Prosecution Insights
Last updated: July 17, 2026
Application No. 18/047,334

SYSTEM AND METHODS FOR DYNAMIC ORCHESTRATION OF DEEP PACKET INSPECTION PROBES

Final Rejection §103
Filed
Oct 18, 2022
Priority
Aug 22, 2022 — IN 202241047611
Examiner
DOAN, HIEN VAN
Art Unit
2449
Tech Center
2400 — Computer Networks
Assignee
Verizon Communications Inc.
OA Round
2 (Final)
51%
Grant Probability
Moderate
3-4
OA Rounds
5m
Est. Remaining
86%
With Interview

Examiner Intelligence

Grants 51% of resolved cases
51%
Career Allowance Rate
93 granted / 181 resolved
-6.6% vs TC avg
Strong +35% interview lift
Without
With
+35.0%
Interview Lift
resolved cases with interview
Typical timeline
4y 2m
Avg Prosecution
12 currently pending
Career history
199
Total Applications
across all art units

Statute-Specific Performance

§101
1.6%
-38.4% vs TC avg
§103
88.4%
+48.4% vs TC avg
§102
8.1%
-31.9% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 181 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Response to Arguments 112 Rejection: The applicant's amendment and remarks filed on 02/02/2026. Therefore the 35 U.S.C. 112 rejection of the previous rejection is withdrawn. Prior Art Reiection: Applicant's arguments to claim 1 have been fully considered but they are deemed not persuasive. Please see the new mapping in below. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1,148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under pre- AIA 35 U.S.C. 103(a) are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1, 3, 5, 7-10, 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Delatorre (US20130333032) in view of Harrison (US20170235951). Regarding claim 1: Delatorre teaches A method, comprising: receiving, by a network device, a first event report for a critical severity event in a network ([0004] malware or social engineering event or combination of events will be collectively called a "security attack. [0048] CRM server 41 receives information from the correlation engine 40 and the logic engine 42 … The information from the correlation engine 40 and the logic engine 42 may include the nature of the security attack) storing, by the network device, the first event report with other event reports to form an event data set ([0048] CRM server 41 receives information … stores the information in a record for the respective account. The information from the correlation engine 40 and the logic engine 42 may include the nature of the security attack. [0033] analyzes the information received from the computing device 13d and identifies the website as being one that hosts phishing scams. Accordingly, since the signature of the information (i.e., nefarious website) is consistent with a list of blacklisted websites stored in a database of the server 39 (i.e., predefined criterion), this is considered a single security event. The user may be warned of the security risk but may still be allowed to access the site. This event may be recorded and added to the respective client's records for further evaluation and/or notification of the client. Consider this as a first event); correlating, by the network device, the event data set with a monitoring condition ([0030] Patterns that are common to a security attack are evaluated … signatures based on malware indicia may be based on prior knowledge of malware (e.g., predefined criterion) … data may be correlated against predetermined signatures in a database of the correlation engine 40. If the correlation matches identically to one of the signatures in the database, then a predefined criterion is met, rendering the data as a security attack and the computing device as possibly malware infected. [0052] When an event is detected by the malware detection server 39, the event information (e.g., type, date/time, etc.) are sent to the correlation engine … the signature of an event pattern is compared to predetermined criteria stored in a database of the correlation engine 40 … if a predetermined threshold of correspondence is met, it is indicative that there is a strong likelihood that malware is present); Delatorre does not explicitly disclose selecting, by the network device, a first workflow for a deep packet inspection (DPI) probe deployment that corresponds to the monitoring condition and sending, by the network device and to a service orchestrator device, a call to deploy a DPI probe in the network based on the first workflow. Harrison teaches selecting, by the network device, a first workflow for dynamically deploying a deep packet inspection (DPI) probe that corresponds to the monitoring condition (Harrison, fig. 5 [0130-0131] If the antivirus scanner identifies a malware component, the method 500 may proceed to step 508, which includes selecting one of a plurality of tools for malware-specific remediation of the malware component, thereby providing a selected tool. Selection of the tool may be performed by the secure virtual machine … remediate the malware component … installing the rootkit … a file deletion, a process termination, a removal of registry keys, and the like scanner. [0132] a specific removal tool is selected based upon an identified known malware component. Note: select a tool based on identified malware is selecting a first workflow