Detailed Action
This is a Non-final Office action in response to communications received on 12/14/2021.  Claims 1-20 are pending and are examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
The drawings, filed 12/14/2021, are acknowledged.

Examiner Notes
Examiner interprets the processor of claim 1 as hardware due to being coupled to the claimed memory for purposes of 101 considerations.

Double Patenting
A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).
A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.
Claims 1-7, 9-13 and 15-19 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-5, 7-10 and 14-17 of prior U.S. Patent No. 11,233,829. This is a statutory double patenting rejection. Below is a comparison of the claims of the instant application and the Patent mentioned above. The bolded portions correspond to the cited limitations of the instant application.

Application 17/550,891
Patent No. 11,233,829
1. A system, comprising: a processor configured to: 

monitor network traffic on a service provider network at a security platform to identify a subscriber with a new IP flow, wherein the security platform is configured to passively monitor one or more 3rd Generation Partnership Project (3GPP) related interfaces; 





associate the subscriber with the new IP flow at the security platform; 

determine a security policy to apply at the security platform to the new IP flow based on the subscriber, 

wherein the security platform is configured to infer a plurality of security policies for IP addresses associated with a plurality of subscribers using the service provider network based on one or more messages intercepted during monitoring of the network traffic on the service provider network at the security platform; apply dynamic policy per the new IP flow with the security policy for IP addresses associated with the subscriber on the service provider network based on one or more messages intercepted during monitoring of the network traffic on the service provider network at the security platform, 

wherein a subscriber/IP address is mapped to a security policy to facilitate security policy enforcement per IP flow using the security platform; and 






enforce the security policy on the new IP flow using the security platform to allow the new IP flow to access a resource based on the security policy; and 






a memory coupled to the processor and configured to provide the processor with instructions.
1. A system, comprising: a processor configured to:… 

…monitor network traffic on a service provider network at a security platform to identify a subscriber of a plurality of subscribers with a new IP flow, wherein the plurality of subscribers includes a first subscriber and a second subscriber, and wherein the security platform is configured to monitor and/or communicate on one or more 3rd Generation Partnership Project (3GPP) related interfaces…

…associate the subscriber with the new IP flow at the security platform…

…select a security policy to apply at the security platform to the new IP flow based on the subscriber… 

…apply dynamic policy per the new IP flow with the security policy for IP addresses associated with the subscriber on the service provider network based on one or more messages intercepted between network elements on a mobile core network of the service provider network during passive monitoring of the network traffic at the security platform using one or more 3GPP related interfaces,…





…wherein the selecting of the security policy to apply at the security platform to the new IP flow is based on the first subscriber or the second subscriber, and wherein a first security policy associated with the first subscriber is different from a second security policy associated with the second subscriber; …

7. The system recited in claim 1, wherein the processor is further configured to: allow another new IP flow to access another resource based on the security policy.

…enforce the security policy on the new IP flow using the security platform to block the new IP flow to access a resource based on the security policy; and …

…a memory coupled to the processor and configured to provide the processor with instructions.
2. The system recited in claim 1, wherein the security platform applies dynamic policy per IP flow for wireless and wired devices.
2. The system recited in claim 1, wherein the security platform applies dynamic policy per IP flow for wireless and wired devices.
3. The system recited in claim 1, wherein the security platform monitors wireless and wired interfaces.
3. The system recited in claim 1, wherein the security platform monitors wireless and wired interfaces…
4. The system recited in claim 1, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces.
3. The system recited in claim 1, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces…
5. The system recited in claim 1, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces to apply a plurality of security policies in real-time as data calls are setup and modified on the service provider network.
3. The system recited in claim 1, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces to apply a plurality of security policies in real-time as data calls are setup and modified on the service provider network.
6. The system recited in claim 1, wherein the security platform monitors network traffic associated with one or more of a Policy Control and Charging Rules Function (PCRF) entity, an Authentication, Authorization, and Accounting (AAA) server, Lightweight Directory Access Protocol (LDAP) server, or Traffic Detection Function (TDF) entity.
4. The system recited in claim 1, wherein the security platform monitors network traffic associated with one or more of a Policy Control and Charging Rules Function (PCRF) entity, an Authentication, Authorization, and Accounting (AAA) server, Lightweight Directory Access Protocol (LDAP) server, or Traffic Detection Function (TDF) entity.
7. The system recited in claim 1, wherein the security platform is configured with a plurality of security policies for IP addresses associated with a plurality of subscribers using the service provider network.
5. The system recited in claim 1, wherein the security platform is configured with a plurality of security policies for IP addresses associated with the plurality of subscribers using the service provider network.
9. The system recited in claim 1, wherein the processor is further configured to: block another new IP flow from accessing another resource based on the security policy.
1. …enforce the security policy on the new IP flow using the security platform to block the new IP flow to access a resource based on the security policy; and …
10. A method, comprising: monitoring network traffic on a service provider network at a security platform to identify a subscriber with a new IP flow, 


