Prosecution Insights
Last updated: July 17, 2026
Application No. 17/745,762

ENTROPY EXCLUSION OF TRAINING DATA FOR AN EMBEDDING NETWORK

Non-Final OA §101§103
Filed
May 16, 2022
Examiner
HICKS, AUSTIN JAMES
Art Unit
2142
Tech Center
2100 — Computer Architecture & Software
Assignee
CrowdStrike Inc.
OA Round
3 (Non-Final)
75%
Grant Probability
Favorable
3-4
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
310 granted / 413 resolved
+20.1% vs TC avg
Strong +25% interview lift
Without
With
+25.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
54 currently pending
Career history
467
Total Applications
across all art units

Statute-Specific Performance

§101
3.9%
-36.1% vs TC avg
§103
82.7%
+42.7% vs TC avg
§102
9.0%
-31.0% vs TC avg
§112
3.8%
-36.2% vs TC avg
Black line = Tech Center average estimate • Based on career data from 413 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 4/15/2026 has been entered. Response to Arguments Applicant's arguments filed 4/15/2026 have been fully considered but they are not persuasive. Applicant argues “A computer-executable file in a non-computer-executable representation is therefore ‘a new kind of file that enables a computer security system to do things it could not do before.’” Remarks 13. Examiner disagrees, see Identifying Authorship by Byte-Level N-Grams: The Source Code Author Profile (SCAP) Method by Frantzeskou et al. The file-type doesn’t improve the functioning of a computer and the claim to the file-type merely links the abstract idea to the field of non-executable information, and does not amount to significantly more than the abstract idea. With respect to the arguments about the prior art (Remarks 14-19), the arguments are moot because new art is applied below. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite the mental concept of extracting data, excluding high entropy data, and extracting labeled features from the data. This judicial exception is not integrated into a practical application because it is not directed to an improvement to computers or a technological field. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements of a computer or storage media are directed to generic computer parts. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 3, 5-8, 10, 12-15, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US20190190926A1 to Choi et al, US20160366155A1 to El-Moussa et al, Identifying Authorship by Byte-Level N-Grams: The Source Code Author Profile (SCAP) Method by Frantzeskou et al. Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over US20190190926A1 to Choi et al, US20160366155A1 to El-Moussa et al, Identifying Authorship by Byte-Level N-Grams: The Source Code Author Profile (SCAP) Method by Frantzeskou et al and US20190138423A1 to Agerstam et al. Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US20190190926A1 to Choi et al, US20160366155A1 to El-Moussa et al, Identifying Authorship by Byte-Level N-Grams: The Source Code Author Profile (SCAP) Method by Frantzeskou et al and US20180253755A1 to Cheng et al. Choi teaches claims 1, 8 and 15. A method comprising: extracting a (Choi para 35 “generate, from the system log data 197 a time series 127A-127 n (FIGS. 3A and 3B) of overlapping windowed system log data 126, where each time window 127 of the overlapping windowed system log data 126 includes a respective batch of system log data 128 (FIG. 4, Block 420).” The log data in Choi fig. 3b is the sample executable file of labeled dataset. The labels are the “behavior keywords” shown in para 35 and fig. 4. The hyperparameter is “the predetermined window size, the predetermined window overlap size, and the entropy threshold T, for at least one (or each) time window 127.”) wherein the sample comprises a non-computer-executable representation of the(Choi para 35 “windowed system log data 126”, log data is not computer executable. All data has subsequences. The windows with log data has at least bits and subsequences from the sampled log data.) (Choi para 36 “the entropy module 115 is configured to determine the system entropy measurements from the extracted features 111 extracted from the respective batch of system log data 128 from the at least one window 127 of the overlapping windowed system log data 126 (FIG. 4, Block 440).”) extracting a labeled feature from the entropy(Choi para 50-51 “Extract keywords from the captured windowed batch of system log data 128 using natural language processing (FIG. 4, Blocks 420 and 430); Create a feature vector(s) “X” 111V1-111Vn from the keywords extracted from the captured windowed batch of system log data 128 (FIG. 4, Blocks 420 and 430)…”) Choi doesn’t teach excluding a subset of windows based on entropy. However, El-Moussa teaches non-overlapping set of extracted windows… (El-Moussa paragraph 98 teaches “As depicted in FIG. 10, the windows 1008 are generally defined to span different continuous subsets of network traffic…” A different continuous subset of network traffic is a non-overlapping window. El-Moussa paragraph 79 teaches “here multiple traffic portion definitions 526 are retrieved for a protocol, such portion definitions will constitute windows of network traffic that may overlap or occur adjacent in the flow of network traffic.” An adjacent window is a non-overlapping window.) excluding at least some extracted windows among the set of extracted windows according to information entropy to derive an entropy-excluded subset of extracted windows. (El-Moussa para 103 “the window selector 958 identifies a window determined to have a greatest degree of consistent similarity of entropy measures… it is advantageous that the window selector 958 further undertakes a process of elimination of windows identified by the window selector 958 to exclude from the identification windows having entropy measures for known malicious encrypted traffic that are similar, by some predetermined degree of similarity or clustering, to entropy measures for known non-malicious traffic.”) Choi, El-Moussa and the claims are all directed to detecting malicious data. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to filter the windows and exclude windows with low entropy because “a window is not suitable for use in the detection of malicious encrypted network traffic since such a window would always exhibit consistent characteristics and the measure of entropy may stay substantially the same irrespective of the nature of a network connection.” El-Moussa para 103. Further, preventing overlapping windows avoids overfit on a temporally small set of data. Choi doesn’t teach that the sampled file is executable. However, Frantzeskou teaches the sample comprises a non-computer-executable representation of the executable file. (Frantzeskou abs. “the disputed program is compared to undisputed, known programming samples by the predefined author candidates.”) Choi and Frantzeskou and the claims are all directed to detecting malicious data. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to include program code in log data because “There are several scenarios where digital evidence of this kind plays a role in investigation and adjudication, such as… tracing the source of code left in the system after a cyber attack…” Frantzeskou abs. Choi teaches claims 2, 9 and 16. The method of claim 1, wherein an extracted window of the set of extracted windows comprises a sub-sequence having a length corresponding to a window size hyperparameter, (Choi para 38 “a predetermined window size…”) Choi doesn’t teach the spacing. However, Agerstam teaches sub-sequences being spaced apart according to a window distance hyperparameter. (Agerstam para 90 “if the unit of time is milliseconds, the data collector 1014 collects three (n=3) time windows of data spaced apart by a number of specified milliseconds. If the unit of time is seconds, the data collector 1014 collects three (n=3) time windows of data spaced apart by a number of specified seconds.”) Agerstam, Choi and the claims are all detecting anomalies in data. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to use millisecond spacing “for analyzing quick changes in a scene…” Agerstam para 90. El-Moussa teaches claims 3, 10 and 17. The method of claim 1, further comprising determining a first subset among the set of extracted windows having highest information entropy; determining a second subset among the set of extracted windows having lowest information entropy; and excluding the first subset and the second subset from the set of extracted windows. (El-Moussa para 103 “the window selector 958 identifies a window determined to have a greatest degree of consistent similarity of entropy measures… it is advantageous that the window selector 958 further undertakes a process of elimination of windows identified by the window selector 958 to exclude from the identification windows having entropy measures for known malicious encrypted traffic that are similar, by some predetermined degree of similarity or clustering, to entropy measures for known non-malicious traffic.” This process excludes all windows with entropy that are far away from the windows that El-Moussa is trying to monitor. This means that windows with “low” and “high” entropy numbers will be outside of the cluster based on distance and those windows are excluded. El-Moussa para 102 “That is to say that the relative similarity of all measures of entropy for a window can be measured, and a window having measures of entropy that are most similar overall is identified by the window selector 958.”) El-Moussa teaches claims 4, 11 and 18. The method of claim 3, wherein extracted windows highest in information entropy and lowest in information entropy are determined according to a set (El-Moussa para 103 “embodiments of the invention employ clustering algorithms such as, inter alia, k-means algorithms, distribution-based clustering algorithms and/or density-based clustering algorithms to identify clusters of entropy measures among all entropy measures for a window.”) El-Moussa doesn’t filter out a proportion of windows. However, Cheng filters a proportion of all extracted data. (Cheng para 61 “when a is greater than b, the quantity of clicks exceeding the threshold for the quantity of clicks (a-b) is filtered by selecting a filtering ratio according to a corresponding relationship between a value space of (a-b) and the filtering ratio.”) Cheng, El-Moussa and the claims are all directed to anomalous activity. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to take a proportion of the entropies because the distribution-based clustering almost requires a proportional filtering scheme and filtering like this separates fraudulent data from normal data.1 El-Moussa teaches claims 5, 12 and 19. The method of claim 3, wherein extracted windows highest in information entropy and lowest in information entropy are determined according tohighest to lowest information entropy. (El-Moussa para 103 “embodiments of the invention employ clustering algorithms such as, inter alia, k-means algorithms, distribution-based clustering algorithms and/or density-based clustering algorithms to identify clusters of entropy measures among all entropy measures for a window.”) El-Moussa doesn’t teach extracting a set number of windows. However, Choi teaches a set number of windows. (Choi para 38 “and a number of data windows N…”) El-Moussa teaches claims 6, 13 and 20. The method of claim 1, further comprising collecting the entropy-excluded subset of extracted windows into a data stream; and. (El-Moussa para 103 “the window selector 958 identifies a window determined to have a greatest degree of consistent similarity of entropy measures… it is advantageous that the window selector 958 further undertakes a process of elimination of windows identified by the window selector 958 to exclude from the identification windows having entropy measures for known malicious encrypted traffic that are similar, by some predetermined degree of similarity or clustering, to entropy measures for known non-malicious traffic.”) wherein extracting a labeled feature comprises taking (El-Moussa para 98 “Each window can be defined by way of a start point 1010 and an end point 1012, each of the start and end points indicating a location in network traffic for a network connection such as a byte, message, segment or packet offset in network traffic, Alternatively, a start point 1010 and an extent, length or size 1014 can define a window.”) El-Moussa doesn’t teach n-grams. However, Choi teaches n-grams. (Choi para 35 “the natural language pre-processing 300 of the natural language processing module 112 firstly tokenizes the system log data 197 … by chopping up the text messages that form the respective batch of system log data 128 into individual terms…. For example, “USA” and “U.S.A.” are treated as being equivalent, “cyber attack” and “cyber-attack”…” This shows an n=1 and n=2 n-gram, USA and cyber attack respectively.) El-Moussa teaches claims 7 and 14. The method of claim 6, wherein the data stream comprises one or more data structures storing the entropy-excluded subset of extracted windows in order of extraction from the sample executable file, (El-Moussa para 100 “the network traffic recorder 950 can record network traffic from an earliest point in all applicable window definitions to a latest point in all applicable window definitions such that, subsequently, the particular window definitions can be used to extract subsets of the recorded traffic to store network traffic subsets 960 for each window definition.”) El-Moussa doesn’t teach arbitrary order. However, Choi teaches extracting windows in an order arbitrary from the order of extraction. (Choi para 35 “corresponding to a respective time window 127 in the time series 127A-127 n of overlapping windowed system log data 126.”) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Austin Hicks whose telephone number is (571)270-3377. The examiner can normally be reached Monday - Thursday 8-4 PST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mariela Reyes can be reached at (571) 270-1006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /AUSTIN HICKS/Primary Examiner, Art Unit 2142 1 Cheng para 62 “to furthest reduce the quantity of clicks of the low level fraudulent user from the quantity of clicks on the advertisement.”
Read full office action

