Prosecution Insights
Last updated: July 17, 2026
Application No. 17/376,182

Method of Handling Security of an Operating System

Final Rejection §103
Filed
Jul 15, 2021
Priority
Nov 19, 2020 — provisional 63/115,622
Examiner
SAVENKOV, VADIM
Art Unit
2432
Tech Center
2400 — Computer Networks
Assignee
Moxa Inc.
OA Round
6 (Final)
62%
Grant Probability
Moderate
7-8
OA Rounds
0m
Est. Remaining
82%
With Interview

Examiner Intelligence

Grants 62% of resolved cases
62%
Career Allowance Rate
193 granted / 314 resolved
+3.5% vs TC avg
Strong +21% interview lift
Without
With
+20.8%
Interview Lift
resolved cases with interview
Typical timeline
3y 4m
Avg Prosecution
30 currently pending
Career history
371
Total Applications
across all art units

Statute-Specific Performance

§101
1.6%
-38.4% vs TC avg
§103
92.0%
+52.0% vs TC avg
§102
2.6%
-37.4% vs TC avg
§112
2.3%
-37.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 314 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment / Arguments Regarding claims rejected under 35 USC 103: Applicant's arguments have been fully considered but they are not persuasive. Applicant argues against the Ahmed-Bargury-Bhalotra combination, writing that “the security services of Bargury utilizes a machine learning model to detect unused open ports on machines connected to a cloud-based service and thereby prevents the open ports from being attacked. In comparison, the background of the instant application involves security developer(s) to develop a bunch of rules for defining (e.g., restricting) access and transition rights (authorities) of user(s), user space application(s), process(es), director(ies) and (configuration) file(s) in an operating system… the security threat model of the instant application is created according to the plurality of activities occurred in a kernel space of the operating system, while the detecting of open ports on computer networks in Barbury is nothing to do with the kernel space. In other words, the first system test performed on the security model of the instant application is different from the testing of the machine learning model of Bargury.” In response to Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, the Ahmed reference teaches recording a plurality of activities that occurred in a kernel space of an OS. For instance, [0118] of Ahmed states that “[t]he terms ‘computing resource process,’ ‘computer resource process’ or ‘CR process,’ as used in this disclosure, means a computing resource that is in execution or in a state of being executed on an operating system or an operating system kernel of a computing device. Every computing resource that is created, opened or executed on or by the operating system can create a corresponding ‘CR process.’” Additionally, [0062] and [0071] of Ahmed state that “[f]or each computing resource, the data structure can include, for example, CRP identification data, CRP state data, and CRP control data to uniquely identify each corresponding CR process when running on the OS kernel” and that “DB 120D can be arranged to contain information about each computer resource in the computing device 30 (shown in FIG. 1), including computer resources 190. The DB 120D can contain, for example, configuration data, Internet Protocol (IP) address, media access control (MAC) address, policies, or rules. The database 12D can be arranged to store the records of: operating systems or OS kernels; instantiated CR processes, including, for example, instantiated CR process name, instantiated CR process identification number, instantiated CR cryptographic hash and instantiated CR process canonical path; CR process instantiation verification data, including, for example, CR process name, identification number, CR cryptographic hash and canonical path; SMA table data, including mutex, semaphore or atomic data; timestamps; event logs; and CRP whitelists.” Finally, [0082]-[0084] of Ahmed describe how “ransomware monitor 170 can be arranged to check and enumerate all CR processes running on the OS kernel. The ransomware monitor 170 can be arranged to monitor and enumerate every CR process running on or interacting with the OS kernel, including the CR process's file path (including, for example, canonical path), process name, process cryptographic hash and process identification number, which can be generated by the OS kernel for each CR process.” Both Bargury and Ahmed concern a learning and protect phase, as well as learning from collected log data, and the test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference; nor is it that the claimed invention must be expressly suggested in any one or all of the references. Rather, the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981). In this case, Bargury has been relied upon for its teachings concerning implement machine learning and model testing during a learning phase. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-3, 5-7 and 9-11, and 13-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed (US 2022/0050896 A1) in view of Bargury (US 2019/0286826 A1) and Bhalotra (US 10,397,255 B1). Regarding claim 1, Ahmed discloses: A method of handling security of an operation system, comprising turning on an unlocked mode of the operating system, and turning off an interactive mode of the operating system; Refer to at least [0089] and [0091] of Ahmed with respect to a learn mode and protect mode of an operating system to be secured, where the modes may be switched via timer or trigger. recording a plurality of activities occurred in a kernel space (e.g., [0071], [0082]-[0084], and [0118] of Ahmed with respect to recording resources of computer resources in an OS kernel) of the operating system in a list; creating a security threat model for the operating system according to the plurality of activities; Refer to at least [0041], [0055], [0063], [0069], and [0093]-[0100] of Ahmed with respect to recording computer resource process information during the learn mode, further including creating a record of normal behavior and implementing a whitelist. and turning off the unlocked mode, and turning on the interactive mode. Refer to at least [0041], [0060], [0082]-[0084], [0087], and [0102]-[0108] of Ahmed with respect to switching to the protect mode and implementing policy enforcement. performing a second system test on the security threat model or manually editing the security threat model; and Refer to