wherein the security platform is configured to passively monitor one or more 3rd Generation Partnership Project (3GPP) related interfaces; associating the subscriber with the new IP flow at the security platform; 

determining a security policy to apply at the security platform to the new IP flow based on the subscriber, 



wherein the security platform is configured to infer a plurality of security policies for IP addresses associated with a plurality of subscribers using the service provider network based on one or more messages intercepted during monitoring of the network traffic on the service provider network at the security platform; applying dynamic policy per the new IP flow with the security policy for IP addresses associated with the subscriber on the service provider network based on one or more messages intercepted during monitoring of the network traffic on the service provider network at the security platform, 

wherein a subscriber/IP address is mapped to a security policy to facilitate security policy enforcement per IP flow using the security platform; and 






enforcing the security policy on the new IP flow using the security platform to allow the new IP flow to access a resource based on the security policy.
8. A method, comprising: monitoring network traffic on a service provider network at a security platform to identify a subscriber of a plurality of subscribers with a new IP flow…

…wherein the security platform is configured to monitor and/or communicate on one or more 3rd Generation Partnership Project (3GPP) related interfaces;… 


…associating the subscriber with the new IP flow at the security platform and selecting a security policy to apply at the security platform to the new IP flow based on the subscriber… 

…applying dynamic policy per the new IP flow with the security policy for IP addresses associated with the subscriber on the service provider network based on one or more messages intercepted between network elements on a mobile core network of the service provider network during passive monitoring of the network traffic at the security platform using one or more 3GPP related interfaces;…





…wherein the selecting of the security policy to apply at the security platform to the new IP flow is based on the first subscriber or the second subscriber, and wherein a first security policy associated with the first subscriber is different from a second security policy associated with the second subscriber;… 

14. The method of claim 8, further comprising: allowing another new IP flow to access another resource based on the security policy.
11. The method of claim 10, wherein the security platform applies dynamic policy per IP flow for wireless and wired devices.
9. The method of claim 8, wherein the security platform applies dynamic policy per IP flow for wireless and wired devices.
12. The method of claim 10, wherein the security platform monitors wireless and wired interfaces.
10. The method of claim 8, wherein the security platform monitors wireless and wired interfaces…
13. The method of claim 10, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces.
10. The method of claim 8, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces…
15. The method of claim 10, further comprising: blocking another new IP flow from accessing another resource based on the security policy.
8. …enforcing the security policy on the new IP flow using the security platform to block the new IP flow to access a resource based on the security policy.
16. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:


monitoring network traffic on a service provider network at a security platform to identify a subscriber with a new IP flow, 



wherein the security platform is configured to passively monitor one or more 3rd Generation Partnership Project (3GPP) related interfaces; 

associating the subscriber with the new IP flow at the security platform; determining a security policy to apply at the security platform to the new IP flow based on the subscriber, 

wherein the security platform is configured to infer a plurality of security policies for IP addresses associated with a plurality of subscribers using the service provider network based on one or more messages intercepted during monitoring of the network traffic on the service provider network at the security platform; applying dynamic policy per the new IP flow with the security policy for IP addresses associated with the subscriber on the service provider network based on one or more messages intercepted during monitoring of the network traffic on the service provider network at the security platform, 

wherein a subscriber/IP address is mapped to a security policy to facilitate security policy enforcement per IP flow using the security platform; and 






enforcing the security policy on the new IP flow using the security platform to allow the new IP flow to access a resource based on the security policy.
15. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable medium and comprising computer instructions for:… 

…monitoring network traffic on a service provider network at a security platform to identify a subscriber of a plurality of subscribers with a new IP flow…

