Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Detail Action
This office action is response to the application 17/326,130 filed on 05/20/2021. Claims 1-20 are pending in this communication.

Examiner’s Note
The examiner is requesting the applicant’s representative to provide direct phone number and email address in next communication, which will be very helpful to advance the prosecution.
Generally the text that are italicized are claims; the text that are in bold are reference citations (with some obvious exception); the text which is neither italicized nor bolded are by the examiner.
The Examiner used figures, paragraph and line numbers from the instant application’s pre-grant publication or pdf copy of allowance. In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Objection 
The dependent claim 17 claims “second mobile device that is within a defined distance of the first mobile device” has no written description in the instant application’s specification. The applicant is requested to identify written description or amend claim 7 by removing the term “defined distance”.

Claim Rejections - 35 USC § 103
The following is a quotation of AIA  35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

 Claims 1-12 & 14-20 are rejected under AIA  35 U.S.C. 103 as being unpatentable over BOYLE; Charles W. et al., Pub. No.: US 2021/0135954 A1 in view of KURAPATI; Krishna et al., Pub. No.: US 2007/0121596 A1.

Regarding Claim 1, BOYLE discloses a method, comprising:
receiving, by network equipment {Fig. 1 element 106 – ‘Radio Access Network’} comprising a processor {Fig. 5 element 510 – ‘Processor’}, application protocol identification data representative of an application protocol identification associated {Fig. 1 element 102 – ‘user devices’ & [0025], “The capture devices 118 may include various probes … that collect the data being transmitted to either the MME or the SGW. For instance, each capture device may collect and decode data packets and send digest of the data packets to the analytics platform 101. The digest of the data packets may include particular protocol events, associated network elements associated with the activity, call or flow identifiers, other application/protocol specific information elements (…), specific measurements (e.g. upstream/downstream packets, upstream/downstream bytes, inter-packet measurements, latency between certain procedures, etc.)”} with a user equipment {[0013], “The classification mechanism may also take into account protocols used by different portions of the network, such as those protocols used by the Radio Access Network (RAN), the Core Network (CN), the user equipment or end-user device (UE), and the like”};
receiving, by the network equipment, international mobile subscriber identity data representative of an international mobile subscriber identity associated with the user equipment {[0018], “an event object may include information from multiple protocols (for example, SIP, RTP, S11-MME etc.) that are involved in a VoLTE call. Because a specific attribute such as IMSI & CallID may not be present in every protocol associated with a particular call, the information from multiple protocols may be used to identify common attributes across two or more protocols”};
in response to receiving the application protocol identification data and the international mobile subscriber identity data, correlating, by the network equipment, the application protocol identification to the international mobile subscriber identity, resulting in correlation data {[0061], “Summarized information from RTP data records that include, downlink bytes, uplink bytes, interpacket gaps, jitter, delay, UP Link timeouts, Downlink Timeouts etc., are combined with SIP call records “DATA” events by correlation using IMSI, User IP Addresses, SGW, ENB IP Addresses, TCP/UDP Port Numbers, event Timestamps etc. Similarly, event data from other protocol events, such as S11 tunnel creation/deletion events, Sv (SRVCC) VOLTE to CS Handover are correlated using common attributes such as IMSI, MSISDN, From/To Identifiers, event time stamp etc.”};
BOYLE, however, does not explicitly disclose
receiving, by the network equipment, anomaly data representative of an anomaly associated with the user equipment; and
in response to receiving the anomaly data and based on the correlation data, sending, by the network equipment to server equipment, an instruction to prevent the user equipment from communicating with cloud server equipment.
In an analogous reference KURAPATI discloses
receiving, by the network equipment, anomaly data representative of an anomaly associated with the user equipment {[0011], “Security against such attacks is provided by a comprehensive suite of VoIP application specific security techniques including VoIP Protocol anomaly detection & filtering and VoIP end-points” … [0238], “FIG. 20 illustrates a Denial of Service Protection Subsystem 2000 in accordance with the present invention … The system detects DoS attacks based on protocol message exploitation (TAM 1702 and Behavior Anomaly Detection 2018), detects persistence of abnormal call volume (Flood DoS Filter 2006, Stealth DoS Filter 2008 and Distributed DoS Detection 2016)”. Examiner’s note: in Fig. 20 ‘Call In’ are from user equipment}; and
in response to receiving the anomaly data and based on the correlation data, sending, by the network equipment to server equipment, an instruction to prevent the user equipment from communicating {[0238], “Source behavior 2004, detects and prevents resource exhaustion of call server (tolerance tuning 2018), detects Call-walking, and protects against maliciously formatted messages aimed at exploiting a vulnerability in secured entity” … Fig. 63 & [0676], “The IMS vulnerability protection system provides IMS Si 1104 provides per subscriber behavioral modeling and learning (Stealth DoS), detect attacks through network level correlation (Distributed DoS) and handles VoIP SPAM. Ss 1108 detects and prevents IMS Signaling layer misuse (IPSEC, TLS, DNS, DHCP, TCP, BootP, SIP, DIAMETER, H.248, etc.), and detects and prevents IMSI spoofing stealth attacks”} with cloud server equipment {[0014], “the stages are applicable to one or more protocols including SIP, IMS, UMA, H.248, H.323, RTP, CSTA/XML or a combination thereof. In addition, the stages can be implemented within a single device or are distributed across a network (e.g., SIP network, a UMA network, an IMS network or a combination thereof)” … [0111], “FIG. 2A shows: (a) unauthenticated communications between the IP Phone 202 and Application Server 204, Presence Server 206 and Configuration Server 208; and (b) authenticated communications between the IP Phone 202 and Call Server 210, which in turn communicates with Media Server 212 and Access, Authorization, and Accounting ("AAA") Server 214”. Examiner’s note: ‘distributed across a networking’ can be referred as “cloud” computing}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify BOYLE’s technique of ‘associating application protocol identification data with IMSI’ for ‘preventing mobile device access to RAN network if the device is in blacklist prepared by using network protocol data with a device IMSI’, as taught by KURAPATI, in order to block a UE to join a RAN network. The motivation is - IMSI is important in mobile technology because it helps identify network subscribers. Additionally, IMSI numbers are used in subscriber authentication, which is a process that helps to ensure that only authorized user devices can access a network which prevents network overload or distributed denial of service.
All references are inventions in analogous area but each invention teaches specific claimed limitation specifically and other references mutually cure each other’s deficiencies. When all claimed techniques are combined they teach claimed invention. The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims unless addressed separately. 

