Prosecution Insights
Last updated: July 17, 2026
Application No. 17/656,020

METHOD AND DEVICE FOR DETECTING FUZZING ANALYSIS ON AN ELECTRONIC DEVICE

Non-Final OA §103
Filed
Mar 23, 2022
Examiner
BREENE, PAUL J
Art Unit
2129
Tech Center
2100 — Computer Architecture & Software
Assignee
NXP Semiconductors N.V.
OA Round
3 (Non-Final)
62%
Grant Probability
Moderate
3-4
OA Rounds
0m
Est. Remaining
86%
With Interview

Examiner Intelligence

Grants 62% of resolved cases
62%
Career Allowance Rate
39 granted / 63 resolved
+6.9% vs TC avg
Strong +24% interview lift
Without
With
+24.2%
Interview Lift
resolved cases with interview
Typical timeline
4y 2m
Avg Prosecution
7 currently pending
Career history
83
Total Applications
across all art units

Statute-Specific Performance

§101
1.8%
-38.2% vs TC avg
§103
92.5%
+52.5% vs TC avg
§102
4.8%
-35.2% vs TC avg
§112
0.4%
-39.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 63 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on December 15th, 2025 has been entered. Response to Arguments Applicant’s arguments with respect to claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 5-6, 8-9, 11, 14-15, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over “A Data Mining Framework for Securing 3G Core Network from GTP Fuzzing Attacks,” Center of Excellence in Information Assurance (CoEIA), King Saud University (KSU), Ahmed et al; Ahmed in view of “Sequence-aware Intrusion Detection in Industrial Control Systems,” Caselli et al; Caselli, further in view of US Pre-Grant Patent 2020/0137103 (Ngo et al; Ngo). Regarding claim 1 and analogous claim 11: 1. A method for detecting a fuzzing analysis in a first device, the method comprising: (Ahmed, Abstract) “In this paper, we present the design of a multi-layer framework to detect fuzzing attacks targeted to GTP control (GTP-C) packets.” 2. receiving a new message of a message type from a second device; (Ahmed, pg. 283, Sect. 3.1, ¶1) “Whenever a user needs to send/receive packet data from external network, it re quests the network to activate a PDP context. On receiving such a request, the SGSN [i.e. a second device;] sends a Create PDP context Request message containing IMSI number of the user,(Access Point NAme) APN and Tunnel Endpoint Identifiers (TEID) for GTP-C and GTP-U plane, to GGSN [i.e. receiving a new message of a message type].” 3. determining the message type of the new message by analyzing the new message; (Ahmed, pg. 286, Sect. 5, ¶1) “The detection framework perform byte-level analysis of the incoming GTP-C packets and classify them as normal or malformed [i.e. determining the message type of the new message by analyzing the new message;].” 4. predicting the message type of the new message from previously received messages; (Ahmed, pg. 287, Sect. 5.1, ¶1) “The PBA module acts separately for each type of GTP control packet. Its inputs are the validated GTP packets. The validation process is done through an input interface, which checks input packets for explicit errors like invalid message type. For each packet, it performs a byte-level analysis…The transition between two states is represented as sxy and that the transition probability as τxy. This gives a state transition probability matrix calculated as F : S × P → τ(S)where,F is a transition function. The PBA computes τ(S) for each packet and outputs the probability matrix which is used by the decision module [i.e. predicting the message type of the new message from previously received messages;].” Examiner notes that the packet byte analyzer uses a time discrete Markov chain to predict the state of the newly received messages. Ahmed does not explicitly teach: 1. determining a likelihood that the predicted message type matches the determined message type of the new message; 2. and triggering an alert of the fuzzing analysis based on the likelihood being below a threshold likelihood value; 3. and performing an action to hinder the fuzzing analysis based on the triggering of the alert. Caselli teaches: 1. determining a likelihood that the predicted message type matches the determined message type of the new message; (Caselli, pg. 19, col. 2, Sect. 7.2, ¶1) “In the detection phase we evaluate differences between trained DTMCs and DTMCs built up during detection. The detection mechanism flags as “anomalous” a DTMC state created in the detection phase that does not match with any state of a DTMC created in training phase. The same check is performed by looking for new transitions (between known states). Finally, given a known DTMC state (a state included in one of the training models), the detection algorithm looks at its transition set and computes the difference between the probability values measured in the learning phase and the new ones [i.e. determining a likelihood that the predicted message type matches the determined message type of the new message;].” Examiner notes that DTMC refers to discrete-time Markov chain. 