Prosecution Insights
Last updated: July 05, 2026
Application No. 17/697,793

EXPANSION (E)-PORT SPOOFING DETECTION AND COUNTERMEASURES

Final Rejection §103
Filed
Mar 17, 2022
Examiner
MAI, KEVIN S
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
Dell Products L.P.
OA Round
4 (Final)
29%
Grant Probability
At Risk
5-6
OA Rounds
4m
Est. Remaining
56%
With Interview

Examiner Intelligence

Grants only 29% of cases
29%
Career Allowance Rate
126 granted / 430 resolved
-28.7% vs TC avg
Strong +26% interview lift
Without
With
+26.3%
Interview Lift
resolved cases with interview
Typical timeline
4y 8m
Avg Prosecution
39 currently pending
Career history
471
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
95.7%
+55.7% vs TC avg
§102
3.1%
-36.9% vs TC avg
§112
0.5%
-39.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 430 resolved cases

Office Action

§103
DETAILED ACTION This Office Action has been issued in response to Applicant's Amendment filed January 1, 2026. Claims 1 and 11 have been amended. Claims 1-13 and 17-23 have been examined and are pending. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant's arguments filed January 1, 2026 have been fully considered but they are not persuasive. Applicant argues Symons does not disclose monitoring to determine real changes to a fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions. The result of the comparison in Symons is detecting new devices or switches which is determining real changes to a fabric. Paragraph [0055] of Symons discloses the present invention allows a data center operator to quickly determine changes to the network infrastructure such as a new device 110 or switch 120 which has been added to the network. Applicant’s arguments are directed toward their detecting being fundamentally different than what occurs in Symons however as currently claimed it does not appear to capture this difference. Applicant argues in Kleinsteiber the changes do not actually occur and thus changes are not detected. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric). The reference states the zoning changes are made and thus appear to occur. Applicant argues the references in combination with Cohen do not disclose the limitation. The claims recite a variety of patterns involving changes in the number of switches and changes in zoning. Cohen discloses that identifying patterns among known indicators of compromise is known in the art. Symons and Kleinsteiber disclose that changes in the number of switches and changes in zoning are known indicators of compromise. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 2, 3, 6, 8, 9, 10, 12, 17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2004/0221047 to Grover (hereinafter “Grover”) and further in view of US Pub. No. 2003/0105881 to Symons et al. (hereinafter “Symons”) and further in view of US Pub. No. 2003/0163692 Kleinsteiber et al. (hereinafter “Kleinsteiber”). As to Claim 1, Grover discloses a computer-implemented intrusion detection method for identifying cybersecurity attack, the method comprising: obtaining network-related information about one or more switches or devices acting as switches in a Fibre Channel (FC) fabric (Paragraph [0048] of Grover discloses detects a possible security breach by determining that the extracted WWN of the PLOGI request has previously been logged into the device 30 with a different SID); examining at least some of the network-related information for presence of one or more indicators indicative of an unauthorized device attempting to compromise the FC fabric or has compromised the FC fabric, [at least one of the one or more indicators comprises: detecting, in real-time or near real-time, a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning] (Paragraph [0046] of Grover discloses the device 30 determines that the associated SID does not match the extracted SID. Accordingly, the device 30 determines that another host is already logged into the device 30 using the same WWN extracted from the PLOGI request. The device 30 is therefore alerted that a possible WWN spoofing has occurred); and in response to identifying at least one of the one or more indicators, generating an alert (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred). Grover does not explicitly disclose the one or more indicators comprising a change in a number of the one or more switches in the FC fabric. However, Symons discloses this. Paragraph [0023] of Symons discloses detect and prevent network intrusion in a network such as virtually-wired switching fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the intrusion detection system as disclosed by Grover, with detecting new switches as disclosed by Symons. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Grover and Symons are directed toward intrusion detection systems and as such it would be obvious to use the techniques of one in the other. Using the techniques of Symons in Grover would improve Grover’s ability to detect intrusions. Grover does not explicitly disclose a change in zoning. However, Kleinsteiber discloses this. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric). Paragraph [0055] of Symons discloses the present invention allows a data center operator to quickly determine changes to the network infrastructure such as a new device 110 or switch 120 which has been added to the network. It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the security system as disclosed by Grover, with using change in zoning as an indication as disclosed by Kleinsteiber. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Grover and Kleinsteiber are directed toward security systems and as such it would be obvious to use the techniques of one in the other. Paragraph [0055] of Grover discloses may perform this procedure in conjunction with other feature, e.g., zoning, to provide added measures of security. As to Claim 2, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the one or more indicators further comprise: detecting one or more segmentations, one or more link resettings, or both (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links). Examiner recites the same rationale to combine used for claim 1. As to Claim 3, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the unauthorized device is at least one of an unauthorized host that acts as a switch or a host bus adapter that acts as a switch (Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions). Examiner recites the same rationale to combine used for claim 1. As to Claim 6, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the cybersecurity attack comprises E-port spoofing (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred). As to Claim 8, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 7 wherein the alert comprises a risk score (Paragraph [0032] of Grover discloses personnel responsible for maintaining the storage device may be alerted if a possible security breach has occurred. In addition, or as an alternative, a security breach warning may be sent to a remote user console from the device, or to other network components that perform security functions for the FC network). As to Claim 9, Grover discloses a non-transitory computer-readable medium or media comprising one or more sequences of instructions which, when executed by at least one processor, causes steps to be performed comprising: receiving network information regarding one or more switches or devices acting as switches in a Fibre Channel (FC) fabric (Paragraph [0048] of Grover discloses detects a possible security breach by determining that the extracted WWN of the PLOGI request has previously been logged into the device 30 with a different SID); examining at least some of the network information for presence of one or more indicators indicative of an unauthorized device attempting to compromise the FC fabric or has compromised the FC fabric, [at least one of the one or more indicators comprises: detecting a change in a number of the switches or devices acting as switches in the FC fabric and a change in zoning] (Paragraph [0046] of Grover discloses the device 30 determines that the associated SID does not match the extracted SID. Accordingly, the device 30 determines that another host is already logged into the device 30 using the same WWN extracted from the PLOGI request. The device 30 is therefore alerted that a possible WWN spoofing has occurred); and in response to identifying at least one of the one or more indicators, generating an alert (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred). Grover does not explicitly disclose the one or more indicators comprising a change in a number of the one or more switches in the FC fabric. However, Symons discloses this. Paragraph [0023] of Symons discloses detect and prevent network intrusion in a network such as virtually-wired switching fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions. Examiner recites the same rationale to combine used for claim 1. Grover does not explicitly disclose a change in zoning. However, Kleinsteiber discloses this. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric). Examiner recites the same rationale to combine used for claim 1. As to Claim 10, Grover-Symons-Kleinsteiber discloses the non-transitory computer-readable medium or media of claim 9 wherein the one or more indicators further comprise, detecting one or more link segmentations, one or more link resettings, or both (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links). Examiner recites the same rationale to combine used for claim 1. As to Claim 12, Grover-Symons-Kleinsteiber discloses the non-transitory computer-readable medium or media of claim 9 wherein the step of examining is performed by a switch in the FC fabric or a remotely located device that uses the one or more indicators to predict a risk of a security breach of the FC fabric (Paragraph [0035] of Grover discloses an FC switch may verify a PLOGI request sent by a host to a storage device). As to Claim 17, Grover discloses a system for identifying cybersecurity attacks, the system comprising: one or more processors; and a non-transitory computer-readable medium or media comprising one or more sets of instructions which, when executed by at least one of the one or more processors, causes steps to be performed comprising: receiving network-related information regarding one or more switches or devices acting as switches in a Fibre Channel (FC) fabric (Paragraph [0048] of Grover discloses detects a possible security breach by determining that the extracted WWN of the PLOGI request has previously been logged into the device 30 with a different SID); examining at least some of the network-related information for presence of one or more indicators indicative of an unauthorized device attempting to compromise the FC fabric or has compromised the FC fabric, [at least one of the one or more indicators comprises: detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning] (Paragraph [0046] of Grover discloses the device 30 determines that the associated SID does not match the extracted SID. Accordingly, the device 30 determines that another host is already logged into the device 30 using the same WWN extracted from the PLOGI request. The device 30 is therefore alerted that a possible WWN spoofing has occurred); and in response to identifying at least one of the one or more indicators, generating an alert (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred). Grover does not explicitly disclose the one or more indicators comprising a change in a number of the one or more switches in the FC fabric. However, Symons discloses this. Paragraph [0023] of Symons discloses detect and prevent network intrusion in a network such as virtually-wired switching fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions. Examiner recites the same rationale to combine used for claim 1. Grover does not explicitly disclose a change in zoning. However, Kleinsteiber discloses this. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric). Examiner recites the same rationale to combine used for claim 1. As to Claim 19, Grover-Symons-Kleinsteiber discloses the system of claim 17 wherein the non-transitory computer-readable medium or media further comprises one or more sets of instructions which, when executed by at least one of the one or more processors, causes steps to be performed comprising using at least one of the one or more indicators to predict a risk of a security breach of the FC fabric (Paragraph [0032] of Grover discloses personnel responsible for maintaining the storage device may be alerted if a possible security breach has occurred. In addition, or as an alternative, a security breach warning may be sent to a remote user console from the device, or to other network components that perform security functions for the FC network). As to Claim 20, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the security breach comprises E-port spoofing (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred). Claims 4, 5, 7, 11, 13, 18, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Grover-Symons-Kleinsteiber and further in view of US Pub. No. 2024/0362321 to Cohen (hereinafter “Cohen”). As to Claim 4, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the one or more indicators further comprise: detecting one or more link segmentations, one or more link resettings, or both [preceding] an increase in a number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links). Examiner recites the same rationale to combine used for claim 1. Grover-Symons-Kleinsteiber does not explicitly disclose preceding. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the intrusion detection system as disclosed by Grover, with detecting sequences as disclosed by Cohen. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Grover and Cohen are directed toward intrusion detection systems and as such it would be obvious to use the techniques of one in the other. Paragraph [0003] of Cohen discloses such a technique is a broadly known cyber defense technique. As to Claim 5, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein indicator of detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning comprises: detecting an increase in a number of switches or devices acting as switches in the FC fabric [followed] by a change in zoning (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)). Grover-Symons-Kleinsteiber does not explicitly disclose followed. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 7, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the indicator of detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning comprises: detecting an increase in a number of switches in the FC fabric, [followed] by a change in zoning, [followed] by a decrease in the number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)). Grover-Symons-Kleinsteiber does not explicitly disclose followed. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 11, Grover-Symons discloses the non-transitory computer-readable medium or media of claim 9 wherein the one or more indicators further comprise: detecting one or more link segmentations, one or more link resettings, or both [preceding] an increase in a number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links). Examiner recites the same rationale to combine used for claim 1. Grover-Symons-Kleinsteiber does not explicitly disclose preceding. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 13, Grover-Symons discloses the non-transitory computer-readable medium or media of claim 9 wherein the indicator of detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning comprises: detecting an increase in a number of switches or devices acting as switches in the FC fabric, [followed] by a change in zoning, followed by a decrease or devices acting as switches in the number of switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)). Grover-Symons-Kleinsteiber does not explicitly disclose followed. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 18, Grover-Symons discloses the system of claim 17 wherein the one or more indicators further comprise detecting one or more link segmentations, one or more link resettings, or both that precede a change in the number of the switches or devices acting as switches (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links). Examiner recites the same rationale to combine used for claim 1. Grover-Symons-Kleinsteiber does not explicitly disclose preceding. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 21, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the one or more indicators further comprise: detecting an increase in a number of switches or devices acting as switches in the FC fabric [followed] by a change in zoning (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)). However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 22, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the one or more indicators further comprise: detecting an increase in a number of switches or devices acting as switches in the FC fabric, followed by a change in zoning, followed by a decrease in the number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)). Grover-Symons-Kleinsteiber does not explicitly disclose followed. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. As to Claim 23, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the one or more indicators further comprise: detecting one or more link segmentations, one or more link resettings, or both [followed] by an increase in a number of switches or devices acting as switches in the FC fabric, [followed] by a change in zoning, and [followed] by a decrease in the number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)). Grover-Symons-Kleinsteiber does not explicitly disclose followed. However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs). Examiner recites the same rationale to combine used for claim 4. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin S Mai whose telephone number is (571)270-5001. The examiner can normally be reached Monday to Friday 9AM to 5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KEVIN S MAI/Primary Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Show 6 earlier events
Mar 15, 2025
Response after Non-Final Action
Apr 13, 2025
Request for Continued Examination
Apr 22, 2025
Response after Non-Final Action
Oct 01, 2025
Non-Final Rejection mailed — §103
Jan 02, 2026
Response Filed
May 05, 2026
Final Rejection mailed — §103
Jul 02, 2026
Applicant Interview (Telephonic)
Jul 02, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12657306
BMC BASED HROT IMPLEMENTATION ESTABLISHING CHAIN OF TRUST IN A SECURED SERVER SYSTEM
3y 5m to grant Granted Jun 16, 2026
Patent 12506731
Conference Data Sharing Method and Conference Data Sharing System Capable of Communicating with Remote Conference Members
4y 8m to grant Granted Dec 23, 2025
Patent 12413610
ASSESSING SECURITY OF SERVICE PROVIDER COMPUTING SYSTEMS
3y 9m to grant Granted Sep 09, 2025
Patent 12406064
PRE-BOOT CONTEXT-BASED SECURITY MITIGATION
3y 3m to grant Granted Sep 02, 2025
Patent 12363200
PROVIDING EVENT STREAMS AND ANALYTICS FOR ACTIVITY ON WEB SITES
3y 2m to grant Granted Jul 15, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
29%
Grant Probability
56%
With Interview (+26.3%)
4y 8m (~4m remaining)
Median Time to Grant
High
PTA Risk
Based on 430 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month