Regarding Claim 2, BOYLE as modified by KURAPATI discloses all the features of claim 1. The combination further discloses
wherein receiving the application protocol identification data is in response to the user equipment sending a protocol data unit to base station equipment {BOYLE: Fig. 1 element 102 – ‘user device’, element 106 – ‘Radio Access Network’ & [0019], “The radio access network 106 includes the stations (in this case eNodeB's 108) that wirelessly connect to mobile devices, such as the user devices 102 … the user devices 102 may communicate using SIP and Real-time Transfer Protocol (RTP)”}.

Regarding Claim 3, BOYLE as modified by KURAPATI discloses all the features of claim 1. The combination further discloses
wherein the anomaly data is determined to be classified as a network attack with respect to radio access network equipment of a radio access network {BOYLE: Fig. 1 element 106 – ‘Radio Access Network’ & [0013], “The classification mechanism may also take into account protocols used by different portions of the network, such as those protocols used by the Radio Access Network (RAN), the Core Network (CN), the user equipment or end-user device (UE), and the like”};

Regarding Claim 4, BOYLE as modified by KURAPATI discloses all the features of claim 1. The combination further discloses
wherein the anomaly data is determined to be classified as an attack with respect to the cloud server equipment {KURAPATI: [0014], “the stages are applicable to one or more protocols including SIP, IMS, UMA, H.248, H.323, RTP, CSTA/XML or a combination thereof. In addition, the stages can be implemented within a single device or are distributed across a network (e.g., SIP network, a UMA network, an IMS network or a combination thereof)” … [0111], “FIG. 2A shows: (a) unauthenticated communications between the IP Phone 202 and Application Server 204, Presence Server 206 and Configuration Server 208; and (b) authenticated communications between the IP Phone 202 and Call Server 210, which in turn communicates with Media Server 212 and Access, Authorization, and Accounting ("AAA") Server 214”. Examiner’s note: ‘distributed across a networking’ can be referred as “cloud” computing.