Prosecution Timeline

Show 1 earlier event
Aug 15, 2025
Non-Final Rejection mailed — §101, §103
Dec 15, 2025
Response Filed
Jan 15, 2026
Final Rejection mailed — §101, §103
Feb 23, 2026
Examiner Interview Summary
Feb 23, 2026
Applicant Interview (Telephonic)
Apr 15, 2026
Request for Continued Examination
Apr 24, 2026
Response after Non-Final Action
Jun 17, 2026
Non-Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12645389
COMPUTATIONAL STORAGE DEVICE FOR DEEP-LEARNING RECOMMENDATION SYSTEM AND METHOD OF OPERATING THE SAME
4y 0m to grant Granted Jun 02, 2026
Patent 12639558
NEURAL NETWORK PROCESSOR SYSTEM AND METHODS OF OPERATING AND FORMING THEREOF
4y 3m to grant Granted May 26, 2026
Patent 12626157
IDENTIFYING IDLE-CORES IN DATA CENTERS USING MACHINE-LEARNING (ML)
3y 7m to grant Granted May 12, 2026
Patent 12626178
QUANTUM COMPUTING BASED KERNEL ALIGNMENT FOR A SUPPORT VECTOR MACHINE TASK
3y 6m to grant Granted May 12, 2026
Patent 12608441
SCREENING FOR FLUCTUATING ENERGY RELAXATION TIMES
4y 1m to grant Granted Apr 21, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+25.2%)
3y 2m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 413 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month