…wherein the security platform is configured to monitor and/or communicate on one or more 3rd Generation Partnership Project (3GPP) related interfaces;…

…associating the subscriber with the new IP flow at the security platform and selecting a security policy to apply at the security platform to the new IP flow based on the subscriber… 

…applying dynamic policy per the new IP flow with the security policy for IP addresses associated with the subscriber on the service provider network based on one or more messages intercepted between network elements on a mobile core network of the service provider network during passive monitoring of the network traffic at the security platform using one or more 3GPP related interfaces;…





…wherein the selecting of the security policy to apply at the security platform to the new IP flow is based on the first subscriber or the second subscriber, and wherein a first security policy associated with the first subscriber is different from a second security policy associated with the second subscriber;…

…enforcing the security policy on the new IP flow using the security platform to allow the new IP flow to access a resource based on the security policy.
17. The computer program product recited in claim 16, wherein the security platform applies dynamic policy per IP flow for wireless and wired devices.
16. The computer program product recited in claim 15, wherein the security platform applies dynamic policy per IP flow for wireless and wired devices.
18. The computer program product recited in claim 16, wherein the security platform monitors wireless and wired interfaces.
17. The computer program product recited in claim 15, wherein the security platform monitors wireless and wired interfaces…
19. The computer program product recited in claim 16, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces.
17. The computer program product recited in claim 15, wherein the security platform monitors wireless and wired interfaces including a plurality of 3GPP interfaces and a plurality of non-3GPP interfaces…


The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 8, 14 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 7-8 and 14-15 of U.S. Patent No. 11,233,829, as applied to claims 1, 10 and 16 of the instant application, in view of Ramle (US 2013/0150039 A1).
Application 17/550,891
Patent No. 10,880,072 
Ramle (US 2013/0150039 A1)
8. The system recited in claim 1, wherein the one or more 3GPP related interfaces is selected from the following 3GPP related interfaces: SGi, Gi, S5, and S8.
Ramle; Para. [0008]: Gi, Gx, LTE-Uu, Rx, SGi, S1-U, S1-MME, S1-U, S3, S4, S5, S5/S8, S6a, S10, S11, S12 and Uu etc are in correspondence with the 3GPP specifications and illustrate that logical interfaces with the corresponding names are used for communication between said arrangements by means of said connectivity.
14. The method of claim 10, wherein the one or more 3GPP related interfaces is selected from the following 3GPP related interfaces: SGi, Gi, S5, and S8.
Ramle; Para. [0008]: Gi, Gx, LTE-Uu, Rx, SGi, S1-U, S1-MME, S1-U, S3, S4, S5, S5/S8, S6a, S10, S11, S12 and Uu etc are in correspondence with the 3GPP specifications and illustrate that logical interfaces with the corresponding names are used for communication between said arrangements by means of said connectivity.
20. The computer program product recited in claim 16, wherein the one or more 3GPP related interfaces is selected from the following 3GPP related interfaces: SGi, Gi, S5, and S8.
Ramle; Para. [0008]: Gi, Gx, LTE-Uu, Rx, SGi, S1-U, S1-MME, S1-U, S3, S4, S5, S5/S8, S6a, S10, S11, S12 and Uu etc are in correspondence with the 3GPP specifications and illustrate that logical interfaces with the corresponding names are used for communication between said arrangements by means of said connectivity.


Ramle is combinable with Patent No. 11,233,829 (Rappard) because both are from the same field of endeavor of management of communication between devices. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system of Rappard to incorporate different 3GPP communications interfaces as in Ramle in order to expand the functionality of the system by providing a means by which various types of 3GPP communication interfaces may be utilized for communication.

Prior Art Considered But Not Relied Upon
Archer (US 2011/0289564 A1) teaches applying a security policy on a per user or resource level granularity based on the resource and identification from a network device based on information received and blocking, based on the security policy or policies, access to resources/applications by the user of the network device communicating with the authentication server.
Rash (US 2014/0282823 A1) teaches a policy-based dynamic mirroring function involving snooping flows of network traffic while monitoring the flows of the network at an intrusion detection system.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BLAKE ISAAC NARRAMORE whose telephone number is (303)297-4357.  The examiner can normally be reached on Monday - Friday 0700-1700 MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/B.I.N./Examiner, Art Unit 2438  

/TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438