Prosecution Insights
Last updated: April 19, 2026
Application No. 17/750,132

CONTINUOUS TRUSTED ACCESS OF ENDPOINTS

Non-Final OA §103
Filed: May 20, 2022
Examiner: AYALA, KEVIN ALEXIS
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: Cisco Technology Inc.
OA Round: 5 (Non-Final)
Grant Probability: 64% (Moderate)
OA Rounds: 5-6
To Grant: 3y 4m
With Interview: 96%

Examiner Intelligence

Grants 64% of resolved cases
Career Allow Rate: 64%
105 granted / 164 resolved
+6.0% vs TC avg
Strong +32% interview lift
Interview Lift: +31.8% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 4m
35 currently pending
Career history
Total Applications: 199 (across all art units)

Statute-Specific Performance

§101: 11.6% (-28.4% vs TC avg)
§103: 53.2% (+13.2% vs TC avg)
§102: 6.7% (-33.3% vs TC avg)
§112: 23.9% (-16.1% vs TC avg)
Based on career data from 164 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/20/2026 has been entered.

Response to Arguments

In response to 35 USC 112(a) on page 7, filed 02/20/2026, the 35 USC 112(a) rejection has been withdrawn in light of claim amendment.

In response to 35 USC 103 on pages 7-10, filed 02/20/2026, for independent claims 1, 12 and 20 along with their respective dependent claims, applicant indicates that Cheng and Shah fail to teach performing, by the device, one or more mitigation actions on the asset based on the risk score and a policy associated with the asset, wherein the policy includes a logical combination of component tags and activity tags associated with the asset. The examiner does not concede. Cheng teaches “wherein the policy includes a logical combination of component tags and activity tags associated with the asset”. Cheng recites “the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services. Protocols can include applicable protocols used in providing IoT devices access to network services. For example, protocols can include infrastructure protocols, identification protocols, transport protocols, discovery protocols, data protocols, device management protocols, semantic protocols, and multi-layer framework protocols. IoT device risk factors related to protocols used by IoT devices in accessing network services can include a number of differed protocols used by an IoT device in accessing network services and characteristics of protocols used by an IoT device in accessing network services. For example, IoT device risk factors related to protocols used by an IoT device in accessing network services can include a number of protocols used by an IoT device in accessing network services at a specific time or during a specific time duration [Col 7 line 53-Col 8 line 4][Col 5 lines 4-24]”. Cheng shows a form of a policy that contains an id of the device and a protocol. Furthermore, Shah teaches “performing, by the device, one or more mitigation actions on the asset based on the risk score and a policy associated with the asset”. Shah recites “ANSS 100 may implement (at 110) different protections in response to detecting anomalous behavior via the regression analysis and/or the computed threat risk associated with that anomalous behavior. For instance, ANSS 100 may generate an alert that notifies a system administrator of first anomalous behavior by a first UE when the first anomalous behavior is classified to be of a low threat (e.g., a threat score of 1), and ANSS 100 may block network data being issued by a second UE when the anomalous behavior of the second UE is classified to be a significant threat (e.g., a threat score of 9) [0029][0028][0041-42][0057]. Generating and adapting network security rules and/or policies based on the expected behaviors that are modeled, and/or performing different actions in response to anomalous behavior that deviates from the expected behaviors used to define the rules and/or policies [0014-0015]”. Shah discloses performing a mitigation based on risk score and policy.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 7-8, 10-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cheng et al. (US 11087005, hereinafter Cheng) in view of Shah et al. (US 20230105021, hereinafter Shah).

