Prosecution Insights
Last updated: July 17, 2026
Application No. 17/859,148

SYSTEMS AND METHODS FOR SECURITY ENHANCED DOMAIN CATEGORIZATION

Non-Final OA §103§112
Filed
Jul 07, 2022
Examiner
AYALA, KEVIN ALEXIS
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Fortinet Inc.
OA Round
5 (Non-Final)
64%
Grant Probability
Moderate
5-6
OA Rounds
0m
Est. Remaining
93%
With Interview

Examiner Intelligence

Grants 64% of resolved cases
64%
Career Allowance Rate
109 granted / 169 resolved
+6.5% vs TC avg
Strong +29% interview lift
Without
With
+28.6%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
23 currently pending
Career history
208
Total Applications
across all art units

Statute-Specific Performance

§101
1.5%
-38.5% vs TC avg
§103
93.3%
+53.3% vs TC avg
§102
1.6%
-38.4% vs TC avg
§112
3.2%
-36.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 169 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 04/27/2026 has been entered. Response to Arguments In response to 35 USC 101 on pages 8-10 of the remarks, filed 04/27/2026, have been fully considered and are persuasive. The 35 USC 101 has been withdrawn in light of claim amendment. In response to 35 USC 103 on pages 10-13 of the remarks, filed 04/27/2026, for independent claims 1, 10 and 19 along with their respective dependent claims, applicant argues that Taniguchi-Neel and Pan fails to teach a real-time, inline, closed-loop recategorization and enforcement performed by the same network security appliance during packet forwarding. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., inline packet processing and modifying classification in real-time within a packet processing pipeline) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). The claims do not recite an inline packet processing and modifying classification in real-time within a packet processing pipeline. There is no mention of a packet. Applicant further argues that Taniguchi does not detect domain characteristic changes during processing of a network communication. The examiner does not concede. Taniguchi does teach detect domain characteristic changes during processing of a network communication. The claim does not recite a “real-time gateway packet handling”. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e. dynamic recategorization of domains during packet processing, real-time state mutation tied to packet inspection and/or closed-loop feedback between detection and enforcement) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). The claims do not recite dynamic recategorization of domains during packet processing, real-time state mutation tied to packet inspection and/or closed-loop feedback between detection and enforcement. Applicant discloses that Taniguchi does not function as or within a network security appliance that provides live packet inspection. The claim does not recites a live packet inspection. Furthermore, Neel and Pan discloses a network security appliance acting as a gateway. Therefore, the references discloses determining domain characteristic changes while processing a network communication at a gateway. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e. modifying a domain status during the same packet processing event that triggers the change) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). The claims do not recite dynamic recategorization of domains during packet processing, real-time state mutation tied to packet inspection and/or closed-loop feedback between detection and enforcement. In response to applicant’s argument that the resulting combination cannot teach or suggest the limitation of the current claims, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). Therefore, the 35 USC 103 rejection is maintained. Claim Objections Claim 1, 10 and 19 are objected to because of the following informalities: the claims recite “applying, by the hardware processor of the network security appliance, a second security process to a second network communication received subsequent to the first network communication by the same network security appliance based at least in part on the second status as indicated by the web-domain security database”. The claim limitation “the same network security” should be written as “the network security appliance”. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-12 and 14-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Re. claims 1, 10 and 19; the claims recite “wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input”. The specification does not have support of the network security appliance to automatically enforce a different security policy for the second network communication and without requiring external input. Nowhere in the specification mentions automatic, enforce, policy and without requiring. Claims 2-9, 11-12, 14-18 and 20 fall together accordingly as they do not cure the deficiencies of the independent claims. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-4, 6-7, 10-12, 15-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Taniguchi (GB 2604207) in view of Neel (US 11457022) and in further view of Pan (US 20210203698). Re. claim 1, Taniguchi discloses a method, the method comprising: determining, by a network security appliance, a change in at least one characteristic of a web-domain, wherein the web-domain is identified as having a first status, wherein the change in the at least one characteristic is detected during processing of the first network communication by the network security appliance (Taniguchi discloses the information processing device 100 is applied to a situation for determining whether or not the behavior of the object domain corresponds to the behavior of the legitimate domain or which type of attack the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0056]. the information processing device 100 determines which type of attack among the plurality of types of attacks a malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0049][0146]); applying, by the hardware processor of the network security appliance (Taniguchi discloses the information processing device includes a central processing unit [0074][0075]), a security process to a first network communication based at least in part on the first status (Taniguchi discloses the information processing device 100 may be applied to a situation in which the object domain is considered to be a malicious domain and it is determined which type of attack the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0057]. When it is determined that the behavior of the object domain corresponds to the behavior of the malicious domain used for any type of attack, the information processing device 100 transmits a feature utilized in the determination to the client device 201 that is the transmission source of the object behavior data, in association with the object domain [0064][0067-0068]. Output unit allow to notify the user of the processing result of at least one of the functional unites [0131]. The output unit 405 may make it easier for the security officer to take countermeasures against the attack, or make it easier for the security officer to explain to the responsible party the attack [0132][0037]). Although Taniguchi discloses first and second status based on the change of the web-domain and hardware processor of the network security appliance, Taniguchi does not explicitly teach but Neel teaches wherein the web-domain is identified as having a first status as indicated by a web-domain security database (Neel teaches a security server 101 may receive and analyze network traffic logs containing domain names to identify potentially malicious or otherwise problematic domains [Col 5 lines 40-67]) and the web-domain is accessible by the network security appliance via at least one network connection (Neel teaches proxy server 103 is a computing device configured to manage network communications between enterprise computing devices, such as client computer workstations, and external resources accessible via the network 110, such as websites or web-based applications hosted on the external servers 112 [Col 6 lines 26-38]. the proxy server 103 may receive and forward a request for a webpage hosted on a particular external server 112a, where the request originated from a client computer of the enterprise. In this example, the proxy server 103 may generate a data record in a log file containing the source domain name (e.g., DomainA.com), and the source IP address (e.g., the IP address of the client computer or an enterprise IP address) [Col 6 line 48 -Col 7 line 3][Col 12 line 55 – Col 13 line 2]); modifying, by the hardware processor of the network security appliance, the first status to a second status in the web-domain security database in real-time during processing of the first network communication based at least in part on the change in the at least one characteristic of the web-domain identified from the first network communication (Neel teaches the security server 101 upon determining that the credibility score for the unique domain name fails an acceptability threshold, the security server 101 may update the case management database with the details of the unique domain names that failed the acceptability threshold. [Col 8 lines 11-25]. The security server 101 is a computing device including a processor capable of performing the various tasks and processes [Col 6 lines 6-17][Col 3 lines 14-52]); and applying, by the hardware processor of the network security appliance, a second security process to a second network communication received subsequent to the first network communication by the same network security appliance based at least in part on the second status as indicated by the web-domain security database (Neel teaches the security server 101 may transmit an alert to one or more administrator devices 111 identifying the unique domain names that failed the acceptability threshold [Col 8 lines 11-25][Col 5 lines 19-39][Col 12 lines 1-11]. The security server 101 is a computing device including a processor capable of performing the various tasks and processes [Col 6 lines 6-17]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by Taniguchi to include wherein the web-domain is identified as having a first status as indicated by a web-domain security database and the web-domain is accessible by the network security appliance via at least one network connection; modifying, by the hardware processor of the network security appliance, the first status to a second status in the web-domain security database by the processing resource based at least in part on the change in the at least one characteristic of the web-domain; and applying, by the hardware processor of the network security appliance, a second security process to a second network communication based at least in part on the second status as indicated by the web-domain security database as disclosed by Neel. One of ordinary skill in the art would have been motivated for the purpose of prevent the user from accessing the website of domain that have been