for dynamically deploying) wherein the first workflow includes a deployment location and a type of the DPI probe ([0134-0135] receiving the selected tool at the virtual machine … installing the tool on the virtual machine. [0148-150] receiving a rootkit scanner at the virtual machine. The rootkit scanner may be configured to detect and identify rootkits, i.e. malicious software … The rootkit scanner may detect rootkits through behavioral-based, signature-based … installing the rootkit scanner. [0187] an on-demand scanning module may be sent from the secure virtual machine 1006 to the guest virtual machine 1008 for installation on the guest virtual machine 1008. Also see fig. 10, 1016. Note: install on virtual machine is a deployment location; tool to malicious software is a type of the DPI probe), sending, by the network device and to a service orchestrator device, a call to deploy a DPI probe in the network based on the first workflow (Harrison [0148-150] a tool selected by the secure virtual machine includes an antivirus tool, … receiving a rootkit scanner at the virtual machine. The rootkit scanner may be configured to detect and identify rootkits, i.e. malicious software … The rootkit scanner may detect rootkits through behavioral-based, signature-based … installing the rootkit scanner. Also see fig. 10, 1016). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Harrison and apply them on the teachings of Delatorre to further implement selecting, by the network device, a first workflow for a deep packet inspection (DPI) probe deployment that corresponds to the monitoring condition and sending, by the network device and to a service orchestrator device, a call to deploy a DPI probe in the network based on the first workflow. One would be motivated to do so because in order to improve better system and method a tool selected by the secure virtual machine, installing the rootkit scanner to detect and identify rootkits, i.e. malicious software. The rootkit scanner may detect rootkits through behavioral-based, signature-based (Harrison [0148-150]) Regarding claim 3: Delatorre teaches The method of claim 1, Delatorre does not explicitly teach receiving, by the network device, a second event report that indicates the critical severity event in the network is cleared, determining, by the network device and based on receiving the second event report, if a removal condition is satisfied, selecting, by the network device, a second workflow to remove the DPI probe, sending, by the network device and to the service orchestrator device, a call to initiate removal of the DPI probe in the network based on the second workflow. Harrison teaches further comprising: receiving, by the network device, a second event report that indicates the critical severity event in the network is cleared (Harrison [0004] transmitting the file to a secure virtual machine hosted by a hypervisor for the virtual machine, and analyzing the file with an antivirus scanner on the secure virtual machine. When the antivirus scanner identifies a known malware component. [0120] The secure virtual machine 407 hosted by the hypervisor 406 may receive the execution status 426 from the agent 410 for the selected tool 424. When the execution status 426 indicates a successful remediation); determining, by the network device and based on receiving the second event report, if a removal condition is satisfied (Harrison [0004] transmitting the file to a secure virtual machine hosted by a hypervisor for the virtual machine, and analyzing the file with an antivirus scanner on the secure virtual machine. When the antivirus scanner identifies a known malware component, the secure virtual machine may perform the steps of selecting one of a plurality of tools for malware-specific remediation of the known malware component [0120] The secure virtual machine 407 hosted by the hypervisor 406 may receive the execution status 426 from the agent 410 for the selected tool 424. When the execution status 426 (of secure VM 407 – see fig.4) indicates a successful remediation); selecting, by the network device, a second workflow to remove the DPI probe (Harrison [0151-0152] uninstalling the rootkit scanner … whether the rootkit scan was: a success, i.e. the rootkit scan was executed and returned a reliable result).; and sending, by the network device and to the service orchestrator device, a call to initiate removal of the DPI probe in the network based on the second workflow (Harrison [0148-0152] a tool selected by the secure virtual machine includes a rootkit removal tool … receiving a rootkit scanner at the virtual machine … uninstalling the rootkit scanner … whether the rootkit scan was: a success, i.e. the rootkit scan was executed and returned a reliable result). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Harrison and apply them on the teachings of Delatorre to further implement receiving, by the network device, a second event report that indicates the critical severity event in the network is cleared, determining, by the network device and based on receiving the second event report, if a removal condition is satisfied, selecting, by the network device, a second workflow to remove the DPI probe, sending, by the network device and to the service orchestrator device, a call to initiate removal of the DPI probe in the network based on the second workflow. One would be motivated to do so because in order to improve better system and method transmitting the file to a secure virtual machine hosted by a hypervisor for the virtual machine, and analyzing the file with an antivirus scanner on the secure virtual machine. When the antivirus scanner identifies a known malware component, the secure virtual machine may perform the steps of selecting one of a plurality of tools for malware-specific remediation of the known malware component, uninstalling the scanner whether the scan was a success (Harrison [0004] [0151-0152]) Regarding claim 5: Delatorre teaches The method of claim 1, wherein the network is a traffic network, and wherein the network device is in a service assurance platform that is separate from the traffic network (Delatorre, see fig. 1). Regarding claim 7: Delatorre teaches The method of claim 1, Delatorre does not explicitly disclose fetching, by the service orchestrator device and in response to the call, a software image for the DPI probe, notifying, by the service orchestrator device, the network device of a successful DPI probe deployment Harrison teaches further comprising: fetching, by the service orchestrator device and in response to the call, a software image for the DPI probe (Harrison [0187] an on-demand scanning module may be sent from the secure virtual machine 1006 to the guest virtual machine 1008 for installation on the guest virtual machine 1008. Note: it would be obvious in art that any software module is software image ); and notifying, by the service orchestrator device, the network device of a successful DPI probe deployment (Harrison [0187] an on-demand scanning module may be sent from the secure virtual machine 1006 to the guest virtual machine 1008 for installation on the guest virtual machine 1008 [0191] As shown by arrow 1024, the guest virtual machine 1008 may notify the secure virtual machine 1006 when the scan is complete). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Harrison and apply them on the teachings of Delatorre to further implement fetching, by the service orchestrator device and in response to the call, a software image for the DPI probe, notifying, by the service orchestrator device, the network device of a successful DPI probe deployment. One would be motivated to do so because in order to improve better system and method an on-demand scanning module may be sent from the secure virtual machine to the guest virtual machine for installation on the guest virtual machine, the guest virtual machine 1008 may notify the secure virtual machine 1006 when the scan is complete (Harrison [0187][0191]) Regarding claim 8: Delatorre teaches The method of claim 1, Delatorre does not explicitly disclose wherein selecting the first workflow for the DPI probe deployment includes selecting the first workflow, from multiple stored workflows, based on the monitoring condition Harrison teaches wherein selecting the first workflow for the DPI probe deployment includes: selecting the first workflow, from multiple stored workflows, based on the monitoring condition (Harrison. See fig. 5. [0128] As shown in step 506, the method 500 may include analyzing the file, e.g., with an antivirus scanner … If the antivirus scanner does not identify a malware component, the method 500 may proceed to step 509 where the file is allowed to be accessed/run/executed on the virtual machine … If the antivirus scanner identifies a malware component, the method 500 may proceed to step 508, which includes selecting one of a plurality of tools for malware-specific remediation of the malware component) . It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Harrison and apply them on the teachings of Delatorre to further implement wherein selecting the first workflow for the DPI probe deployment includes selecting the first workflow, from multiple stored workflows, based on the monitoring condition. One would be motivated to do so because in order to improve better system and method selecting one of a plurality of tools for malware-specific remediation of the malware component (Harrison [0128]) Regarding claim 9: Delatorre teaches The method of claim 1, Delatorre does not explicitly disclose wherein sending the call to deploy the DPI probe includes: sending a deployment location and a type of the DPI probe wherein the deployment location includes: Harrison teaches one or more of a region, a cluster, a namespace, or a tenant space for the network (Harrison [0187] an on-demand scanning module may be sent from the secure virtual machine 1006 to the guest virtual machine 1008 for installation on the guest virtual machine 1008. Note: the guest virtual machine is a tenant space) It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Harrison and apply them on the teachings of Delatorre to further implement wherein wherein the deployment location includes: one or more of a region, a cluster, a namespace, or a tenant space for the network. One would be motivated to do so because in order to improve better system and method scanning module may be sent from the secure virtual machine to the guest