Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Huber et al., CN 113170307 A  1. 


Chen et al., CN 108738093, 6. The method of claim 1, wherein:

sending a service request message that includes at least one of a fabricated response (RES) value, a fabricated cipher key sequence number (CKSN), or a key set identifier (ID), the appropriate response comprises a service reject message, the inappropriate response comprises a service accept message (usage of any authentication response value, attach request, attach reject, attach accept, etc., messages with illegal device, last paragraph, page 3, second paragraph, page 6, para 7, 8, page 6

ES 2824527 T3 PALANIGOUNDER , 6. The method of claim 1, wherein:

sending a service request message that includes at least one of a fabricated response (RES) value, a fabricated cipher key sequence number (CKSN), or a key set identifier (ID), the appropriate response comprises a service reject message, the inappropriate response comprises a service accept message (usage of any response value, request message, reject message, accept message, etc., messages with any device, second paragraph, page 9.

7. The method of claim 6, further comprising:

Huber also determining whether an International Mobile Subscriber Identity (IMSI) was sent to the device (para 2, page 20); and

attempting to re-register with the device in response to determining that an IMSI was sent to the device (para 1, page 19),

determining that the device is an illegitimate base station in response to determining that an IMSI was not sent to the device (para 1, page 19)

KR 102315881 B1  (no inventor name) 8. The method of claim 7, wherein:

sending the fabricated message to the device comprises sending an authentication response including the fabricated message;

attempting to re-register with the device comprises:

sending an attach request message to the device; and receiving an authentication request from the device; and

determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message comprises determining that the device is an illegitimate base station in response to determining that the response message includes an attach accept message,

the method further comprising determining that the device is a legitimate base station in response to determining that the response message includes an authentication reject message.

In one embodiment, bits "3" through "6" indicate the access class (which is granted access and the corresponding key used or intended to be used to create or verify the AV). The eNodeB 104 or local EPC 108 creates AVs (AUC function in a secure environment). Alternatively, instead of creating AVs, the eNodeB 104 or local EPC 108 may be preset with AVs (of different access classes). The oracle access management (OAM) server presets the list of AVs in the eNodeB 104 or the local EPC 108 (for different access classes). The presetting of AVs in eNodeB 104 or local EPC 108 is necessary because any compromised eNodeB or local EPC can leak AVs and also fake base stations can use stolen AVs to gain access in certain areas. It does not provide a level of security, first paragraph, page 8.
In addition, the UICC unit 102a or the controller 202 may be configured to authenticate the UE 102 by providing at least one parameter for a response message to the eNodeB 104 or the local EPC 108 . In one embodiment, this response message is an AUTH response message. This parameter may be RES, MAC-1, or a combination thereof. Further, the UICC unit 102a or the controller 202 may be configured to receive an accept message from the eNodeB 104 or the local EPC 108 . This accept message is an ATTACH accept message. The storage unit 204 may be configured to store a token received from the eNodeB 104 or the local EPC 108, first paragraph, page 9.
Also, the controller 304 may be configured to receive a response message including at least one parameter from the UE 102 using the receiver 302 . This response message is an AUTH response message. This parameter may be RES, MAC-1, or a combination thereof. Also, the controller 304 may be configured to authenticate the UE 102 based on at least one parameter. After verifying the RES received from the UE 102, the controller 304 authenticates the UE 102. The control unit 304 may be configured to authenticate the UE 102 after verifying the MAC-1. Also, the controller 304 may be configured to transmit an ATTACH accept message to the UE 102 using the transmitter 308 . The storage unit 306 may be configured to store the generated token, which may also be used by the control unit 304 to derive the key, last paragraph, page 9.
At step 414b , method 400b includes receiving an accept message (eg, an ATTACH accept message) from the eNodeB 104 or the local EPC 108 . In one embodiment, method 400 enables UE 102 to receive ATTACH accept message from eNodeB 104 or local EPC 108, third paragraph, page 11.
At step 628 , the eNodeB 104 or the local EPC 108 sends an accept message (ie, an ATTACH accept message) to the UE 102, fifth paragraph, page 13.
In step 904 , .sub.after receiving the ATTACH request message including the IMSI 2 , the eNodeB 104 or the local EPC 108 sends an ATTACH reject message to the UE 102 . The ATTACH reject message indicates that the eNodeB 104 or local EPC 108 is in IOPS mode of operation, para 6, page 15.
At step 1212 , the method 1200 receives an accept message (eg, an ATTACH accept message) from the eNodeB 104 or the local EPC 108 . Method 1200 enables USIM 102b to receive ATTACH accept message from eNodeB 104 or local EPC 108, para 2, page 18.