identified as malicious, improves cybersecurity (Neel [Col 2 lines 40-67][Col 13 lines 3-19]). Taniguchi discloses a web-domain re-categorization application ([0039][0042-0043][0088]) and a web-domain security database ([0064][0143][0146]), the combination of Taniguchi-Neel do not explicitly teach but Pan teaches a network security appliance operating as a gateway between a secured network and an outside network (Pan teaches a system 102 is implemented in a network security device 104 (e.g., a firewall and/or a content filtering device) protecting a private network 106 [0034]. Data packet receiving engine 212 receives a packet associated with a network traffic flow between a source computing device external to a private network and a destination computing device within the private network [0043] Figs 1 and 2), the network security appliance having a hardware processor with access to at least a web-domain re-categorization application and network access to a web-domain security database (Pan teaches one or more Interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 102 with various devices coupled to system 102. Interface(s) 206 may also provide a communication pathway for one or more components of system 102. Examples of such components include, but are not limited to, processing engine(s) 208 and database 210 [0040]. Engine(s) 208 may include a processing resource [0041]. Engine(s) 218 can implement functionalities that supplement applications or functions performed by management device 102 or processing engine 208 [0042]); wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input (Pan teaches system 102 receives a packet associated with a network traffic flow between an external source computing device 112 and an internal destination computing device 106. Determine whether the packet is a first packet or not [0036]. System 102 implements an anti-replay policy [0036]. The anti-replay policy may indicate a type of anti-replay checking to be performed on a matching network traffic flow in terms of “default,” “disable,” “loose,” or “tight.” [0037]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by Taniguchi to include a network security appliance operating as a gateway between a secured network and an outside network, the network security appliance having a hardware processor with access to at least a web-domain re-categorization application and network access to a web-domain security database; wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input as disclosed by Pan. One of ordinary skill in the art would have been motivated for the purpose of protecting a private network (Pan [0005]). Re. claim 2, the combination of Taniguchi-Neel-Pan teach the method of claim 1, the method further comprising: accessing, by the processing resource, the at least one characteristic of the web- domain (Taniguchi discloses collect WHO'S history data relating to the legitimate domain from a WHOIS history data DB 515, and saves the collected WHOIS history data in the basic data management table 521 and the registrar management table 522. The WHOIS history data indicates, for example, how domain registration has changed [0146-0148][0175-0178]. The data collection unit 500 collects WHOIS history data relating to the targeted malicious domain from the WHOIS history data DB 515. Based on the WHOIS history data relating to the targeted malicious domain, the data collection unit 500 sets the registration date and time when the above domain was registered by a registrar who first managed the above domain, in the field for registration in the basic data management table 521 [0185]). Re. claim 3, the combination of Taniguchi-Neel-Pan teach the method of claim 2, wherein accessing the at least one characteristic of the web-domain includes performing a whois query (Taniguchi discloses collect WHO'S history data relating to the legitimate domain from a WHOIS history data DB 515, and saves the collected WHOIS history data in the basic data management table 521 and the registrar management table 522. The WHOIS history data indicates, for example, how domain registration has changed [0146-0148][0175-0178]. The data collection unit 500 collects WHOIS history data relating to the targeted malicious domain from the WHOIS history data DB 515. Based on the WHOIS history data relating to the targeted malicious domain, the data collection unit 500 sets the registration date and time when the above domain was registered by a registrar who first managed the above domain, in the field for registration in the basic data management table 521 [0185]). Re. claim 4, the combination of Taniguchi-Neel-Pan teach the method of claim 1, wherein the at least one characteristic of the web- domain is one or more characteristics selected from a group consisting of: an administrative contact information for the web-domain, a technical contact information for the web-domain, a date the web domain was created, a date the web-domain last changed, and a name server for the web-domain (Taniguchi discloses consider web/internet domain management/administration behaviours (e.g. DNS, WHOIS) to determine whether domains are malicious and what type of attack they are associated with [Abstract]. The basic data management table 521 has fields for domain, registration, first seen, last seen, expiration, number of name server settings, and number of registrars. The field for domain is set with a domain. The field for registration is set with the registration date and time when the above domain was registered by a registrar