Prosecution Insights
Last updated: July 17, 2026
Application No. 17/205,966

IMPLEMENTING A MULTI-DIMENSIONAL UNIFIED SECURITY AND PRIVACY POLICY WITH SUMMARIZED ACCESS GRAPHS

Non-Final OA §103
Filed
Mar 18, 2021
Priority
Feb 24, 2021 — provisional 63/153,362
Examiner
CAREY, FORREST L
Art Unit
2491
Tech Center
2400 — Computer Networks
Assignee
Theom Inc.
OA Round
6 (Non-Final)
57%
Grant Probability
Moderate
6-7
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 57% of resolved cases
57%
Career Allowance Rate
151 granted / 267 resolved
-1.4% vs TC avg
Strong +54% interview lift
Without
With
+54.4%
Interview Lift
resolved cases with interview
Typical timeline
3y 7m
Avg Prosecution
18 currently pending
Career history
293
Total Applications
across all art units

Statute-Specific Performance

§101
1.1%
-38.9% vs TC avg
§103
87.2%
+47.2% vs TC avg
§102
9.8%
-30.2% vs TC avg
§112
1.9%
-38.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 267 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims Claims 1, 5, 7-8, 10-11 are pending. Claims 2-4, 6, 9 are cancelled. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 5, 10-11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wu et al (PGPUB 2022/0050828), and further in view of Binkley et al (PGPUB 2020/0110894), Brezinski (US 9,225,730), Chari et al (PGPUB 2015/0326594), and Madan (US 11,847,244). Regarding Claim 1: Wu teaches a computerized method for implementing risk discovery with a set of unified security and privacy policies in a cloud-computing platform (abstract, method for asset discovery, data classification, risk evaluation, and data/device security; paragraph 48, cloud server), comprising: with at least one processor (paragraph 5, processor): discovering a set of data and a set of data accesses within an enterprise computing system comprising the cloud-computing platform (paragraph 52, asset discovery manager 135 retrieving data stored at one or more remote locations, summarizing the retrieved data at the one or more remote locations, and transferring the summarized data from the one or more remote locations to one or more computing devices; paragraph 59, data summarization 305 may include identifying detailed cloud data storage file access activities; paragraph 46, enterprise data); classifying a set of discovered data and the set of data accesses with an identification that shows which of the set of discovered data are important or critical for the enterprise by (paragraph 37, techniques include and implement advanced machine learning techniques to perform automatic data classification, finding the most probable data type related with each asset without any software agent or human manual inspection; paragraph 55, ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups): determining a use region value of where each data asset is located (paragraph 111, the data analysis manager 915 may collect at least one of a geographic location of the data stored at the one or more remote locations), determining which of the set of discovered data and the set of data accesses have or are associated with sensitive information (paragraph 55, data input module 205 may retrieve data stored at one or more remote locations, summarize the retrieved data at the one or more remote locations, and transfer the summarized data from the one or more remote locations to a computing device (e.g., device 105, or server 110, or database 115, or a network device of network 120, or any combination thereof); discovering the assets includes discovering known assets and unknown assets; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential), placing the set of discovered data and the set of data accesses that are associated with sensitive information into a set of discovered information about an infrastructure, wherein the discovered information comprises the region value (paragraph 59, data summarization 305 may include identifying detailed cloud data storage file access activities; paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential; paragraph 100-101, the data input manager 910 may summarize the retrieved data at the one or more remote locations; the data input manager 910 may transfer the summarized data from the one or more remote locations to the at least one computing device; the data analysis manager 915 may process the transferred data by the at least one computing device; paragraph 111, the data analysis manager 915 may collect at least one of a geographic location of the data stored at the one or more remote locations), determining which of the set of discovered data and the set of data accesses are relevant in context of a specified governmental data privacy regulation (paragraph 39, techniques allow compliance with GDPR, CCPA; paragraph 57, Table 1, types of data includes health insurance portability and accountability database (i.e. HIPAA); paragraph 72, model interference 435 may use department information to infer a server's data type/classification; when over 50% of the users on this server come from HR department (e.g., the highest user ratio), then model interference 435 may assign the server's data type as HR and data classification as Private; model inference 435 may apply a data type to the server based at least in part on the highest represented organization