DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application filed on 11/13/2020. Claims 1-20 are examined.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Louafi (U.S. 20210321259), in view of Zavesky (U.S. 20190215688).

Regarding claim 1, 6 and 15, 
Louafi discloses: A system comprising: a processor; and a memory ([0021] a system comprises one or more processing nodes each comprising one or more processors, memory) that stores computer-executable instructions that, when executed by the processor ([0021] stores instructions executable by the respective one or more processors), cause the processor to perform operations comprising ([0094] a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of the vRAN 202 or a component of the vRAN 202 (e.g., the NAD function 222) according to any of the embodiments described herein is provided) obtaining ([0059] the collected data), at a computing device that executes a network data analytic function ([0059] by using streaming analytic methods), event data based ([0055] extracting relevant data) on an event stream ([0055] the data and logs collected), the event data representing events on a cellular network ([0051] UE behavior in the cellular communications system; [0076] UE behavior include a number of connections made by the UE during the period of time, an average bandwidth used by the UE during the period of time, frequency and/or length of the connections made by the UE during the time period, and/or signaling anomalies for the UE); providing, to a training module, the event data ([0055] provides the preprocessed data to the trainer 302); training, using the training module, a plurality of models associated with the cellular network ([0056] [0056] The trainer 302 of the NAD function 222-1 processes the preprocessed data collected for the UEs 210 connected to the vRAN 202-1 to generate a trained partial model of UE behavior in the vRAN 202-1 (step 428). Likewise, the trainer 302 of the NAD function 222-2 processes the preprocessed data collected for the UEs 210 connected to the vRAN 202-2 to generate a trained partial model of UE behavior in the vRAN 202-2 (step 430) wherein the plurality of models comprises a cell fingerprint [0017] the first NAD function is implemented in a distributed manner such that the first NAD function comprises one or more components implemented in the first RAN and one or more components implemented in a core network associated with the first RAN; [0031] Systems and methods are disclosed herein for detecting abnormal User Equipment (UE) behavior in a cellular communications system, particularly one that uses a virtualized Radio Access Network (vRAN) architecture. As used herein, a “vRAN” is term that refers to functions of a Radio Access Network (RAN) and, in particular to functions of a radio base station, that are virtualized (e.g., running as one or more virtual components). Typically, the vRAN implements layers 2 and higher of a radio base station, whereas most if not all of layer 1 (i.e., the physical layer) of the radio base station is implemented in a physical radio component(s) referred to herein as a Remote Radio Head (RRH) and a device fingerprint ([0045] Each UE is identified by a unique (global) identifier (e.g., an IMSI)), wherein the cell fingerprint comprises a statistical model of a cell of the cellular network, and wherein the device fingerprint comprises a statistical model of a device that connected to the cellular network; and outputting the plurality of models ([0058 and Fig 4B - (428, 430, 440 and 444)] generation of the partial models in steps 428 and 430 and the generation of the global models in steps 440 and 444).
Altough Louafi a plurality of models, Louafi does not explicitly disclose: a statistical model. 
However Zavesky discloses: a statistical model. ([0073] Classification as used herein, can be inclusive of statistical regression that is utilized to develop models of priority).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zavesky in the machine learning of Louafi by using statistical models (0067). This would have been obvious because the person having ordinary skill in the art would have been motivated in order to model interactions between devices (0040). A person of ordinary skill could have reasonably used statistical modeling as in Louafi because a person of ordinary skill would have reasonably concluded The machine learning and reasoning component 402 can employ automated learning and reasoning procedures (e.g., the use of explicitly and/or implicitly trained statistical classifiers) (0067).

Regarding claim 2, 11 and 16,
Louafi in view of Zavesky discloses: The system of claim 1, wherein the computer-executable instructions, when executed by the processor, cause the processor to perform operations further comprising: 
Louafi further discloses: splitting, using a data collection module, the event stream into a first portion of the event data and a second portion of the event data, wherein providing the event data to the training module comprises providing the first portion of the event data to the training module; and providing, to a production module, the second portion of the event data ([0018] In some other embodiments, a method of operation of a first NAD function associated with a first RAN for predicting normal and/or abnormal UE behavior in a cellular communications system comprises, during a period of time from a time T.sub.0 to a time T.sub.0+T: obtaining information regarding a plurality of UEs served by the first RAN; receiving, from a second NAD function associated with a second RAN, information regarding a particular UE that moved from the second RAN to the first RAN during the period of time; and correlating the information regarding the particular UE received from the second NAD function associated with the second RAN with information regarding the particular UE obtained while the particular UE was being served by the first RAN during the period of time).