2. and triggering an alert of the fuzzing analysis based on the likelihood being below a threshold likelihood value; (Caselli, pg. 20, col. 1, Sect. 7.2, ¶1) “The detection procedure based on DTMC state distances defines a threshold θ. If the result of Equations 1 or 2 exceeds θ, the detection mechanism triggers an alert to the user showing the involved DTMC state and its semantic meaning [i.e. and triggering an alert of the fuzzing analysis based on the likelihood being below a threshold likelihood value;].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed with Caselli. Ahmed recognizes the need to detect fuzzing attacks directed to protocol control packets and already uses probabilistic model-based analysis to classify malformed packet traffic, while Caselli teaches that network intrusion detection can be improved by modeling the temporal sequence of protocol messages and identifying unknown or statistically deviant transitions. The combination would have predictably improved Ahmed’s fuzzing detector by causing the detector to evaluate whether a newly received message type is expected in view of previously received messages, rather than relying only on isolated packet-byte or field-level features. As Caselli states, “Common intrusion detection systems (IDSs) generally search for single events that either show clearly malicious or at least “unusual” characteristics. However, sequence attacks do not involve such characteristics and are likely to pass through unnoticed (Caselli, pg. 14, col. 1, Sect. 1, ¶2).” Neither Ahmed nor Caselli teaches: 1. and performing an action to hinder the fuzzing analysis based on the triggering of the alert. Ngo teaches: 1. and performing an action to hinder the fuzzing analysis based on the triggering of the alert. (Ngo, ¶0036) “In one or more embodiments, the present invention utilizes a supervised machine learning method (e.g., a neural network) to automatically scan customer profiles, generate new protection rules, and enforce these rules across all affected customers to block malicious traffic and prevent likely attacks [i.e. and performing an action to hinder the fuzzing analysis based on the triggering of the alert].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is to improve the fuzzing detection system by enforcing rules after the malicious attack is discovered, to “perform an intermediate mitigation action that reduces a functionality of the computer system resource in the particular computer system until a solution is implemented that both restores the functionality of the computer system resource in the particular computer system and mitigates the vulnerability of the particular computer system to the malicious attack (Ngo, Abstract).” Regarding claim 2: Ahmed, Caselli, and Ngo teach the method of claim 1. Ngo teaches: 1. wherein the action comprises one or more of forbidding a query type, disabling one or more parts of a protocol enabling communication between the first device and the second device, enabling additional checks or countermeasures, rebooting or resetting the first device, erasing firmware in the first device, erasing a memory of the first device, sending a fake response message to the second device, sending a message to alert a server of the fuzzing analysis, or asking a user to perform an additional task. (Ngo, ¶0037) “It does this by an intermediate measure that is derived by applying policy enforcement changes based on CVE data that is collected in near real time. The solution involves the use of natural language processing of CVE databases to evaluate the risk, scope and exploit vector of the CVE. This information is then used to automate changes inside a customer's computer resources to protect them (in an intermediate manner) from the exposure that this vulnerability presents. Such intermediate changes to the customer's computer resources (e.g., a network) include, but are not limited to, limiting what devices/parties (if any) are allowed to access the vulnerable resource, change signatures (e.g., passwords) required to access the vulnerable resource, change what agents of the host are allowed to access the vulnerable resource, changing the software and/or hardware configuration of the vulnerable resource, applying a temporary patch that limits and/or stops access to the vulnerable resource, etc [i.e. wherein the action comprises one or more of… enabling additional checks or countermeasures,].