department; the data type applied to the server may be the organization department that determined to be the highest represented organization department; as per Table 1, data types include HIPAA database), placing the set of discovered data and the set of data accesses that are relevant in the context of a specified governmental data privacy regulation into the set of discovered information about the infrastructure (paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; paragraph 72, model inference 435 may apply a data type to the server based at least in part on the highest represented organization department); and with the set of discovered information about the infrastructure, mapping the set of discovered information about the infrastructure to a set of deterministic dimensions (paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential; predetermined set of data classification options can be seen as at least one deterministic dimension, thereby comprising a set); and wherein a deterministic dimension represents a policy or an intent of the enterprise (EXAMINER’S NOTE: broadest reasonable interpretation of “intent of the enterprise” can include tasks or processes which the enterprise means to happen; deliberately classifying data into datasets by a machine learning engine could therefore be considered “intent”; paragraph 55, data input module 205 transfers the summarized data from the one or more remote locations to a computing device; ML engine module 210 may classify, based on the processing of the transferred data, data that resides on each asset of the discovered assets into a respective confidentiality group of multiple confidentiality groups; paragraph 79, predetermined set of data classification options can be seen as at least one deterministic dimension, thereby comprising a set, which represents “intent” of the enterprise). Wu does not explicitly teach the method, further comprising: enabling the enterprise to select a subset of deterministic dimensions from the set deterministic dimensions to represent a policy or intent; providing an Open Policy Agent (OPA) as a general-purpose policy engine that implements a set of authorization and admission control to data filtering operations based on the selected subset of deterministic dimensions; and generating a unified privacy and security OPA policy, wherein the unified privacy and security OPA policy assists enterprises to maintain a desired posture with respect to the specified governmental regulations. However, Binkley teaches the concept of a method comprising: enabling an enterprise to select a subset of deterministic dimensions from a set deterministic dimensions to represent a policy or intent (paragraph 18, apparatus is further configured to receive, using the processing circuitry, one or more data attributes (i.e. “deterministic dimensions”) associated with the dataset from a metadata repository; receive, using the processing circuitry, one or more data attribute protection policies associated with the one or more data attributes; and enforce, using the processing circuitry, the one or more data attribute protection policies associated with the one or more data attributes by transmitting the one or more data attribute protection policies to a data protection system); providing an Open Policy Agent (OPA) as a general-purpose policy engine that implements a set of authorization and admission control to data filtering operations based on the selected subset of deterministic dimensions (paragraph 154, the asset integrates with a data protection system, for example the data protection system 106, for authorization; in this regard, in some such embodiments, the data protection system 106 functions as the enforcement point with regard to such authorization; the data protection system 106 may be configured to retrieve and/or otherwise receive data attribute protection policies and/or individual data permissions of use information for use in determining whether to provide authorization); and generating a unified privacy and security OPA policy, wherein the unified privacy and security OPA policy assists enterprises to maintain a desired posture with respect to specified governmental regulations (paragraph 161, exemplary operations performed by apparatus 200 for enforcing attribute protection policies in accordance with some example embodiments; at operation 902, the apparatus 200 includes means, such as communications circuitry 210, input/output circuitry 212, or the like, for receiving one or more data attributes associated with the dataset from the metadata repository 102B; the data attributes are attribute classifications associated with the dataset; example attributes may be associated with PHI and/or specific sensitive data to be accessible based on policies and/or permissions; in one such example context, example attributes indicate: whether the dataset include social security numbers, whether the dataset include health insurance claim numbers, whether the dataset include biometric identifiers, whether the dataset include genomic data, whether the dataset include names, or whether the dataset include Medicare beneficiary identifiers; paragraph 106, indicator represents whether the dataset associated with the dataset identifier and/or the volume associated with the volume identifier includes Personal Identifiable Information or Protected Health Information under the definition of Health Insurance Portability and Accountability Act (HIPAA)). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the policy based on set of deterministic dimensions teachings of Binkley with the system implementing risk discovery teachings of Wu, in order to provide an enterprise the means to adapt a policy over any type or number of attributes associated with a quantity of data, thereby providing security and access according to the needs of an enterprise at a particular time, and allowing compliance with associated data regulations and preventing accidental disclosure of sensitive materials. Neither Wu nor Binkley explicitly teaches the method, further comprising: defining a set of summary attributes for each data asset of the discovered data, wherein, the set of summary attributes comprises a criticality value with three levels of criticality: high, medium, low, wherein the discovered information comprises the set of summary attributes used, generating a Risk criticality (RC) graph in a form of an array of tuples representing paths between services or identities based on the subset of deterministic dimensions, wherein the RC graph provides a multi-dimensional risk-criticality representation of the discovered data assets built from the scanned infrastructure; the RC graph quantifies a risk of a service or a data being subject to a cyber attack; and the RC graph includes a risk level with three levels of criticality comprising high, medium, and low, wherein the risk level is driven by a customizable template based on the discovered data. However, Brezinski teaches the concept of a method, comprising: defining a set of summary attributes for each data asset of discovered data, wherein, the set of summary attributes comprises a criticality value with three levels of criticality: high, medium, low (col 2 line 45-64, collected event data may be employed to generate a graph that includes a plurality of vertices, each vertex corresponding to an entity (e.g., a host device, process, or service) in a computing environment; col 2 line 65-col 3 line 22, an edge corresponding to an event may include a risk metric indicating a level of security risk associated with the event, or associated with the entities involved in the event; col 3 line 23-31, risk metric for an edge may be determined by accessing security risk data which provides a risk metric corresponding to particular host devices, processes, services, users, event types, and so forth; the risk metric may be a numeric metric of any range (e.g., a metric ranging from 0 to 10, with a higher number corresponding to a higher security risk); the risk metric may also be descriptive and may include any number of risk categories (e.g., high, medium, or low risk)), wherein discovered information comprises the set of summary attributes used (col 3 line 23-31, risk metric for an edge may be determined by accessing security risk data which provides a risk metric corresponding to particular host devices, processes, services, users, event types, and so forth; the risk metric may be a numeric metric of any range (e.g., a metric ranging from 0 to 10, with a higher number corresponding to a higher security risk); the risk metric may also be descriptive and may include any number of risk categories (e.g., high, medium, or low risk)), generating a Risk criticality (RC) graph in a form of an array of tuples representing paths between services or identities based on a subset of deterministic dimensions (col 2 line 45-64, the collected event data may be employed to generate a graph that includes a plurality of vertices, each vertex corresponding to an entity (e.g., a host device, process, or service) in a computing environment; implementations also support the use of vertices corresponding to other types of entities, such as users, data files, and so forth; the graph may include any number of edges, each edge connecting two vertices to indicate an event involving the two entities corresponding to the two connected vertices; col 12 line 12-34, the anomalous activity data 122 may be graphically presented as an overlay to the full graph 118 or as an overlay to a surrounding or nearby region of the graph 118 to facilitate analysis; in some cases, the anomalous activity data 122 may include a description of one or more events as tuples of vertex-edge-vertex, including the first entity ID 204 and the second entity ID 206 associated with the vertices 402; the tuples may also include various attributes of the edge 404, including but not limited to the timestamp attribute 406, the event type attribute 408, the user attribute 410, the risk metric 412, or the rarity metric 502), wherein the RC graph provides a multi-dimensional risk-criticality representation of the discovered data assets built from the infrastructure (col 12 line 12-34, the anomalous activity data 122 may be graphically presented as an overlay to the full graph 118 or as an overlay to a surrounding or nearby region of the graph 118 to facilitate analysis; in some cases, the anomalous activity data 122 may include a description of one or more events as tuples of vertex-edge-vertex, including the first entity ID 204 and the second