virtual machine or installation on the guest virtual machine (Harrison [0187]) Regarding to claim 16: [Rejection rational for claim 7 is applicable]. Regarding to claim 17: [Rejection rational for claim 9 is applicable]. Regarding to claims 10, 18: [Rejection rational for claim 1 is applicable]. Regarding to claim 11, 19: [Rejection rational for claim 3 is applicable]. Regarding to claim 14: Delatorre teaches The system of claim 10, wherein the network include at least one radio access network (RAN) and at least one core network (Delatorre. [0020] The system 10 allows users of the computing devices to initiate and receive telephone calls to each other. See fig. 1 for core network 21) Regarding to claim 15: Delatorre teaches The system of claim 10, wherein, when receiving the first event report, the processor of the network device is further configured to: receive the first event report via subscription a message bus topic ([0020] The system 10 allows users of the computing devices to initiate and receive telephone calls to each other as well as through the public switched telephone network (PSTN) 23 and telephone stations 25 connected thereto. The system 10 allows SMS type text messaging between mobile devices and similar messaging with other devices via the Internet. The system 10 typically offers a variety of other data services via the Internet 29, such as downloads, web browsing, e-mail, etc. Computing devices connected through the internet (e.g., 31) to the network 35 are also protected by the security and control). Claims 2, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Delatorre (US20130333032) in view of Harrison (US20170235951), further in view of Fanton (US20110167261). Regarding claim 2: Delatorre-Harrison teaches The method of claim 1, further comprising: deploying, by the service orchestrator device, the DPI probe in the network (Harrison [0148-150] a tool selected by the secure virtual machine … receiving a rootkit scanner at the virtual machine. The rootkit scanner may be configured to detect and identify rootkits, i.e. malicious software … The rootkit scanner may detect rootkits through behavioral-based, signature-based … installing the rootkit scanner); and Delatorre-Harrison does not explicitly disclose updating a license count for the DPI probe in response to the deploying. Fanton teaches updating a license count for the DPI probe in response to the deploying (Fanton, [0060] enforce concurrent instance limitations on particular software applications ... a monitored application is launched, the vailable license count may be decremented. When that instance of the application terminates, the floating license server 120 is notified so that it can increment the available license count [0030] to malware protection … monitor and track software use activity; software license management. [0050] the code module is being monitored by a floating license server); It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Fanton and apply them on the teachings of Delatorre-Harrison to further implement updating a license count for the DPI probe in response to the deploying. One would be motivated to do so because in order to improve better system and method enforce concurrent instance limitations on particular software applications, a monitored application is launched, the vailable license count may be decremented (Harrison [0148-150]) Regarding to claim 13: [Rejection rational for claim 2 is applicable]. Claims 4, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Delatorre (US20130333032) in view of Harrison (US20170235951), further in view of Tal (US11281442 B1). Regarding claim 4: Delatorre-Harrison teaches The method of claim 3, further comprising: removing, by the service orchestrator device, the DPI probe (Harrison [0151-0152] uninstalling the rootkit scanner … whether the rootkit scan was: a success, i.e. the rootkit scan was executed and returned a reliable result); and Delatorre-Harrison does not explicitly disclose updating a license count for the DPI probe in response to the removing the DPI probe. Tal teaches updating a license count for the DPI probe in response to the removing the DPI probe (Col 25 lines 56-60 “each entitlement can include a count of licenses (e.g., 1, 10, 50, etc.), and an entitlement with a count of n may be also referred to as n entitlements. An entitlement can refer to or be associated with a software model to specify the software application being licensed”. Col 21 lines 51-56 “assessment of the licensing status of these software applications. This assessment may involve recommendations to obtain more licenses, reduce the number of obtained licenses, change the license type for some installed software applications, remove some of these installation”. Note: Tal teaches an entitlement associated with a software model that include a license (see FIG. 9C), when uninstalling the software, the license would be uninstalled. Therefore the number of obtained licenses should be reduced ( see mapping above) It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Tal and apply them on the teachings of Delatorre-Harrison to further implement updating a license count for the DPI probe in response to the removing the DPI probe. One would