Notice of Pre-AIA or AIA Status
Claims 1-20 are presented for examination.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 7/28/20, 2/16/22, 6/29/22, 6/30/22, and 9/27/22 have all been considered by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,516,670. Although the claims at issue are not identical, they are not patentably distinct from each other because the noted differences between the claims are obvious variations of the same invention.  By way of illustration, consider the respective claim 1 from each application:

Claim 1 of the instant application:
1. A method performed by a security system to secure a 5G network from a cyberattack, the method comprising: 

instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model including a vulnerability parameter, a risk parameter, and a threat parameter, wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack; 

processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; 

based on the VRT score, redirecting the incoming network traffic to a containment area that mimics an intended destination or related process for the incoming network traffic; 

mimicking the intended destination or related process for the incoming network traffic for a time period, wherein the time period is set to induce malicious activity by the incoming network traffic;

detecting that the incoming network traffic includes malicious VRT traffic; and 

in response to detecting that the incoming network traffic includes malicious VRT traffic, performing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include preventing the incoming network traffic from being communicated to the intended destination.

Claim 1 of the ‘670 patent:
1. A method performed by a security system to secure a 5G network from a cyberattack, the method comprising: 

instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model that is based on a vulnerability parameter, a risk parameter, and a threat parameter, wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack; 

processing the incoming network traffic with the security model to output a vulnerability-risk-threat (VRT) score that characterizes the incoming network traffic in relation to the vulnerability parameter, the risk parameter, and the threat parameter; and 

causing one or more actions based on the VRT score to mitigate the cyberattack, wherein causing the one or more actions comprises: embedding, at the perimeter of the 5G network, a tag in the incoming network traffic to indicate that the incoming network traffic includes potential malicious VRT traffic; dispatching the potential malicious VRT traffic with the embedded tag to one or more intended destinations; using the embedded tag to track activity of the potential malicious VRT traffic on the 5G network; comparing the tracked activity of the potential malicious VRT traffic with an expected activity of the potential malicious VRT traffic; and 

discovering that the incoming network traffic includes malicious VRT traffic based on an output of the comparison between the tracked activity and the expected activity.


	It is noted that the features specific to the ‘670 patent but not explicitly recited in the instant invention are nevertheless fully supported by the disclosure of the instant application (paragraphs 0016, 0050, & 0059 of the specification as originally filed) and vice versa (col. 3, lines 10-25 of the ‘670 patent teaching the features of the instant application not explicitly claimed in the ‘670 patent).  The remaining claims 2-20 of the instant application are similarly analogous to claims 2-20 of the ‘670 patent and stand rejected for similar reasons as discussed supra.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lifshitz (U.S. patent Publication 2019/0380037) in view of Muddu (U.S. Patent 9,516,053) in view of Yadav (U.S. Patent Publication 2019/0207976).

Regarding claims 1, 10 and 17:
Lifshitz discloses a method, system, and non-transitory computer-readable storage medium performed by a security system to secure a 5G network from a cyberattack, the method comprising: instantiating the security system to monitor and control incoming network traffic at a perimeter of the 5G network in accordance with a security model (the TSE unit monitors and controls network traffic for the 5G core network using modeling and machine learning, using predefined parameters: Abstract, & paragraphs 0157-0158, 0166-0167, 0172-0173, 0184-0185, & 0209-0212); processing the incoming network traffic with the security model to output a score that characterizes the incoming network traffic in relation to the parameters (Lifshitz, Ibid); detecting that the incoming network traffic includes malicious VRT traffic (Lifshitz, Ibid); and in response to detecting that the incoming network traffic includes malicious VRT traffic, performing one or more actions based on the VRT score to mitigate the cyberattack, wherein the one or more actions include preventing the incoming network traffic from being communicated to the intended destination (Lifshitz, Abstract, and paragraphs 0017, 0034, & 0078-0079).  Specific to claim 10, Lifshitz further discloses a processor and memory (paragraphs 0138-0140).
Lifshitz does not disclose wherein the parameters include a vulnerability parameter, a risk parameter, and a threat parameter, wherein the vulnerability parameter relates to a susceptibility of the 5G network to a cyberattack, the risk parameter relates to a scope of the cyberattack, and the threat parameter relates to a source of the cyberattack; the use of which would necessarily make the score computed by the Lifshitz invention a VRT score.  However, Muddu discloses a related invention for detecting malicious traffic comprising these limitations: (col. 15, lines 56-63: Different machine learning models may evaluate different aspects of the pre-processed event data received from the distribution block 320. The machine learning models can also generate security-related scores for the events. Column 58, lines 55-64: Process 2500 begins at step 2502 with receiving event data 2302 indicative of activity by a particular entity associated with a computer network. Column 59, lines 26-53. Column 60, lines 12-26: Process 2600 continues at step 2604 with assigning a threat indicator score based on processing the anomaly data 2304. Calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network [risk parameter]. Column 62, lines 8-10, 43-67: FIG. 28 illustrates a second use case for identifying threat indicators based on entity associations with detected anomalies. In some embodiments, the use case described in FIG. 28 involves a process that begins with determining a measure [e.g. a count] of anomalies associated with a particular entity of the computer network. The process continues with identifying a threat indicator if the measure of anomalies associated with the particular entity satisfies a specified criterion. In an embodiment, the specified criterion may simply be a threshold number of anomalies associated with a particular entity [threat parameter]. Column 75, lines 43-48. Column 104, lines 44-67: In some embodiments, generating the plurality of feature scores includes analyzing a sequencing of communications associated with an entity [internal or external] over a time period and assigning a feature score based on the analysis, wherein the feature score is indicative of a level of confidence that the communications are associated with an exploit chain [vulnerability parameter], column 105, lines 36-65: the plurality of feature scores may be processed according to one or more machine learning models to generate an anomaly score indicative of the probability or likelihood that malware is present in the computer network given the set of feature scores for a particular entity). It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Lifshitz in view of Muddu with the motivation to better detect security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown (Muddu: col. 9, lines 5-7). 
Neither Lifshitz nor Muddu explicitly discloses, based on the VRT score, redirecting the incoming network traffic to a containment area that mimics an intended destination or related process for the incoming network traffic; or mimicking the intended destination or related process for the incoming network traffic for a time period, wherein the time period is set to induce malicious activity by the incoming network traffic.  However, Yadav discloses a related invention for malicious network traffic detection wherein these limitations are taught (the system can detect access attempts by a malicious user to access the network, at which point the system redirects those access attempts to a decoy network that serves to mimic valid responses to the attacker’s access attempts while actually recording the actions taken by the attacker for forensic evidence: see e.g. Figure 5 and paragraphs 0103-0109; see also paragraphs 0017, 0037-0039, 0044 & 0090).  It would have been obvious prior to the filing date of the instant invention to include a decoy honeypot network as part of the Lifshitz and Muddu inventions, as doing so allows for the ability to easily detect and block subsequent attacks from the same malicious user in a superior manner to merely using blacklists which the malicious user can otherwise evade (Yadav, paragraph 0001). 