Humer also 9. The method of claim 1, further comprising:

receiving an emergency message from the device; and

sending a message invoking a service to the device;

determining whether the device is an illegitimate base station based on a response to the message invoking the service that is received from the device.
In addition, by hijacking the shared paging channel, illegal base station can inject false emergency paging message and send it to a large number of wireless device. This may damage the wireless device user's safety, cause man-made emergency, or cause public confusion.

10. The method of claim 9, further comprising:

determining that the device is a legitimate base station in response to determining that the response to the message invoking the service includes a positive response.

11. The method of claim 10, further comprising:

RYOO et al., WO 2018030866 A1 performing a soft reset operation in response to determining that the device is a legitimate base station, 

When the base station 120 detects the change of the RRC state application criteria at any time, the base station 120 resets the RRC state information such as the RRC state configuration and transition event rule to be applied to the terminal 110 to the terminal 110. It can be configured / sent as a RRC reconfiguration message, para 2, page 11,
At this time, DRX_inactivity_timer, DRX_short_Cycle_timer and user-Inactivity-timer are triggered based on the last arrival traffic to the terminal 110 and the base station 120 to start the timer operation, and then new traffic to the terminal 110 and the base station 120 When it arrives, it is reset and the tmer value can be reset to zero. When the timer expires, the RRC state transition to the short DRX mode 992, the long DRX mode 993, or the RRC idle state 997 can be started, para 1, page 13.
20A illustrates an example of an attack situation of a fake UE or a fake base station in a process of transitioning an RRC state from an RRC inactive state to an RRC connected state according to an embodiment of the present invention, para 9, page 25.


12. The method of claim 10, further comprising:

Swathi et al., KR 20200033866 A simulating removal and re-insertion of a universal integrated circuit card (UICC) containing a universal SIM (USIM) card in response to determining that the device is a legitimate base station.

Initial messages transmitted between the UE and the MME may not be protected. Thus, unprotected NAS messages may be intercepted and exploited by attackers, such as unauthorized base stations. In another instance, an unauthorized base station may launch a Denial of Service (DoS) attack against the UE. For example, an unauthorized base station may receive a tracking area update (TAU) request message in the message, and the unauthorized base station may cause the UE to identify the subscriber identity module until the UE is switched off or the card containing the SIM is removed. SIM) may reject the TAU request from the UE in a rejection message that may cause it to be considered invalid for EPS services and non-EPS services, last paragraph, page 2.

Communications between the UE 115 and the core network 130 may include non-access layer (NAS) communications. As described herein, the NAS layer is a functional layer used in protocol stacks between the UE 115 and the core network 130, and may be implemented by an MME located in the core network 130. In some examples, the first NAS message between the UE 115 and the MME may be an attach request. Initial messages transmitted between the UE and the MME may not be protected. Thus, unprotected NAS messages may be intercepted and exploited by attackers, such as unauthorized base stations. In another instance, an unauthorized base station may launch a Denial of Service (DoS) attack against the UE. For example, an unauthorized base station may receive a tracking area update (TAU) request message in the message, and the unauthorized base station may cause the UE to identify the subscriber identity module until the UE is switched off or the card containing the SIM is removed. SIM) may reject the TAU request from the UE in a rejection message that may cause it to be considered invalid for EPS services and non-EPS services, para 4, page 5.