be motivated to do so because in order to improve better system and method reduce the number of obtained licenses, when remove some of software installation (Tal Col 21 lines 51-56) Regarding to claim 12: [Rejection rational for claim 4 is applicable]. Claims 6, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Delatorre (US20130333032) in view of Harrison (US20170235951), further in view of Chaubey (US11258774B1). Regarding claim 6: Delatorre-Harrison teaches The method of claim 1, Delatorre-Harrison does not explicitly disclose normalizing, by the network device, the first event report to conform with the other event reports. Chaubey teaches further comprising: normalizing, by the network device, the first event report to conform with the other event reports (Col 6 lines 36-42 “the network device decrypts the record. The network device may decrypt the record to enable the record to be processed by the network device. For example, the network device may include a security device (e.g., a firewall) and may decrypt the record to enable a deep packet inspection and/or another process for identifying a security issue to be performed on the record”. Col 3 lines 44-47 “the network device may receive hundreds, thousands, tens of thousands, or even hundreds of thousands of encrypted TLS/SSL records” Col 8 lines 54-55 “The retransmission data structure may include TLS/SSL record meta-info entries for records decrypted. records decrypted. See Spec [0045] normalize the critical severity events obtained from message bus 270, such as formatting alarm data of network functions) It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention to take the teachings of Chaubey and apply them on the teachings of Delatorre-Harrison to further implement normalizing, by the network device, the first event report to conform with the other event reports. One would be motivated to do so because in order to improve better system and method to decrypt the record to enable a deep packet inspection and/or another process for identifying a security issue to be performed on the record (Chaubey Col 6 lines 36-42) Regarding to claim 20: [Rejection rational for claim 6 is applicable]. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. This action is a final rejection and is intended to close the prosecution of this application. Applicant’s reply under 37 CFR 1.113 to this action is limited either to an appeal to the Patent Trial and Appeal Board or to an amendment complying with the requirements set forth below. If applicant should desire to appeal any rejection made by the examiner, a Notice of Appeal must be filed within the period for reply identifying the rejected claim or claims appealed. The Notice of Appeal must be accompanied by the required appeal fee. If applicant should desire to file an amendment, entry of a proposed amendment after final rejection cannot be made as a matter of right unless it merely cancels claims or complies with a formal requirement made earlier. Amendments touching the merits of the application which otherwise might not be proper may be admitted upon a showing a good and sufficient reasons why they are necessary and why they were not presented earlier. A reply under 37 CFR 1.113 to a final rejection must include the appeal from, or cancellation of, each rejected claim. The filing of an amendment after final rejection, whether or not it is entered, does not stop the running of the statutory period for reply to the final rejection unless the examiner holds the claims to be in condition for allowance. Accordingly, if a Notice of Appeal has not been filed properly within the period for reply, or any extension of this period obtained under either 37 CFR 1.136(a) or (b), the application will become abandoned. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEN DOAN whose telephone number is 571 272-4317. The examiner can normally be reached on Monday-Thursday and biweekly Friday 9am-6pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SRIVASTAVA VIVEK can be reached on 571-272-7304(571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HIEN V DOAN/Examiner, Art Unit 2449 /VIVEK SRIVASTAVA/Supervisory Patent Examiner, Art Unit 2449
Read full office action

Prosecution Timeline

Oct 18, 2022
Application Filed
Nov 20, 2025
Non-Final Rejection mailed — §103
Feb 02, 2026
Response Filed
Jun 08, 2026
Final Rejection mailed — §103
Jul 15, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641141
IDENTIFYING AN HTTP RESOURCE USING MULTI-VARIANT HTTP REQUESTS
8y 2m to grant Granted May 26, 2026
Patent 12615317
INTERACTIVE CUSTOMIZED PUSH NOTIFICATIONS WITH CUSTOMIZED ACTIONS
7y 2m to grant Granted Apr 28, 2026
Patent 12542722
AUTOMATED INITIATION OF HELP SESSION IN A VIDEO STREAMING SYSTEM
4y 1m to grant Granted Feb 03, 2026
Patent 12470569
ANOMALY DETECTION RELATING TO COMMUNICATIONS USING INFORMATION EMBEDDING
3y 11m to grant Granted Nov 11, 2025
Patent 12443717
METHODS & PROCESSES TO SECURELY UPDATE SECURE ELEMENTS
3y 4m to grant Granted Oct 14, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
51%
Grant Probability
86%
With Interview (+35.0%)
4y 2m (~5m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 181 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month