entity ID 206 associated with the vertices 402; the tuples may also include various attributes of the edge 404, including but not limited to the timestamp attribute 406, the event type attribute 408, the user attribute 410, the risk metric 412, or the rarity metric 502, i.e. “multi-dimensional”); wherein the RC graph quantifies a risk of a service or a data being subject to a cyber attack (col 4 line 23-38, by correlating event data in a graph, and traversing the graph according to risk and rarity of events, implementations may enable the detection of an attack that involves a complex chain of accesses in a computing environment); and the RC graph includes a risk level with three levels of criticality comprising high, medium, and low, wherein the risk level is driven by a customizable template based on the discovered data (col 3 line 23-31, risk metric for an edge may be determined by accessing security risk data which provides a risk metric corresponding to particular host devices, processes, services, users, event types, and so forth; the risk metric may be a numeric metric of any range (e.g., a metric ranging from 0 to 10, with a higher number corresponding to a higher security risk); the risk metric may also be descriptive and may include any number of risk categories (e.g., high, medium, or low risk); col 12 line 12-34, the anomalous activity data 122 may be accessed and examined by system administrators, security analysts, system developers, or other personnel to determine whether the events included in the anomalous activity data 122 indicate an attack, exploit, or other form of security breach; in such cases, the anomalous activity data 122 may be presented in a graphical form (e.g., as the subset of the graph 118) to facilitate analysis; in some cases, the anomalous activity data 122 may be graphically presented as an overlay to the full graph 118 or as an overlay to a surrounding or nearby region of the graph 118 to facilitate analysis). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the risk criticality graph teachings of Brezinski with the system implementing risk discovery teachings of Wu in view of Binkley, in order to provide a simple visual means of allowing a user or administrator to visually evaluate risk across a wide range of enterprise assets, giving said user or administrator the ability to rapidly determine which assets were secure and which were not, and focus security and remediation efforts on high impact assets, thereby improving efficiency and enterprise security. Neither Wu nor Binkley nor Brezinski explicitly teaches determining whether each data asset is protected using an encryption or kept in a clear-text, wherein the discovered information comprises whether each data asset is protected using an encryption or kept in a clear-text, and using a frequency value to determine if an event occurs periodically or randomly. However, Chari teaches the concept of determining whether each data asset is protected using an encryption or kept in a clear-text (paragraph 35, the system may determine whether sensitive data provided by the device is properly encrypted, for example whether data that should be encrypted such as passwords are not encrypted), wherein the discovered information comprises whether each data asset is protected using an encryption or kept in a clear-text (paragraph 17, system configured to collect and record system security access data, such as whether the proper encryption has been applied to sensitive data such as passwords, whether non-encrypted data should have been encrypted; paragraph 35, the system may determine whether sensitive data provided by the device is properly encrypted, for example whether data that should be encrypted such as passwords are not encrypted), and using a frequency value to determine if an event occurs periodically or randomly (paragraph 15, system's passive monitoring capability typically includes determining user-supplied network access parameters, such as the number and configuration of mobile devices connected to the enterprise network, the frequency and temporal characteristics of network access, specific users purporting to be using the user-supplied devices on the network and the job functions or other roles of those users; paragraph 29, by maintaining a history of all registration event and connections, the present method embodiments can indicate frequency and temporal properties). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the encryption detection teachings of Chari with the system implementing risk discovery teachings of Wu in view of Binkley and Brezinski, in order to more effectively determine systemwide vulnerabilities by analyzing data to detect encryption status and event frequency, thereby revealing which data has been appropriately secured and which data remains exposed to risk, providing the opportunity for remediation and data loss prevention, thus improving the security environment. Neither Wu nor Binkley nor Brezinski nor Chari explicitly teaches using an Application Programming Interface (API) and key based identity as a list of summarized values for an attribute of the set of summary attributes. However, Madan teaches the concept of using an API and key based identity as a list of summarized values for an attribute of a set