13. The method of claim 1, wherein:

sending a fabricated message to the device comprises sending one or more fabricated messages to the device;

in block 816, in response to determining that the monitoring of the base station has been disabled times exceeds a threshold value, the processor can increase the suspicious illegal base station monitoring the forbidden time threshold value or time period. That is, when the monitoring is disabled, waiting for overtime period and restarting the monitoring of the suspicious illegal base station of the operation is repeated a plurality of times, the behaviour indicating base station continuously attempts to initiate paging channel hijacking attack. In order to solve this situation, each time the cycle is repeated, the processor can exponentially increase the timeout value in block 816. This makes the overtime value increase to such a degree that: The illegal base station will not damage the detection mechanism of various embodiments as another attack mechanism. In addition, when the monitoring of the paging based on the IMSI is disabled due to the forbidden value of the specific base station exceeds a threshold value, the wireless device can be prevented from performing any connection to the specific base station, last paragraph, page 23.;


receiving a response message from the device comprises receiving more than one response from the device; and

in block 816, in response to determining that the monitoring of the base station has been disabled times exceeds a threshold value, the processor can increase the suspicious illegal base station monitoring the forbidden time threshold value or time period. That is, when the monitoring is disabled, waiting for overtime period and restarting the monitoring of the suspicious illegal base station of the operation is repeated a plurality of times, the behaviour indicating base station continuously attempts to initiate paging channel hijacking attack. In order to solve this situation, each time the cycle is repeated, the processor can exponentially increase the timeout value in block 816. This makes the overtime value increase to such a degree that: The illegal base station will not damage the detection mechanism of various embodiments as another attack mechanism. In addition, when the monitoring of the paging based on the IMSI is disabled due to the forbidden value of the specific base station exceeds a threshold value, the wireless device can be prevented from performing any connection to the specific base station, last paragraph, page 23;

determining whether the response message is an inappropriate response to the fabricated message comprises determining whether any one or more of the received response messages is an inappropriate response.

In some aspects, adjusting the illegal probability of the base station may include: adjusting the probability value indicating that the base station sending the first IMSI-based paging message is not the probability value of the legal base station authorized by the service provider network associated with the wireless device; and the aspect may further include: determining whether the illegal probability exceeds a threshold value, and in response to determining that the illegal probability exceeds a threshold value to execute the operation for preventing illegal base station. Some aspects may further include: in response to determining that another subframe receives the IMSI-based paging message or determining that there is a repeated IMSI-based paging message, the processor performs monitoring for subsequent wireless electronic frames for an additional indication of the illegal base station; and in response to detecting an additional indication of the illegal base station, adjusting the illegal probability, second last paragraph, page 2.

In response to determining that the number of sub-frames within the paging frame exceeds a threshold value "Th2" (i.e., determining that frame 704 = "yes"). ; one or more radio sub-frames in the subsequent radio frame in the DRX period receives a plurality of IMSI-based paging messages exceeding or equal to " Th3 " (i.e., determining frame 718 = " yes ") the illegal probability exceeds a threshold value (i.e., determining frame 712 = " is ") or receiving more than or equal to the threshold value "Thl" for a plurality of IMSI-based paging messages in a subframe that is not a paging occasion (i.e., determining block 716 = "yes"). The wireless device processor may take a response action or perform a driving operation in the operation box 708. The actions taken in response to detecting an illegal base station or a paging hijacking attack may include ignoring a future message from a base station transmitting a first paging message, and deattaching and/or generating and issuing a notification message to the safety server from the base station. Threshold "Thl" and "Th3" are specifically implemented, and when the response action (in block 8) is triggered immediately after receiving a paging message based on the IMSI outside the paging occasion, the minimum value of these thresholds may be 1. Similarly, the threshold value "Th2" is also specific to the embodiment. Threshold "Th2" takes into account all the received IMSI paging messages, whether they are within the paging occasion. Thus, generally "Th2" > "Thl". When the UE determines that it is likely to normally use the IMSI-based paging operator network operation in the condition of using the page based on TMSI, the threshold value " Th2 " can be automatically adjusted to a higher value, and the increasing rate of the illegal probability can be automatically adjusted to a lower value, para 5, page 22.
 