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is the same as claim 1. Regarding claim 5 and analogous claim 14: Ahmed, Caselli, and Ngo teach the method of claim 1. Caselli teaches: 1. wherein the alert is triggered after a plurality of comparisons indicating the likelihood is below the threshold likelihood value. (Caselli, col. 1, pg. 20, ¶1) “The detection procedure based on DTMC state distances defines a threshold θ. If the result of Equations 1 or 2 exceeds θ, the detection mechanism triggers an alert to the user showing the involved DTMC state and its semantic mean ing. The proper definition of the threshold value strongly impacts the performance of a “sequence-aware” NIDS. If θ is too high the accuracy of the NIDS increases (fewer false positives) but its comprehensiveness decreases (more false negatives). On the other hand, if θ is too low the resulting high number of false positives is likely to make the NIDS ineffective [i.e. wherein the alert is triggered after a plurality of comparisons indicating the likelihood is below the threshold likelihood value].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is the same as claim 1. Regarding claim 6 and analogous claim 15: Ahmed, Caselli, and Ngo teach the method of claim 1. Ahmed teaches: 1. wherein the method is implemented in a program comprising instructions stored in a non-transitory storage medium and executed by a processor in the first device. (Ahmed, pg. 282, Sect. 3, ¶4) “GPRS is an extension GSM, in fact it has been overlaid on the already existing GSMinfrastructure [15]. To handle packet data, a Packet Control Unit(PCU) is introduced at Base Transceiver Station(BTS). Besides that two GPRS support nodes(GSNs) have been added to the structure. SGSN is connected with many BTSs analogous to BSC, and serves to transfer data requests over the network.” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is the same as claim 1. Regarding claim 8 and analogous claim 17: Ahmed, Caselli, and Ngo teach the method of claim 1. Ngo teaches: 1. wherein the message type of the new message is a request for data. (Ngo, ¶0069 “As shown in block 505, the request/API/call is validated according to a policy of a particular customer/owner of the affected computer resource by determining whether a change to the affected computer resource is needed.” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is the same as claim 1. Regarding claim 9 and analogous claim 18: Ahmed, Caselli, and Ngo teach the method of claim 1. Caselli teaches: 1. wherein the new message is a malformed request for data, and wherein the malformed request for data has a relatively low likelihood value. (Caselli, pg. 19, col. 1, ¶1) “We argue that it is unlikely to have many false positives related to “Unknown Probability” anomalies. This mainly comes from the robustness of such a parameter. Substantial changes in the probability values of a Markov chain mean a considerable modification in the way events are correlated within the system under control. Actions of this kind cannot be frequent. For this reason a S-IDS should always notify “Unknown Probability” anomalies [i.e. wherein the new message is a malformed request for data, and wherein the malformed request for data has a relatively low likelihood value].” Examiner interprets the “malformed request for data” to be a false-positive. One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is the same as claim 1. Regarding claim 20: Ahmed, Caselli, and Ngo teach the method of claim 1. Ahmed teaches: 1. wherein determining the message type of the new message by analyzing the new message further comprises using instruction execution circuitry of a processor to decode the new message to determine the message type. (Ahmed, pg. 285, Sect. 4.2, ¶2) “Our fuzzed dataset consists of packets with fuzzed fields such as message type field. Fuzzing this type of field changes the message type, for example, from Create PDP Context Request message (messagetype=0x10) to some other message type, which may result in a message type that is not recognizable by the GGSN or in a message type that GGSN is not expected to receive.” (Ahmed, pg. 286, Sect. 5, ¶1) “Firstly, it reduces the processing overhead by the simultaneous analysis of different GTP control packets and secondly, it allows a deeper level of inspection by analyzing each packet type according to its use of extension headers as explained in section 4.2 [i.e. to decode the new message to determine the message type]. The detection framework perform byte-level analysis of the incoming GTP-C packets and classify them as normal or malformed [i.e. wherein determining the message type of the new message by analyzing the new message further comprises using instruction execution circuitry of a processor].