Regarding Claim 5, BOYLE as modified by KURAPATI discloses all the features of claim 1. The combination further discloses
monitoring, by the network equipment, a packet gateway call data record of a radio access network to identify the anomaly {BOYLE: [0061], “Summarized information from RTP data records that include, downlink bytes, uplink bytes, interpacket gaps, jitter, delay, UP Link timeouts, Downlink Timeouts etc., are combined with SIP call records “DATA” events by correlation using IMSI, User IP Addresses, SGW”}.

Regarding Claim 6, BOYLE as modified by KURAPATI discloses all the features of claim 1. The combination further discloses
monitoring, by the network equipment, a userplane function call data record of a radio access network to identify the anomaly {BOYLE: [0018], “S11-MME includes user plane tunnel establishment procedures and user plane tunnel identifiers (which are also present in SIU user plane tunnels that carry SIP and RTP traffic), tunnels-ID may be used to correlate between S11-MME & SIU user planes that carry SIP and RTP protocol packets”}.

Regarding Claim 7, BOYLE as modified by KURAPATI discloses all the features of claim 1. The combination further discloses
in response to correlating the application protocol identification to the international mobile subscriber identity, storing, by the network equipment, the correlation data for use in determining a second anomaly {KURAPATI: [0241], “The Black List 2206 includes Spammers and the user adds to the list ... The Group Level Callers list also includes a Black List of Spammers”. Examiner’s note: a compiled blacklist is always saved and compared for intrusions over time}.

Regarding claim 8, claim 8 is claim to a system using the method of claim 1. Therefore, claim 8 is rejected for the reasons set forth for claim 1.

Regarding Claim 9, BOYLE as modified by KURAPATI discloses all the features of claim 8. The combination further discloses
wherein the anomaly data is received in response to a determination of the correlation between the application protocol identification and the international mobile subscriber identity {BOYLE: [0018], “voice call identifiers are present in SIP, and not present in RTP and S11-MME. Similarly, an IMSI identifier is present in S11-MME but not present in SIP, RTP etc.”}.

Regarding claim 10, claim 10 is a dependent claim of claim 8, claim 10 is claim to system using the method of claim 2. Therefore, claim 10 is rejected for the reasons set forth for claim 2.

Regarding claim 11, claim 11 is a dependent claim of claim 8, claim 11 is claim to system using the method of claim 4. Therefore, claim 11 is rejected for the reasons set forth for claim 4.

Regarding Claim 12, BOYLE as modified by KURAPATI discloses all the features of claim 8. The combination further discloses
wherein the anomaly data comprises a number of anomalies associated with a group of user equipment comprising the user equipment {BOYLE: [0016], “FIG. 1 is a diagram showing an illustrative environment 100 in which classification of telecommunication event objects may be performed. According to the present example, the environment includes a telecommunication network 104 that establishes communication sessions between devices 102”. Examiner’s note: ‘devices 102’ is referring to a group of UE}.

Regarding Claim 14, BOYLE as modified by KURAPATI discloses all the features of claim 8. The combination further discloses
generating template data representative of a template used to determine when the anomaly has been determined to have occurred {KURAPATI: [0680], “The verification process identifies Stealth and SPAM attacks. These models include call reception parameters, call originating parameters, IPSec tunnel re-initiation parameters, location & mobility behavior parameters, user device protocol message fingerprint, user device boot time behavior, caller Trust Score and called party Credibility Score}. Examiner’s note: ‘attack models’ are functioning as template for actions}.

Regarding claim 15, claim 15 is claim to a non-transitory machine-readable medium using the method of claim 1. Therefore, claim 15 is rejected for the reasons set forth for claim 1.

Regarding Claim 16, BOYLE as modified by KURAPATI discloses all the features of claim 15. The combination further discloses
wherein the instruction to terminate the communication comprises an instruction {KURAPATI: [0527], “Attack type classification: TAM 1702 will identify the attack type according to following matrix and prevent the identified attack by instructing TVM 1714 to invoke security feature (SD/MCD)”}.

Regarding Claim 17, BOYLE as modified by KURAPATI discloses all the features of claim 15. The combination further discloses
wherein the anomaly data is first anomaly data, wherein the anomaly is a first anomaly, wherein the mobile device is first mobile device, and wherein the operations further comprise: receiving second anomaly data representative of a second anomaly associated with a second mobile device that is within a defined distance of the first mobile device {KURAPATI: [0617], “Sm will monitor media for anomalies corresponding to each anomaly template and will report back to Ss” … [0628], “The LAN 5210 is connected to multiple devices, such as IP phones 5212 and 5214, and a device 5216 (e.g., a computer)”}.