Re. claim 1, Cheng discloses a method, comprising: determining, by a device (Cheng discloses a device [Col 10 lines 1-16]), a profile of an asset in a computer network, the profile identifying a type of the asset and a particular activity of the asset (Cheng discloses a device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16].
The IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41], determines the profile that identifies the model and protocol or location); determining, by the device, a specific context of the asset within the computer network (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41]. A device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16], determine what kind of protocol the device is using in the network); wherein the policy includes a logical combination of component tags and activity tags associated with the asset (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services. Protocols can include applicable protocols used in providing IoT devices access to network services. 
For example, protocols can include infrastructure protocols, identification protocols, transport protocols, discovery protocols, data protocols, device management protocols, semantic protocols, and multi-layer framework protocols. IoT device risk factors related to protocols used by IoT devices in accessing network services can include a number of differed protocols used by an IoT device in accessing network services and characteristics of protocols used by an IoT device in accessing network services. For example, IoT device risk factors related to protocols used by an IoT device in accessing network services can include a number of protocols used by an IoT device in accessing network services at a specific time or during a specific time duration [Col 7 line 53-Col 8 line 4][Col 5 lines 4-24]). Although Cheng discloses assessing risk score and matching profiles, Cheng does not explicitly teach but Shah teaches determining, by the device, an expected behavior for assets associated with the type and the particular activity of the asset, and within the specific context (Shah teaches ANSS 100 may use one or more AI/ML techniques to identify patterns, sequencing, rates, trends, signatures, values, attributes, and/or other indicia of regular or expected behavior from the network data groups. UEs 103 for different content at different times to detect commonality for an expected behavior [0034][0057][0014][0016]); assigning, by the device, a risk score for the asset based on one or more risk factors associated with the expected for assets associated with the type and the particular activity, and within specific context (Shah teaches analysis may include comparing the actual behavior exhibited by the new requests or network data against the expected behavior of the one or more models [0027]. The regression analysis that compares parameters, values, timing, and/or other attributes of new network data 303 and 305 against the modeled expected behavior 301.
The comparison may be used to determine whether new network data 303 and 305 exhibit anomalous behavior that deviates from the modeled expected behavior 301, and/or to quantify the threat risk posed by any detected anomalous behavior to the devices and/or systems protected by ANSS 100 [0040][0041-0042][0057][0069]); performing, by the device, one or more mitigation actions on the asset based on the risk score and a policy associated with the asset (Shah teaches ANSS 100 may implement (at 110) different protections in response to detecting anomalous behavior via the regression analysis and/or the computed threat risk associated with that anomalous behavior. For instance, ANSS 100 may generate an alert that notifies a system administrator of first anomalous behavior by a first UE when the first anomalous behavior is classified to be of a low threat (e.g., a threat score of 1), and ANSS 100 may block network data being issued by a second UE when the anomalous behavior of the second UE is classified to be a significant threat (e.g., a threat score of 9) [0029][0028][0041-42][0057]. Generating and adapting network security rules and/or policies based on the expected behaviors that are modeled, and/or performing different actions in response to anomalous behavior that deviates from the expected behaviors used to define the rules and/or policies [0014-0015]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Cheng to include determining, by the device, an expected behavior for assets associated with the type and the particular activity of the asset, and within the specific context; assigning, by the device, a risk score for the asset based on one or more risk factors associated with the expected for assets associated with the type and the particular activity, and within specific context; performing, by the device, one or more mitigation actions on the asset based on the risk score and a policy associated with the asset as disclosed by Shah. One of ordinary skill in the art would have been motivated for the purpose of performing different actions in response to anomalous behavior that deviates from the expected behaviors (Shah [0014]). Re. claim 3, the combination of Cheng-Shah teach the method as in claim 1, wherein determining the profile of the asset comprises: receiving the profile from a behavioral analytics engine (Cheng discloses the IoT device behavior deviation determination engine 710 can determine an IoT device is actually deviating from regular IoT device behaviors if it begins communicating with a new external host [Col 33 lines 50-67]. In determining operational performance deviations of an IoT device using device profiles, the IoT device behavior deviation determination engine 710 can determine the operational performance deviations of the IoT device by comparing or tracking instances of an IoT device, included as part of a device profile of the IoT device [Col 34 lines 1-27]). Re.
claim 4, the combination of Cheng-Shah teach the method as in claim 1, wherein the profile is based on the component tags and the activity tags associated with the asset (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services. Protocols can include applicable protocols used in providing IoT devices access to network services. For example, protocols can include infrastructure protocols, identification protocols, transport protocols, discovery protocols, data protocols, device management protocols, semantic protocols, and multi-layer framework protocols. IoT device risk factors related to protocols used by IoT devices in accessing network services can include a number of differed protocols used by an IoT device in accessing network services and characteristics of protocols used by an IoT device in accessing network services. For example, IoT device risk factors related to protocols used by an IoT device in accessing network services can include a number of protocols used by an IoT device in accessing network services at a specific time or during a specific time duration [Col 7 line 53-Col 8 line 4], shows protocol at a specific time (which could be the activity tag)). Re. claim 5, the combination of Cheng-Shah teach the method as in claim 1, Shah further teaches wherein the one or more mitigation actions are selected from a group consisting of: blocking the particular activity of the asset; blocking all activities of the asset; remediating the particular activity of the asset; continuing the particular activity of the asset; and flagging the particular activity of the asset (Shah teaches ANSS 100 may dynamically select an action to perform based on the risk classification (e.g., the score for the threat risk) and the one or more parameters from the new request that contributed to the risk classification. 