of summary attributes (abstract, thod includes training a first, machine learning model on a set of known application programming interface keys to detect application programming interface keys, training a second, machine learning model on code including known application programming interface keys to detect adjacent characters to application programming interface keys, scanning a repository with the first, machine learning model to select a proper subset of the repository that includes possible application programming interface keys and adjacent characters, scanning the proper subset of the repository with the second, machine learning model to detect and remove potential false positives of the possible application programming interface keys based on adjacent characters of the possible application programming interface keys to generate a list of probable application programming interface keys, and sending an indication for the list of probable application programming interface keys; col 2 line 28-45, abuse of this leaked information (e.g., credentials) can cause salient security and compliance risks, such as catastrophic loss of sensitive customer data, harming an organization both financially and reputationally, while putting consumers at risk). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the list of detected API key identifiers teachings of Madan with the system implementing risk discovery teachings of Wu in view of Binkley, Brezinski, and Chari, with the benefit of further discovering privacy and security risks through detecting malicious or unintentional API key leaks, thereby allowing an enterprise or service to detect and control release of sensitive information and target the detected risks for mitigation, thus improving the security environment. Regarding Claim 5: Wu in view of Binkley, Brezinski, Chari, and Madan teaches the computerized method of claim 1. In addition, Binkley teaches wherein there are thirty-two (32) deterministic dimensions (paragraph 54, the term “data attributes” refers to one or more items of data representative of one or more classifications associated with secured data in an asset repository; data attributes may be generated by a metadata source based on various sources of truth for attribute classifications; use of the phrase “one or more” implies an overlapping range with the claimed 32 deterministic dimensions (i.e. “attributes”); therefore, Binkley teaches a configuration in which 32 attributes are present). The rationale to combine Wu and Binkley is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 5. Regarding Claim 10: Wu in view of Binkley, Brezinski, Chari, and Madan teaches the computerized method of claim 1. In addition, Wu teaches wherein a deterministic dimension has a cardinality of fixed attributes (paragraph 79, data classifications for datasets associated with a given user and/or datasets associated with a given asset may include Public/Unknown, Private/Restricted, Confidential, and Highly Confidential; predetermined set of data classification options can be seen as at least one deterministic dimension, thereby comprising a set). Regarding Claim 11: Wu in view of Binkley, Brezinski, Chari, and Madan teaches the computerized method of claim 10. In addition, Wu teaches wherein an intent expressed by a specified set of deterministic dimensions is pre-defined (paragraph 52, described techniques include asset discovery manager 135 performing a security action to protect data that resides on an asset of the discovered assets based at least in part on a confidentiality group to which the data on the asset is classified and a calculated risk score of the asset or a calculated risk score of a user of the asset, or both). Claim(s) 7-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wu in view of Binkley, Brezinski, Chari, and Madan, and further in view of Parthasarathy (PGPUB 2020/0057864). Regarding Claim 7: Wu in view of Binkley, Brezinski, Chari, and Madan teaches the computerized method of claim 1. Neither Wu nor Binkley nor Brezinski nor Chari nor Madan explicitly teaches wherein the governmental regulation comprises General Data Protection Regulation (GDPR). However, Parthasarathy teaches the concept wherein a governmental regulation comprises General Data Protection Regulation (GDPR) (abstract, sensitive data discovery engine; paragraph 122, the SDDE 1601 allows flagging of sensitive data in source systems of an organization and subsequent use of the discovery metadata for data governance initiatives within the organization; moreover, the SDDE 1601 assists in enforcement of the general data protection regulation (GDPR) in the following articles: For example, in Article 4, the SDDE 1601 assists in discovery of all personal data in a computer system, in Article 35, the SDDE 1601 allows an organization to perform data privacy impact assessment that assesses the impact of processing on personal data using the sensitive data discovery map report; in Article 25, the SDDE 1601 implements a data protection and governance mechanism by design and default using the sensitive data discovery map report; in Articles 33 and 34, the SDDE 1601 identifies sensitive data to facilitate immediate notification of any breach to a supervisory authority and data subject as necessary; and in Article 15 that provides the data subjects the right to access data, the SDDE 1601 identifies and renders the locations of the sensitive data to provide the access). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the GDPR compliance teachings of Parthasarathy with the system implementing risk discovery teachings of Wu in view of Binkley, Brezinski, Chari, and Madan, with the benefit of allowing the system to obtain compliance with additional regulations, thereby allowing the system to operate in regions which would otherwise be inaccessible due to a lack of regulatory compliance. Regarding Claim 8: Wu in view of Binkley, Brezinski, Chari, and Madan teaches the computerized method of claim 1. Neither Wu nor Binkley nor Brezinski nor Chari nor Madan explicitly teaches, wherein the governmental regulation comprises California Consumer Privacy Act (CCPA). However, Parthasarathy teaches the concept wherein a governmental regulation comprises California Consumer Privacy Act (CCPA) (abstract, sensitive data discovery engine; paragraph 122, the SDDE 1601 allows flagging of sensitive data in source systems of an organization and subsequent use of the discovery metadata for data governance initiatives within the organization; similarly, the SDDE 1601 assists in enforcing new regulations, for example, the California Consumer Privacy Act, passed after the GDPR). It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the CCPA compliance teachings of Parthasarathy with the system implementing risk discovery teachings of Wu in view of Binkley, Brezinski, Chari, and Madan, with the benefit of allowing the system to obtain compliance with additional regulations, thereby allowing the system to operate in regions which would otherwise be inaccessible due to a lack of regulatory compliance. Response to Arguments Applicant's arguments filed 10/10/2025 have been fully considered but they are not persuasive. Regarding the rejection of claims under 35 USC 103: Applicant’s arguments regarding Ganor are moot, as Ganor is no longer part of the rejection of claims under 35 USC 103. Examiner’s response to applicant’s arguments, pages 7-9: In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). Applicant appears to be arguing that the claim is being “carved up”, and examined in a piecemeal fashion, which is incorrect. For instance, with regard to the claim limitations relating to “classifying the set of discovered data and the set of data accesses with an identification that shows which of the set of discovered data assets are important or critical for the enterprise by…”, the recited sub-limitations present little more than a list of determined data characteristics which are well-known in the art, e.g. “determining a use of a region value of where each data asset is located”, or “determining whether each data asset is protected using an encryption or kept in a clear-text”. No characteristic in the list of elements has any relationship to any other characteristic; it is merely a laundry list of preferred data categorization elements. It would certainly be obvious to a person having ordinary skill in the art to incorporate additional data categorization elements from a well-known list of attributes to refine a classification. Reliance on a large number of references in a rejection does not, without more, weigh against the obviousness of the claimed invention. See In re Gorman, 933 F.2d 982, 18 USPQ2d 1885 (Fed. Cir. 1991). Applicant argues, without evidence, that the reasoning relied upon by the Office has no cognizable basis in the prior art, no explanation as to the source of the purported rationale, and instead appears to be grounded solely on the inventive roadmap provided by the applicant. However, while applicant provides a list of each of the provided rationales, applicant has not pointed out how any rationale is invalid. Further, in response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim. However, as shown above, the independent claims are not allowable. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /FORREST L CAREY/Examiner, Art Unit 2491 /WILLIAM R KORZUCH/Supervisory Patent Examiner, Art Unit 2491
Read full office action

Prosecution Timeline

Show 8 earlier events
Dec 05, 2024
Response Filed
Dec 20, 2024
Final Rejection mailed — §103
Apr 21, 2025
Request for Continued Examination
May 01, 2025
Response after Non-Final Action
Jun 11, 2025
Non-Final Rejection mailed — §103
Oct 10, 2025
Response Filed
Feb 12, 2026
Final Rejection mailed — §103
Apr 13, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683928
Hybrid web application firewall
4y 1m to grant Granted Jul 14, 2026
Patent 12647791
METHOD AND DEVICE FOR AUTHENTICATING A PRIMARY STATION
3y 4m to grant Granted Jun 02, 2026
Patent 12625932
IDENTITY AUTHENTICATION USING BIOMETRICS
4y 1m to grant Granted May 12, 2026
Patent 12625979
ENFORCEMENT OF AUTHORIZATION RULES ACROSS DATA ENVIRONMENTS
4y 0m to grant Granted May 12, 2026
Patent 12626000
ADVANCED POLICY ATTRIBUTE DERIVATION FOR DATA MANAGEMENT USING CONTENT-BASED DATASETS
3y 6m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

6-7
Expected OA Rounds
57%
Grant Probability
99%
With Interview (+54.4%)
3y 7m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 267 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month