who first managed the above domain. The field for first seen is set with a time point when the oldest address (A) record relating to the above domain was first observed by DNS forward lookup. The field for last seen is set with a time point when the latest A record relating to the above domain was observed most recently by DNS forward lookup [0171-0172]). Re. claim 6, the combination of Taniguchi-Neel-Pan teach the method of claim 1, wherein the first status is selected from a group consisting of: an indication that the web-domain is malicious, and an indication that the web- domain is safe (Taniguchi discloses the information processing device 100 determines which type of attack among the plurality of types of attacks the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain has been described. However, the present embodiment is not limited to this case. For example, there may be a case where the information processing device 100 further determines whether or not the behavior of the object domain corresponds to the behavior of the legitimate domain, based on the result of the analysis [0055]). Re. claim 7, the combination of Taniguchi-Neel-Pan teach the method of claim 1, wherein the second status is an indication that the web-domain is unknown (Taniguchi the diagnosis object domain list 562 indicates a diagnosis object domain, which is unknown as to whether or not to be a malicious domain, in a specifiable manner. The diagnosis object domain is a diagnosis object for whether or not the behavior of the diagnosis object domain corresponds to the behavior of the malicious domain [0164][0097]). Re. claim 10, Taniguchi discloses a network security appliance for performing network security, the network security appliance comprising: a processing resource; a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to (Taniguchi discloses the information processing device 100 includes a central processing unit (CPU) 301, a memory 302, a network interface (I/F) 303, a recording medium I/F 304, and a recording medium 305 [0074][0075]. A nonvolatile memory that stores data [0077]): determine a change in at least one characteristic of a web-domain, wherein the change in the at least one characteristic is detected during processing of the first network communication by the network security appliance, wherein the web-domain is identified as having a first status (Taniguchi discloses the information processing device 100 is applied to a situation for determining whether or not the behavior of the object domain corresponds to the behavior of the legitimate domain or which type of attack the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0056]. the information processing device 100 determines which type of attack among the plurality of types of attacks a malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0049] [0146]); apply a security process to a first network communication based at least in part on the first status (Taniguchi discloses the information processing device 100 may be applied to a situation in which the object domain is considered to be a malicious domain and it is determined which type of attack the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0057]. When it is determined that the behavior of the object domain corresponds to the behavior of the malicious domain used for any type of attack, the information processing device 100 transmits a feature utilized in the determination to the client device 201 that is the transmission source of the object behavior data, in association with the object domain [0064][0067-0068]. Output unit allow to notify the user of the processing result of at least one of the functional unites [0131]. The output unit 405 may make it easier for the security officer to take countermeasures against the attack, or make it easier for the security officer to explain to the responsible party the attack [0132][0037]). Although Taniguchi discloses first and second status based on the change of the web-domain, Taniguchi does not explicitly teach but Neel teaches wherein the web-domain is identified as having a first status as indicated by a web-domain security database (Neel teaches a security server 101 may receive and analyze network traffic logs containing domain names to identify potentially malicious or otherwise problematic domains [Col 5 lines 40-67]) and the web-domain is accessible by the network security appliance via at least one network connection (Neel teaches proxy server 103 is a computing device configured to manage network communications between enterprise computing devices, such as client computer workstations, and external resources accessible via the network 110, such as websites or web-based applications hosted on the external servers 112 [Col 6 lines 26-38]. the proxy server 103 may receive and forward a request for a webpage hosted on a particular external server 112a, where the request originated from a client computer of the enterprise. In this example, the proxy server 103 may generate a data record in a log file containing the source domain name (e.g., DomainA.com), and the source IP address (e.g., the IP address of the client computer or an enterprise IP address) [Col 6 line 48 -Col 7 line 3][Col 12 line 55 – Col 13 line 2]); modify the first status to a second status in the web-domain security database in real-time during processing of the first network communication by the processing resource based at least in part on the change in the at least one characteristic of the web-domain identified from