ANSS 100 may select a first action to perform in response to classifying an anomalous value of a first parameter as a threat risk of 10, and may select a second action to perform in response to classifying an anomalous value of a second parameter as a threat risk of 10, wherein the first action may protect against a first type of attack associated with the first parameter having an anomalous value, and the second action may protect against a second type of attack associated with the second parameter. In this case, the first action may include a rate limiting rule that limits the number of requests a UE may issue in a given interval, and the second action may include a blocking rule that prevents requests with a certain anomalous parameter from reaching its intended destination. [0042] [0079]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Cheng to include wherein the one or more mitigation actions are selected from a group consisting of: blocking the particular activity of the asset; blocking all activities of the asset; remediating the particular activity of the asset; continuing the particular activity of the asset; and flagging the particular activity of the asset as disclosed by Shah. One of ordinary skill in the art would have been motivated for the purpose of performing different actions in response to anomalous behavior that deviates from the expected behaviors (Shah [0014]). Re.
claim 7, the combination of Cheng-Shah teach the method as in claim 1, wherein determining the specific context of the asset within the computer network is based on one or more factors selected from a group consisting of: a location of the asset within the computer network; a type of the computer network; a known configuration of the asset; communication paths used by the particular activity; destinations of traffic sent by the asset; one or more protocols in use by the asset; a level within a logical network model; a particular cell in which the asset operates; a particular area in which the asset operates; a particular zone in which the asset operates; a particular security level of the asset; and a time at which the particular activity operates (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41]. A device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16], determine what kind of protocol the device is using in the network). Re. 
claim 8, the combination of Cheng-Shah teach the method as in claim 1, wherein the expected behavior is based on one or more of a learned behavior, a researched behavior, and a configured behavior (Cheng discloses regular IoT device behavior includes typical behavior exhibited by IoT devices in operation. Regular IoT device behavior can include typical IoT device behavior of a specific IoT device, typical IoT device behavior of IoT devices of a specific type, and typical IoT device behavior of a group of IoT devices. For example, regular IoT device behavior can include typical IoT device behavior of a group of IoT devices within an enterprise network. In another example, regular IoT device behavior can include typical IoT device behavior of a group of IoT devices at a physical location [Col 9 lines 36-58], acting as learned behavior). Re. claim 10, the combination of Cheng-Shah teach the method as in claim 1, wherein the one or more risk factors are selected from a group consisting of: riskiness of activity regardless of context; riskiness of the type of device regardless of context; riskiness of a communication reach to a destination outside of the computer network regardless of context; riskiness of a communication reach from a source outside of the computer network regardless of context; and riskiness of a protocol in use by the particular activity regardless of context (Cheng discloses a device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. 
For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16]. The IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41]). Re. claim 11, the combination of Cheng-Shah teach the method as in claim 1, wherein the type of the asset is one or more features selected from a group consisting of: a make of the asset; a model of the asset; a hardware version of the asset; a firmware version of the asset; a software version of the asset; a manufacturer of the asset; a country of origin of the asset; a date of manufacture of the asset; and an operating system of the asset (Cheng discloses a device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16]). Re. 
claim 12, Cheng discloses a non-transitory, computer-readable medium having computer-executable instructions stored thereon that, when executed by a processor on a computer, cause the computer to perform a method comprising (Cheng discloses An engine can include hardware, firmware, or software embodied in a computer-readable medium for execution by the processor [Col 4 lines 4-24]): determining a profile of an asset in a computer network, the profile identifying a type of the asset and a particular activity of the asset (Cheng discloses a device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16]. The IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41], determines the profile that identifies the model and protocol or location); determining a specific context of the asset within the computer network (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41]. 
A device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16], determine what kind of protocol the device is using in the network); wherein the policy includes a logical combination of component tags and activity tags associated with the asset (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services. Protocols can include applicable protocols used in providing IoT devices access to network services. For example, protocols can include infrastructure protocols, identification protocols, transport protocols, discovery protocols, data protocols, device management protocols, semantic protocols, and multi-layer framework protocols. IoT device risk factors related to protocols used by IoT devices in accessing network services can include a number of differed protocols used by an IoT device in accessing network services and characteristics of protocols used by an IoT device in accessing network services. 
For example, IoT device risk factors related to protocols used by an IoT device in accessing network services can include a number of protocols used by an IoT device in accessing network services at a specific time or during a specific time duration [Col 7 line 53-Col 8 line 4][Col 5 lines 4-24]). Although Cheng discloses assessing risk score and matching profiles, Cheng does not explicitly teach but Shah teaches determining, by the device, an expected behavior for assets associated with the type and the particular activity of the asset, and within the specific context (Shah teaches ANSS 100 may use one or more AI/ML techniques to identify patterns, sequencing, rates, trends, signatures, values, attributes, and/or other indicia of regular or expected behavior from the network data groups. UEs 103 for different content at different times to detect commonality for an expected behavior [0034][0057][0014][0016]); assigning, by the device, a risk score for the asset based on one or more risk factors associated with the expected for the assets associated with the type and the particular activity, and within specific context (Shah teaches analysis may include comparing the actual behavior exhibited by the new requests or network data against the expected behavior of the one or more models [0027]. The regression analysis that compares parameters, values, timing, and/or other attributes of new network data 303 and 305 against the modeled expected behavior 301. 