Regarding Claim 18, BOYLE as modified by KURAPATI discloses all the features of claim 15. The combination further discloses
aggregating the first anomaly data and the second anomaly data; and in response to aggregating the first anomaly data and the second anomaly data {KURAPATI: [0149], “subsystems and other network elements Aggregating and normalizing logs Analyzing and correlating near real-time and offline logs for anomaly detection or incidence examination Detect hidden and blended attacks Generating commands for attack mitigation and propagate remediation for preventative action to Ss and Sm Reducing false alarms by analyzing logs Updating trust scores and credibilities Behavioral learning”}, generating a data structure {KURAPATI: [0318], “Various data structures are listed below: …”} comprising respective identifiers of the first mobile device and the second mobile device {KURAPATI: [0509], “Message type (Request/Response); Local suspected flood attack threshold; Sip request method/response code (Flood of which SIP message is detected, if flood is of only one message; or special id for aggregate flood); Measured traffic volume indicator; and Endpoint Identifier”. Examiner’s note: anomaly data from many end points is aggregated}.

Regarding Claim 19, BOYLE as modified by KURAPATI discloses all the features of claim 18. The combination further discloses
in response to generating the data structure, sending the data structure to the cloud server {KURAPATI: [0631], “The call forwarding component 5252 passes traffic into one or more devices or systems, such as an interactive voice response ("IVR") system 5254, a voicemail system ("VM") 5256, an IP-PBX soft-switch 5258, and/or an IP phone (such as the IP phone 5212 of FIG. 52A). The call forwarding component also feeds information back into the TAM 5234, which sends information to the VPA 5250 and the TVM 5232 … passing the traffic back into the TAM 5234 may aid in the detection of stealth attacks”. Examiner’s note: feeding/sending information is from different data structures}.

Regarding Claim 20, BOYLE as modified by KURAPATI discloses all the features of claim 18. The combination further discloses
associating a radio access network intelligent controller with the mobile device {BOYLE: Fig. 1 element 102 – ‘User Devices’, element 106 – ‘Radio Access Network’, element 101 – ‘Analytic Platform’. Examiner’s note: Fig. 1 associates a user device to a RAN and controlled by the ‘analytic platform}.

Claim 13 is rejected under AIA  35 U.S.C. 103 as being unpatentable over BOYLE; Charles W. et al., Pub. No.: US 2021/0135954 A1 in view of KURAPATI; Krishna et al., Pub. No.: US 2007/0121596 A1 further in view of BALLEW; Dean et al., Pub. No.: US 2022/0329625 A1.

Regarding Claim 13, BOYLE as modified by KURAPATI discloses all the features of claim 8. However, the combination does not explicitly disclose
in response to receiving the anomaly data, deallocating a resource allocated to the user equipment.
In an analogous reference BALLEW discloses
in response to receiving the anomaly data {ABSTRACT, “a filter for blocking network traffic associated with the suspicious or malicious behavior may be applied to a computing device that is in close geographic and/or logical proximity to an attacking computing device”}, deallocating a resource allocated to the user equipment {[0017], “This dynamic reevaluation and/or removal of an applied filter enables the filter device to deallocate computing resources previously allocated to the filter”}.
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to further modify BOYLE’s technique as modified by KURAPATI of ‘associating application protocol identification data with IMSI’ for ‘preventing mobile device access to RAN network if the device is in blacklist prepared by using network protocol data with a device IMSI’ for ‘deallocating allocated resources from a device after the device is prevented to access network services’ by BALLEW’ in order to increase efficiency of a system. The motivation is - free up the resources from a blacklisted device and reducing business or resource expenses.

Conclusion
Following prior arts are consulted but not applied:
SHAW; Venson et al. (US 11,070,982) – Self-cleaning function for a network access node of a network.
XU; Richard H. et al. (US 2018/0376325 A1) – Internet of Things service architecture.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUAZI FAROOQUI whose telephone number is (571) 270-1034. The examiner can normally be reached on M-F 8:30AM-5:00PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B. Patel can be reached on 571-272-3972. The fax phone number for Examiner Farooqui assigned is 571-270-2034.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-flee). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/QUAZI FAROOQUI/
Primary Examiner, Art Unit 2491