the first network communication (Neel teaches the security server 101 upon determining that the credibility score for the unique domain name fails an acceptability threshold, the security server 101 may update the case management database with the details of the unique domain names that failed the acceptability threshold. [Col 8 lines 11-25]); and apply a second security process to a second network communication received subsequent to the first network communication by the same network security appliance based at least in part on the second status as indicated by the web-domain security database (Neel teaches the security server 101 may transmit an alert to one or more administrator devices 111 identifying the unique domain names that failed the acceptability threshold [Col 8 lines 11-25][Col 5 lines 19-39][Col 12 lines 1-11]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by Taniguchi to include wherein the web-domain is identified as having a first status as indicated by a web-domain security database and the web-domain is accessible by the network security appliance via the network connection; modify the first status to a second status in the web-domain security database by the processing resource based at least in part on the change in the at least one characteristic of the web-domain; and apply a second security process to a second network communication received subsequent to the first network communication by the same network security appliance based at least in part on the second status as indicated by the web-domain security database as disclosed by Neel. One of ordinary skill in the art would have been motivated for the purpose of prevent the user from accessing the website of domain that have been identified as malicious, improves cybersecurity (Neel [Col 2 lines 40-67][Col 13 lines 3-19]). Taniguchi discloses a web-domain re-categorization application ([0039][0042-0043][0088]) and a web-domain security database ([0064][0143][0146]), the combination of Taniguchi-Neel do not explicitly teach but Pan teaches the network security appliance having access to at least a we-domain re-categorization application and a web-domain security database (Pan teaches one or more Interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 102 with various devices coupled to system 102. Interface(s) 206 may also provide a communication pathway for one or more components of system 102. Examples of such components include, but are not limited to, processing engine(s) 208 and database 210 [0040]. Engine(s) 208 may include a processing resource [0041]. Engine(s) 218 can implement functionalities that supplement applications or functions performed by management device 102 or processing engine 208 [0042]); a network interface coupled with the processing resource (Pan teaches one or more Interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 102 with various devices coupled to system 102. Interface(s) 206 may also provide a communication pathway for one or more components of system 102. Examples of such components include, but are not limited to, processing engine(s) 208 and database 210 [0040]. Engine(s) 208 may include a processing resource [0041]), the network interface to provide a network connection to the web-domain re-categorization application and the web-domain security database (Pan teaches one or more Interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 102 with various devices coupled to system 102. Interface(s) 206 may also provide a communication pathway for one or more components of system 102. Examples of such components include, but are not limited to, processing engine(s) 208 and database 210 [0040]. Engine(s) 208 may include a processing resource [0041]. Engine(s) 218 can implement functionalities that supplement applications or functions performed by management device 102 or processing engine 208 [0042]); wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input (Pan teaches system 102 receives a packet associated with a network traffic flow between an external source computing device 112 and an internal destination computing device 106. Determine whether the packet is a first packet or not [0036]. System 102 implements an anti-replay policy [0036]. The anti-replay policy may indicate a type of anti-replay checking to be performed on a matching network traffic flow in terms of “default,” “disable,” “loose,” or “tight.” [0037]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by Taniguchi to include the network security appliance having access to at least a we-domain re-categorization application and a web-domain security database; a network interface coupled with the processing resource, the network interface to provide a network connection to the web-domain re-categorization application and the web-domain security database; wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input as disclosed by Pan. One of ordinary skill in the art would have been motivated for the purpose of protecting a private network (Pan [0005]). Re. claim 11, rejection of claim 10 is included and claim 11 is rejected with the same rationale as applied in claim 2 above. Re. claim 12, rejection of claim 11 is included and claim 12 is rejected with the same rationale as applied in claim 3 above. Re. claim 15, rejection of claim 10 is included and claim 15 is rejected with the same rationale as applied in claim 6 above. Re. claim 16, rejection of claim 10 is included and claim 16 is rejected with the same rationale as applied in claim 7 above. Re. claim 19, Taniguchi