DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 05/13/2022. 

Terminal Disclaimer
The terminal disclaimer filed on 05/13/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of any patent granted on Application Number 16/921781 or any patent granted on Application Number 16/921791 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Amendment
Claims 1, 8, 11 and 19 have been amended.
Claims 13, 16 and 20 have been cancelled. 
Claims 21-23 have been newly added. Claims 1-12, 14-15, 17-19 and 21-23 have been examined. 
Examiner’s double patenting rejections are withdrawn in light of the terminal disclaimer filed by the applicant.
Applicant’s arguments with respect to claims 1, 11 and 19 regarding the new limitations: “dynamically instantiating an agent component of the security system in response to detecting an indication of a cyberattack” and “dynamically terminating the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period”, have been considered but are moot in view of the new ground of rejection presented in the current office action.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2, 6-11, 14-19, 21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record WO 2021152262 to Sedjelmaci (hereinafter Sedjelmaci), prior art of record US 9516053 to Muddu et al. (hereinafter Muddu), prior art of record US 20150373043 to Wang et al. (hereinafter Wang) and CN104301895A to Gao et al. (hereinafter Gao).
Examiner’s Note: The examiner used an English translation of CN104301895A which is attached to the end of the original document. 
As per claim 1, Sedjelmaci teaches:
A method performed by a distributed security system to secure a 5G network from a cyberattack, the method comprising: 
dynamically instantiating an agent component of the security system in response to detecting an indication of a cyberattack, wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model (Sedjelmaci: [0006], lines 39-40: the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks. [0029], lines 247-252: It analyzes the traffic data provided to it (or representative characteristics derived from this data) and determines whether these present an anomaly (for example, they are representative of attack traffic or do not match normal behavior depending on the nature of the first detection technique). If applicable and only in this case, the second detection technique is activated, i.e., the second detection technique is dynamically activated in response to detecting a cyberattack. [0047], lines 493-495: the intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as an MEC server for Mobile Edge Computing), located at the edge of the network. [0089], lines 703-706: The functional modules of the intrusion detection device 2 include in particular, as illustrated in FIG. 1 for only one of the IoTD connected objects for the sake of simplification, a first intrusion detection module 2A, configured to apply during successive iterations to a plurality of subsets of data, a first technique for detecting intrusions. [0095]-[0096], lines 759-773: The intrusion detection device 2 comprises a plurality of other functional modules defined by the instructions of the program PROG and activated if (and only if here) an anomaly is detected by the first detection module 2A in one of the subsets of data that it analyzes. 
These functional modules include: a second intrusion detection module 2B, configured to apply to this subset of data a second intrusion detection technique denoted D. In the embodiment described here, the second technique D uses an automatic learning algorithm (security model) known per se. This automatic learning algorithm is also based on an artificial neural network whose parameters are denoted QD); 
communicating, by the agent component to a central component, at least an indication of the VRT score, the incoming network traffic, or the security model (Sedjelmaci: [0110], lines 820-822: In the embodiment described here, the 2D alert module is configured to notify a security operations center 8 (also designated by SOC 8) supervising a plurality of distinct nodes of the NW network and in particular the connected objects IoTD. [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network, and more particularly, to process the information transmitted by the 2D alert modules of the intrusion detection devices 2 according to the invention embedded in nodes of the network NW, in relation to the data monitored (incoming network traffic) by the intrusion detection devices 2 and/or the anomalies detected by them in these data and/or the configuration of the detection techniques G, D and/or LF used by them to monitor this data (security model). Also, [0135]-[0138], lines 1176-1189); 
wherein the central component collects VRT information from multiple agent components distributed at respective 5G networks (Sedjelmaci: [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network). 
Sedjelmaci teaches detection of cyberattacks ([0005], lines 31-32) using automatic learning techniques (security model) but does not teach: a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter, and wherein the vulnerability parameter relates to a susceptibility of the 5G network to the cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack; processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; comparing, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes malicious VRT traffic; wherein the central component generates updates for the multiple agent components based on the collected VRT information; receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information; training the security model based on the update; and dynamically terminating the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period. However, Muddu teaches:
a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to the cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack (Muddu: column 15, lines 56-63: Different machine learning models may evaluate different aspects of the pre-processed event data received from the distribution block 320. The machine learning models can also generate security-related scores for the events. Column 58, lines 55-64: Process 2500 begins at step 2502 with receiving event data 2302 indicative of activity by a particular entity associated with a computer network. Column 59, lines 26-53. Column 60, lines 12-26: Process 2600 continues at step 2604 with assigning a threat indicator score based on processing the anomaly data 2304. Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: FIG. 28 illustrates a second use case for identifying threat indicators based on entity associations with detected anomalies. In some embodiments, the use case described in FIG. 28 involves a process that begins with determining a measure (e.g. a count) of anomalies associated with a particular entity of the computer network. The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 75, lines 43-48. 
Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter)); 
processing, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score); 
comparing, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes malicious VRT traffic (Muddu: column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score indicative of the probability or likelihood that malware is present in the computer network given the set of feature scores for a particular entity); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Sedjelmaci to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).
Sedjelmaci in view of Muddu does not teach: wherein the central component generates updates for the multiple agent components based on the collected VRT information; receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information; and training the security model based on the update; and dynamically terminating the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period. However, Wang teaches:
wherein the central component generates updates for the multiple agent components based on the collected VRT information (Wang: [0088], [0090], [0091]: Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions);
receiving, by the agent component from the central component, an update that includes at least an indication of the collected VRT information (Wang: [0092] Flow moves from operation 480 to operation 485 where the centralized controller 240 transmits result data of training of the global model(s) to the data analysis engine 220. The result data may include not only the results of training the global model(s) (e.g., a blacklist of known threats) but also information of the modeling itself so that the data analysis engine 220 can refine or adapt the local modeling. For example, the information received from the centralized controller 240 to refine a local model may include information specifying a feature modification for the local model (e.g., removing features, prioritizing certain features, and/or adding features), intermediate results of training a global model such as a risk probability score associated with the feature(s) of the local model, and/or a modification to the algorithm of the local model); and 
training the security model based on the update (Wang: [0060] The local threat intelligence module 345 receives and caches information from the centralized controller 240 and also manages refining local threat intelligence based on the data received from the centralized controller 240 and network sensor engines 200. The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. Also, [0094]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wang in the invention of Sedjelmaci in view of Muddu to include the above limitations. The motivation to do so would be to perform adaptive threat modeling between global and local threat intelligence (Wang: [0075]). 
And, Gao teaches:
dynamically terminating the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period (Gao: [0030]-[0032]: Trigger judgment step: the base station sends an abnormal alarm to the aggregation node when the difference between the predicted value of the traffic and the actual value exceeds a predetermined threshold, and the local intrusion detection system starts to be activated in the abnormal area. [0045]: 2) After receiving the abnormal alarm sent to itself, the nodes in the area will record the monitoring node information in the abnormal alarm activity list and activate the local intrusion detection for detection activities. [0046]: 3) If no abnormality is found in the network within the continuous time T (time period) of the local intrusion detection operation, the node will send an application for deactivating the local intrusion detection to the sink node, and the monitoring node information in the abnormal alarm activity list of this node will be recorded in the application package; [0047]: 4) When the sink node receives the deactivation application, it will be classified and recorded according to different monitoring node information. During the time t, when the sink node has received the deactivation application of all nodes in the same area, it will broadcast to the area to end the anomaly alarm; [0048]: 5) After the node in the area receives the end abnormal alarm command, it deletes the relevant monitoring node information in its own abnormal alarm activity list. At this time, the node abnormal activity list is scanned. If the abnormal activity list is empty, the local intrusion detection model of the node is closed. [0126]-[0132]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gao in the invention of Sedjelmaci in view of Muddu and Wang to include the above limitations. The motivation to do so would be to reduce the energy consumption of the network to a large extent and to achieve the accuracy of detection (Gao: [0050]).
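The limitations mapped above describe one end-to-end architecture: an agent is instantiated on an attack indication, scores incoming traffic against a vulnerability/risk/threat model and a threshold, reports to a central component that aggregates VRT information from agents at several networks and sends back updates, trains on those updates, and is torn down once the attack is thwarted or a time period expires. The following Python is an added, constructed illustration of that flow; it is not code from the application or from Sedjelmaci, Muddu, Wang or Gao, and every name in it (Flow, SecurityModel, CentralComponent, Agent, the weights, the "two networks" confirmation rule and the sample addresses) is an assumption made for the example.

```python
"""Toy end-to-end run of the agent / central-component architecture discussed in
the claim-1 analysis. Constructed illustration: not code from the application or
from the cited references; all class names, weights and sample values are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Flow:
    """One incoming flow. The three sub-scores (0..1) are assumed to come from
    upstream feature extraction; the values used below are constructed."""
    src: str
    vulnerability: float  # susceptibility of the network to this traffic
    risk: float           # scope of the activity
    threat: float         # confidence that the source is hostile


@dataclass
class SecurityModel:
    """Weighted VRT scoring plus a threshold; trainable from central updates."""
    weights: Dict[str, float] = field(
        default_factory=lambda: {"vulnerability": 0.4, "risk": 0.3, "threat": 0.3})
    threshold: float = 0.5
    known_hostile: Set[str] = field(default_factory=set)

    def vrt_score(self, f: Flow) -> float:
        s = (self.weights["vulnerability"] * f.vulnerability
             + self.weights["risk"] * f.risk
             + self.weights["threat"] * f.threat)
        # A source the central component has confirmed hostile is never scored
        # below the threshold, whatever its local sub-scores look like.
        if f.src in self.known_hostile:
            s = max(s, self.threshold)
        return round(s, 3)

    def train(self, update: dict) -> None:
        """Absorb an update: confirmed hostile sources and an optional threshold."""
        self.known_hostile |= set(update.get("hostile_sources", ()))
        if "threshold" in update:
            self.threshold = update["threshold"]


class CentralComponent:
    """Collects VRT reports from agents at several networks and derives updates."""

    def __init__(self) -> None:
        self.collected: Dict[str, List[dict]] = {}

    def collect(self, network_id: str, reports: List[dict]) -> None:
        self.collected.setdefault(network_id, []).extend(reports)

    def generate_update(self) -> dict:
        # Assumed rule: a source is confirmed hostile once flagged at two or more networks.
        seen: Dict[str, Set[str]] = {}
        for net, reports in self.collected.items():
            for r in reports:
                if r["malicious"]:
                    seen.setdefault(r["src"], set()).add(net)
        return {"hostile_sources": sorted(s for s, n in seen.items() if len(n) >= 2)}


class Agent:
    """Perimeter agent: scores, blocks, reports upstream, and terminates itself."""

    def __init__(self, network_id: str, central: CentralComponent,
                 model: SecurityModel, time_period: int) -> None:
        self.network_id, self.central, self.model = network_id, central, model
        self.time_period = time_period  # ticks before forced termination
        self.ticks, self.active = 0, True
        self.blocked: List[str] = []

    def process(self, flows: List[Flow]) -> List[dict]:
        reports = []
        for f in flows:
            score = self.model.vrt_score(f)
            malicious = score >= self.model.threshold  # threshold comparison
            if malicious:
                self.blocked.append(f.src)  # the agent's control action
            reports.append({"src": f.src, "score": score, "malicious": malicious})
        self.central.collect(self.network_id, reports)  # report VRT info upstream
        return reports

    def tick(self, attack_ongoing: bool) -> bool:
        """Advance one time unit; True when the agent terminated on this tick."""
        self.ticks += 1
        thwarted = bool(self.blocked) and not attack_ongoing
        if thwarted or self.ticks >= self.time_period:
            self.active = False
            return True
        return False


def instantiate_on_indication(indication: bool, network_id: str,
                              central: CentralComponent, time_period: int) -> Optional[Agent]:
    """Agents exist only while an attack indication is present."""
    return Agent(network_id, central, SecurityModel(), time_period) if indication else None


def demo() -> dict:
    central = CentralComponent()
    agent_a = instantiate_on_indication(True, "net-A", central, time_period=5)
    agent_b = instantiate_on_indication(True, "net-B", central, time_period=3)
    no_agent_c = instantiate_on_indication(False, "net-C", central, time_period=5) is None
    # Constructed traffic; addresses are from the RFC 5737 documentation ranges.
    agent_a.process([Flow("198.51.100.7", 0.9, 0.7, 0.8), Flow("203.0.113.5", 0.2, 0.1, 0.1)])
    agent_b.process([Flow("198.51.100.7", 0.6, 0.5, 0.6), Flow("192.0.2.9", 0.5, 0.4, 0.3)])
    update = central.generate_update()
    # A later agent at net-C trains on the update before scoring its own traffic,
    # so a low-scoring flow from the confirmed source is still caught.
    agent_c = instantiate_on_indication(True, "net-C", central, time_period=5)
    agent_c.model.train(update)
    c_reports = agent_c.process([Flow("198.51.100.7", 0.1, 0.1, 0.1)])
    # Lifecycle: A blocked the source and the attack stopped; B's attack persists
    # until its time period expires.
    a_end = next(t for t in range(1, 10) if agent_a.tick(attack_ongoing=False))
    b_end = next(t for t in range(1, 10) if agent_b.tick(attack_ongoing=True))
    return {"no_agent_without_indication": no_agent_c, "update": update,
            "a_blocked": agent_a.blocked, "b_blocked": agent_b.blocked,
            "c_malicious": c_reports[0]["malicious"],
            "a_terminated_at": a_end, "b_terminated_at": b_end}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two termination paths side by side: the net-A agent ends on tick 1 because its block stopped the attack, while the net-B agent ends on tick 3 purely because its time period ran out, and the net-C agent flags a flow whose local sub-scores alone would have passed, because the central update marked the source hostile.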

As per claims 11 and 19, Sedjelmaci teaches:
A security system comprising: 
a processor; and a memory coupled to the processor and configured to store instructions that, when executed by the processor (Sedjelmaci: [0087], lines 680-681 and [0088], lines 688-691), cause the security system to: 
dynamically instantiate an agent component of the security system for a 5G network, wherein the agent component is instantiated in response to detecting an indication of a cyberattack to the 5G network; wherein the agent component is configured to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model (Sedjelmaci: [0006], lines 39-40: the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks. [0029], lines 247-252: It analyzes the traffic data provided to it (or representative characteristics derived from this data) and determines whether these present an anomaly (for example, they are representative of attack traffic or do not match normal behavior depending on the nature of the first detection technique). If applicable and only in this case, the second detection technique is activated, i.e., the second detection technique is dynamically activated in response to detecting a cyberattack. [0047], lines 493-495: the intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as an MEC server for Mobile Edge Computing), located at the edge of the network. [0089], lines 703-706: The functional modules of the intrusion detection device 2 include in particular, as illustrated in FIG. 1 for only one of the IoTD connected objects for the sake of simplification, a first intrusion detection module 2A, configured to apply during successive iterations to a plurality of subsets of data, a first technique for detecting intrusions. [0095]-[0096], lines 759-773: The intrusion detection device 2 comprises a plurality of other functional modules defined by the instructions of the program PROG and activated if (and only if here) an anomaly is detected by the first detection module 2A in one of the subsets of data that it analyzes. 
These functional modules include: a second intrusion detection module 2B, configured to apply to this subset of data a second intrusion detection technique denoted D. In the embodiment described here, the second technique D uses an automatic learning algorithm (security model) known per se. This automatic learning algorithm is also based on an artificial neural network whose parameters are denoted QD), and 
communicate, by the agent component to a central component, at least an indication of the incoming network traffic (Sedjelmaci: [0110], lines 820-822: In the embodiment described here, the 2D alert module is configured to notify a security operations center 8 (also designated by SOC 8) supervising a plurality of distinct nodes of the NW network and in particular the connected objects IoTD. [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network, and more particularly, to process the information transmitted by the 2D alert modules of the intrusion detection devices 2 according to the invention embedded in nodes of the network NW, in relation to the data monitored (incoming network traffic) by the intrusion detection devices 2 and/or the anomalies detected by them in these data and/or the configuration of the detection techniques G, D and/or LF used by them to monitor this data (security model). Also, [0135]-[0138], lines 1176-1189), 
wherein the central component collects VRT information from multiple agent components distributed at respective 5G networks (Sedjelmaci: [0101], lines 834-839: The security operations center 8 is configured here to manage the alerts sent by the various nodes of the NW network); 
Sedjelmaci teaches detection of cyberattacks ([0005], lines 31-32) using automatic learning techniques (security model) but does not teach: a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of a cyberattack; process, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; compare, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes VRT traffic; communicate, by the agent component to a central component, at least an indication of the VRT score; wherein the central component generates updates for the multiple agent components based on the collected VRT information; receive, by the agent component from the central component, an update that includes at least an indication of the collected VRT information, wherein the update is used to train the security model; and dynamically terminate the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period. However, Muddu teaches: 
a security model that defines a vulnerability parameter, a risk parameter, and a threat parameter; wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of a cyberattack (Muddu: column 15, lines 56-63: Different machine learning models may evaluate different aspects of the pre-processed event data received from the distribution block 320. The machine learning models can also generate security-related scores for the events. Column 58, lines 55-64: Process 2500 begins at step 2502 with receiving event data 2302 indicative of activity by a particular entity associated with a computer network. Column 59, lines 26-53. Column 60, lines 12-26: Process 2600 continues at step 2604 with assigning a threat indicator score based on processing the anomaly data 2304. Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: FIG. 28 illustrates a second use case for identifying threat indicators based on entity associations with detected anomalies. In some embodiments, the use case described in FIG. 28 involves a process that begins with determining a measure (e.g. a count) of anomalies associated with a particular entity of the computer network. The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 75, lines 43-48. 
Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter)); 
process, by the agent component, the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter (Muddu: Column 60, lines 12-26: Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network (risk parameter). Column 62, lines 8-10, 43-67: The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity (threat parameter). Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity (internal or external) over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain (vulnerability parameter). Column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score); 
compare, by the agent component, the VRT score with a threshold value to determine a likelihood that the incoming network traffic includes VRT traffic (Muddu: column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score indicative of the probability or likelihood that malware is present in the computer network given the set of feature scores for a particular entity); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Muddu in the invention of Sedjelmaci to include the above limitations. The motivation to do so would be to detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: column 9, lines 5-7).
Sedjelmaci in view of Muddu does not teach: communicate, by the agent component to a central component, at least an indication of the VRT score; wherein the central component generates updates for the multiple agent components based on the collected VRT information; receive, by the agent component from the central component, an update that includes at least an indication of the collected VRT information, wherein the update is used to train the security model; and dynamically terminate the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period. However, Wang teaches:
communicate, by the agent component to a central component, at least an indication of the VRT score (Wang: [0059]: The data transmitted to the centralized controller 240 is referred to as analysis engine data 360. The analysis engine data 360 may include derived risk modeling scores that may be attached to each flow record, which can be used for joint intelligence in the centralized controller 240); 
wherein the central component generates updates for the multiple agent components based on the collected VRT information (Wang: [0088], [0090], [0091]: Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions); 
receive, by the agent component from the central component, an update that includes at least an indication of the collected VRT information (Wang: [0092] Flow moves from operation 480 to operation 485 where the centralized controller 240 transmits result data of training of the global model(s) to the data analysis engine 220. The result data may include not only the results of training the global model(s) (e.g., a blacklist of known threats) but also information of the modeling itself so that the data analysis engine 220 can refine or adapt the local modeling. For example, the information received from the centralized controller 240 to refine a local model may include information specifying a feature modification for the local model (e.g., removing features, prioritizing certain features, and/or adding features), intermediate results of training a global model such as a risk probability score associated with the feature(s) of the local model, and/or a modification to the algorithm of the local model),  
wherein the update is used to train the security model (Wang: [0060] The local threat intelligence module 345 receives and caches information from the centralized controller 240 and also manages refining local threat intelligence based on the data received from the centralized controller 240 and network sensor engines 200. The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. Also, [0094]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Wang in the invention of Sedjelmaci in view of Muddu to include the above limitations. The motivation to do so would be to perform adaptive threat modeling between global and local threat intelligence (Wang: [0075]).
And, Gao teaches:
dynamically terminate the instantiation of the agent component once the cyberattack is thwarted as a result of an action taken by the agent component or upon expiration of a time period (Gao: [0030]-[0032]: Trigger judgment step: the base station sends an abnormal alarm to the aggregation node when the difference between the predicted value of the traffic and the actual value exceeds a predetermined threshold, and the local intrusion detection system starts to be activated in the abnormal area. [0045]: 2) After receiving the abnormal alarm sent to itself, the nodes in the area will record the monitoring node information in the abnormal alarm activity list and activate the local intrusion detection for detection activities. [0046]: 3) If no abnormality is found in the network within the continuous time T (time period) of the local intrusion detection operation, the node will send an application for deactivating the local intrusion detection to the sink node, and the monitoring node information in the abnormal alarm activity list of this node will be recorded in the application package; [0047]: 4) When the sink node receives the deactivation application, it will be classified and recorded according to different monitoring node information. During the time t, when the sink node has received the deactivation application of all nodes in the same area, it will broadcast to the area to end the anomaly alarm; [0048]: 5) After the node in the area receives the end abnormal alarm command, it deletes the relevant monitoring node information in its own abnormal alarm activity list. At this time, the node abnormal activity list is scanned. If the abnormal activity list is empty, the local intrusion detection model of the node is closed. [0126]-[0132]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gao in the invention of Sedjelmaci in view of Muddu and Wang to include the above limitations. The motivation to do so would be to reduce the energy consumption of the network to a large extent and to achieve the accuracy of detection (Gao: [0050]).

As per claim 2, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1, wherein the security model is a local security model, the VRT information includes at least indications of local security models of the multiple agent components and the update is based on a common security model (Wang: [0060]: the data analysis engine 220A may include a number of machine learning models that are trained using data received from the network sensor engines 200A1-200AM and/or using data derived from the data received from the network sensor engines 200A1-200AM locally (these models are sometimes referred herein as “local models”). The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. [0088], [0090]. [0091] Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions. Also, [0094]).
The examiner provides the same rationale to combine Sedjelmaci in view of Muddu and Wang as in claim 1 above.

As per claims 6 and 14, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1, wherein an edge device of the 5G network includes the agent component (Sedjelmaci: [0006], lines 39-40: the invention applies in a privileged manner to mobile networks, and in particular to fifth-generation mobile networks or 5G mobile networks. [0061], lines 493-495: intrusion detection device according to the invention is integrated into a server or into other mobile computing equipment (also commonly referred to as an MEC server for Mobile Edge Computing), located at the edge of the network).

As per claims 7 and 15, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1, wherein each of the multiple agent components operate independently (Sedjelmaci: Fig. 1 and [0062], lines 628-634: For the sake of simplification and in no way limiting, only three IoTD connected objects have been represented in FIG. [0085], lines 651-658: Each of the IoTD connected objects incorporates, in the embodiment described here, an intrusion detection device 2 according to the invention, and configured to monitor the data exchanged on the NW network passing through this connected object (e.g., data sent and/or received by the connected object in question)).

As per claim 8, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1, wherein terminating the instantiation of the agent component comprises: detecting that the cyberattack to the 5G network has been thwarted, wherein the instantiation of the agent component is terminated in response to the cyberattack being thwarted (Gao: [0132]: When the base station finds that the data detected by monitoring node 1 is abnormal, but the data detected by monitoring node 2 is normal, it sends an abnormal alarm to the sink node. After receiving the alarm, the aggregation node multicasts the abnormal alarm to the nodes in area 1. When a node in area 1 receives an abnormal alarm, the local intrusion detection system is turned on. When it is detected that the node 3 is abnormal, the entire network is notified, and the node 3 is removed (thwarting the attack). When the node that starts the local intrusion detection system does not find any abnormality within the time T, it sends a deactivation application to the sink node. When the sink node receives all the deactivation applications sent by all nodes in area 1 within t time, it broadcasts to area 1 to end this abnormal alarm. When the node in area 1 receives the end abnormal alarm control package, it updates its own abnormal activity list. Since the list of nodes in area 1 is empty after the update, the local intrusion detection model is closed).
The examiner provides the same rationale to combine Sedjelmaci in view of Muddu, Wang and Gao as in claim 1 above.

As per claims 9 and 17, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1 further comprising, prior to receiving the update: generating a copy of the incoming network traffic; detecting that the incoming network traffic is VRT traffic; and communicating the copy of the incoming network to the central component (Wang: [0032] As shown, the security framework 110 may be communicatively coupled with the transmission medium 130 via a network interface 150. In general, the network interface 150 operates as a data capturing device (sometimes referred to as a “tap” or “network tap”) that is configured to receive information propagating to/from one or more endpoint devices 170 and provide at least some of this information to the security framework 110. Of course, input information from the network interface 150 may be duplicative from the information originally detected during propagation to/from the targeted endpoint device 170 (copy of network traffic). [0058] The data analysis engines 220A-220L receive and store data sent from the respectively connected network sensor engine and is configured to (i) provide open Application Programming Interface (API) access to the stored network sensor data, (ii) conduct analytics on the network sensor data, (iii) transmit at least a portion of information it has received and/or generated to the centralized controller 240). [0061] The entity risk modeling engine 340 models and monitors the risk of threats for each individual user of the customer for a certain duration of time. In one embodiment, the events are aggregated when assigning a risk score for the user).
The examiner provides the same rationale to combine Sedjelmaci in view of Muddu and Wang as in claims 1 and 11 above.

As per claims 10 and 18, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1, wherein the security model is a local machine learning model that is trained based on local VRT information and based on a machine learning model at the central component that is trained based on the collected VRT information (Wang: [0060]: the data analysis engine 220A may include a number of machine learning models that are trained using data received from the network sensor engines 200A1-200AM and/or using data derived from the data received from the network sensor engines 200A1-200AM locally (these models are sometimes referred herein as “local models”). The local threat intelligence module 345 may periodically and repeatedly cause these local models to be retrained or adapted using the global threat intelligence result data 365 received from the centralized controller 240, which may itself be adapted using the local intelligence data. [0088], [0090]. [0091] Flow moves from operation 475 to operation 480 where the centralized controller 240 trains one or more global models using at least the data received from the data analysis engines of multiple customers. For example, the global threat intelligence module 330 may aggregate and combine the different input (e.g., the data received from the data analysis engines, external threat feed data, global metadata, and/or internal threat feeds) to train different models along multiple dimensions. Also, [0094]).
The examiner provides the same rationale to combine Sedjelmaci in view of Muddu and Wang as in claims 1 and 11 above.

As per claim 21, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1: wherein the indication of the cyberattack includes a surge in the network traffic, and wherein the agent component is instantiated in a geographic region of the 5G network that includes the surge in the network traffic (Gao: [0132]: The coverage of monitoring node 1 is area 1, and the coverage of monitoring node 2 is area 2. There are 16 sensor nodes in the network, of which node 1 is a sink node, and nodes 2-16 are common nodes. Nodes 1-9 can be covered by monitoring node 1, and node 1 and nodes 10-16 can be covered by monitoring node 2. That is, nodes 1-9 belong to area 1, and node 1 and nodes 10-16 belong to area 2. When the base station finds that the data detected by monitoring node 1 is abnormal, but the data detected by monitoring node 2 is normal, it sends an abnormal alarm to the sink node. After receiving the alarm, the aggregation node multicasts the abnormal alarm to the nodes in area 1. When a node in area 1 receives an abnormal alarm, the local intrusion detection system is turned on).
The examiner provides the same rationale to combine Sedjelmaci in view of Muddu, Wang and Gao as in claim 1 above.

As per claim 23, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The non-transitory computer-readable storage medium of claim 19, wherein the agent component is instantiated and terminated in accordance with the time period (Gao: [0046]: 3) If no abnormality is found in the network within the continuous time T (time period) of the local intrusion detection operation, the node will send an application for deactivating the local intrusion detection to the sink node, and the monitoring node information in the abnormal alarm activity list of this node will be recorded in the application package; [0047]: 4) When the sink node receives the deactivation application, it will be classified and recorded according to different monitoring node information. During the time t, when the sink node has received the deactivation application of all nodes in the same area, it will broadcast to the area to end the anomaly alarm; [0048]: 5) After the node in the area receives the end abnormal alarm command, it deletes the relevant monitoring node information in its own abnormal alarm activity list. At this time, the node abnormal activity list is scanned. If the abnormal activity list is empty, the local intrusion detection model of the node is closed. [0126]-[0132]).
The examiner provides the same rationale to combine Sedjelmaci in view of Muddu, Wang and Gao as in claim 19 above.
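For illustration, the activation and deactivation exchange quoted from Gao in the rejections of claims 1, 8 and 23 above (alarm multicast to an area, local detection active until a node has been quiet for time T, the sink node ending the alarm once every node in the area has applied within time t, and each node closing detection when its activity list is empty) can be sketched as a discrete-time simulation. This is an added example and is not code from Gao, from the applicant's disclosure or from any other cited reference; the class names, the timer values and the 16-node layout are assumptions.

```python
# Added sketch of Gao's alarm/deactivation exchange; names and timers are assumed.
from dataclasses import dataclass, field

T_LOCAL = 5  # assumed: quiet time T before a node applies to deactivate
T_SINK = 3   # assumed: window t in which the sink must see every application

@dataclass
class Node:
    node_id: int
    alarm_list: set = field(default_factory=set)  # abnormal alarm activity list
    ids_on: bool = False
    quiet_since: int = 0    # logical time of the last anomaly (or of the alarm)
    applied_at: int = None  # logical time of the last deactivation application

    def on_alarm(self, monitor_id, now):
        """Record the monitoring node and activate local intrusion detection."""
        self.alarm_list.add(monitor_id)
        self.ids_on, self.quiet_since, self.applied_at = True, now, None

    def on_anomaly(self, now):  # local detection fired: restart the quiet timer
        self.quiet_since, self.applied_at = now, None

    def tick(self, now):
        """Apply to deactivate after T_LOCAL quiet; re-sent every T_LOCAL."""
        if not self.ids_on or now - self.quiet_since < T_LOCAL or (
                self.applied_at is not None and now - self.applied_at < T_LOCAL):
            return None
        self.applied_at = now
        return self.node_id, frozenset(self.alarm_list)

    def on_end_alarm(self, monitor_id):  # drop the entry; close IDS if list empty
        self.alarm_list.discard(monitor_id)
        self.ids_on = bool(self.alarm_list)

class Sink:
    def __init__(self, areas):
        self.areas = areas  # monitor_id -> set of node ids it covers
        self.pending = {}   # monitor_id -> {node_id: time application seen}

    def on_application(self, node_id, monitors, now):
        """Classify by monitor info; return monitors whose alarm may end."""
        ended = []
        for m in monitors:
            seen = {n: ts for n, ts in self.pending.get(m, {}).items()
                    if now - ts <= T_SINK}  # keep only applications inside t
            seen[node_id] = now
            self.pending[m] = seen
            if set(seen) >= self.areas[m]:  # every node in the area applied
                ended.append(m)
                self.pending.pop(m)
        return ended

def simulate(areas, events, horizon):
    """events: (time, 'alarm', monitor_id) or (time, 'anomaly', node_id).
    Returns {node_id: logical time its local detection closed}."""
    nodes = {n: Node(n) for area in areas.values() for n in area}
    sink, closed = Sink(areas), {}
    for now in range(horizon):
        for _, kind, who in (e for e in events if e[0] == now):
            if kind == "alarm":  # sink multicasts the alarm to the whole area
                for n in areas[who]:
                    nodes[n].on_alarm(who, now)
            else:
                nodes[who].on_anomaly(now)
        for node in list(nodes.values()):
            app = node.tick(now)
            for m in (sink.on_application(*app, now) if app else ()):
                for n in areas[m]:  # broadcast "end abnormal alarm" to the area
                    nodes[n].on_end_alarm(m)
                    if not nodes[n].ids_on:
                        closed.setdefault(n, now)
    return closed

# Constructed layout: node 1 is the sink, nodes 2-9 area 1, nodes 10-16 area 2.
AREAS = {1: set(range(2, 10)), 2: set(range(10, 17))}
```

Running `simulate(AREAS, [(0, "alarm", 1), (2, "anomaly", 3)], 20)` closes local detection on every node of area 1 at logical time 7 (node 3's anomaly at time 2 delays its application, and the sink waits for it), while area 2 is never activated.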

Claims 3-5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sedjelmaci in view of Muddu, Wang and Gao as applied to claims 1 and 11 above, and further in view of US 20150341379 to Lefebvre et al (hereinafter Lefebvre).
As per claim 3, Sedjelmaci in view of Muddu, Wang and Gao teaches:
The method of claim 1 further comprising: causing one or more actions based on the VRT score to thwart the cyberattack (Muddu: column 12, lines 8-13: The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like).
Sedjelmaci in view of Muddu, Wang and Gao does not teach: wherein the one or more actions include quarantining the incoming network traffic at the agent component. However, Lefebvre teaches:
wherein the one or more actions include quarantining the incoming network traffic at the agent component (Lefebvre: [0071]: In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole (quarantining network traffic), e.g., silently discard or redirect, traffic to or from the particular device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lefebvre in the invention of Sedjelmaci in view of Muddu, Wang and Gao to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).
	
As per claims 4 and 12, Sedjelmaci in view of Muddu, Wang and Gao does not teach the limitations of claims 4 and 12. However, Lefebvre teaches: 
further comprising: based on the VRT score, diverting the incoming network traffic to a destination other than an intended destination of the incoming network traffic (Lefebvre: [0071] The user interface 300 may receive input indicating a request for a menu of actions available for a particular device in response to a high node anomaly score. In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole (diverting network traffic to another destination), e.g., silently discard or redirect, traffic to or from the particular device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lefebvre in the invention of Sedjelmaci in view of Muddu, Wang and Gao to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

As per claim 5, Sedjelmaci in view of Muddu, Wang and Gao does not teach the limitations of claim 5. However, Lefebvre teaches:
further comprising: based on the VRT score, quarantining the incoming network traffic in a containment area that is communicatively separate and distinct from the 5G network (Lefebvre: [0071] The user interface 300 may receive input indicating a request for a menu of actions available for a particular device in response to a high node anomaly score. In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole (diverting network traffic to a containment area), e.g., silently discard or redirect, traffic to or from the particular device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Lefebvre in the invention of Sedjelmaci in view of Muddu, Wang and Gao to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Sedjelmaci in view of Muddu, Wang and Gao as applied to claim 19 above, and further in view of US 7565692 to Maria (hereinafter Maria). 
As per claim 22, Sedjelmaci in view of Muddu, Wang and Gao does not teach the limitations of claim 22. However, Maria teaches:
wherein the agent component is a first agent component that is instantiated based on VRT data collected by the central component from another instance of the agent component (Maria: column 3, lines 23-35: For example, server 101 may receive a message from firewall 120 indicating that an unusual number of incoming network packets directed at network segment 107 have been detected. In response to this message, server 101, using the information about the network stored in database 102, selects computer 114, which is on segment 107, to become an intrusion detection platform. Server 101 then sends a message to the socket on computer 114, requesting that computer 114 become an intrusion detection platform. The socket on computer 114 receives the request, installs the intrusion detection software, and executes it. Thus an intrusion detection platform has been created that is at or near the target of the network attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Maria in the invention of Sedjelmaci in view of Muddu, Wang and Gao to include the above limitations. The motivation to do so would be to respond to increases in network traffic by increasing the number of intrusion detection platforms whenever necessary (Maria: column 2, lines 3-6).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
CN105471835A to Zhang et al: The purpose of the present invention is to provide a method for improving the processing performance of a firewall, which compares the change range of the number of connection entries of the firewall, monitored in real time, with a preset threshold to determine whether there are attack threats against the firewall in the current network environment, and accordingly determines whether to enable or disable the anti-network-attack function of the firewall, thereby improving the performance of the firewall and the rate of forwarding data packets.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438

/MADHURI R HERZOG/Primary Examiner, Art Unit 2438