Prosecution Insights
Last updated: July 17, 2026
Application No. 17/357,987

Forensically Analysing and Determining a Network Associated with a Network Security Threat

Final Rejection §103
Filed
Jun 25, 2021
Priority
Jun 25, 2020 — EU 20182261.6
Examiner
HABTEGEORGIS, MATTHIAS
Art Unit
2491
Tech Center
2400 — Computer Networks
Assignee
Vocalink International Limited
OA Round
8 (Final)
78%
Grant Probability
Favorable
9-10
OA Rounds
0m
Est. Remaining
96%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
86 granted / 111 resolved
+19.5% vs TC avg
Strong +18% interview lift
Without
With
+18.3%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
17 currently pending
Career history
138
Total Applications
across all art units

Statute-Specific Performance

§101
1.3%
-38.7% vs TC avg
§103
93.0%
+53.0% vs TC avg
§102
1.5%
-38.5% vs TC avg
§112
3.0%
-37.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 111 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments, see Remarks, filed 04/03/2026, with respect to the rejection(s) of independent claims 1 and 15 under 35 USC § 103 has been fully considered, but are moot because of the new ground of rejection based on a newly found relevant reference material, Maida, US 202101525749. The amendments applied to claim 14 overcome the 35 USC § 112(b) rejection, and thus the rejection of claim 14 under 35 USC § 112(b) has been withdrawn. However, claim 14 and its dependent claims are under 35 USC § 103 based on the newly found prior art, Maida. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-6 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes, and further in view of US-PGPUB No. 2021/0152574 A1 to Maida et al. (hereinafter “Maida”) Regarding claim 1: Stokes discloses: A computer-implemented method for forensically analyzing and determining a network of datasets associated with a network security threat (¶14: “… a forensic analysis method that may be used for tracking malicious lateral movement across a computer network;”, see Fig. 4), the method comprising: a) obtaining details of a flagged network event (see Fig. 3, malicious access path (dashed line) G to I, I to L or I to M) comprising data associated with a network security threat (¶08: “receiving, at a forensic analysis module of a computing device, an identification of a compromised node on a network connection graph corresponding to the computer network, the compromised node indicating a malicious computer or account on the computer network; receiving, at the forensic analysis module of the computing device, a path-rate score for a plurality of paths in the network connection graph, each of the plurality of paths comprising the malicious node and at least one other node of the network connection graph; ”), the flagged network event involving unauthorized movement of the data associated with the network security threat (¶08: “identifying, at the forensic analysis module of the computing device, lateral movement on the computer network using the identification of the compromised node and the path-rate score for the plurality of paths in the network connection graph.”, Note: “lateral movement” is an unauthorized movement) between a first dataset (¶66: “… a known compromised node (denoted as node G) …”, see Fig. 3) and a destination dataset (see Fig. 3, nodes L and M) (¶66: “… the identification of the malicious node is provided to the forensic analysis module 185, e.g., via the compromised computer and account list 195. At 430, the path-rate score 176 is provided to the forensic analysis module 185 by the path-rate score module 175.”, note: identification of the malicious node, and the path-rate score are details of the flagged network event); b) tracing the data associated with the network security threat from the first dataset to a further dataset (¶64: “… a computer which directly connects to the compromised computer (i.e., 1-hop away), such as nodes D, E, and F with respect to node G.”, see Fig. 3), the tracing involving obtaining details of at least one past network event (see Fig. 3, malicious access paths (dashed lines, inbound paths) F to G) between the first dataset and the further dataset (¶64: “For the forensic analysis problem depicted in FIG. 3, consider both inbound and outbound paths of the compromised computer (node G). For inbound path analysis, search for other compromised computers which connect to the known infected computer (node G).”, ¶66: “Searching for potentially compromised nodes which connect to the known compromised node considers inbound paths …”); c) comparing details of the further dataset (¶59: “At 240, a path-rate score, such as the path-rate score 176, is determined for each path in the graph 173. … The path-rate score 176 for each path may be provided to the general detection module 170 and the forensic analysis module 185.”) to predefined criteria (¶60: “… at 250, infeasible paths are eliminated, and paths outside a threshold amount of time are eliminated.”) to identify whether the further dataset is an intermediate dataset or a source dataset from which the data associated with the network security threat originated (¶62: “… determining