discloses a non-transitory computer-readable storage medium embodying a set of instructions, which when executed by a processing resource, causes a network security appliance to (Taniguchi discloses the information processing device 100 includes a central processing unit (CPU) 301, a memory 302, a network interface (I/F) 303, a recording medium I/F 304, and a recording medium 305 [0074][0075]. A nonvolatile memory that stores data [0077]): determine, by a network security appliance, a change in at least one characteristic of a web-domain, wherein the change in the at least one characteristic is detected during processing of the first network communication by the network security appliance, wherein the web-domain is identified as having a first status (Taniguchi discloses the information processing device 100 is applied to a situation for determining whether or not the behavior of the object domain corresponds to the behavior of the legitimate domain or which type of attack the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0056]. the information processing device 100 determines which type of attack among the plurality of types of attacks a malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0049] [0146]); apply a security process to a first network communication based at least in part on the first status (Taniguchi discloses the information processing device 100 may be applied to a situation in which the object domain is considered to be a malicious domain and it is determined which type of attack the malicious domain is used for with regard to the behavior of the object domain when corresponding to the behavior of the malicious domain [0057]. When it is determined that the behavior of the object domain corresponds to the behavior of the malicious domain used for any type of attack, the information processing device 100 transmits a feature utilized in the determination to the client device 201 that is the transmission source of the object behavior data, in association with the object domain [0064][0067-0068]. Output unit allow to notify the user of the processing result of at least one of the functional unites [0131]. The output unit 405 may make it easier for the security officer to take countermeasures against the attack, or make it easier for the security officer to explain to the responsible party the attack [0132][0037]). Although Taniguchi discloses first and second status based on the change of the web-domain, Taniguchi does not explicitly teach but Neel teaches wherein the web-domain is identified as having a first status as indicated by a web-domain security database (Neel teaches a security server 101 may receive and analyze network traffic logs containing domain names to identify potentially malicious or otherwise problematic domains [Col 5 lines 40-67]) and the web-domain is accessible by the network security appliance via at least one network connection (Neel teaches proxy server 103 is a computing device configured to manage network communications between enterprise computing devices, such as client computer workstations, and external resources accessible via the network 110, such as websites or web-based applications hosted on the external servers 112 [Col 6 lines 26-38]. the proxy server 103 may receive and forward a request for a webpage hosted on a particular external server 112a, where the request originated from a client computer of the enterprise. In this example, the proxy server 103 may generate a data record in a log file containing the source domain name (e.g., DomainA.com), and the source IP address (e.g., the IP address of the client computer or an enterprise IP address) [Col 6 line 48 -Col 7 line 3][Col 12 line 55 – Col 13 line 2]); modify the first status to a second status in the web-domain security database in real-time during processing of the first network communication by the processing resource based at least in part on the change in the at least one characteristic of the web-domain identified from the first network communication (Neel teaches the security server 101 upon determining that the credibility score for the unique domain name fails an acceptability threshold, the security server 101 may update the case management database with the details of the unique domain names that failed the acceptability threshold. [Col 8 lines 11-25][Col 6 lines 6-17][Col 3 lines 14-52]); and apply a second security process to a second network communication received subsequent to the first network communication by the same network security appliance based at least in part on the second status as indicated by the web-domain security database (Neel teaches the security server 101 may transmit an alert to one or more administrator devices 111 identifying the unique domain names that failed the acceptability threshold [Col 8 lines 11-25][Col 5 lines 19-39][Col 12 lines 1-11]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by Taniguchi to include wherein the web-domain is identified as having a first status as indicated by a web-domain security database and the web-domain is accessible by the network security appliance via at least one network connection; modify the first status to a second status in the web-domain security database by the processing resource based at least in part on the change in the at least one characteristic of the web-domain; and apply, by the processing resource, a second security process to a second network communication based at least in part on the second status as indicated by the web-domain security