Referring to claim 3, Huber discloses wherein the fabricated TMSI is a fabricated TMSI without integrity protection, and wherein: an appropriate response comprises an identity request message; 

In response to determining that the number of sub-frames within the paging frame exceeds a threshold value "Th2" (i.e., determining that frame 704 = "yes"). ; one or more radio sub-frames in the subsequent radio frame in the DRX period receives a plurality of IMSI-based paging messages exceeding or equal to " Th3 " (i.e., determining frame 718 = " yes ") the illegal probability exceeds a threshold value (i.e., determining frame 712 = " is ") or receiving more than or equal to the threshold value "Thl" for a plurality of IMSI-based paging messages in a subframe that is not a paging occasion (i.e., determining block 716 = "yes"). The wireless device processor may take a response action or perform a driving operation in the operation box 708. The actions taken in response to detecting an illegal base station or a paging hijacking attack may include ignoring a future message from a base station transmitting a first paging message, and deattaching and/or generating and issuing a notification message to the safety server from the base station. Threshold "Thl" and "Th3" are specifically implemented, and when the response action (in block 8) is triggered immediately after receiving a paging message based on the IMSI outside the paging occasion, the minimum value of these thresholds may be 1. Similarly, the threshold value "Th2" is also specific to the embodiment. Threshold "Th2" takes into account all the received IMSI paging messages, whether they are within the paging occasion. Thus, generally "Th2" > "Thl". When the UE determines that it is likely to normally use the IMSI-based paging operator network operation in the condition of using the page based on TMSI, the threshold value " Th2 " can be automatically adjusted to a higher value, and the increasing rate of the illegal probability can be automatically adjusted to a lower value, para 5, page 22.

an inappropriate response comprises a message that does not include an identity request message. (last paragraph page22, second last paragraph, page 23) 

4. The method of claim 1, further comprising:

determining whether an International Mobile Subscriber Identity (IMSI) was sent to the device in response to receiving a message from the device; and

performing one or more authentication operations in response to determining that an IMSI was sent to the device,

wherein determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message comprises determining that the device is an illegitimate base station in response to determining that an IMSI was not sent to the device.

5. The method of claim 4, wherein when the message received from the device is an identity request message performing one or more authentication operations comprises:

receiving an authentication request message from the device;

determining whether the authentication request message can be verified;

determining that the device is a legitimate base station in response to determining that the authentication request message can be verified; and

determining that the device is an illegitimate base station in response to determining that the authentication request message cannot be verified.

TBD


14. A wireless device, comprising:

a wireless transceiver; and

a processor coupled to the wireless transceiver and configured with processor-executable instructions to perform operations comprising:

53

Attorney Docket No.: 192978 sending a fabricated message to a device in communication with the wireless device in response to determining that the device is a suspect base station; receiving a response message from the device; determining whether the response message is an appropriate response or an inappropriate response to the fabricated message; determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message; and performing a protective action in response to determining that the device is an illegitimate base station.

15. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that sending the fabricated message to the device comprises sending an area update message that includes a fabricated Temporary Mobile Subscriber Identity (TMSI).

16. The wireless device of claim 15, wherein the processor is configured with processor-executable instructions to perform operations further comprising: fabricating the TMSI without integrity protection; determining that the response message is an appropriate response 1n response to determining that the response message comprises an identity request message; and determining that the response message is an inappropriate response in response to determining that the response message comprises an identity request message.

17. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising: 54

Attorney Docket No.: 192978

determining whether an International Mobile Subscriber Identity (IMSI) was sent to the device in response to receiving a message from the device; and

performing one or more authentication operations in response to determining that an IMSI was sent to the device,

wherein the processor is configured with processor-executable instructions to perform operations such that determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message comprises determining that the device is an illegitimate base station in response to determining that an IMSI was not sent to the device.

18. The wireless device of claim 17, wherein the processor is configured with processor-executable instructions to perform one or more authentication operations in response receiving an identity request message from the device comprising:

receiving an authentication request message from the device;

determining whether the authentication request message can be verified;

determining that the device is a legitimate base station in response to determining that the authentication request message can be verified; and

determining that the device is an illegitimate base station in response to determining that the authentication request message cannot be verified.

19. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that:

sending the fabricated message comprises sending a service request message that includes at least one of a fabricated response (RES) value, a fabricated cipher key sequence number (CKSN), or a key set ID;

the appropriate response comprises a service reject message; and

the inappropriate response comprises a service accept message.

55

Attorney Docket No.: 192978

20. The wireless device of claim 19, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

determining whether an International Mobile Subscriber Identity (IMSI) was sent to the device;

attempting to re-register with the device in response to determining that an IMSI was sent to the device; and

determining that the device is an illegitimate base station in response to determining that an IMSI was not sent to the device.

21. The wireless device of claim 20, wherein the processor is configured with processor-executable instructions to perform operations such that:

sending the fabricated message to the device comprises sending an authentication response including the fabricated message;

attempting to re-register with the device comprises:

sending an attach request message to the device; and receiving an authentication request from the device; and

determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message comprises determining that the device is an illegitimate base station in response to determining that the response message includes an attach accept message,

wherein the processor is configured with processor-executable instructions to perform operations further comprising determining that the device is a legitimate base station in response to determining that the response message includes an authentication reject message.

22. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

receiving an emergency message from the device; and

56

Attorney Docket No.: 192978

sending a message invoking a service to the device,

wherein the processor is configured with processor-executable instructions to perform operations such that determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message comprises determining whether the device is an illegitimate base station based on a response to the message invoking the service that is received from the device.

23. The wireless device of claim 22, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

determining that the device is a legitimate base station in response to determining that the response to the message invoking the service includes a positive response.

24. The wireless device of claim 23, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

performing a soft reset operation in response to determining that the device is a legitimate base station.

25. The wireless device of claim 23, wherein the processor is configured with processor-executable instructions to perform operations further comprising:

simulating removal and re-insertion of a universal integrated circuit card (UICC) containing a universal SIM (USIM) card in response to determining that the device is a legitimate base station.

26. The wireless device of claim 14, wherein the processor is configured with processor-executable instructions to perform operations such that:

sending a fabricated message to the device comprises sending one or more fabricated messages to the device;

57

Attorney Docket No.: 192978

receiving a response message from the device comprises receiving more than one response from the device; and

determining whether the response message is an inappropriate response to the fabricated message comprises determining whether any one or more of the received response messages in an inappropriate response.

27. A wireless device, comprising:

means for sending a fabricated message to the device a device in communication with the wireless device 1n response to determining that the device is a suspect base station;

means for receiving response messages from the device;

means for determining whether a response message received from the device iS an appropriate response or an inappropriate response to the fabricated message;

means for determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message; and

means for performing a protective action in response to determining that the device is an illegitimate base station.

28. A non-transitory processor-readable storage medium having stored thereon processor-executable software instructions configured to cause a processor of a wireless device to perform operations for identifying an illegitimate base station, comprising:

sending a fabricated message to a device in communication with the wireless device in response to determining that the device is a suspect base station;

receiving a response message from the device;

determining whether the response message is an appropriate response or an inappropriate response to the fabricated message;

58

Attorney Docket No.: 192978

determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message; and

performing a protective action in response to determining that the device is an illegitimate base station.

29. The non-transitory processor-readable storage medium of claim 28, wherein the stored processor-executable software instructions are configured to cause the processor of the wireless device to perform operations further comprising:

determining whether an International Mobile Subscriber Identity (IMSI) was sent to the device in response to receiving a message from the device; and

performing one or more authentication operations in response to determining that an IMSI was sent to the device,

wherein the stored processor-executable software instructions are configured to cause the processor of the wireless device to perform operations such that determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message comprises determining that the device is an illegitimate base station in response to determining that an IMSI was not sent to the device.