which user accounts and/or computers in the network graph were connected to the infected computer and which computers were later contacted by the infected computer. … the infected computer may be the source of the initial infection, an intermediate node in the lateral movement path, or the final destination in the attack.”) and adding the details of the further dataset to a forensic report (¶48: “Forensic analysis identifies malicious lateral movement paths into and out of each compromised node. … Once a malicious lateral movement subgraph is confirmed, add the two newly discovered nodes to the compromised computer and account list 195.”, see Fig. 1, for item 195); and However, Stokes does not explicitly disclose the following limitation taught by Maida: d) outputting the forensic report indicating the network of datasets associated with the network security threat based on identification of the further dataset as the source dataset or the intermediate dataset (Maida, ¶36: “… a node graph 300 generated for a threat artifact, such as a phishing email received by the target computing system 130. The node graph 300 includes … a node 302 for a link (“ms.ft/pwd.html”) within the artifact, a node 304 for the sender of the email (liz@foo.com), and a node 306 for a malware file (Pwd.Util.exe) attached to the email.”, see Fig. 3A). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Stokes to incorporate the functionality of the method for performing graph-based analysis of computing system threats and incidents, and determining response and/or mitigation actions for the threats and incidents, as disclosed by Maida, such modification would help analysts to detect and investigate incidents, and used during incident response lifecycle to understand the potential damage to a system, and mitigate the attack to proactively prevent current or future damage to the system, as taught in paragraph [0002] of Maida. Regarding claim 2: The combination of Stokes and Maida discloses: The computer-implemented method of claim 1, further comprising if the further dataset is identified to be an intermediate dataset repeating steps b) to c) starting from that intermediate dataset until a source dataset associated with the intermediate dataset is identified, else if the further dataset is identified to be a source dataset adding details of the source dataset to the forensic report comprising details of the determined network associated with the security threat (Stokes, ¶48: “… When there are multiple infected nodes in the list 195, repeat the process for each additional node. In an implementation, these individually confirmed paths can be combined to reveal the entire malicious lateral movement graph.”); Regarding claim 3: The combination of Stokes and Maida discloses: The computer-implemented method of claim 1, further comprising once at least one source dataset has been identified: starting from the at least one source dataset or its associated intermediate dataset, tracing the data associated with the network security threat to identify one or more datasets that are different to the first dataset and the further dataset (Stokes, ¶93: “Identifying lateral movement may comprise … using 2-hop and/or other multi-hop (e.g., 3-hop, 4-hop, etc.) connections with the compromised node.”), the tracing involving identifying network events which led the one or more datasets to including the data associated with the network security threat (Stokes, ¶48: “… the forensic analysis scenario assumes there is a list of compromised nodes as an additional input feature, which contains at least one known compromised computer or user account. Forensic analysis identifies malicious lateral movement paths into and out of each compromised node.”); adding the one or more datasets identified to the forensic report (Stokes, ¶48: “Once a malicious lateral movement subgraph is confirmed, add the two newly discovered nodes to the compromised computer and account list 195.”). Regarding claim 4: The combination of Stokes and Maida discloses: The computer-implemented method of claim 1, wherein the predefined criteria are one or more of (Stokes, ¶40: “Input parameters may include: …”): whether there are any further past network events associated with data arriving at the further dataset (Stokes, ¶40: “… K (the number of hops in suspicious paths);”), the number of past network events that were associated with data transfer to or from the further dataset, the time difference between past network events that were associated with data transfer to or from the further dataset, how long the data has been present in the further dataset (Stokes, ¶40: “… T (the time constraint for filtering improbable lateral movement connections);”), a geographical location associated with the further dataset. Regarding claim 5: The combination of Stokes and Maida discloses: The computer-implemented method of claim 3, wherein the details of the determined network associated with the security threat comprises a map of the network, and/or a list of past network events between the one or more datasets identified (Stokes, ¶63: “FIG. 3 is an illustration of a network