, wherein the multiple security levels include a high security level, a medium security level, and a low security level, and wherein the high security level is prioritized relative to the medium security level and the medium level is prioritized relative to the low security level; inspecting segments of data included in the incoming network traffic, wherein the segments of the data contain addressing information required for the data to reach one or more intended destinations; sorting multiple portions of the network traffic into the multiple groups based in part on the inspection of the segments of the data that contain the addressing information, wherein each of the multiple portions is included in a group that is associated with a matching traffic type and a matching security level; dynamically adjusting an available bandwidth of the 5G network based on a load of each of the multiple groups; and dispatching the multiple portions of the network traffic in accordance with a traffic type and a security level of each of the multiple groups.

3. The method of claim 1 further comprising: dynamically adjusting a priority order of the multiple groups.

4. The method of claim 1, wherein the high security level is associated with an emergency service, the medium security level is associated with a business service, and the low security level is associated with a leisure service.

7. The method of claim 1 further comprising, prior to instantiating the security system: detecting an elevated security risk for the 5G network, wherein the security system is instantiated in response to the detected security risk.

8. The method of claim 1 further comprising: detecting a change in a security threat level to the 5G network; and in response to the detected change, terminating the instantiation of the security system upon dispatching an entirety of the sorted network traffic.


Similarly, the rest of the independent and dependent claims are analogous to the rest of the independent and dependent claims of Copending Application No. 16/921765.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over US 20190380037 to Lifshitz et al (hereinafter Lifshitz) and US 20070089165 to Wei et al (hereinafter Wei).
As per claim 1, Lifshitz teaches:
A method performed by a security system to manage network traffic of a 5G network, the method comprising: 
instantiating the security system to sort incoming network traffic at a perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple functions or applications (Lifshitz: [0031], [0033], [0036] A Sensor Unit 221, or other sensing or listening or tracking or monitoring unit, sees or listens or monitors or tracks or captures or collects all the relevant network traffic (e.g., via Gi interface), as well as subscriber (IoT device) address mapping information. [0166] System 400 operates, and implements methods, to detect and to mitigate attacks that are performed on the CP of mobile networks, and particularly on the CP of a cellular 5G network or a 5G New Radio (NR) network. [0037] The mapping may be performed, for example, in two stages: (i) identifying which traffic (e.g., directed to which IP address, and/or incoming from which IP address) belong to which Subscriber Identity Module (SIM) card; (ii) identifying the type of IoT device, such as by mapping or classifying a particular IoT device into a class or group or type of IoT devices (e.g., soda vending machines; metering units of an electric company; smoke detectors; or the like). [0038]-[0039]: The second stage, of mapping or classifying a particular SIM card to a particular type of IoT devices, may be performed in one or more suitable ways; for example, based on data received via integration with SIM(s) management platform (e.g., a network entity or element or unit that handles or manages the connectivity IoT SIMs), and/or by traffic profiling, i.e., traffic is sorted based on the type of IoT device), 
inspecting portions of incoming network traffic that contain addressing information required for the network traffic to reach an intended application or function (Lifshitz: [0040] The Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices, and/or for each data connection: (a) timestamp of start; (b) 5-tuple of the connections (e.g., source IP address, source port, destination IP address, destination port, protocol being used)); 
sorting the incoming network traffic into the multiple groups based in part on the inspection of the portions of the network traffic (Lifshitz: [0041] An Analyzer unit 212 performs analysis of the collected data: (a) Network activity profiling, performed periodically (e.g., at pre-defined time intervals), by clustering the collected data (e.g., via Cd interface) using a pre-defined clustering mechanism or clustering algorithm (e.g., by utilizing K-Means, or other suitable clustering method); and performing extraction of features from the data-set, per class of IoT devices, wherein a class pertains to a set of IoT devices that belongs to the same IoT service or type (e.g., type of “vending machine”, or type of “smoke detector”)); and 
dynamically directing the incoming network traffic for the 5G network (Lifshitz: [0042]: The deep observation mode may further include steering of HTTP traffic to inspection engines for Bot detection or infiltration; and/or detection of scanning attempts from the suspected IoT devices towards other internal hosts on the network or in the system. [0079]: allowing passage and/or relaying and/or forwarding and/or delivering packets or messages or signals that are directed from the IoT device to a destination on the whitelist, or that are directed from a sender on the whitelist towards the IoT device).
Lifshitz does not teach: sort incoming network traffic into one of multiple groups that are each uniquely associated with one of multiple security levels; wherein the multiple security levels include a high security level, a medium security level, and a low security level, and wherein the high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level. Also, Lifshitz teaches dynamically directing incoming network traffic but does not teach: dynamically directing the incoming network traffic based on a particular security level associated with a particular application or a particular function of each of the multiple groups. However, Wei teaches:
sort incoming network traffic into one of multiple groups that are each uniquely associated with one of multiple security levels; wherein the multiple security levels include a high security level, a medium security level, and a low security level, and wherein the high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level (Wei: [0148]: The criterion is such that when a subscriber subscribes to a certain level of security service from the network, the higher the level is, the higher the quality of the security service provided from the network is, under the same other conditions. For example, a subscriber who has subscribed to a security service of higher level will be subject to less limitation in network access upon implementing an access service, and can get a corresponding level of security mechanism so as to ensure more secure communications. [0153] The network access strategy includes: [0154] flow control: providing different network bandwidth resources; thresholds for blocking subscribers are set according to the security service levels of subscribers, where the threshold for a higher security service level is set to be higher, and a possibility for the flow thereof to be blocked is lower. [0159] In step S930, a differential security service is implemented for the subscriber according to the level of a security service subscribed to by a subscriber in implementing the security strategy. It is inherent that the high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level);
dynamically directing the incoming network traffic based on a particular security level associated with a particular application or a particular function of each of the multiple groups (Wei: [0156] access limiting: A subscriber who has subscribed to a higher level of security service may access more secure destination addresses and network segments. [0158] The application service control strategy includes: a subscribed application service is not always disabled and can be provided for a subscriber who has subscribed to a higher level of security service; a service with a risk in security is limited, such as QoS parameters, an upper limit for the flow of a specific service, etc. In addition, it is possible that the service provision in rush hours is not limited for a subscriber who has subscribed to a higher level of security service. For a service provided by an ASP as a third party, the down flows into the network may be limited).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wei in the invention of Lifshitz to include the above limitations. The motivation to do so would be to implement differential security protection among different subscribers (Wei: [0006]).

As per claim 3, Lifshitz in view of Wei teaches: 
The method of claim 1 wherein dynamically directing the network traffic for the 5G network comprises: redirecting the network traffic to a destination other than that indicated by the addressing information (Lifshitz: [0042]: The deep observation mode may further include steering of HTTP traffic to inspection engines for Bot detection or infiltration; and/or detection of scanning attempts from the suspected IoT devices towards other internal hosts on the network or in the system).

As per claim 17, Lifshitz teaches: 
At least one non-transitory computer-readable storage medium storing instructions for execution by at least one processor, wherein execution of the instructions cause a security system at a perimeter of a 5G network to: 
sort network traffic at the perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple functions or applications (Lifshitz: [0031], [0033], [0036] A Sensor Unit 221, or other sensing or listening or tracking or monitoring unit, sees or listens or monitors or tracks or captures or collects all the relevant network traffic (e.g., via Gi interface), as well as subscriber (IoT device) address mapping information. [0166] System 400 operates, and implements methods, to detect and to mitigate attacks that are performed on the CP of mobile networks, and particularly on the CP of a cellular 5G network or a 5G New Radio (NR) network. [0037] The mapping may be performed, for example, in two stages: (i) identifying which traffic (e.g., directed to which IP address, and/or incoming from which IP address) belong to which Subscriber Identity Module (SIM) card; (ii) identifying the type of IoT device, such as by mapping or classifying a particular IoT device into a class or group or type of IoT devices (e.g., soda vending machines; metering units of an electric company; smoke detectors; or the like). [0038]-[0039]: The second stage, of mapping or classifying a particular SIM card to a particular type of IoT devices, may be performed in one or more suitable ways; for example, based on data received via integration with SIM(s) management platform (e.g., a network entity or element or unit that handles or manages the connectivity IoT SIMs), and/or by traffic profiling, i.e., traffic is sorted based on the type of IoT device), 
inspect portions of the network traffic that contain addressing information required for the network traffic to reach an intended application or function (Lifshitz: [0040] The Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices, and/or for each data connection: (a) timestamp of start; (b) 5-tuple of the connections (e.g., source IP address, source port, destination IP address, destination port, protocol being used)); 
sort the incoming network traffic into the multiple groups based in part on the inspection of the portions of the network traffic (Lifshitz: [0041] An Analyzer unit 212 performs analysis of the collected data: (a) Network activity profiling, performed periodically (e.g., at pre-defined time intervals), by clustering the collected data (e.g., via Cd interface) using a pre-defined clustering mechanism or clustering algorithm (e.g., by utilizing K-Means, or other suitable clustering method); and performing extraction of features from the data-set, per class of IoT devices, wherein a class pertains to a set of IoT devices that belongs to the same IoT service or type (e.g., type of “vending machine”, or type of “smoke detector”)); and 
dynamically dispatch the network traffic for the 5G network (Lifshitz: [0042]: The deep observation mode may further include steering of HTTP traffic to inspection engines for Bot detection or infiltration; and/or detection of scanning attempts from the suspected IoT devices towards other internal hosts on the network or in the system. [0079]: allowing passage and/or relaying and/or forwarding and/or delivering packets or messages or signals that are directed from the IoT device to a destination on the whitelist, or that are directed from a sender on the whitelist towards the IoT device).
Lifshitz does not teach: sort network traffic into one of multiple groups that are each uniquely associated with one of multiple security levels. Also, Lifshitz teaches dynamically dispatching incoming network traffic but does not teach: dynamically dispatch the network traffic based on a particular security level associated with a particular application or a particular function of each of the multiple groups. However, Wei teaches:
sort network traffic into one of multiple groups that are each uniquely associated with one of multiple security levels (Wei: [0148]: The criterion is such that when a subscriber subscribes to a certain level of security service from the network, the higher the level is, the higher the quality of the security service provided from the network is, under the same other conditions. For example, a subscriber who has subscribed to a security service of higher level will be subject to less limitation in network access upon implementing an access service, and can get a corresponding level of security mechanism so as to ensure more secure communications. [0153] The network access strategy includes: [0154] flow control: providing different network bandwidth resources; thresholds for blocking subscribers are set according to the security service levels of subscribers, where the threshold for a higher security service level is set to be higher, and a possibility for the flow thereof to be blocked is lower. [0159] In step S930, a differential security service is implemented for the subscriber according to the level of a security service subscribed to by a subscriber in implementing the security strategy);
dynamically dispatch the network traffic based on a particular security level associated with a particular application or a particular function of each of the multiple groups (Wei: [0156] access limiting: A subscriber who has subscribed to a higher level of security service may access more secure destination addresses and network segments. [0158] The application service control strategy includes: a subscribed application service is not always disabled and can be provided for a subscriber who has subscribed to a higher level of security service; a service with a risk in security is limited, such as QoS parameters, an upper limit for the flow of a specific service, etc. In addition, it is possible that the service provision in rush hours is not limited for a subscriber who has subscribed to a higher level of security service. For a service provided by an ASP as a third party, the down flows into the network may be limited).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wei in the invention of Lifshitz to include the above limitations. The motivation to do so would be to implement differential security protection among different subscribers (Wei: [0006]).

As per claim 18, Lifshitz in view of Wei teaches: 
The computer-readable storage medium of claim 17, wherein the network traffic is dispatched based on a priority order associated with the multiple groups (Wei: [0147] Based on the above, a differential application security service can be provided for subscriber, in which different levels of security services can be provided for the subscribers, such that a subscriber who has subscribed to a security service of higher level can be provided with a quicker security response, an application service of higher quality and higher priority. [0148]: For example, a subscriber who has subscribed to a security service of higher level will be subject to less limitation in network access upon implementing an access service, and can get a corresponding level of security mechanism so as to ensure more secure communications. [0153] The network access strategy includes: [0154] flow control: providing different network bandwidth resources; thresholds for blocking subscribers are set according to the security service levels of subscribers, where the threshold for a higher security service level is set to be higher, and a possibility for the flow thereof to be blocked is lower. [0159] In step S930, a differential security service is implemented for the subscriber according to the level of a security service subscribed to by a subscriber in implementing the security strategy).
The examiner applies the same rationale for combining Lifshitz and Wei as set forth for claim 17 above.

As per claim 19, Lifshitz in view of Wei teaches: 
The computer-readable storage medium of claim 17, wherein the multiple security levels include a high security level and a low security level, and wherein a first group of the network traffic associated with a high security level is prioritized for dispatching relative to a second group of the network traffic that is associated with a low security level (Wei: [0147] Based on the above, a differential application security service can be provided for subscriber, in which different levels of security services can be provided for the subscribers, such that a subscriber who has subscribed to a security service of higher level can be provided with a quicker security response, an application service of higher quality and higher priority. [0148]: For example, a subscriber who has subscribed to a security service of higher level will be subject to less limitation in network access upon implementing an access service, and can get a corresponding level of security mechanism so as to ensure more secure communications. [0153] The network access strategy includes: [0159] In step S930, a differential security service is implemented for the subscriber according to the level of a security service subscribed to by a subscriber in implementing the security strategy).
The examiner applies the same rationale for combining Lifshitz and Wei as set forth for claim 17 above.

Claims 2 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Wei as applied to claim 1 above, and further in view of applicant-provided prior art US 9516053 to Muddu et al (hereinafter Muddu).
As per claim 2, Lifshitz in view of Wei does not teach the limitations of claim 2. However, Muddu teaches: 
further comprising, prior to dynamically directing the incoming network traffic: processing the incoming network traffic with a security model to output a vulnerability-risk-threat (VRT) score that labels the incoming network traffic in relation to a vulnerability parameter, a risk parameter, and a threat parameter, wherein the incoming network traffic is sorted in part based on the VRT score (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score. Column 9, line 65-column 10, line 11: When the security-related conclusion indicates that a potential security breach (e.g., a threat or a threat indicator) has occurred, at step 2110, the model deliberation process thread can generate a user interface element to solicit an action command to activate a threat response. In one example, the user interface element triggers the action command for sending a message to the target-side computer system to demand …, blocking of specific network traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).

As per claim 7, Lifshitz in view of Wei does not teach the limitations of claim 7. However, Muddu teaches: 
further comprising, prior to dynamically directing the incoming network traffic: processing the incoming network traffic with a machine learning model to output a score relative to a vulnerability, risk, and threat by the cyberattack to the 5G network, wherein the incoming network traffic is sorted in part based on the score (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score. Column 9, line 65-column 10, line 11: When the security-related conclusion indicates that a potential security breach (e.g., a threat or a threat indicator) has occurred, at step 2110, the model deliberation process thread can generate a user interface element to solicit an action command to activate a threat response. In one example, the user interface element triggers the action command for sending a message to the target-side computer system to demand …, blocking of specific network traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Wei as applied to claim 1 above, and further in view of US 20070022468 to Iijima et al. (hereinafter Iijima).
As per claim 4, Lifshitz in view of Wei does not teach the limitations of claim 4. However, Iijima teaches: 
further comprising: detecting a change in a condition of the 5G network; and in response to the detected change, changing a security level associated with at least one of the multiple groups (Iijima: [0025]: The security level 1 for user 1 is the highest level of security, and the FW module and IDS module are set as its destination application module. The security level 1 is mainly for those users sending harmful traffic. A security level 2 is set for user 2 and the FW module is set as its destination application module. This security level 2 is usually assigned to users sending unusual traffic whose results show contamination such as from a virus. The security level 3 for the user 3 does not use module transfer. Traffic at security level 3 is sent directly from the platform module to an outside network. This security level is for general users and is intended only for high-speed packet transmission. [0029]: However if the sample packet of the user 3 for example contains a URL (Uniform Resource Locator) that was registered beforehand in the FW module as a suspicious URL, then the FW module decides that this traffic is unauthorized (suspicious) traffic. If decided to be an unauthorized access then the FW module discards the sample packet as shown in FIG. 11, and sends a control message to the platform module to change the security level from 3 to 2. After receiving the control message, the sampling module changes the security level in the destination table. The security level of the user 3 is from this point on changed to 2 in this way, and all traffic from the user 3 is sent to the FW module and is monitored by the FW module. [0030]: If determined to be an unauthorized access then the IDS module sends a control message to the platform module to change the security level of the user 3 from 2 to 1 as shown in FIG. 11).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Iijima in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to allow highly efficient packet transmission by providing reliable module processing (Iijima: [0031]).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Wei as applied to claim 1 above, and further in view of US 8284780 to Sullivan et al. (hereinafter Sullivan).
As per claim 5, Lifshitz in view of Wei does not teach: dynamically adjusting a priority order of the multiple groups. However, Sullivan teaches:
further comprising: dynamically adjusting a priority order of the multiple groups (Sullivan: column 5, line 64-column 6, line 6: For example, the depicted embodiment of traffic policy table 520 includes a first category of port numbers from 1-79 and a second category of port numbers including port numbers 80 and 81. For a low value of the traffic state parameter, edge device 140 is open for both types of packet traffic. If, however, the value of the traffic state parameter increases to the very high level, traffic policy table 520 indicates that edge device 140 will be open to packets in the first category but closed to packets in the second category. column 6, line 51-column 7, line 2: First application 710 may represent an application that generates high priority packet traffic and second application 720 may represent an application that generates lower priority packet traffic. For example, first application 710 may represent an email program that transmits and receives email content while second application 720 may represent a Web browser. When first application 710 and second application 720 generate packet traffic that is received by edge device 140, the traffic policy in place may differentiate the manner in which edge device 140 handles or processes the traffic for the two applications. If the traffic state parameter value is sufficiently high, edge device 140 may block the low priority traffic including, in some embodiments, HTTP traffic generated by second application 720 while transmitting high priority traffic including, in some embodiments, traffic generated by first application 710).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Sullivan in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to filter traffic in a data processing network (Sullivan: column 2, lines 14-15).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Wei as applied to claim 1 above, and further in view of US 20090122699 to Alperovitch et al. (hereinafter Alperovitch).
As per claim 6, Lifshitz in view of Wei does not teach the limitations of claim 2. However, Alperovitch teaches: 
wherein the high security level is associated with an emergency service, the medium security level is associated with a business service, and the low security level is associated with a leisure service (Alperovitch: [0018] In some implementations, the prioritization scheme can allocate network bandwidth to highest priority data classifications first, and recursively allocate bandwidth to successively lower priority data classifications until there is no more bandwidth or all data classifications have been allocated bandwidth. For example, if there are classifications of business traffic having first priority, news traffic having second priority, and spam traffic having third priority, the business traffic can be allocated bandwidth first, the news traffic can be allocated bandwidth second (if any bandwidth is available), and the spam traffic can be allocated bandwidth third (if any bandwidth is available). [0040]: For example, entities with a reputation for sending government traffic might be provided priority over other entities in emergency situations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Alperovitch in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to prioritize certain network traffic based upon classification(s) associated with the network traffic and/or reputations of one or more entities associated with the network traffic, while blocking other network traffic based upon classification(s) of the network traffic and/or reputations of one or more entities associated with the network traffic (Alperovitch: [0014]).

Claims 8, 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Wei as applied to claim 1 above, and further in view of CN 105471835 A to Zhang (hereinafter Zhang).
Examiner’s Note: The examiner used an English translation of CN 105471835 A which is attached to the end of the original document. 
As per claim 8, Lifshitz in view of Wei does not teach the limitations of claim 8. However, Zhang teaches: 
further comprising, prior to instantiating the security system: detecting an elevated security risk to the 5G network, wherein the security system is instantiated in response to the detected security risk (Zhang: [0010]: According to the comparison result of the variation range of the described connection table item quantity and the described table item quantity threshold value, determine whether there is a network attack threat in the current network environment; Wherein, if there is a network attack threat in the current network environment, then open the firewall. The anti-network attack function of the firewall is used to perform attack detection on the traffic entering the firewall. Also, [0036]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Zhang in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to greatly improve the performance of the firewall, and effectively improve the rate at which the firewall forwards data packets (Zhang: [0021]).

As per claim 9, Lifshitz in view of Wei does not teach the limitations of claim 9. However, Zhang teaches: 
further comprising: detecting a change in a security threat level to the 5G network; and in response to the detected change, terminating the instantiation of the security system upon dispatching an entirety of the sorted network traffic (Zhang: [0014]: after enabling the anti-network attack function of the firewall, querying the connection table according to the message whether there is a connection table item corresponding to the current message; the connection table includes quintuple information, and the quintuple information includes source IP address, destination IP address, source port, destination port and protocol type; according to the query result, execute the corresponding message forwarding action or message discard action. [0037]: Step 105: If it is determined that there is no threat of a network attack in the current network environment, the anti-network attack function is turned off, thereby stopping attack detection on the data traffic entering the firewall).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Zhang in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to greatly improve the performance of the firewall, and effectively improve the rate at which the firewall forwards data packets (Zhang: [0021]).

As per claim 20, Lifshitz in view of Wei does not teach the limitations of claim 20. However, Zhang teaches: 
further caused to: detect a condition of the 5G network; and in response to the detected condition, cause the security system to: change a security level associated with a group, change a priority order of the multiple groups, or terminate the instantiation of the security system (Zhang: [0037]: Step 105: If it is determined that there is no threat of a network attack in the current network environment, the anti-network attack function is turned off, thereby stopping attack detection on the data traffic entering the firewall).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Zhang in the invention of Lifshitz in view of Wei to include the above limitations. The motivation to do so would be to greatly improve the performance of the firewall, and effectively improve the rate at which the firewall forwards data packets (Zhang: [0021]).

Claims 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz, Zhang and Wei.
As per claim 10, Lifshitz teaches:
A security system comprising: a processor; and a memory coupled to the processor and configured to store instructions that, when executed by the processor, cause the security system to: 
instantiate a security function to sort network traffic at a perimeter of the 5G network into one of multiple groups that are each uniquely associated with one of multiple functions or applications (Lifshitz: [0031], [0033], [0036]: A Sensor Unit 221, or other sensing or listening or tracking or monitoring unit, sees or listens or monitors or tracks or captures or collects all the relevant network traffic (e.g., via Gi interface), as well as subscriber (IoT device) address mapping information. [0166] System 400 operates, and implements methods, to detect and to mitigate attacks that are performed on the CP of mobile networks, and particularly on the CP of a cellular 5G network or a 5G New Radio (NR) network. [0037] The mapping may be performed, for example, in two stages: (i) identifying which traffic (e.g., directed to which IP address, and/or incoming from which IP address) belong to which Subscriber Identity Module (SIM) card; (ii) identifying the type of IoT device, such as by mapping or classifying a particular IoT device into a class or group or type of IoT devices (e.g., soda vending machines; metering units of an electric company; smoke detectors; or the like). [0038]-[0039]: The second stage, of mapping or classifying a particular SIM card to a particular type of IoT devices, may be performed in one or more suitable ways; for example, based on data received via integration with SIM(s) management platform (e.g., a network entity or element or unit that handles or manages the connectivity IoT SIMs), and/or by traffic profiling, i.e., traffic is sorted based on the type of IoT device), 
inspect one or more portions of the network traffic that contain addressing information required for the network traffic to reach an intended application or function (Lifshitz: [0040] The Sensor Unit 221 monitors and collects the following data for each of the endpoints identified as managed IoT devices, and/or for each data connection: (a) timestamp of start; (b) 5-tuple of the connections (e.g., source IP address, source port, destination IP address, destination port, protocol being used)); 
sort the network traffic into the multiple groups based in part on the inspection of the portions of the network traffic (Lifshitz: [0041] An Analyzer unit 212 performs analysis of the collected data: (a) Network activity profiling, performed periodically (e.g., at pre-defined time intervals), by clustering the collected data (e.g., via Cd interface) using a pre-defined clustering mechanism or clustering algorithm (e.g., by utilizing K-Means, or other suitable clustering method); and performing extraction of features from the data-set, per class of IoT devices, wherein a class pertains to a set of IoT devices that belongs to the same IoT service or type (e.g., type of “vending machine”, or type of “smoke detector”)); and 
dynamically redirect the network traffic of the 5G network to a new destination other than a destination indicated by the addressing information (Lifshitz: [0042]: The deep observation mode may further include steering of HTTP traffic to inspection engines for Bot detection or infiltration; and/or detection of scanning attempts from the suspected IoT devices towards other internal hosts on the network or in the system. [0079]: allowing passage and/or relaying and/or forwarding and/or delivering packets or messages or signals that are directed from the IoT device to a destination on the whitelist, or that are directed from a sender on the whitelist towards the IoT device).
Lifshitz does not teach: detect a security threat to a 5G network, in response to the detected security threat, instantiate a security function; sort incoming network traffic into one of multiple groups that are each uniquely associated with one of multiple security levels; wherein the multiple security levels include a high security level, a medium security level, and a low security level, and wherein the high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level. Also, Lifshitz teaches dynamically directing incoming network traffic but does not teach: wherein the new destination based on a particular security level associated with a particular application or a particular function of each of the multiple groups. However, Zhang teaches:
detect a security threat to a 5G network, in response to the detected security threat, instantiate a security function (Zhang: [0010]: According to the comparison result of the variation range of the described connection table item quantity and the described table item quantity threshold value, determine whether there is a network attack threat in the current network environment; Wherein, if there is a network attack threat in the current network environment, then open the firewall. The anti-network attack function of the firewall is used to perform attack detection on the traffic entering the firewall. Also, [0036]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Zhang in the invention of Lifshitz to include the above limitations. The motivation to do so would be to greatly improve the performance of the firewall, and effectively improve the rate at which the firewall forwards data packets (Zhang: [0021]).
And, Wei teaches:
sort incoming network traffic into one of multiple groups that are each uniquely associated with one of multiple security levels; wherein the multiple security levels include a high security level, a medium security level, and a low security level, and wherein the high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level (Wei: [0148]: The criterion is such that when a subscriber subscribes to a certain level of security service from the network, the higher the level is, the higher the quality of the security service provided from the network is, under the same other conditions. For example, a subscriber who has subscribed to a security service of higher level will be subject to less limitation in network access upon implementing an access service, and can get a corresponding level of security mechanism so as to ensure more secure communications. [0153] The network access strategy includes: [0154] flow control: providing different network bandwidth resources; thresholds for blocking subscribers are set according to the security service levels of subscribers, where the threshold for a higher security service level is set to be higher, and a possibility for the flow thereof to be blocked is lower. [0159] In step S930, a differential security service is implemented for the subscriber according to the level of a security service subscribed to by a subscriber in implementing the security strategy. It is inherent that high security level is prioritized relative to the medium security level and the medium security level is prioritized relative to the low security level);
wherein the new destination based on a particular security level associated with a particular application or a particular function of each of the multiple groups (Wei: [0059] In addition, redirection may also be performed. Redirection means to redirect, by the network access controller 131, a specific flow of an insecure mobile terminal or ASP to another special network security device for further processing. [0153] The network access strategy includes: [0154] flow control: providing different network bandwidth resources; wherein a possibly vicious subscriber flow is redirected preferentially to a network element with higher performance in processing, and the subscriber data packages cleared of viruses are forwarded at a higher priority. [0156]. [0158] The application service control strategy includes: a subscribed application service is not always disabled and can be provided for a subscriber who has subscribed to a higher level of security service; a service with a risk in security is limited, such as QoS parameters, an upper limit for the flow of a specific service, etc. In addition, it is possible that the service provision in rush hours is not limited for a subscriber who has subscribed to a higher level of security service. For a service provided by an ASP as a third party, the down flows into the network may be limited. [0162]: For example, for a subscriber who has subscribed to a security service of higher level, in addition to general redirection, a redirection function based on a flow system analysis of protocols and states may be provided to assist the subscriber in quick virus detection and clearing without affecting the normal implementation of the subscriber's service as far as possible).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wei in the invention of Lifshitz in view of Zhang to include the above limitations. The motivation to do so would be to implement differential security protection among different subscribers (Wei: [0006]).

As per claim 11, Lifshitz in view of Zhang and Wei teaches: 
The security system of claim 10 further caused to: detect a change in a condition of the 5G network; and in response to the detected change, cause the system to: change a security level associated with a group, change a priority order of the multiple groups, or terminate the instantiation of the security system (Zhang: [0037]: Step 105: If it is determined that there is no threat of a network attack in the current network environment, the anti-network attack function is turned off, thereby stopping attack detection on the data traffic entering the firewall).
The examiner provides the same rationale to combine the prior art references Lifshitz and Zhang as in claim 10 above. 
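The Zhang passages cited for claims 8, 9, 10 and 11 describe one control loop: the firewall samples the size of its connection table, compares the variation in that size against a threshold, switches its anti-network-attack function on when the threshold is exceeded, consults the quintuple connection table for each message while that function is active, and switches the function off again once no threat is determined. The Python model below is added here as an illustration of that loop; it is not Zhang's code and not part of this action. The threshold value, the sample traffic, and the rule that only a connection-initiating (SYN) packet may create a new table entry while detection is on are constructed assumptions.

```python
"""Added illustration of the connection-table growth heuristic described in the
cited Zhang passages. Example code for this write-up, not Zhang's; the
threshold, the traffic and the per-packet rule applied while detection is on
are constructed assumptions."""


class Firewall:
    def __init__(self, threshold):
        self.threshold = threshold     # allowed change in table size per interval (constructed)
        self.connections = set()       # connection table keyed by quintuple
        self.last_count = 0
        self.detection_on = False      # the anti-network-attack function
        self.history = []              # (delta, detection_on) per interval

    def periodic_check(self):
        """Compare the variation range of the connection table size with the
        threshold and turn the anti-network-attack function on or off."""
        delta = len(self.connections) - self.last_count
        self.last_count = len(self.connections)
        self.detection_on = abs(delta) > self.threshold
        self.history.append((delta, self.detection_on))
        return self.detection_on

    def handle(self, key, syn=False):
        """Forward or discard one message identified by its quintuple
        (src_ip, dst_ip, src_port, dst_port, proto)."""
        if key in self.connections:
            return "forward"           # known connection: fast forwarding path
        if not self.detection_on or syn:
            # Detection off: learn the flow and forward. Detection on
            # (constructed rule): only a SYN may create a new entry.
            self.connections.add(key)
            return "forward"
        return "discard"               # unknown flow while attack detection is active


def simulate():
    """Replay constructed traffic: a quiet interval, then a burst of new flows.
    Returns the detection state after each interval and two per-packet verdicts."""
    fw = Firewall(threshold=3)
    quiet = [("10.0.0.1", "10.0.0.9", 40000 + i, 443, "tcp") for i in range(2)]
    burst = [("198.51.100.%d" % i, "10.0.0.9", 50000, 80, "tcp") for i in range(10)]
    verdicts = [fw.handle(k, syn=True) for k in quiet]
    on_after_quiet = fw.periodic_check()        # delta 2, below threshold -> off
    verdicts += [fw.handle(k, syn=True) for k in burst]
    on_after_burst = fw.periodic_check()        # delta 10, above threshold -> on
    stray = fw.handle(("203.0.113.7", "10.0.0.9", 1234, 80, "tcp"))  # no entry, no SYN
    known = fw.handle(quiet[0])                 # existing entry still forwarded
    on_after_calm = fw.periodic_check()         # delta 0 -> function turned off again
    return (on_after_quiet, on_after_burst, on_after_calm), stray, known, verdicts


if __name__ == "__main__":
    print(simulate())
```

The point the model makes explicit is that the expensive per-message lookup and discard logic only runs between the moment the table growth crosses the threshold and the next calm interval, which is the performance rationale Zhang's [0021] is cited for.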

As per claim 12, Lifshitz in view of Zhang and Wei teaches: 
The security system of claim 10 comprising: a network security appliance that includes the processor and the memory (Lifshitz: [0030]: A Traffic Sensing and Enforcement (TSE) unit 106 may be deployed at one or more suitable points or nodes, or between particular network nodes or network elements. [0137] Some embodiments may be implemented by using a special-purpose machine or a specific-purpose device that is not a generic computer, or by using a non-generic computer or a non-general computer or machine).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Zhang and Wei as applied to claim 10 above, and further in view of Muddu.
As per claim 13, Lifshitz in view of Zhang and Wei does not teach the limitations of claim 13. However, Muddu teaches: 
further caused to: process the network traffic with a security model to output a vulnerability-risk-threat (VRT) score that labels the incoming network traffic in relation to a vulnerability parameter, a risk parameter, and a threat parameter, wherein the network traffic is sorted in part based on the VRT score (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score. Column 9, line 65-column 10, line 11: When the security-related conclusion indicates that a potential security breach (e.g., a threat or a threat indicator) has occurred, at step 2110, the model deliberation process thread can generate a user interface element to solicit an action command to activate a threat response. In one example, the user interface element triggers the action command for sending a message to the target-side computer system to demand …, blocking of specific network traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Lifshitz in view of Zhang and Wei to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Zhang and Wei as applied to claim 10 above, and further in view of Iijima.
As per claim 14, Lifshitz in view of Zhang and Wei does not teach the limitations of claim 4. However, Iijima teaches: 
further caused to: detecting a condition of the 5G network; and in response to the detected condition, changing a security level associated with at least one of the multiple groups (Iijima: [0025]: The security level 1 for user 1 is the highest level of security, and the FW module and IDS module are set as its destination application module. The security level 1 is mainly for those users sending harmful traffic. A security level 2 is set for user 2 and the FW module is set as its destination application module. This security level 2 is usually assigned to users sending unusual traffic whose results show contamination such as from a virus. The security level 3 for the user 3 does not use module transfer. Traffic at security level 3 is sent directly from the platform module to an outside network. This security level is for general users and is intended only for high-speed packet transmission. [0029]: However if the sample packet of the user 3 for example contains a URL (Uniform Resource Locator) that was registered beforehand in the FW module as a suspicious URL, then the FW module decides that this traffic is unauthorized (suspicious) traffic. If decided to be an unauthorized access then the FW module discards the sample packet as shown in FIG. 11, and sends a control message to the platform module to change the security level from 3 to 2. After receiving the control message, the sampling module changes the security level in the destination table. The security level of the user 3 is from this point on changed to 2 in this way, and all traffic from the user 3 is sent to the FW module and is monitored by the FW module. [0030]: If determined to be an unauthorized access then the IDS module sends a control message to the platform module to change the security level of the user 3 from 2 to 1 as shown in FIG. 11).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Iijima in the invention of Lifshitz in view of Zhang and Wei to include the above limitations. The motivation to do so would be to allow highly efficient packet transmission by providing reliable module processing (Iijima: [0031]).
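The Iijima passages cited for claims 4 and 14 describe a destination table that maps each user to a security level, with level 1 routing traffic through both the FW and IDS modules, level 2 through the FW module only, and level 3 straight out of the platform, and with the FW and IDS modules sending control messages that move a user from 3 to 2 and from 2 to 1 when they judge sampled traffic unauthorized. The Python model below is added here to illustrate that mechanism; it is not Iijima's code and not part of this action. The suspicious-URL list, the IDS verdict flag, the replayed traffic, and the assumption that a sampled packet is also copied to the next-stricter module are constructed for the example.

```python
"""Added illustration of the per-user security-level steering described in the
cited Iijima passages. Example code for this write-up, not Iijima's; module
chains beyond what the passage states, the URL list and the traffic are
constructed assumptions."""
from dataclasses import dataclass, field

# Security level -> inspection modules a user's traffic passes through
# (level 3 does not use module transfer).
LEVEL_CHAIN = {1: ("FW", "IDS"), 2: ("FW",), 3: ()}

# Constructed assumption: a sampled packet is additionally copied to the
# next-stricter module, which is how level-3 samples reach the FW module.
SAMPLE_TO = {3: "FW", 2: "IDS"}

# Constructed placeholder for URLs registered in the FW module as suspicious.
SUSPICIOUS_URLS = {"http://example.invalid/bad"}


@dataclass
class Packet:
    user: str
    url: str = ""
    ids_alert: bool = False   # constructed stand-in for an IDS "unauthorized access" verdict


@dataclass
class Platform:
    """Holds the destination table: user -> security level (3 = least restrictive)."""
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (user, old level, new level)

    def level(self, user):
        return self.table.get(user, 3)          # general users start at level 3

    def lower_level(self, user, to):
        """Apply a control message from a module; a level only ever tightens."""
        current = self.level(user)
        if to < current:
            self.log.append((user, current, to))
            self.table[user] = to

    def fw_module(self, pkt):
        # FW treats a registered suspicious URL as unauthorized traffic,
        # drops the packet and moves the user from level 3 to level 2.
        if pkt.url in SUSPICIOUS_URLS:
            self.lower_level(pkt.user, 2)
            return "drop"
        return "pass"

    def ids_module(self, pkt):
        # IDS escalates from level 2 to level 1 on a confirmed unauthorized access.
        if pkt.ids_alert:
            self.lower_level(pkt.user, 1)
            return "drop"
        return "pass"

    def handle(self, pkt, sampled=False):
        """Route one packet through the modules for the user's current level."""
        modules = {"FW": self.fw_module, "IDS": self.ids_module}
        lvl = self.level(pkt.user)
        for name in LEVEL_CHAIN[lvl]:
            if modules[name](pkt) == "drop":
                return "dropped by " + name
        if sampled and lvl in SAMPLE_TO:
            name = SAMPLE_TO[lvl]
            if modules[name](pkt) == "drop":
                return "sample dropped by " + name
        return "forwarded"


def demo():
    """Replay constructed traffic for one user; returns verdicts, final level, log."""
    p = Platform()
    ok, bad = "http://example.invalid/ok", "http://example.invalid/bad"
    results = [
        p.handle(Packet("user3", url=ok), sampled=True),    # clean sample, stays level 3
        p.handle(Packet("user3", url=bad), sampled=True),   # FW drops sample, level 3 -> 2
        p.handle(Packet("user3", url=ok)),                  # now inspected by FW, forwarded
        p.handle(Packet("user3", url=ok, ids_alert=True), sampled=True),  # IDS: 2 -> 1
        p.handle(Packet("user3", url=bad)),                 # full chain, dropped by FW
    ]
    return results, p.level("user3"), p.log


if __name__ == "__main__":
    print(demo())
```

The `lower_level` guard is the detail worth keeping in any real implementation of this scheme: a control message from a less strict module (the FW asking for level 2) must not loosen a level that a stricter module (the IDS) has already set to 1.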

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Zhang and Wei as applied to claim 10 above, and further in view of Sullivan.
As per claim 15, Lifshitz in view of Zhang and Wei does not teach the limitations of claim 15. However, Sullivan teaches:
further caused to: dynamically adjust a priority order of the multiple groups (Sullivan: column 5, line 64-column 6, line 6: For example, the depicted embodiment of traffic policy table 520 includes a first category of port numbers from 1-79 and a second category of port numbers including port numbers 80 and 81. For a low value of the traffic state parameter, edge device 140 is open for both types of packet traffic. If, however, the value of the traffic state parameter increases to the very high level, traffic policy table 520 indicates that edge device 140 will be open to packets in the first category but closed to packets in the second category. column 6, line 51-column 7, line 2: First application 710 may represent an application that generates high priority packet traffic and second application 720 may represent an application that generates lower priority packet traffic. For example, first application 710 may represent an email program that transmits and receives email content while second application 720 may represent a Web browser. When first application 710 and second application 720 generate packet traffic that is received by edge device 140, the traffic policy in place may differentiate the manner in which edge device 140 handles or processes the traffic for the two applications. If the traffic state parameter value is sufficiently high, edge device 140 may block the low priority traffic including, in some embodiments, HTTP traffic generated by second application 720 while transmitting high priority traffic including, in some embodiments, traffic generated by first application 710).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Sullivan in the invention of Lifshitz in view of Zhang and Wei to include the above limitations. The motivation to do so would be to filter traffic in a data processing network (Sullivan: column 2, lines 14-15).
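The Sullivan passages cited for claims 5 and 15 describe an edge device whose traffic policy table is indexed by a traffic state parameter: at a low value both port categories (ports 1-79, and ports 80 and 81) are open, and at a very high value the first category stays open while the second is closed, so lower-priority HTTP traffic from a browser is blocked while higher-priority traffic such as email keeps flowing. The Python model below is added here to illustrate that table-driven reprioritization; it is not Sullivan's code and not part of this action. The intermediate state levels, the packet-rate thresholds used to derive the state parameter, the category names, the sample packets, and the default-deny treatment of ports outside both categories are constructed for the example.

```python
"""Added illustration of the traffic-policy-table behaviour described in the
cited Sullivan passages. Example code for this write-up, not Sullivan's; the
state thresholds, intermediate states, category names, sample packets and the
default-deny rule for unlisted ports are constructed assumptions."""

# Port categories from the passage; the names are constructed.
CATEGORIES = {
    "category_1": set(range(1, 80)),   # ports 1-79 (includes SMTP 25 for the email example)
    "category_2": {80, 81},            # HTTP-style traffic from the browser example
}

# Traffic policy table: state parameter -> open categories in priority order.
# The passage fixes the "low" and "very_high" rows; the others are constructed.
POLICY_TABLE = {
    "low":       ("category_1", "category_2"),
    "medium":    ("category_1", "category_2"),
    "high":      ("category_1", "category_2"),
    "very_high": ("category_1",),
}

# Constructed: derive the traffic state parameter from packets seen per interval.
STATE_THRESHOLDS = ((50, "low"), (200, "medium"), (500, "high"))


def state_for_rate(packets_per_interval):
    for limit, state in STATE_THRESHOLDS:
        if packets_per_interval < limit:
            return state
    return "very_high"


def category_of(port):
    for name, ports in CATEGORIES.items():
        if port in ports:
            return name
    return None                        # unlisted port: no category


class EdgeDevice:
    def __init__(self, table=POLICY_TABLE):
        self.table = table
        self.state = "low"

    def observe_interval(self, packets_seen):
        """Update the traffic state parameter from the last interval's load."""
        self.state = state_for_rate(packets_seen)
        return self.state

    def open_categories(self):
        return self.table[self.state]

    def decide(self, dst_port):
        """Forward only if the port's category is open in the current state;
        ports outside every category are blocked (constructed default-deny)."""
        return "forward" if category_of(dst_port) in self.open_categories() else "block"


def demo():
    """Run constructed packets through three intervals of rising load.
    Returns [(state, [verdict per packet]), ...]."""
    dev = EdgeDevice()
    packets = [("email", 25), ("browser", 80), ("browser", 81), ("unlisted", 443)]
    out = []
    for rate in (10, 300, 900):        # constructed packets-per-interval readings
        state = dev.observe_interval(rate)
        out.append((state, [dev.decide(port) for _, port in packets]))
    return out


if __name__ == "__main__":
    for state, verdicts in demo():
        print(state, verdicts)
```

Keeping the open-category tuple ordered by priority is what makes the table a priority order rather than a flat allow list: when the state rises, the categories drop off from the end, so the highest-priority group is the last to be closed.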

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz in view of Zhang and Wei as applied to claim 10 above, and further in view of Alperovitch.
As per claim 16, Lifshitz in view of Zhang and Wei does not teach the limitations of claim 16. However, Alperovitch teaches:
wherein the high security level is associated with an emergency service, the medium security level is associated with a business service, and the low security level is associated with a leisure service (Alperovitch: [0018] In some implementations, the prioritization scheme can allocate network bandwidth to highest priority data classifications first, and recursively allocate bandwidth to successively lower priority data classifications until there is no more bandwidth or all data classifications have been allocated bandwidth. For example, if there are classifications of business traffic having first priority, news traffic having second priority, and spam traffic having third priority, the business traffic can be allocated bandwidth first, the news traffic can be allocated bandwidth second (if any bandwidth is available), and the spam traffic can be allocated bandwidth third (if any bandwidth is available). [0040]: For example, entities with a reputation for sending government traffic might be provided priority over other entities in emergency situations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Alperovitch in the invention of Lifshitz in view of Zhang and Wei to include the above limitations. The motivation to do so would be to prioritize certain network traffic based upon classification(s) associated with the network traffic and/or reputations of one or more entities associated with the network traffic, while blocking other network traffic based upon classification(s) of the network traffic and/or reputations of one or more entities associated with the network traffic (Alperovitch: [0014]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 7891001 to Greenawalt et al: An in-network security provider applies security event identification, analysis and processing to a customer's data communications traffic in the form of a "security in the cloud" solution. This method of network defense is achieved when customers pass all of their outbound data communications traffic through the security provider before that data communications traffic reaches the public Internet. Additionally, all inbound data communications traffic is passed through the security provider before it is delivered to the customer. The security provider receives the inbound and outbound sequence of data packets and segregates the sequence of data packets into respective packet flows based on data packet types (HTML, SMTP, FTP, etc.). For individual respective packet flows, the system applies security processing that is appropriate to those packet flows based on that packet flow's data packet type.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438