at least 245-280 in FIG. 3A-B and [0102]-[0108] of Ahmed with respect to protect mode policy enforcement (e.g., checking computer resource processes for authorization). turning off the interactive mode after performing the second system test or manually editing the security threat model. Refer to at least 280-285 in FIG. 3B, [0104], and [0108] of Ahmed with respect to switching from the protect mode after a timer runs out. Ahmed does not disclose: performing a first system test on the security threat model; swapping the modes (“turning off the unlocked mode, and turning on the interactive mode”) being performed after performing the first system test; performing the second test or manually editing the security threat model after turning off the unlock mode and turning on the interactive mode; wherein the first system test is different from the second system test. However, in view of Bargury discloses: performing a first system test on the security threat model; swapping the modes (“turning off the unlocked mode, and turning on the interactive mode”) being performed after performing the first system test; Refer to at least FIG. 2 of Bargury with respect to a training phase followed by an execution phase, where the training phase includes testing the model. As per at least FIG. 2, [0006], [0039], [0041], and [0047], the training phase transitions to the execution phase after performing the testing. The teachings of Bargury likewise concern a learning and protect phase, as well as learning from collected log data. They are considered to be within the same field of endeavor and combinable as such. Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ahmed to further implement machine learning and model testing during the learning phase for the purpose of improving the accuracy of detecting normal behavior (e.g., [0044] and [0055] of Ahmed; [0006] and [0069] of Bargury concerning improved accuracy). Ahmed-Bargury does not specify: performing the second test or manually editing the security threat model after turning off the unlock mode and turning on the interactive mode; wherein the first system test is different from the second system test. However, Ahmed-Bargury in view of Bhalotra discloses: performing the second test or manually editing the security threat model after turning off the unlock mode and turning on the interactive mode; wherein the first system test is different from the second system test. Refer to at least Col. 3, Ll. 42-51, Col. 4, Ll. 50-53, Col. 12, Ll. 53-59, and Col. 13, Ll. 62-Col. 14, Ll. 21 of Bhalotra with respect to updating models (e.g., Col. 9, Ll. 4-37 of Bhalotra), including during the operational phase and using manual user feedback. As per Col. 13, Ll. 62-Col. 14, Ll. 21 of Bhalotra, switching may be performed after the operational phase back into the learning phase (although it is dispreferred due to potential disruptions). The teachings of Bhalotra also concern a learning and protect phase, as well as implementing security models. They are considered to be within the same field of endeavor and combinable as such. Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ahmed-Bargury to further implement testing and updating models during the protect mode for at least the reasons discussed in Col. 9, Ll. 24-37 and Col. 13, Ll. 62-Col. 14, Ll. 21 of Bhalotra (i.e., improved efficiency, less operational downtime, and adapting to constantly changing security issues). Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to the OS and kernel). Regarding claim 3, Ahmed-Bargury-Bhalotra discloses: The method of claim 1, wherein the unlocked mode is turned on in a security environment of the operating system. Refer to at least [0054] and [0060] of Ahmed with respect to the OS, Kernel, and cybersecurity system MDAP. Regarding claim 5, Ahmed-Bargury-Bhalotra discloses: The method of claim 1, further comprising: recording at least one of at least one port, a number of at least one program, at least one hash of the at least one program, an execution order of the at least one program, at least one timing offset and at least one peripheral equipment. Refer to at least [0057], [0061]-[0062], [0069], and [0071] of Ahmed with respect to information gathered about the computer resource processes, including process name, hash, timestamp, configuration data, and canonical path. Regarding claim 6, Ahmed-Bargury-Bhalotra discloses: The method of claim 1, further comprising: creating a plurality of rules for protecting the operating system according to the security threat model. Refer to at least [0041], [0055], [0063], [0069], [0071], and [0093]-[0100] of Ahmed with respect to obtaining normal behavior, a whitelist, and polices and rules for computer resource processes; databases and data structures storing such. Regarding claim 7, it is rejected for substantially the same reasons as claim 6 above (i.e., a size of a database / list / data structure being “related to” its level of granularity). Regarding independent claim 9, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., see the citations). Regarding claims 10-11 and 13-15, they are substantially similar to claims 3 and 5-7 above, and are therefore likewise rejected. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432 /V.S/Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Show 9 earlier events
Sep 16, 2024
Non-Final Rejection mailed — §103
Dec 02, 2024
Response Filed
Mar 19, 2025
Final Rejection mailed — §103
May 13, 2025
Request for Continued Examination
May 16, 2025
Response after Non-Final Action
Nov 10, 2025
Non-Final Rejection mailed — §103
Feb 03, 2026
Response Filed
Jun 26, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639449
SYSTEM AND METHOD FOR SCANNING CONTAINERS FOR VULNERABILITIES
2y 4m to grant Granted May 26, 2026
Patent 12632534
ACCESSING SECURE SYSTEM RESOURCES BY LOW PRIVILEGE PROCESSES
7y 12m to grant Granted May 19, 2026
Patent 12613999
DETECTING ELECTRONIC SYSTEM MODIFICATION
6y 10m to grant Granted Apr 28, 2026
Patent 12608482
DETERMINING A SECURITY SCORE IN BINARY SOFTWARE CODE
6y 5m to grant Granted Apr 21, 2026
Patent 12608501
Privacy-Preserving Log Analysis
5y 11m to grant Granted Apr 21, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

7-8
Expected OA Rounds
62%
Grant Probability
82%
With Interview (+20.8%)
3y 4m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 314 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month