connection graph 300 useful for describing forensic analysis with respect to tracking malicious lateral movement across a computer network. The network connection graph 300 shows 13 nodes (nodes A-M), with node G being a known compromised (i.e., infected) node (i.e., a compromised computer or account in the computer network represented by the network connection graph 300).”, see Fig. 3 and Fig. 5). Regarding claim 6: The combination of Stokes and Maida discloses: The computer-implemented method of claim 1, wherein the step of obtaining details of past network events between the first dataset and the further dataset involves identifying past network events which fall within a predefined time period (Stokes, ¶60: “… at 250, infeasible paths are eliminated, and paths outside a threshold amount of time are eliminated. Infeasible paths may be eliminated using equation (3) above, and paths outside a threshold amount of time may be eliminated using equation (4) above.”). Regarding claim 14: Stokes discloses: A system configured to forensically analyze and determining a network of datasets associated with a network security threat (¶21: “… environment 100 for tracking malicious lateral movement across a computer network.”, see Fig. 1), the system comprising: one or more processors (see Fig. 1, Processing unit 702); and a non-transitory computer-readable memory storing instructions (¶85: “Computer storage media include volatile and non-volatile, and removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions”) that, when executed by the one or more processors, cause the one or more processors to: obtain detail of a flagged network event comprising data associated with a network security threat, the flagged network event involving unauthorized movement of the data associated with the network security threat (¶08: “identifying, at the forensic analysis module of the computing device, lateral movement on the computer network using the identification of the compromised node and the path-rate score for the plurality of paths in the network connection graph.”, Note: “lateral movement” is an unauthorized movement) between a first dataset (¶66: “… a known compromised node (denoted as node G) …”, see Fig. 3) and a destination dataset (see Fig. 3, nodes L and M) (¶66: “… the identification of the malicious node is provided to the forensic analysis module 185, e.g., via the compromised computer and account list 195. At 430, the path-rate score 176 is provided to the forensic analysis module 185 by the path-rate score module 175.”, note: identification of the malicious node, and the path-rate score are details of the flagged network event); trace the data associated with the network security threat from the first dataset to a further dataset, the tracing involving obtaining details of past network events between the first dataset and the further dataset (¶64: “For the forensic analysis problem depicted in FIG. 3, consider both inbound and outbound paths of the compromised computer (node G). For inbound path analysis, search for other compromised computers which connect to the known infected computer (node G).”, ¶66: “Searching for potentially compromised nodes which connect to the known compromised node considers inbound paths …”); compare details of each of the further dataset to predefined criteria to identify if the further dataset is an intermediate dataset or a source dataset from which the data associated with the network security threat originated (¶62: “… determining which user accounts and/or computers in the network graph were connected to the infected computer and which computers were later contacted by the infected computer. … the infected computer may be the source of the initial infection, an intermediate node in the lateral movement path, or the final destination in the attack.”); However, Stokes does not explicitly disclose the following limitation taught by Maida: output a forensic report comprising details of the determined network of datasets associated with the security threat when the further dataset is identified to be a source dataset based on identification of the further dataset as the source dataset or the intermediate dataset (Maida, ¶36: “… a node graph 300 generated for a threat artifact, such as a phishing email received by the target computing system 130. The node graph 300 includes … a node 304 for the sender of the email …”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Stokes to incorporate the functionality of the method for performing graph-based analysis of computing system threats and incidents, and determining response and/or mitigation actions for the threats and incidents, as disclosed by Maida, such modification would help analysts to detect and investigate incidents, and used during incident response lifecycle to understand the potential damage to a system, and mitigate the attack to proactively prevent current or future damage to the system, as taught in paragraph [0002] of Maida. Regarding claim 15: Stokes discloses: A non-transitory computer-readable storage medium storing instructions thereon (¶85: “Computer storage media include volatile and non-volatile, and removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions”) which, when executed by a processor (see Fig. 1, Processing unit 702), cause the processor to perform the following steps: In addition to the above limitations, claim 15 substantially recites the same limitations as claim 1 in the form of a non-transitory computer-readable storage medium storing instructions, therefore it is rejected by the same rationale. Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Maida, and further in view of US-PGPUB No. 2007/0294271 A1 to Bammi et al. (hereinafter “Bammi”) Regarding claim 7: The combination of Stokes and Maida discloses the computer-implemented method of claim 1, but does not explicitly disclose the following limitation taught by Bammi: wherein the network is a financial network (Bammi, ¶75: “… a financial institution.”) and the network security threat is the unauthorised modification of routing information (Bammi, ¶75: “… escheat fraud …”) within the financial network (Bammi, ¶75: “One form of fraud in the banking industry is escheat fraud, wherein bank employees identify dormant accounts, process unauthorized address changes, and make fraudulent fund transfers. …”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes and Maida to incorporate the functionality of the software instrumentation system process unauthorized address changes, and make fraudulent fund transfers, as disclosed by Bammi, such modification would allow the systems and methods to enable banking authorities to identify unauthorized account activities, the fraudsters involved, the monetary amounts of the fraudulent transactions, and the accounts affected, among other things, and take appropriate remedial actions. Claims 8 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Maida, and further in view of US-PGPUB No. 2020/0160340 A1 to Walters et al. (hereinafter “Walters”) Regarding claim 8: The combination of Stokes and Maida discloses the computer-implemented method of claim 1, but does not explicitly disclose the following limitation taught by Walters: further comprising determining a procedure for returning the data associated with the network security threat at the flagged network event to each of the identified source datasets (Walters, ¶49: “… if the set of nodes 102 decide to revert the transaction, then such a result can be communicated to any other node 102 operating within the mesh network including the nodes 102-1 and 102-5. The set of nodes can then create a new cryptocurrency wallet for the node 102-1.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes and Maida to incorporate the techniques for handling fraudulent or erroneous transactions conducted within a mesh network using a localized cryptocurrency, as disclosed by Walters, such modification would allow the system to detect fraudulent, unauthorized, mistaken, erroneous, or unfillable transactions, such that such transactions would be addressed with or without the use of a central authority, wherein such transactions can be reversed by addressing changes to a wallet of a participant requesting the transaction reversions. Regarding claim 13: The combination of Stokes, Maida and Walters discloses: The computer implemented method of claim 8, returning the data based on the determined procedure for returning (Walters, ¶52: “… the node 102-5 will receive a new wallet will the majority of the funds involved in the transaction restored but with a portion distributed as processing and transactional cost fees as described herein.”). The same motivation which is applied to claim 8 with respect to Walters applies to claim 13. Claims 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Maida, Walters, and further in view of US-PGPUB No. 2007/0089172 A1 to Bare et al. (hereinafter “Bare”) Regarding claim 9: The combination of Stokes, Maida and Walters discloses the computer-implemented method of claim 8, but does not explicitly disclose the following limitation taught by Bare: wherein when there is more than one source dataset in the network, the step of determining a procedure for returning comprises: determining which network event between the first dataset and further datasets occurred first (Bare, ¶44: “… recursive actions may not only be applied forward but may also be applied backward (i.e., in reverse) to determine if suspect node A may have been the recipient of the SRT from another node on the network. In an example, suspect node A in a previous time (i.e., t.sub.1 t.sub.0) has shown to be in communication with node E (section 402).”, see Fig. 4, a diagram illustrating a simple snapshot of blocks of flow data in FHR 226.); adding details of this network event to the forensic report for future use of returning the data associated with the network security threat associated with this network event to the further dataset (Bare, ¶34: “… a network management station (NMS) 224 may take a snapshot of the network flow at a point in time and may store the flow data (e.g., the source address, destination address, date and time, etc.) in a FHR 226.”, FHR- Forensic Historical Repository); and if it is determined that some data associated with the network security threat will remain in the first dataset after the future use of returning repeating steps (i) to (iii) (Bare, ¶43: “Depending upon the severity of the SRT, recursive actions to expand the tracking of the affected trail to identify further suspect nodes may be implemented.