Regarding claim 3, 12 and 17,
Louafi in view of Zavesky discloses: The system of claim 1, wherein the computer-executable instructions, when executed by the processor, cause the processor to perform operations further comprising: 
Louafi further discloses: receiving a new instance of event data from the event stream; providing, to a production module, the new instance of event data ([0041] the NAD functions 222 obtain information associated with the operation of the UEs 210); determining, by the production module and based on the new instance of event data and the plurality of models ([0041] Each of the NAD functions 222 then uses the machine learning model that it generated to perform abnormal UE behavior detection), if abnormal activity is detected in the cellular network, wherein the abnormal activity is associated with the device that connected to the cellular network or a network component of the cellular network ([0041] In order to enable detection of abnormal UE behavior); and in response to determining that the abnormal activity is detected, triggering, using a notification and action module, an action ([0077] As an example, any time a UE 210 is considered to exhibit abnormal behavior (e.g., bogus, malicious, bots), the Identifier (ID) of the UE 210 (e.g., UE's IMSI) is reported to security management for the appropriate actions).

Regarding claim 4, 13 and 18,
Louafi in view of Zavesky discloses: The system of claim 3, wherein the action comprises: 
Louafi further discloses: generating, using the notification and action module, a command to remediate the abnormal activity; and providing, using the notification and action module, the command to a network management entity of the cellular network to modify an operation of the cellular network ([0077] Using the trained global model, the predictor 304 of each NAD function 222 uses the trained global model and the preprocessed data for the respective vRAN 202 to cluster the UEs among different clusters. Some of the clusters are considered to characterize the UEs presenting malicious or bogus behavior. As an example, any time a UE 210 is considered to exhibit abnormal behavior (e.g., bogus, malicious, bots), the Identifier (ID) of the UE 210 (e.g., UE's IMSI) is reported to security management for the appropriate actions).

Regarding claim 5, 14 and 19,
Louafi in view of Zavesky discloses: The system of claim 3, wherein the action comprises: 
Louafi further discloses: generating, using the notification and action module, a report that represents the abnormal activity; and providing, using the notification and action module, the report to an operator device ([0077] As an example, any time a UE 210 is considered to exhibit abnormal behavior (e.g., bogus, malicious, bots), the Identifier (ID) of the UE 210 (e.g., UE's IMSI) is reported to security management for the appropriate actions).

Regarding claim 7,
Louafi in view of Zavesky discloses: The method of claim 6, 
Louafi further discloses: wherein the device that connected to the cellular network comprises a user equipment that connected to the cell of the cellular network ([0041] the NAD functions 222 obtain information associated with the operation of the UEs 210 served by the cells of the base stations of the respective vRANs 202 and operate to exchange information to enable each of the NAD functions 222 to generate a global machine learning model of UE behavior).

Regarding claim 8,
Louafi in view of Zavesky discloses: The method of claim 6, 
Louafi further discloses: wherein the device that connected to the cellular network comprises an Internet-of-things device that connected to the cellular network via a customer premises equipment that communicates with the cellular network via a network connection ([0032] In general, connected wireless devices, which are referred to herein as UEs such as mobile devices and Internet of Things (IoT) devices).

Regarding claim 9 and 20,
Louafi and Zavesky disclose: The computer storage medium of claim 15, wherein the event stream is received from a 
Louafi further discloses: network function that operates in a core of the cellular network, the network function comprising a 5G core access and mobility management function or a 5G session management function ([0040] In a similar manner, the vRAN 202-2 includes a BBU pool 212 implemented in a virtualized environment, where the BBU pool 212 includes a number of (virtualized) BBUs 214-1 through 214-M that, together with respective RRHs 216-1 through 216-M, form a number of base stations (e.g., 5G gNBs or LTE eNBs) serving UEs 210 in respective cells of the cellular communications system 200. Optionally, in some embodiments, one or more layer 1 (i.e., PHY layer) functions 218-1 and 218-2 of the base stations are implemented in the vRANs 202-1 and 202-2, respectively. The vRANs 202-1 and 202-2 are connected to a core network(s) 220 (e.g., a 5G Core (5GC) or an Evolved Packet Core (EPC))).

Regarding claim 10,
Louafi in view of Zavesky discloses: The method of claim 6, 
Louafi further discloses: wherein the event stream is received from an operation, administration, and maintenance function that operates in a core of the cellular network ([0035] This approach distributes the detection load among different vRANs and therefore avoids the need for moving around huge quantity of logs and information from the vRANs to the core network or cloudlets to be processed and used for training of detection models).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
De Knijf 12/29/2017 (US 20180191746) teaches Detecting malicious devices using ML analysis of data streams.
Mirashrafi 10/29/2015 (US 20170126705) teaches a method to detect attacks though wireless hot form mobile devices.
Hoydis 4/6/2017 (WO 2018184682) teaches classifying transmission signatures with use of ML.
Lifsshitz 8/20/2019 (US 20190380037) teaches methods to detect signaling storms and how to mitigate them using machine learning.
Akella 3/4/2020 (US 20210281566) teaches detection of abnormal devices such as cell phones on networks and device fingerprinting.

Any inquiry concerning this communication or earlier communications from the examiner
should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can
normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a
USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use
the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,
Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To
file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit
https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and
https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.
/T.A.C./
Examiner, Art Unit 2436

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436