30. The non-transitory processor-readable storage medium of claim 29, wherein the stored processor-executable software instructions are configured to cause the processor of the wireless device to perform one or more authentication operations when the message received from the device is an identity request message comprising:

receiving an authentication request message from the device;

determining whether the authentication request message can be verified;

determining that the device is a legitimate base station in response to determining that the authentication request message can be verified; and

59

determining that the device is an illegitimate base station in response to determining that the authentication request message cannot be verified. 60

DETAILED ACTION

Status of Claims
Claims 1-30 are subject to examination.  

Specification
The title is objected to because the title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. The present title is well known in the art (please see cited arts), too broad and not sufficient for proper classification of the claimed subject matter. The title should also reflect claimed invention,
IDENTIFYING AN ILLEGITIMATE BASE STATION BASED ON INAPPROPRIATE RESPONSE, please refer to MPEP 606 for title contents.

Drawings
The figures submitted on the filing date of this application are acknowledged. 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 2, 4, 5 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Huber et al., CN 113170307 A.
Referring to claim 1, Huber discloses a method of identifying an illegitimate base station performed by a processor of a wireless device, comprising: 

Various embodiments include methods and devices configured to implement these methods, the methods are used for: detecting a channel hijacking attack; and prevent hijacking of the shared paging channel (e.g., PDSCH, etc.) by the following operations: monitoring a shared paging channel during a paging occasion in a discontinuous reception (DRX) period to detect a first IMSI-based paging message in a subframe; and after the first paging message (i.e., after the first IMSI-based paging message); continuously monitoring the subsequent radio sub-frame in the paging frame in the DRX period; and further monitoring all sub-frames of several subsequent radio frames in the current and multiple subsequent DRX period, so as to determine whether one or more sub-frames receive the paging message based on IMSI. for observing the presence of paging based on IMSI, the amount of continuous radio frame after paging frame and the amount of continuous DRX period can be configured and determined by a specific implementation manner. The presence of a paging message including the IMSI value in another subframe other than the paging occasion is the strong indication that the message is sent from an illegal base station that attempts the channel hijacking attack. The presence of a large number of sub-frames (e.g., more than four) of the IMSI-based paging is also observed to be the strong indication sent from the illegal base station in the presence of the same or several consecutive DRX periods. In response to detecting such a condition, the wireless device may perform various driving operations to avoid the victim of the channel hijacking attack, various driving operations such as: ignoring the future message from the base station sending the first paging message; de-attaching and/or generating from the base station and sending a notification message to safety server in the service provider network. In this segment, no matter where the "IMSI-based paging" is indicated, the IMSI indicates the IMSI value of a particular wireless device (or UE) that is receiving a paging message, para 4, page 6.

sending a fabricated message to a device in communication with the wireless device in response to determining that the device is a suspect base station and receiving a response message from the device

in block 816, in response to determining that the monitoring of the base station has been disabled times exceeds a threshold value, the processor can increase the suspicious illegal base station monitoring the forbidden time threshold value or time period. That is, when the monitoring is disabled, waiting for overtime period and restarting the monitoring of the suspicious illegal base station of the operation is repeated a plurality of times, the behaviour indicating base station continuously attempts to initiate paging channel hijacking attack. In order to solve this situation, each time the cycle is repeated, the processor can exponentially increase the timeout value in block 816. This makes the overtime value increase to such a degree that: The illegal base station will not damage the detection mechanism of various embodiments as another attack mechanism. In addition, when the monitoring of the paging based on the IMSI is disabled due to the forbidden value of the specific base station exceeds a threshold value, the wireless device can be prevented from performing any connection to the specific base station, para 1, page 25.

determining whether the response message is an appropriate response or an inappropriate response to the fabricated message; determining that the device is an illegitimate base station in response to determining that the response message is an inappropriate response to the fabricated message; 

In some aspects, adjusting the illegal probability of the base station may include: adjusting the probability value indicating that the base station sending the first IMSI-based paging message is not the probability value of the legal base station authorized by the service provider network associated with the wireless device; and the aspect may further include: determining whether the illegal probability exceeds a threshold value, and in response to determining that the illegal probability exceeds a threshold value to execute the operation for preventing illegal base station. Some aspects may further include: in response to determining that another subframe receives the IMSI-based paging message or determining that there is a repeated IMSI-based paging message, the processor performs monitoring for subsequent wireless electronic frames for an additional indication of the illegal base station; and in response to detecting an additional indication of the illegal base station, adjusting the illegal probability, para 2, page 3.

