DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-6, 8-14, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Dawson et al., (US 20080127337 A1) hereinafter referred to as Dawson in view of Hippelainen (US 20020078384 A1) hereinafter referred to as Hippelainen.
Regarding Claims 1 and 9, Dawson discloses A radio access network comprising: a one or more radio access points to wirelessly engage in communication with one or more wireless client communication devices; [Figure 2 shows a wireless communication network with multiple communication devices] 
a Malicious Packet Detector (MPD) communicatively coupled to one or more radio access points…in order to detect one or more malicious packets transmitted to said radio access network by the one or more wireless client communication devices [paragraph 0064, a centralized security management system in a 4G wireless broadband environment to detect malicious data packets and activity] [paragraph 0067, collection servers perform the task of actively or passively collecting information about various devices in the network. The collection servers can get this information in several ways. In one way, the collection servers may poll the devices to obtain the information. In another way, the devices may send the information to the collection servers] 
and a controller functionally associated with the MPD and configured to alter network operation so as to mitigate malicious packet flow from the one or more malicious packet transmitting wireless communication devices. [paragraph 0064, Based on the detection, the system mitigates the malicious data packets and activity using various techniques that depend on the type of packets or activity encountered, the type of devices involved, and the location in the network where the problems are occurring] [Abstract, Based on the attacks, a mitigation scheme is implemented to remove or reduce the attacks]
Dawson does not explicitly teach and including a packet inspector to perform packeting sniffing into packets wirelessly received by said radio access network while the packets are in an IP tunnel.
Hippelainen teaches and including a packet inspector to perform packeting sniffing into packets wirelessly received by said radio access network while the packets are in an IP tunnel [paragraph 0054, Each LIN is arranged as a packet sniffer and filter, essentially a personal computer with an Ethernet interface and a GTP protocol stack. In effect, each LIN may implement a Gn interface as defined in the GSM specification 09.60. In this case, the LIN is arranged as a passive listening node which is able to read the GPRS Tunneling Protocol (GTP)] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Hippelainen with the disclosure of Dawson. The motivation or suggestion would have been “for performing a lawful interception in a packet network.” (Abstract)
Regarding Claims 2 and 10, Dawson discloses wherein mitigating malicious packet flow from the one or more malicious packet transmitting wireless communication devices includes (a) redirecting packets detected to be part of a malicious packet flow, (b) terminating packets detected to be part of a malicious packet flow, or (c) altering a radio link of the one or more wireless client communication devices with said radio access network. [paragraph 0089, A command is given to deny all traffic from computing device 205. Computing device 205 is effectively removed from the network – a device is removed from the network. This is the removal of the device from the access network]
Regarding Claims 3 and 11, Dawson discloses wherein said MPD detects whether a packet is a malicious packet by inspecting at least one characteristics of the packet to assess whether the packet is part of a denial of service attack on a data network resource. [paragraph 0005, The problem with denial of service attacks becomes more acute when a wireless environment is involved. Not only does a service provider have to know how to detect, reduce, and remove the malicious packet over a packet network like the Internet, the service provider has to know how to perform the mitigation with wireless devices – teaches that detecting a denial of service attack has been difficult] [paragraph 0007, Embodiments of the present invention solve at least the above problems by providing a system, method, and media for, among other things, a centralized security management system – teaches that the centralized security management system solves the problem which includes detecting a denial of service attack in a wireless network] [paragraph 0064, a centralized security management system in a 4G wireless broadband environment to detect malicious data packets and activity. Based on the detection, the system mitigates the malicious data packets and activity using various techniques that depend on the type of packets or activity encountered, the type of devices involved, and the location in the network where the problems are occurring – teaches inspecting multiple different characteristics of the packets for detecting malicious data packets]
Regarding Claims 4 and 12, Dawson discloses wherein the data network resource is selected from the group consisting of: (a) a Domain Name Server, (b) a digital content or media server, and (c) an application engine or server. [Figure 2, elements 205, 215, 210, and 220 represent data network resources which can include digital content or media servers]
Regarding Claims 5 and 13, Dawson discloses wherein said MPD detects whether a packet is part of a malicious packet flow by inspecting at least one characteristic of a set of packets addressed to a common or related data network resource. [paragraph 0064, a centralized security management system in a 4G wireless broadband environment to detect malicious data packets and activity. Based on the detection, the system mitigates the malicious data packets and activity using various techniques that depend on the type of packets or activity encountered, the type of devices involved, and the location in the network where the problems are occurring – teaches multiple different characteristics of the packets for detecting malicious data packets]
Regarding Claims 6 and 14, Dawson discloses wherein the at least one characteristic of the set of packets is selected from the group consisting of: (a) destination address, (b) source address, (c) duration between consecutive packets, (d) patterns of packet transmissions from a given device, and (e) a correlation between packets being transmitted to a common destination address substantially concurrently by separate devices. [paragraph 0078, Behavioral signatures deal with known behavior patterns. For example, a pattern of behavior may denote valid actions for a network or a set of devices. But if a certain pattern is received that is indicative of a "bad" behavior, the system or logic server can identify it immediately as being bad. This can happen in the case of a worm where behavioral patterns of worms are already known. One example is where there are connections with other hosts in a certain way, maybe sending email after being port scanned because something became a spam zombie – teaches detecting patterns of transmissions]
Regarding Claims 8 and 16, Dawson discloses wherein mitigating a malicious packet flow includes reporting detection of the malicious packet flow to a network control unit, wherein reporting includes reporting an identifier of a device transmitting the malicious packet flow. [paragraph 0089, In the scenario, a worm has infected computing device 205. The worm attacks from computing device 205 other devices in the network including mobile devices. In the scenario, CSMS 263 operates to remove or reduce the attacks initiated by the worm. A router 245 and a firewall 260 send their event information to collection servers 110 and 120 in CSMS 263. Collection servers 110 and 120 take the event information and correlates it with other information to produce an alert. Although the singular form "event information" is used, it is also used to denote plural information as well. An operator at console 160 is notified and possible mitigation actions are provided at console 160 – the event information would include the identifier of the device as this event is specifically regarding reporting that a worm has infected computing device 205]

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Dawson in view of Hippelainen, as applied to Claims 1 and 9, respectively, above, and further in view of Gauvin et al., (US 7735116 B1) hereinafter referred to as Gauvin.
Regarding Claims 7 and 15, the combination of Dawson and Hippelainen does not explicitly teach wherein altering a radio link of the device which is transmitting the malicious packet flow includes signaling a radio access point with which the device is communicatively coupled to deallocate or otherwise restrict bandwidth to the device.
Gauvin teaches wherein altering a radio link of the device which is transmitting the malicious packet flow includes signaling a radio access point with which the device is communicatively coupled to deallocate or otherwise restrict bandwidth to the device. [Column 10, lines 37-46, Security Level I 700 provides the means to determine that an incoming packet is valid, does indeed meet the security requirements of the system and is therefore allowed to flow through to the next level of security checks. In general, security processing should drop packets at the earliest time possible. For Security Level I, policies are based on protocol acceptance, bandwidth restriction and system hardening protection. Bandwidth restrictions are influenced by the results from security checks at the higher levels, as well as attack amelioration at this level] [Column 18, line 18, Content security 1104 scans files for malicious content] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Gauvin with the disclosures of Dawson and Hippelainen. The motivation or suggestion would have been “to determine that an incoming packet is valid.” (Column 10, line 38)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923. The examiner can normally be reached M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/ANDREW J STEINLE/Primary Examiner, Art Unit 2497