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes, Maida and Walters to incorporate the functionality of the computer-implemented method of ascertaining an infected node in a network of nodes, as disclosed by Bare, such modification would allow the system to perform forensic analysis by analyzing a repository of flow data to determine the primary suspected node and the time period that the attack may have happened, wherein an in-depth forensic analysis may be performed in reverse order to determine how the primary suspect node may have been infected. Regarding claim 10: The combination of Stokes, Maida, Walters and Bare discloses: The computer-implemented method of claim 9, further comprising when the further dataset that the data is to be returned to is an intermediate dataset: iv. determining at this intermediate dataset which network event between this intermediate dataset and the further datasets occurred first (Bare, ¶44: “… determine if suspect node A may have been the recipient of the SRT from another node on the network. … if node E is determined to be infected, then remedial action may be applied to node E. … additional research may be made to track back as far as necessary to identify other infected nodes and to confirm that "patient zero" has been identified”, see Fig. 4, section 402); adding details of this network event to the forensic report for future use of returning the data associated with the network security threat associated with this network event to the further dataset associated with this network event (Bare, ¶34: “… a network management station (NMS) 224 may take a snapshot of the network flow at a point in time and may store the flow data (e.g., the source address, destination address, date and time, etc.) in a FHR 226.”, FHR- Forensic Historical Repository); if it is determined that some data associated with the network security threat will remain in the intermediate dataset after the future use of returning repeating steps (iv) to (vi) (Bare, ¶43: “Depending upon the severity of the SRT, recursive actions to expand the tracking of the affected trail to identify further suspect nodes may be implemented.”). The same motivation which is applied to claim 9 with respect to Bare applies to claim 10. Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Maida, Walters, Bare and further in view of US-PGPUB No. 2015/0326460 A1 to Wang et al. (hereinafter “Wang”) Regarding claim 11: The combination of Stokes, Maida and Walters discloses the computer-implemented method of claim 8, but does not explicitly disclose the following limitation taught by Bare: wherein when there is more than one source dataset in the network, the step of determining a procedure for returning comprises: adding details of each network event and their contribution to the forensic report for future use of returning the data associated with the network security threat associated with each network event to the further datasets based on their identified contribution (Bare, ¶27-28: “… the NMS may take a snapshot of the network flow data at a block of time and may store the flow data in the FHR. … Once a SRT has been confirmed, the users/administrators may methodically perform forensic analysis on the historical data stored on the FHR to determine the affected trail.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes, Maida and Walters to incorporate the functionality of the computer-implemented method of ascertaining an infected node in a network of nodes, as disclosed by Bare, such modification would allow the system to perform forensic analysis by analyzing a repository of flow data to determine the primary suspected node and the time period that the attack may have happened, wherein an in-depth forensic analysis may be performed in reverse order to determine how the primary suspect node may have been infected. However, the combination of Stokes, Maida, Walters and Bare does not explicitly disclose the following limitation taught by Wang: identifying the contribution each network event between the first dataset and further datasets made to the data associated with the network security threat at the flagged network event (Wang, ¶19: “… security incidents, events, targets, network flows, combinations thereof, and/or the like may be correlated to identify, for example, compromised servers, hosts, systems, applications, combinations thereof …”, ¶85: “… a view of correlations between a target 811 with multiple paths (e.g. 813), and a target 814 with multiple events (e.g. 815) … Path 813: traverses as flow 827 from source node 821 to intermediate node 822; …”); It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes, Maida, Walters and Bare to incorporate the functionality of the network flow monitoring and analysis system to correlate security events, targets, and network