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify Ahmed and Caselli with Ngo. The motivation is the same as claim 1. Claims 3-4 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over “A Data Mining Framework for Securing 3G Core Network from GTP Fuzzing Attacks,” Center of Excellence in Information Assurance (CoEIA), King Saud University (KSU), Ahmed et al; Ahmed in view of “Sequence-aware Intrusion Detection in Industrial Control Systems,” Caselli et al; Caselli, further in view of US Pre-Grant Patent 2020/0137103 (Ngo et al; Ngo), further in view of “LSTM-Based Intrusion Detection System for In-Vehicle Can Bus Communications,” IEEE Access Vol. 8, 2020 (Hossain et al; Hossain). Regarding claim 3 and analogous claim 12: Ahmed, Caselli, and Ngo teach the method of claim 1. Neither Ahmed, Caselli, and Ngo teach: 1. wherein predicting the message type of the new message is performed using a machine learning model in the first device. Hossain teaches: 1. wherein predicting the message type of the new message is performed using a machine learning model in the first device. (Hossain, pg. 1, col. 2, ¶3) “The CAN bus protocol is effective for vehicular network systems because of its low cost and centralized system. The ECUs communicate with messages by using the CAN protocol [I.e. wherein predicting the message type of the new message].” (Hossain, pg. 2, col. 2, ¶1) “We propose Long Short-term Memory (LSTM) based IDS for detecting attacks in the CAN bus system of a vehicle [i.e. is performed using a machine learning model in the first device].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify the combination of Ahmed, Caselli, and Ngo with Hossain. It would have been obvious to attempt to improve the system with the use of machine learning, as stated in Hossain: “LSTM is a powerful deep learning classifier that was created to address the look-back-in-time issue of Recurrent Neural Networks (RNN). We employ a deep learning algorithm because artificial intelligence (AI) is the contemporaneous dominant technology with proven applications in various fields such as image recognition, voice recognition, weather forecasting, market analysis, etc (Hossain, pg. 2, col. 2, ¶1).” Regarding claim 4 and analogous claim 13: Ahmed, Caselli, and Ngo teach the method of claim 1. Neither Ahmed, Caselli, and Ngo teach: 1. wherein the machine learning model comprises a long short-term memory (LSTM) neural network. Hossain teaches: 1. wherein the machine learning model comprises a long short-term memory (LSTM) neural network. (Hossain, pg. 2, col. 2, ¶1) “We propose Long Short-term Memory (LSTM) based IDS for detecting attacks in the CAN bus system of a vehicle [i.e. wherein the machine learning model comprises a long short-term memory (LSTM) neural network].” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify the combination of Ahmed, Caselli, and Ngo with Hossain. The motivation is the same as claim 3. Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over “A Data Mining Framework for Securing 3G Core Network from GTP Fuzzing Attacks,” Center of Excellence in Information Assurance (CoEIA), King Saud University (KSU), Ahmed et al; Ahmed in view of “Sequence-aware Intrusion Detection in Industrial Control Systems,” Caselli et al; Caselli, further in view of US Pre-Grant Patent 2020/0137103 (Ngo et al; Ngo), further in view of “TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection,” Wang et al; Wang. Regarding claim 7 and analogous claim 16: Ahmed, Caselli, and Ngo teach the method of claim 1. Ahmed, Caselli, and Ngo teach the method of claim 1. Neither Ahmed, Caselli, nor Ngo teach: 1. wherein the method is capable of being disabled during software development in the first device. (Wang, pg. 12, Sect. 5, col. 2, ¶2) “From software testing point of view, some vulnerabilities could be hidden behind such complex application defenses (e.g., digital signatures). We suggest the software developers disable such defense mechanisms at testing phase.” One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify the combination of Ahmed, Caselli, and Ngo with Wang. The motivation is well-known in the discipline because fuzzing was a known software-testing technique, and Taintscope recommends that developers disable defense mechanisms during testing where such defenses would otherwise hide vulnerabilities. Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over “A Data Mining Framework for Securing 3G Core Network from GTP Fuzzing Attacks,” Center of Excellence in Information Assurance (CoEIA), King Saud University (KSU), Ahmed et al; Ahmed in view of “Sequence-aware Intrusion Detection in Industrial Control Systems,” Caselli et al; Caselli, further in view of US Pre-Grant Patent 2020/0137103 (Ngo et al; Ngo), further in view of “Bit-Split String-Matching Engines for Intrusion Detection and Prevention,” ACM Transactions on Architecture and Code Optimization, Vol. 3, No. 1, March 2006, Tan et al; Tan. Regarding claim 10 and analogous claim 19: Ahmed, Caselli, and Ngo teach the method of claim 1. Ahmed teaches: 1. wherein fuzzing analysis detection [is enabled or disabled using a control bit stored in a memory]. (Ahmed, Sect. 6, pg. 288, ¶1) “In this section we evaluate the performance of the proposed GTP-C fuzzing detection framework [i.e. wherein fuzzing analysis detection].” Tan teaches: 1. [wherein fuzzing analysis detection] is enabled or disabled using a control bit stored in a memory. (Tan, Sect. 6.2, pg. 29, ¶2) “The register file has eight registers, which control the functionality of the SME. The first register, bytein, accepts in a byte of data stream to be searched as input. The next register is data enable, which enables the string match engine [i.e. is enabled or disabled using a control bit stored in a memory].” The config data low register r takes in the lower 32 bits of data to be written to a tile in one of the rule modules, while the config data up register takes in the upper 16 bits. The int address register takes the address of memory to write to. The address indicates which rule module, tile, and state in that tile to write to. Each write copies over an entire state worth of data, including the next-state transitions and the partial-match vector One of ordinary skill in the art, at the time the invention was filed, would have been motivated to modify the combination of Ahmed, Caselli, and Ngo with Tan. The motivation is to predictably modify the framework of Ahmed-Caselli with a bit in memory that enables or disables certain functions of the device, as “Through the careful codesign and optimization of our architecture…it is possible to build a system that is 10 times more efficient than the currently best known approaches (Tan, Abstract).” Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL JUSTIN BREENE whose telephone number is (571)272-6320. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web- based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael J Huntley can be reached on 303-297-4307. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786 9199 (IN USA OR CANADA) or 571-272-1000. /P.J.B./ Examiner, Art Unit 2129 /MICHAEL J HUNTLEY/Supervisory Patent Examiner, Art Unit 2129
Read full office action

Prosecution Timeline

Show 2 earlier events
Jun 18, 2025
Response Filed
Oct 17, 2025
Final Rejection mailed — §103
Dec 15, 2025
Response after Non-Final Action
Jan 20, 2026
Request for Continued Examination
Jan 27, 2026
Response after Non-Final Action
Feb 12, 2026
Examiner Interview Summary
Feb 12, 2026
Applicant Interview (Telephonic)
Jun 29, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12664396
FRAMEWORK FOR ESTIMATION OF RESOURCE USAGE AND EXECUTION TIME OF WORKLOADS IN A HETEROGENEOUS INFRASTRUCTURE
4y 8m to grant Granted Jun 23, 2026
Patent 12585959
Framework for Learning to Transfer Learn
2y 7m to grant Granted Mar 24, 2026
Patent 12579427
EMBEDDING OPTIMIZATION FOR MACHINE LEARNING MODELS
4y 5m to grant Granted Mar 17, 2026
Patent 12578718
MODEL CONSTRUCTION SUPPORT SYSTEM AND MODEL CONSTRUCTION SUPPORT METHOD
4y 0m to grant Granted Mar 17, 2026
Patent 12572792
GOAL-SEEK ANALYSIS WITH SPATIAL-TEMPORAL DATA
5y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
62%
Grant Probability
86%
With Interview (+24.2%)
4y 2m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 63 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month