In response to determining that the number of sub-frames within the paging frame exceeds a threshold value "Th2" (i.e., determining that frame 704 = "yes"). ; one or more radio sub-frames in the subsequent radio frame in the DRX period receives a plurality of IMSI-based paging messages exceeding or equal to " Th3 " (i.e., determining frame 718 = " yes ") the illegal probability exceeds a threshold value (i.e., determining frame 712 = " is ") or receiving more than or equal to the threshold value "Thl" for a plurality of IMSI-based paging messages in a subframe that is not a paging occasion (i.e., determining block 716 = "yes"). The wireless device processor may take a response action or perform a driving operation in the operation box 708. The actions taken in response to detecting an illegal base station or a paging hijacking attack may include ignoring a future message from a base station transmitting a first paging message, and deattaching and/or generating and issuing a notification message to the safety server from the base station. Threshold "Thl" and "Th3" are specifically implemented, and when the response action (in block 8) is triggered immediately after receiving a paging message based on the IMSI outside the paging occasion, the minimum value of these thresholds may be 1. Similarly, the threshold value "Th2" is also specific to the embodiment. Threshold "Th2" takes into account all the received IMSI paging messages, whether they are within the paging occasion. Thus, generally "Th2" > "Thl". When the UE determines that it is likely to normally use the IMSI-based paging operator network operation in the condition of using the page based on TMSI, the threshold value " Th2 " can be automatically adjusted to a higher value, and the increasing rate of the illegal probability can be automatically adjusted to a lower value, para 4, page 22.

performing a protective action in response to determining that the device is an illegitimate base station.

In some embodiments, the wireless device processor may be further configured to, in response to detecting that another subframe has a paging based on the IMSI during continuing to monitor a subsequent radio subframe, performing an actuation operation. For example, if a wireless device detects another subframe including a paging based on the IMSI in a radio frame other than the paging occasion of the device, the wireless device may classify the base station as malicious, and de-attach (if already attached) with the base station; ignoring the future message from the base station; and/or issuing a notification message to the safety server to inform the presence or occurrence of the illegal device, para 4, page 10.

Referring to claim 2, Huber discloses wherein the fabricated message comprises an area update message that includes a fabricated Temporary Mobile Subscriber Identity (TMSI).
TMSI value can be used for uniquely identifying and addressing wireless device, randomly assigned temporary identifier. The TMSI value may be assigned to the wireless device by a mobile switching centre or a visitor location register shortly after the initial random access procedure. TMSI value can be specific to the current cell or tracking area of the wireless device, and is updated when each wireless device is moved to the new tracking area. For purposes of safety, the TMSI is the most commonly identified value of the communication between the wireless device and the base station. Para 1, page 9.
telecommunications network typically comprises a plurality of base stations (e.g., eNodeB in LTE), these base stations by using as the terminal point of all radio protocols towards the wireless device and the network component relay voice (e.g., VoIP and so on) in the network; data and control signal, can be used as a bridge between the wireless device and the network (e.g., the second bridge). Each base station typically covers a small geographic area. The base station group forms a positioning area, a routing area or a tracking area (TA). Para 2, page 9.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1 is/are rejected under 35 U.S.C. 103 as being unpatentable over Huber et al., CN 113170307 A in view of TBD
Referring to claim(s) 1, Huber discloses TBD. TBD does not specifically mention about, which is well-known in the art, which TBD discloses, para TBD. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the effective filing date of the claimed invention to modify the invention disclosed by TBD to implement these limitations and also one of ordinary skill in the art would have been motivated to do so because it could provide TBD, para TBD. 
 




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARESH PATEL whose telephone number is (571)272-3973.  The examiner can normally be reached on M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HARESH N PATEL/Primary Examiner, Art Unit 2496