Regarding claims 2 and 13:	The combination further discloses: prior to detecting that the incoming network traffic includes malicious VRT traffic: generating a copy of the incoming network traffic that includes the malicious VRT traffic; storing the copy of the incoming network traffic at a memory to preserve an initial state of the incoming network traffic; and upon detecting that the incoming network traffic includes malicious VRT traffic, reporting the copy of the incoming network traffic to the central database; communicating at least an indication of the malicious VRT traffic to a central database, wherein the central database manages VRT information collected from multiple networks including the 5G network; receiving an update from the central database, wherein the update includes at least an indication of the VRT information collected from the multiple networks; and training the security model based on the update (see the data collection and analytics engine(s) of Yadav, e.g. paragraphs 0038-0041 & 0109; see also Lifshitz, paragraphs 0083-005, 0125, 0166, & 0171).

Regarding claim 3:	The combination further discloses: communicating at least an indication of the malicious VRT traffic to a central database, wherein the central database manages VRT information collected from multiple networks including the 5G network; receiving an update from the central database, wherein the update includes at least an indication of the VRT information collected from the multiple networks; and training the security model based on the update (Lifshitz, paragraphs 0083-005, 0125, 0166, & 0171).

Regarding claim 4:	The combination further discloses wherein the security model is a machine learning model that is trained based on VRTs information collected by multiple security systems of multiple networks (Lifshitz, paragraphs 0172-0174).

Regarding claims 5 and 14:	The combination further discloses: detecting that additional network traffic is normal; and in response to detecting that the additional network traffic is normal traffic, redirecting the normal network traffic from the containment area to an intended destination of the normal traffic (Yadav, paragraphs 0038-0040 & 0048).

Regarding claims 6 and 15:	The combination further discloses wherein the security system processes outgoing network traffic to induce malicious activity of the outgoing network traffic (Lifshitz, paragraphs 0150, 0205-0208, & 0213-0220).

Regarding claims 7 and 18:	The combination further discloses wherein the 5G network includes an edge device that includes the security system to perform the one or more actions by the edge device (Yadav, paragraphs 0021-0022).

Regarding claims 8 and 19:	The combination further discloses wherein the containment area includes a network that is separate and distinct from the 5G network such that malicious activity of the incoming network traffic is induced separate and distinct from the 5G network (Yadav: the decoy network element 304 of Figure 3).

Regarding claims 9 and 20:	The combination further discloses determining that the cyberattack to the 5G network has been thwarted; and terminating the instantiation of the security system (Lifshitz, paragraph 0157).

Regarding claim 11:
	The combination further discloses redirecting the network traffic to a containment area that mimics the intended destination of the network traffic (Yadav: the decoy network element 304 of Figure 3).

Regarding claim 12:
	The combination further discloses wherein the time period is set based on a type of network traffic (Yadav, paragraphs 0037-0039).

Regarding claim 16:
	The combination further discloses wherein the network traffic is processed by a security model that defines the vulnerability parameter, the risk parameter, and the threat parameter (Muddu, e.g. col. 105, lines 10-65).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: “Security for 5G and Beyond” (Ahmad et al.).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl, can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/ Examiner, Art Unit 2435    12/14/2022