flows, as disclosed by Wang, such modification would allow the system to apply correlations to various applications such as, for example, network defense, situation awareness, incident handling, attack mitigation, forensics, combinations thereof, and/or the like, and in real-time (or near real-time) to identify compromised servers, hosts, systems, applications, combinations thereof, and/or the like within networks, employing correlations in real-time (or near real-time) to detect malware command and control servers and to seek out sources of attack. Regarding claim 12: The combination of Stokes, Maida, Walters, Bare and Wang the computer-implemented method of claim 11, further comprising for each of the datasets that the data is to be returned to that are an intermediate dataset: adding details of these network event and their contribution to the forensic report for future use of returning the data associated with the network security threat associated with each network event to the further datasets based on their identified contribution (Bare, ¶27-28: “… the NMS may take a snapshot of the network flow data at a block of time and may store the flow data in the FHR. … Once a SRT has been confirmed, the users/administrators may methodically perform forensic analysis on the historical data stored on the FHR to determine the affected trail.”). The same motivation which is applied to claim 11 with respect to Bare applies to claim 12. identifying a contribution each network event between the intermediate dataset and further datasets made to the data associated with the network security threat at the intermediate dataset (Wang, ¶19: “… security incidents, events, targets, network flows, combinations thereof, and/or the like may be correlated to identify, for example, compromised servers, hosts, systems, applications, combinations thereof …”, ¶86: “… a view of correlations between a path 911 with multiple paths (e.g. 913), and a path 914 with multiple events (e.g. 917) … is a view of the correlations between two paths 911 and 913 with multiple events (e.g. 915 and 917 respectively), … traverses as virtual flow 928 from intermediate node 922 to intermediate node 923; …”); The same motivation which is applied to claim 11 with respect to Wang applies to claim 12. Claims 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Maida, and further in view of US-PGPUB No. 2020/0201989 A1 to Shu et al. (hereinafter “Shu”) Regarding claim 16: The combination of Stokes and Maida discloses the computer-implemented method of claim 1, but does not explicitly teach the following limitation taught by Shu: wherein the tracing of the data associated with the network security threat comprises tracing a flow of the data associated with the network security threat backwards and forwards between the source dataset and the destination dataset (Shu, ¶106: “… an automatic causality tracking method and system … provides for multi-point causality tracking for cybersecurity, preferably as three (3) sub-tasks, namely: backward tracking, forward tracking, and path-finding.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes and Maida to incorporate the functionality of the automatic causality tracking method to provide for multi-point causality tracking for cybersecurity, namely: backward tracking, forward tracking, and path-finding, as disclosed by Shu, such modification would enable the system to track early compromises or attack elements in its upstream causality chain, and to evaluate their impacts. Regarding claim 20: Claim 20 recites substantially the same limitations as claim 16 in the form of a non-transitory computer-readable storage medium storing instructions. Therefore, it is rejected by the same rationale. Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Maida, US-PGPUB No. 2021/0133648 A1 to Bennett et al. (hereinafter “Bennett”), and further in view of USPAT No. 11128658 B2 to Cheng et al. (hereinafter “Cheng”) Regarding claim 17: The combination of Stokes and Maida discloses the computer-implemented method of claim 1, but fails to explicitly disclose the following limitation taught by Bennett: wherein the forensic report indicates data to be returned to the source dataset(s) (Bennett, ¶20: “… transaction-related data includes return or chargeback data, … fraud reports identifying suspected fraudulent completed transactions, …”) and […] It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes and Maida to incorporate the functionality of the computer-implemented method for evaluating data security of a target system to store transaction related (return or chargeback) data in a datastore, as disclosed by Bennett, such modification would enable the system to identify fraud related target systems. The combination of Stokes, Maida and Bennett fails to explicitly disclose the following limitation taught by Cheng: [wherein the forensic report indicates] … […] one or more paths through the network of datasets that the data would take to reconstruct the source dataset(s) (Cheng, col 5, lines 27-32: “all routers may embed partial path information into IP packet headers when the packets traverse through a network. The destination (e.g., the victim) may use the marking information in multiple packets to reconstruct the routing path or source address of a packet stream.