The comparison may be used to determine whether new network data 303 and 305 exhibit anomalous behavior that deviates from the modeled expected behavior 301, and/or to quantify the threat risk posed by any detected anomalous behavior to the devices and/or systems protected by ANSS 100 [0040][0041-0042][0057][0069]); performing, by the device, one or more mitigation actions on the asset based on the risk score and a policy associated with the asset (Shah teaches ANSS 100 may implement (at 110) different protections in response to detecting anomalous behavior via the regression analysis and/or the computed threat risk associated with that anomalous behavior. For instance, ANSS 100 may generate an alert that notifies a system administrator of first anomalous behavior by a first UE when the first anomalous behavior is classified to be of a low threat (e.g., a threat score of 1), and ANSS 100 may block network data being issued by a second UE when the anomalous behavior of the second UE is classified to be a significant threat (e.g., a threat score of 9) [0029][0028][0041-42][0057]. Generating and adapting network security rules and/or policies based on the expected behaviors that are modeled, and/or performing different actions in response to anomalous behavior that deviates from the expected behaviors used to define the rules and/or policies [0014-0015]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Cheng to include determining, by the device, an expected behavior for assets associated with the type and the particular activity of the asset, and within the specific context; assigning, by the device, a risk score for the asset based on one or more risk factors associated with the expected for assets associated with the type and the particular activity, and within specific context; performing, by the device, one or more mitigation actions on the asset based on the risk score, wherein the one or more mitigation actions comprises enforcement of one or more network policies on the asset, the one or more network policies configured based on the risk score as disclosed by Shah. One of ordinary skill in the art would have been motivated for the purpose of performing different actions in response to anomalous behavior that deviates from the expected behaviors (Shah [0014]). Re. claim 13, rejection of claim 12 is included and claim 13 is rejected with the same rationale as applied in claim 2 above. Re. claim 14, rejection of claim 12 is included and claim 14 is rejected with the same rationale as applied in claim 3 above. Re. claim 15, rejection of claim 12 is included and claim 15 is rejected with the same rationale as applied in claim 4 above. Re. claim 16, rejection of claim 12 is included and claim 16 is rejected with the same rationale as applied in claim 5 above. Re. claim 17, rejection of claim 12 is included and claim 17 is rejected with the same rationale as applied in claim 6 above. Re. claim 18, rejection of claim 12 is included and claim 18 is rejected with the same rationale as applied in claim 7 above. Re. claim 19, rejection of claim 12 is included and claim 19 is rejected with the same rationale as applied in claim 8 above. Re.
claim 20, Cheng discloses an apparatus, comprising: a processor configured to execute one or more processes (Cheng discloses processor [Col 2 lines 42-52]); and a memory configured to store a process that is executable by the processor (Cheng discloses processor coupled to the memory [Col 2 lines 42-52]), the process, when executed, configured to: determine a profile of an asset in a computer network, the profile identifying a type of the asset and a particular activity of the asset (Cheng discloses a device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16]. The IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41], determines the profile that identifies the model and protocol or location); determine a specific context of the asset within the computer network (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41]. 
A device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation. For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16], determine what kind of protocol the device is using in the network); wherein the policy includes a logical combination of component tags and activity tags associated with the asset (Cheng discloses the IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services. Protocols can include applicable protocols used in providing IoT devices access to network services. For example, protocols can include infrastructure protocols, identification protocols, transport protocols, discovery protocols, data protocols, device management protocols, semantic protocols, and multi-layer framework protocols. IoT device risk factors related to protocols used by IoT devices in accessing network services can include a number of differed protocols used by an IoT device in accessing network services and characteristics of protocols used by an IoT device in accessing network services. 
For example, IoT device risk factors related to protocols used by an IoT device in accessing network services can include a number of protocols used by an IoT device in accessing network services at a specific time or during a specific time duration [Col 7 line 53-Col 8 line 4][Col 5 lines 4-24]). Although Cheng discloses assessing risk score and matching profiles, Cheng does not explicitly teach but Shah teaches determine an expected behavior for assets associated with the type and the particular activity of the asset, and within the specific context (Shah teaches ANSS 100 may use one or more AI/ML techniques to identify patterns, sequencing, rates, trends, signatures, values, attributes, and/or other indicia of regular or expected behavior from the network data groups. UEs 103 for different content at different times to detect commonality for an expected behavior [0034][0057][0014][0016]); assign a risk score for the asset based on one or more risk factors associated with the expected for assets associated with the type and the particular activity, and within specific context (Shah teaches analysis may include comparing the actual behavior exhibited by the new requests or network data against the expected behavior of the one or more models [0027]. The regression analysis that compares parameters, values, timing, and/or other attributes of new network data 303 and 305 against the modeled expected behavior 301. 
The comparison may be used to determine whether new network data 303 and 305 exhibit anomalous behavior that deviates from the modeled expected behavior 301, and/or to quantify the threat risk posed by any detected anomalous behavior to the devices and/or systems protected by ANSS 100 [0040][0041-0042][0057][0069]); perform one or more mitigation actions on the asset based on the risk score and a policy associated with the asset (Shah teaches ANSS 100 may implement (at 110) different protections in response to detecting anomalous behavior via the regression analysis and/or the computed threat risk associated with that anomalous behavior. For instance, ANSS 100 may generate an alert that notifies a system administrator of first anomalous behavior by a first UE when the first anomalous behavior is classified to be of a low threat (e.g., a threat score of 1), and ANSS 100 may block network data being issued by a second UE when the anomalous behavior of the second UE is classified to be a significant threat (e.g., a threat score of 9) [0029][0028][0041-42][0057]. Generating and adapting network security rules and/or policies based on the expected behaviors that are modeled, and/or performing different actions in response to anomalous behavior that deviates from the expected behaviors used to define the rules and/or policies [0014-0015]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Cheng to include determining, by the device, an expected behavior for assets associated with the type and the particular activity of the asset, and within the specific context; assigning, by the device, a risk score for the asset based on one or more risk factors associated with the expected for assets associated with the type and the particular activity, and within specific context; performing, by the device, one or more mitigation actions on the asset based on the risk score, wherein the one or more mitigation actions comprises enforcement of one or more network policies on the asset, the one or more network policies configured based on the risk score as disclosed by Shah. One of ordinary skill in the art would have been motivated for the purpose of performing different actions in response to anomalous behavior that deviates from the expected behaviors (Shah [0014]).

Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Cheng et al. (US 11087005, hereinafter Cheng) in view of Shah et al. (US 20230105021, hereinafter Shah) and in further view of Jakobsson et al. (US 11757914, hereinafter Jakobsson).

Re. claim 2, the combination of Cheng-Shah teach the method as in claim 1, wherein the asset performs a plurality of activities, and wherein the asset has a corresponding plurality of profiles (Cheng discloses a device profile for an IoT device includes either or both characteristics of the IoT device and characteristics of how the IoT device functions in operation.
For example a device profile can include a type of device of an IoT device, a maker of an IoT device, a module of an IoT device, firmware on an IoT device, an operating system of an IoT device, applications executing at or capable of being executed at an IoT device, an entity or an organization associated with an IoT device, a physical location of an IoT device, a network location of an IoT device, uses of an IoT device, characteristics of an IoT device actually operating, patterns of an IoT device in operating [Col 10 lines 1-16]. The IoT device risk assessment system 106 functions to determine risk levels of IoT devices according to IoT device risk factors related to protocols used by IoT devices in accessing network services [Col 7 lines 53-67] [Col 8 lines 18-41]).

Although Cheng discloses risk score, the combination of Cheng-Shah do not explicitly teach but Jakobsson teaches aggregating a plurality of risk scores associated with the corresponding plurality of profiles to determine an overall risk assessment of the asset (Jakobsson teaches These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score [Col 55 lines 15-37]).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Cheng-Shah to include mitigation action based on the risk score as disclosed by Jakobsson. One of ordinary skill in the art would have been motivated for the purpose of one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores (Jakobsson [Col 58 lines 9-29]).