database as disclosed by Neel. One of ordinary skill in the art would have been motivated for the purpose of prevent the user from accessing the website of domain that have been identified as malicious, improves cybersecurity (Neel [Col 2 lines 40-67][Col 13 lines 3-19]). Taniguchi discloses a web-domain re-categorization application ([0039][0042-0043][0088]) and a web-domain security database ([0064][0143][0146]), the combination of Taniguchi-Neel do not explicitly teach but Pan a network security appliance having access to at least a web-domain re-categorization application and network access to a web-domain security database (Pan teaches one or more Interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 102 with various devices coupled to system 102. Interface(s) 206 may also provide a communication pathway for one or more components of system 102. Examples of such components include, but are not limited to, processing engine(s) 208 and database 210 [0040]. Engine(s) 208 may include a processing resource [0041]. Engine(s) 218 can implement functionalities that supplement applications or functions performed by management device 102 or processing engine 208 [0042]), the network security appliance having a hardware processor with access to at least a web-domain re-categorization application and network access to a web-domain security database (Pan teaches one or more Interface(s) 206. Interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like. Interface(s) 206 may facilitate communication of system 102 with various devices coupled to system 102. Interface(s) 206 may also provide a communication pathway for one or more components of system 102. Examples of such components include, but are not limited to, processing engine(s) 208 and database 210 [0040]. Engine(s) 208 may include a processing resource [0041]. Engine(s) 218 can implement functionalities that supplement applications or functions performed by management device 102 or processing engine 208 [0042]); wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input (Pan teaches system 102 receives a packet associated with a network traffic flow between an external source computing device 112 and an internal destination computing device 106. Determine whether the packet is a first packet or not [0036]. System 102 implements an anti-replay policy [0036]. The anti-replay policy may indicate a type of anti-replay checking to be performed on a matching network traffic flow in terms of “default,” “disable,” “loose,” or “tight.” [0037]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by Taniguchi to include a network security appliance operating as a gateway between a secured network and an outside network, the network security appliance having a hardware processor with access to at least a web-domain re-categorization application and network access to a web-domain security database; wherein modifying the first status to the second status causes the network security appliance to automatically enforce a different security policy for the second network communication at the network security appliance during forwarding of the second network communication between the secured network and the outside network without requiring external input as disclosed by Pan. One of ordinary skill in the art would have been motivated for the purpose of protecting a private network (Pan [0005]). Re. claim 20, rejection of claim 19 is included and claim 20 is rejected with the same rationale as applied in claim 4 above. Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Taniguchi (GB 2604207) in view of Neel (US 11457022) Pan (US 20210203698) and in further view of Beaumont et al. (US 10104103, hereinafter Beaumont). Re. claim 5, the combination of Taniguchi-Neel-Pan teach the method of claim 1, the combination of Taniguchi-Neel-Pan do not explicitly teach but Beaumont teaches wherein the at least one characteristic of the web- domain is an indication the web-domain is for sale (Beaumont teaches the system may be configured to assign a relatively low risk (e.g., a low risk level) to a domain that merely includes a placeholder site (e.g., advertising the site for sale), or is otherwise not utilizing the domain for malicious reasons (e.g., as a hate site, etc.) [Col 9 lines 54-63]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by the combination of Taniguchi-Neel-Pan to wherein the at least one characteristic of the web- domain is an indication the web-domain is for sale as disclosed by Beaumont. One of ordinary skill in the art would have been motivated for the purpose of indicating that the web-domain is at low risk (Beaumont [Col 9 lines 54-63]). Re. claim 14, rejection of claim 10 is included and claim 14 is rejected with the same rationale as applied in claim 5 above. Claims 8-9 and 17-18 rejected under 35 U.S.C. 103 as being unpatentable over Taniguchi (GB 2604207) in view of Neel (US 11457022) Pan (US 20210203698) and in further view of Mayer et al. (US 20230118679, hereinafter Mayer). Re. claim 8, the combination of Taniguchi-Neel-Pan teach the method of claim 1, the combination of Taniguchi-Neel-Pan do not explicitly teach but Mayer teaches wherein modifying the first status to the second status includes: writing the second status to a web-domain security database in relation to the web-domain (Mayer teaches the system may include lists in the datastores or databases of the system(s) 100/200. For example, a list of all determined variants of the seed domain (referenced in the top left box of FIG. 3) may be