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes, Maida and Bennett to incorporate the functionality of the method to implement marking-based IP traceback, wherein routers embed partial path information into IP packet headers when the packets traverse through a network, as disclosed by Cheng, such modification would enable the system to reconstruct the routing path or source address of a packet stream to identify and locate an attack source. Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Stokes, and further in view of Shu Regarding claim 18: Stokes discloses the system of claim 14, but does not explicitly teach the following limitation taught by Shu: wherein the tracing module is configured to trace a flow of the data associated with the network security threat backwards and forwards between the source dataset and the destination dataset (Shu, ¶106: “… an automatic causality tracking method and system … provides for multi-point causality tracking for cybersecurity, preferably as three (3) sub-tasks, namely: backward tracking, forward tracking, and path-finding.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Stokes to incorporate the functionality of the automatic causality tracking method to provide for multi-point causality tracking for cybersecurity, namely: backward tracking, forward tracking, and path-finding, as disclosed by Shu, such modification would enable the system to track early compromises or attack elements in its upstream causality chain, and to evaluate their impacts. Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Stokes, Bennett, and further in view of Cheng Regarding claim 19: Stokes discloses the system of claim 14, but does not explicitly teach the following limitation taught by Bennett: wherein the forensic report generating module is configured to generate the forensic report to indicate data to be returned to the source dataset(s) (Bennett, ¶20: “… transaction-related data includes return or chargeback data, … fraud reports identifying suspected fraudulent completed transactions, …”) and […] It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Stokes to incorporate the functionality of the computer-implemented method for evaluating data security of a target system to store transaction related (return or chargeback) data in a datastore, as disclosed by Bennett, such modification would enable the system to identify fraud related target systems. The combination of Stokes and Bennett fails to explicitly disclose the following limitation taught by Cheng: [generate the forensic report to indicate …] […] one or more paths through the network of datasets that the data would take to reconstruct the source dataset(s) (Cheng, col 5, lines 27-32: “all routers may embed partial path information into IP packet headers when the packets traverse through a network. The destination (e.g., the victim) may use the marking information in multiple packets to reconstruct the routing path or source address of a packet stream.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Stokes and Bennett to incorporate the functionality of the method to implement marking-based IP traceback, wherein routers embed partial path information into IP packet headers when the packets traverse through a network, as disclosed by Cheng, such modification would enable the system to reconstruct the routing path or source address of a packet stream to identify and locate an attack source. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William R. Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /M.H./Examiner, Art Unit 2491 /DANIEL B POTRATZ/Primary Examiner, Art Unit 2491
Read full office action

Prosecution Timeline

Show 15 earlier events
Aug 27, 2025
Final Rejection mailed — §103
Oct 24, 2025
Request for Continued Examination
Oct 24, 2025
Response after Non-Final Action
Nov 24, 2025
Request for Continued Examination
Dec 05, 2025
Response after Non-Final Action
Jan 06, 2026
Non-Final Rejection mailed — §103
Apr 03, 2026
Response Filed
Jun 17, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12671714
LIMITING THE ABILITY OF RANSOMWARE TO SPREAD WITHIN A DATA CENTER
3y 2m to grant Granted Jun 30, 2026
Patent 12671700
METHOD FOR TRACING PATH OF ATTACK ON SMART CONTRACT ON BLOCKCHAIN
2y 9m to grant Granted Jun 30, 2026
Patent 12659297
APPARATUS AND METHOD FOR INTRUSION DETECTION AND PREVENTION OF CYBER THREAT INTELLIGENCE
2y 8m to grant Granted Jun 16, 2026
Patent 12652296
SYSTEM, METHOD, AND COMPUTER PROGRAM FOR APPLICATION PROGRAMMING INTERFACE (API) SECURITY
2y 1m to grant Granted Jun 09, 2026
Patent 12621263
IMAGE FORMING APPARATUS CAPABLE OF NOTIFYING USER OF ERROR CAUSED DUE TO ZT MODE, METHOD OF CONTROLLING IMAGE FORMING APPARATUS, AND STORAGE MEDIUM
4y 0m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

9-10
Expected OA Rounds
78%
Grant Probability
96%
With Interview (+18.3%)
3y 0m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 111 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month