Re. claim 9, the combination of Cheng-Shah teach the method as in claim 1, Although Cheng discloses risk score, the combination of Cheng-Shah do not explicitly teach but Jakobsson teaches wherein the one or more mitigation actions are based on one or more configurable thresholds (Jakobsson teaches the risk score now is −10−5+10+65=60, which is compared to a threshold T1=50. As a result of the score R exceeding T1, the already-modified message is sent to a unit that “scrubs” it. If the score R had exceeded a second threshold T2=72, then the email would not have been delivered, and if the score were below T3=−15, then the email would be delivered verbatim but with a smiley emoji added to the subject line, whereas if the score was greater than or equal to T3, any emoji in the subject line is removed before the message is delivered [Col 22 lines 1-44]).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system disclosed by Cheng-Shah to include wherein the one or more mitigation actions are based on one or more configurable thresholds as disclosed by Jakobsson. One of ordinary skill in the art would have been motivated for the purpose of one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores (Jakobsson [Col 58 lines 9-29]).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Covell (US 11985128) discloses analyzing metadata associated with the interaction, (e.g., employee profile, applications typically used by the user, location, time of day) comparing the metadata against the user's profile, and classifying the interaction as either suspicious or not suspicious (i.e., normal).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN A AYALA whose telephone number is (571)270-3912. The examiner can normally be reached Monday-Thursday 8AM-5PM; Friday: Variable EST.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KEVIN AYALA/
Primary Examiner, Art Unit 2496

Prosecution Timeline

May 20, 2022
Application Filed
May 18, 2024
Non-Final Rejection — §103
Jul 10, 2024
Interview Requested
Jul 30, 2024
Applicant Interview (Telephonic)
Jul 30, 2024
Examiner Interview Summary
Aug 23, 2024
Response Filed
Nov 13, 2024
Final Rejection — §103
Jan 07, 2025
Interview Requested
Feb 18, 2025
Request for Continued Examination
Feb 19, 2025
Response after Non-Final Action
Mar 21, 2025
Non-Final Rejection — §103
Jun 09, 2025
Interview Requested
Jun 25, 2025
Examiner Interview Summary
Jun 25, 2025
Response Filed
Jun 25, 2025
Applicant Interview (Telephonic)
Sep 09, 2025
Final Rejection — §103
Feb 20, 2026
Request for Continued Examination
Mar 07, 2026
Response after Non-Final Action
Mar 19, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12549375
DEFINING AND MANAGING FORMS IN A DISTRIBUTED LEDGER TRUST NETWORK
2y 5m to grant Granted Feb 10, 2026
Patent 12542684
SOCIAL MEDIA CONTENT MANAGEMENT SYSTEMS
2y 5m to grant Granted Feb 03, 2026
Patent 12542675
SYSTEMS AND METHODS FOR ENCRYPTED MULTIFACTOR AUTHENTICATION USING IMAGING DEVICES AND IMAGE ENHANCEMENT
2y 5m to grant Granted Feb 03, 2026
Patent 12531746
ENABLING CONSENSUS IN DISTRIBUTED TRANSACTION PROCESSING SYSTEMS
2y 5m to grant Granted Jan 20, 2026
Patent 12530454
Behavior analysis based on finite-state machine for malware detection
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

5-6
Expected OA Rounds
64%
Grant Probability
96%
With Interview (+31.8%)
3y 4m
Median Time to Grant
High
PTA Risk
Based on 164 resolved cases by this examiner. Grant probability derived from career allow rate.