stored in a datastore of the system 100/200 and/or in a local datastore of a user. This may include datastores for each of the different categories within the list, such as a datastore (or database table, for example) for all domains recommended for purchase, a datastore (or database table) for all pre-malicious domains (and/or a datastore for all uncategorized domains, a datastore for all parked domains, etc.) and so forth [0075]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by the combination of Taniguchi-Neel-Pan to writing the second status to a web-domain security database in relation to the web-domain as disclosed by Mayer. One of ordinary skill in the art would have been motivated for the purpose of rank domains to determine relevant categories, resistant to malicious attacks and correctly identify malicious domains (Mayer [0075][0093-0094]). Re. claim 9, the combination of Taniguchi-Neel-Pan teach the method of claim 8, the combination of Taniguchi-Neel-Pan do not explicitly teach but Mayer teaches wherein applying the security process to the second network communication based at least in part on the second status includes accessing the second status from the web-domain security database (Mayer teaches web server 114 for providing access to the systems and methods through one or more websites; one or more application servers 116 for allowing the admin or users to access elements and/or services of system 100 [0047]). Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to modify the device and method disclosed by the combination of Taniguchi-Neel-Pan to wherein applying the security process to the second network communication based at least in part on the second status includes accessing the second status from the web-domain security database as disclosed by Mayer. One of ordinary skill in the art would have been motivated for the purpose of rank domains to determine relevant categories, resistant to malicious attacks and correctly identify malicious domains (Mayer [0075][0093-0094]). Re. claim 17, rejection of claim 10 is included and claim 17 is rejected with the same rationale as applied in claim 8 above. Re. claim 18, rejection of claim 17 is included and claim 18 is rejected with the same rationale as applied in claim 9 above. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Chiba (US 20230308478) discloses the specifying device determines whether or not the domain name is a target of a re-determination as to whether or not the domain name is a malicious domain name on the basis of the specified candidates for the operation form of the domain name since the predetermined date and time. Moore (US 20150200820) discloses A load report is received from a client device, the load report indicating a result of an attempted loading of a web resource by an application on the client device. The web resource is hosted by a web server. A confidence score for the web server is adjusted based on the load report. The confidence score for the web server represents an operational state of the web server. If the result of the attempted loading of the web resource indicated by the load report is an unsuccessful result, a response is generated for the application on the client device, based on the confidence score for the web server, and the generated response is provided to the client device for processing by the application. Thayer (US 20140373097) discloses domain control validation is presented. At a certificate authority a request is received. The request includes a certificate signing request and a first Internet protocol address. The certificate signing request identifies a domain and a certificate. A second Internet protocol address for the domain is retrieved from a domain name system. When the first Internet protocol address is the same as the second Internet protocol address, the certificate is signed, and the signed certificate is transmitted to a requester of the request. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN A AYALA whose telephone number is (571)270-3912. The examiner can normally be reached Monday-Thursday 8AM-5PM; Friday: Variable EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KEVIN AYALA/Primary Examiner, Art Unit 2496
Read full office action

Prosecution Timeline

Show 6 earlier events
Jun 20, 2025
Response after Non-Final Action
Jul 23, 2025
Non-Final Rejection mailed — §103, §112
Oct 23, 2025
Response Filed
Jan 27, 2026
Final Rejection mailed — §103, §112
Mar 27, 2026
Response after Non-Final Action
Apr 27, 2026
Request for Continued Examination
May 03, 2026
Response after Non-Final Action
Jun 03, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683757
ADAPTIVE COUNTERMEASURE FOR BIT LEAKAGE IN LATTICE-BASED CRYPTOGRAPHY
3y 6m to grant Granted Jul 14, 2026
Patent 12659143
METHOD AND DEVICE FOR CORRECTING POLARIZATION DISTORTION OF FARADAY ROTATOR MIRROR FOR QUANTUM KEY DISTRIBUTION IN COMMUNICATION SYSTEM
3y 3m to grant Granted Jun 16, 2026
Patent 12549375
DEFINING AND MANAGING FORMS IN A DISTRIBUTED LEDGER TRUST NETWORK
4y 9m to grant Granted Feb 10, 2026
Patent 12542684
SOCIAL MEDIA CONTENT MANAGEMENT SYSTEMS
4y 8m to grant Granted Feb 03, 2026
Patent 12542675
SYSTEMS AND METHODS FOR ENCRYPTED MULTIFACTOR AUTHENTICATION USING IMAGING DEVICES AND IMAGE ENHANCEMENT
2y 2m to grant Granted Feb 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
64%
Grant Probability
93%
With Interview (+28.6%)
3y 5m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 169 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month