Prosecution Insights
Last updated: May 29, 2026
Application No. 18/050,900

THREAT RELEVANCY BASED ON USER AFFINITY

Final Rejection §103
Filed: Oct 28, 2022
Examiner: MAYE, AYUB A
Art Unit: 2436
Tech Center: 2400 — Computer Networks
Assignee: International Business Machines Corporation
OA Round: 4 (Final)

Grant Probability: 58% (Moderate)
OA Rounds: 5-6
Est. Remaining: 11m
With Interview: 99%

Examiner Intelligence

Career Allowance Rate: 58% (grants 58% of resolved cases; 377 granted / 653 resolved; at TC average)
Interview Lift: +41.7% (strong, about +42%) across resolved cases with interview
Typical timeline: 4y 6m avg prosecution; 23 currently pending
Career history: 685 total applications across all art units

Statute-Specific Performance

§101: 0.3% (-39.7% vs TC avg)
§103: 88.6% (+48.6% vs TC avg)
§102: 6.8% (-33.2% vs TC avg)
§112: 1.3% (-38.7% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 653 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 5-11, 13-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bhise et al (2024/0054406) in view of Kapoor et al (2024/0106846), Nelson et al (2021/0382911) and Wolff et al (2020/0259852).
For claim 1, Bhise teaches a method (abstract) comprising: accessing training data from a set of users within a security system, by a processor executing a security system platform in the security system (Bhise teaches accessing the training data system to update or check the data by extracting the training data, as Bhise teaches in par.6, lines 1-4 and par.50, lines 1-3), the training data comprising at least one of: indicators of compromise (IoC), security observables, or artifacts (Bhise teaches that the training data comprises artifacts, as Bhise teaches in par.54, lines 3-7 and par.58, lines 2-4); enriching the training data, by the processor executing the security system platform, to generate enriched training data (Bhise teaches enriching the training data in order to generate enriched data, as Bhise teaches in par.73, lines 1-6) by applying a first enrichment operation to the training data to generate initial enriched training data (par.73, lines 3-6), wherein the first enrichment operation uses the collected feature data comprising at least one of email addresses, uniform resource locators (URLs), internet protocol (IP) addresses, or countries of origin (Bhise teaches that AMLPG can provide representations of email and IP addresses as additional features, as Bhise teaches in par.80); and applying a second enrichment operation to the initial enriched training data to generate the enriched training data (Bhise teaches that after the system went through the original enrichment and validation, the system will then enrich the validation, as Bhise teaches in par.74-75), wherein the second enrichment operation uses types of vulnerabilities (Bhise teaches that AMLPG can enrich other variables that are known to be important for fraud, such as, for example, phone numbers and addresses, as Bhise teaches in par.78).

Bhise fails to teach wherein the training data is automatically collected without any user interaction, and is based on an attack surface and monitored user entered queries of each user of the set of users; creating clusters of the users, by the processor executing the security system platform, based on similarity of the enriched training data between the users; determining a risk posture, by the processor executing the security system platform, of a cluster of users based on relevancy of a risk detected by a user in the cluster; collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users; and providing proactive notifications, without user input by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster. Kapoor teaches, in a similar system, creating clusters of the users, by the processor executing the security system platform, based on similarity of the enriched training data between the users (Kapoor teaches creating clusters of the users that share common behavior or types, as Kapoor teaches in par.253, lines 1-6 and par.294, lines 1-3); and determining a risk posture, by the processor executing the security system platform, of a cluster of users based on relevancy of a risk detected by a user in the cluster (Kapoor teaches that after the system clusters users together it will generate alerts based on the clusters, as Kapoor teaches in par.208, lines 1-5 and par.209, lines 1-10, par.638 risk behavior based security, figs. 5 and 15B). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include creating clusters of users as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208).
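The method of claim 1 as laid out above (accessing observables, two enrichment passes, clustering users by similarity of the enriched data, determining a cluster's risk posture from a risk one member detected, and notifying the cluster proactively) reads as one pipeline. The following Python is an added example written for this page; it is not code from the application, from the assignee, or from any of the cited references (Bhise, Kapoor, Nelson, Wolff). It also folds in the claim 10 step of aggregating collected features into a per-user profile before clustering. The observables, the IP-to-country and observable-to-vulnerability-type lookup tables, the Jaccard threshold and the relevancy threshold are all constructed for the demonstration, and the choice of single-linkage clustering over Jaccard similarity is an assumption, not something the claims specify.

```python
"""Toy version of the claimed pipeline: enrich per-user observables, aggregate
them into user profiles, cluster users by profile similarity (user affinity),
score how relevant a risk seen by one user is to the rest of its cluster, and
decide who receives a proactive notification. Added example; all data and
lookup tables below are constructed, not taken from the application."""
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlparse

# Constructed enrichment sources (assumptions, not real intelligence feeds).
IP_COUNTRY = {"203.0.113.7": "XX", "198.51.100.9": "YY", "192.0.2.4": "XX"}
VULN_TYPE = {                      # observable -> associated vulnerability type
    "203.0.113.7": "credential-stuffing", "192.0.2.4": "credential-stuffing",
    "bad.example": "phishing", "mal.example": "malware-dropper",
}

# Constructed per-user observables (IoCs / artifacts) as (kind, value) pairs.
RAW_OBSERVABLES = {
    "alice": [("email", "hr@bad.example"), ("ip", "203.0.113.7")],
    "bob":   [("url", "http://bad.example/login"), ("ip", "203.0.113.7")],
    "carol": [("email", "noreply@mal.example"), ("ip", "198.51.100.9")],
    "dave":  [("ip", "192.0.2.4"), ("url", "http://bad.example/reset")],
}


def enrich_once(observables):
    """First enrichment: email domain, URL host, IP and IP country features."""
    feats = set()
    for kind, value in observables:
        if kind == "email":
            feats.add("domain:" + value.rsplit("@", 1)[-1])
        elif kind == "url":
            feats.add("host:" + (urlparse(value).hostname or value))
        elif kind == "ip":
            feats.add("ip:" + value)
            if value in IP_COUNTRY:
                feats.add("country:" + IP_COUNTRY[value])
    return feats


def enrich_twice(feats):
    """Second enrichment: attach the vulnerability type tied to each feature."""
    out = set(feats)
    for f in feats:
        key = f.split(":", 1)[1]
        if key in VULN_TYPE:
            out.add("vuln:" + VULN_TYPE[key])
    return out


def risk_features(observables):
    """Enriched feature set for a risk (or a user) from raw observables."""
    return enrich_twice(enrich_once(observables))


def build_profiles(raw):
    """Aggregate each user's enriched observables into one feature profile."""
    return {user: risk_features(obs) for user, obs in raw.items()}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_users(profiles, threshold):
    """Single-linkage clustering: profiles overlapping >= threshold share a cluster."""
    parent = {u: u for u in profiles}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for a, b in combinations(profiles, 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for u in profiles:
        clusters[find(u)].add(u)
    return sorted(clusters.values(), key=lambda s: sorted(s))


def cluster_risk_posture(cluster, profiles, reporter, risk_feats):
    """Relevancy of a risk reported by one member to the other members: the
    fraction whose profile shares a risk feature. Country-level features are
    ignored so a shared country alone does not make a risk relevant."""
    others = cluster - {reporter}
    key_feats = {f for f in risk_feats if not f.startswith("country:")}
    exposed = {u for u in others if profiles[u] & key_feats}
    relevancy = len(exposed) / len(others) if others else 0.0
    return relevancy, exposed


def proactive_notifications(clusters, profiles, reporter, risk_feats, min_relevancy):
    """Users to notify without being asked: the rest of the reporter's cluster,
    if the reported risk is relevant enough to that cluster."""
    cluster = next(c for c in clusters if reporter in c)
    relevancy, _ = cluster_risk_posture(cluster, profiles, reporter, risk_feats)
    return sorted(cluster - {reporter}) if relevancy >= min_relevancy else []


if __name__ == "__main__":
    profiles = build_profiles(RAW_OBSERVABLES)
    clusters = cluster_users(profiles, threshold=0.5)
    print("clusters:", [sorted(c) for c in clusters])
    seen = risk_features([("ip", "203.0.113.7")])          # alice reports this IP
    print("notify:", proactive_notifications(clusters, profiles, "alice", seen, 0.5))
```

Running the module prints the clusters and the notification decision. With the constructed data, alice, bob and dave end up in one cluster because they share the phishing host and the credential-stuffing indicators, while carol stays alone; a risk alice reports on the shared IP is relevant to the whole cluster, whereas a risk built from an unrelated host matches nobody else's profile and triggers no notification.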
Bhise, as modified by Kapoor, does not explicitly teach providing proactive notifications, without user input by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster. Nelson teaches, in a similar system, providing proactive notifications, by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster (Nelson teaches that advisor Mode-Users can get an Improves communication and alert when a schema anti-patterns reduces user burden (e.g., in for applications in production is visiting the tool to see detected. recommendations), administration Teams/Sales/ Users may not make changes CSMs have a way to proactively even with performance issues, and identify customers/clusters with The System can notify the user, bad schemas, so that they can take automatic action, and/or proactively reach out, as Nelson teaches in par.40, Table A). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor, to include providing proactive notifications as taught and suggested by Nelson for the purpose of improving communication and alert when a schema anti-patterns reduces user burden (e.g., in for applications in production is visiting the tool to see detected. recommendations), and because identifying problems to enable outside technical experts to proactively resolve them is an enhancement not available in many conventional approaches (Nelson, par.40).
Bhise, as modified by Kapoor and Nelson, does not explicitly teach wherein the training data is automatically collected without any user interaction, and is based on an attack surface and monitored user entered queries of each user of the set of users; collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users; and providing proactive notifications, without user input by the processor executing the security system platform. Wolff teaches, in a similar system, wherein the training data is automatically collected without any user interaction, and is based on an attack surface (Wolff teaches that the collected and analyzed data may be used to perform threat detection and to provide recommendations concerning appropriate responses to different categories of threats, analyzed (e.g., manually or automatically) to identify a baseline set of activities for specific users (or classes of users), provide visibility and auditing capabilities across an entire organization, and identify various anomalies which may indicate malicious behavior emanating from within and/or directed at the organization through the various application services; response, attack surface area optimization or minimization, community detection, anomaly detection, and general visibility and auditing, as Wolff teaches in par.21, 36 and 39-40) and monitored user entered queries of each user of the set of users (Wolff teaches a complete set of data collected by the system, a set of data transformations, queries, and/or models needed to determine optimal preventative controls that should be deployed into the cloud application, as Wolff teaches in par.52), collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users (Wolff teaches identifying various anomalies which may indicate malicious behavior emanating from within and/or directed at the organization through the various application services, as Wolff teaches in par.36 and 37), and providing proactive notifications, without user input by the processor executing the security system platform (Wolff teaches initializing an alert (via an SMS message to a system administrator, for example) with respect to threats on certain cloud services and/or proactively securing cloud services on which a user maintains data by applying remedial measures, such as adding additional steps to authentication, changing passwords, blocking a particular IP address or addresses, blocking email messages or senders, and/or locking accounts, as Wolff teaches in par.29). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor and Nelson, to include training data automatically collected without any user interaction and based on an attack surface, and proactive notifications without user input, as taught and suggested by Wolff for the purpose of increasing the efficiency with which it detects and responds to various incidents, and also minimizing or optimizing its “attack surface area,” to make the organization less vulnerable to security incidents (Wolff, par.4).

For claim 5, Bhise, as modified by Kapoor, Nelson and Wolff, further teaches splitting the enriched training data into sets based on maliciousness, the sets comprising a first set corresponding to benign activities and a second set corresponding to malicious activities (Bhise teaches dividing the set of data into two or three sets and labeling the sets after the data is enriched, as Bhise teaches in par.75-77).

For claims 6, 13 and 18, Bhise, as modified by Kapoor, Nelson and Wolff, further teaches the enriched training data between the users (par.73, lines 3-6). But Bhise fails to teach wherein creating the clusters of users based on a similarity of the data between the users comprises identifying user affinity between users in a cluster of users.
Kapoor further teaches wherein creating the clusters of users based on a similarity of the data between the users comprises identifying user affinity between users in a cluster of users (par.208, lines 1-5, par.209, lines 1-6 and par.253, lines 1-5). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include creating clusters of users as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208).

For claims 7, 14 and 19, Bhise, as modified by Kapoor, Nelson and Wolff, fails to teach wherein identifying the user affinity between users comprises identifying users having related attack surfaces in security operations. Kapoor further teaches wherein identifying the user affinity between users comprises identifying users having related attack surfaces in security operations (par.209, lines 1-6 and par.580, lines 3-6). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include related attack surfaces in security operations as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208).

For claim 8, Bhise, as modified by Kapoor, Nelson and Wolff, fails to teach wherein identifying the user affinity between users comprises identifying users having related missions in security operations. Kapoor further teaches wherein identifying the user affinity between users comprises identifying users having related missions in security operations (par.209, lines 1-6 and par.580, lines 3-6).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include identifying user affinity as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208).

For claim 9, Bhise, as modified by Kapoor, Nelson and Wolff, fails to teach wherein identifying the user affinity comprises identifying users targeted by a common malware campaign. Kapoor further teaches wherein identifying the user affinity comprises identifying users targeted by a common malware campaign (par.209, lines 1-6, par.580, lines 3-6 and par.623). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include identifying user affinity as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208).

For claims 10, 15 and 20, Bhise, as modified by Kapoor, Nelson and Wolff, fails to teach wherein creating the clusters of users based on a similarity of the data between the users comprises: aggregating collected features for at least a first user; defining a first user profile of aggregated features for the first user; and creating the clusters based on the first user profile. Kapoor further teaches that creating clusters of users based on a similarity of the data between the users comprises: aggregating collected features for at least a first user (par.211, lines 2-6 and par.232, lines 1-2); defining a first user profile of aggregated features for the first user (par.232, lines 1-3); and creating the clusters based on the first user profile (par.232, lines 2-6).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include creating clusters of users as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208).

For claim 11, Bhise teaches a system (abstract), comprising: a processor (par.115, lines 1-2); and a memory, wherein the memory includes a computer program product configured to perform operations for identifying threat relevancy based on user affinity within a security system (par.116, lines 1-6), the operations comprising: accessing training data from a set of users within the security system, by a processor executing a security system platform in the security system (Bhise teaches accessing the training data system to update or check the data by extracting the training data, as Bhise teaches in par.6, lines 1-4 and par.50, lines 1-3), the training data comprising at least one of: indicators of compromise (IoC), security observables, or artifacts (Bhise teaches that the training data comprises artifacts, as Bhise teaches in par.54, lines 3-7 and par.58, lines 2-4); enriching the training data, by the processor executing the security system platform, to generate enriched training data (Bhise teaches enriching the training data in order to generate enriched data, as Bhise teaches in par.73, lines 1-6) by applying a first enrichment operation to the training data to generate initial enriched training data (par.73, lines 3-6), wherein the first enrichment operation uses the collected feature data comprising at least one of email addresses, uniform resource locators (URLs), internet protocol (IP) addresses, or countries of origin (Bhise teaches that AMLPG can provide representations of email and IP addresses as additional features, as Bhise teaches in par.80); and applying a second enrichment operation to the initial enriched training data to generate the enriched training data (Bhise teaches that after the system went through the original enrichment and validation, the system will then enrich the validation, as Bhise teaches in par.74-75), wherein the second enrichment operation uses types of vulnerabilities (Bhise teaches that AMLPG can enrich other variables that are known to be important for fraud, such as, for example, phone numbers and addresses, as Bhise teaches in par.78). Bhise fails to teach wherein the training data is automatically collected without any user interaction, and is based on an attack surface and monitored user entered queries of each user of the set of users; collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users; creating clusters of the users, by the processor executing the security system platform, based on similarity of the enriched training data between the users; determining a risk posture, by the processor executing the security system platform, of a cluster of users based on relevancy of a risk detected by a user in the cluster; and providing proactive notifications, without user input by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster.
Kapoor teaches, in a similar system, creating clusters of users, by the processor executing the security system platform, based on similarity of the enriched training data between users (Kapoor teaches creating clusters of users that share common behavior or types, as Kapoor teaches in par.253, lines 1-6 and par.294, lines 1-3); and determining a risk posture, by the processor executing the security system platform, of a cluster of users based on relevancy of a risk detected by a user in the cluster (Kapoor teaches that after the system clusters users together it will generate alerts based on the clusters, as Kapoor teaches in par.208, lines 1-5 and par.209, lines 1-10, par.638 risk behavior based security, figs. 5 and 15B). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include creating clusters of users as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208). Bhise, as modified by Kapoor, does not explicitly teach providing proactive notifications, without user input by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster. Nelson teaches, in a similar system, providing proactive notifications, by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster (Nelson teaches that advisor Mode-Users can get an Improves communication and alert when a schema anti-patterns reduces user burden (e.g., in for applications in production is visiting the tool to see detected. recommendations), administration Teams/Sales/ Users may not make changes CSMs have a way to proactively even with performance issues, and identify customers/clusters with The System can notify the user, bad schemas, so that they can take automatic action, and/or proactively reach out, as Nelson teaches in par.40, Table A). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor, to include providing proactive notifications as taught and suggested by Nelson for the purpose of improving communication and alert when a schema anti-patterns reduces user burden (e.g., in for applications in production is visiting the tool to see detected. recommendations), and because identifying problems to enable outside technical experts to proactively resolve them is an enhancement not available in many conventional approaches (Nelson, par.40). Bhise, as modified by Kapoor and Nelson, does not explicitly teach wherein the training data is automatically collected without any user interaction, and is based on an attack surface and monitored user entered queries of each user of the set of users; collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users; and providing proactive notifications, without user input by the processor executing the security system platform.
Wolff teaches, in a similar system, wherein the training data is automatically collected without any user interaction, and is based on an attack surface (Wolff teaches that the collected and analyzed data may be used to perform threat detection and to provide recommendations concerning appropriate responses to different categories of threats, analyzed (e.g., manually or automatically) to identify a baseline set of activities for specific users (or classes of users), provide visibility and auditing capabilities across an entire organization, and identify various anomalies which may indicate malicious behavior emanating from within and/or directed at the organization through the various application services; response, attack surface area optimization or minimization, community detection, anomaly detection, and general visibility and auditing, as Wolff teaches in par.21, 36 and 39-40) and monitored user entered queries of each user of the set of users (Wolff teaches a complete set of data collected by the system, a set of data transformations, queries, and/or models needed to determine optimal preventative controls that should be deployed into the cloud application, as Wolff teaches in par.52), collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users (Wolff teaches identifying various anomalies which may indicate malicious behavior emanating from within and/or directed at the organization through the various application services, as Wolff teaches in par.36 and 37), and providing proactive notifications, without user input by the processor executing the security system platform (Wolff teaches initializing an alert (via an SMS message to a system administrator, for example) with respect to threats on certain cloud services and/or proactively securing cloud services on which a user maintains data by applying remedial measures, such as adding additional steps to authentication, changing passwords, blocking a particular IP address or addresses, blocking email messages or senders, and/or locking accounts, as Wolff teaches in par.29). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor and Nelson, to include training data automatically collected without any user interaction and based on an attack surface, and proactive notifications without user input, as taught and suggested by Wolff for the purpose of increasing the efficiency with which it detects and responds to various incidents, and also minimizing or optimizing its “attack surface area,” to make the organization less vulnerable to security incidents (Wolff, par.4).

For claim 16, Bhise teaches a computer program product for identifying threat relevancy based on user affinity within a security system (par.115, lines 1-2), the computer program product comprising: a computer-readable storage medium having computer-readable program code embodied therewith (par.116, lines 1-2), the computer-readable program code executable by one or more computer processors to perform operations (par.116, lines 2-6) comprising: accessing training data from a set of users within the security system, by one of the computer processors executing a security system platform in the security system (Bhise teaches accessing the training data system to update or check the data by extracting the training data, as Bhise teaches in par.6, lines 1-4 and par.50, lines 1-3), the training data comprising at least one of: indicators of compromise (IoC), security observables, or artifacts (Bhise teaches that the training data comprises artifacts, as Bhise teaches in par.54, lines 3-7 and par.58, lines 2-4); enriching the training data, by one of the computer processors executing the security system platform, to generate enriched training data (Bhise teaches enriching the training data in order to generate enriched data, as Bhise teaches in par.73, lines 1-6) by applying a first enrichment operation to the training data to generate initial enriched training data (par.73, lines 3-6), wherein the first enrichment operation uses the collected feature data comprising at least one of email addresses, uniform resource locators (URLs), internet protocol (IP) addresses, or countries of origin (Bhise teaches that AMLPG can provide representations of email and IP addresses as additional features, as Bhise teaches in par.80); and applying a second enrichment operation to the initial enriched training data to generate the enriched training data (Bhise teaches that after the system went through the original enrichment and validation, the system will then enrich the validation, as Bhise teaches in par.74-75), wherein the second enrichment operation uses types of vulnerabilities (Bhise teaches that AMLPG can enrich other variables that are known to be important for fraud, such as, for example, phone numbers and addresses, as Bhise teaches in par.78). Bhise fails to teach wherein the training data is automatically collected without any user interaction, and is based on an attack surface and monitored user entered queries of each user of the set of users; collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users; creating clusters of the users, by one of the computer processors executing the security system platform, based on similarity of the enriched training data between the users; determining a risk posture, by one of the computer processors executing the security system platform, of a cluster of users based on relevancy of a risk detected by a user in the cluster; and providing proactive notifications, without user input by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster.
Kapoor teaches, in a similar system, creating clusters of the users, by one of the computer processors executing the security system platform, based on similarity of the enriched training data between the users (Kapoor teaches creating clusters of users that share common behavior or types, as Kapoor teaches in par.253, lines 1-6 and par.294, lines 1-3); and determining a risk posture, by one of the computer processors executing the security system platform, of a cluster of users based on relevancy of a risk detected by a user in the cluster (Kapoor teaches that after the system clusters users together it will generate alerts based on the clusters, as Kapoor teaches in par.208, lines 1-5 and par.209, lines 1-10, par.638 risk behavior based security, figs. 5 and 15B). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise to include creating clusters of users as taught and suggested by Kapoor for the purpose of providing visibility into a datacenter environment without requiring user specified labels and for allowing changes to be detected and alerts to be generated (Kapoor, par.208). Bhise, as modified by Kapoor, does not explicitly teach providing proactive notifications, without user input by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster. Nelson teaches, in a similar system, providing proactive notifications, by the processor executing the security system platform, to the cluster of users based on the relevancy of the risk detected by the user in the cluster (Nelson teaches that advisor Mode-Users can get an Improves communication and alert when a schema anti-patterns reduces user burden (e.g., in for applications in production is visiting the tool to see detected. recommendations), administration Teams/Sales/ Users may not make changes CSMs have a way to proactively even with performance issues, and identify customers/clusters with The System can notify the user, bad schemas, so that they can take automatic action, and/or proactively reach out, as Nelson teaches in par.40, Table A). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor, to include providing proactive notifications as taught and suggested by Nelson for the purpose of improving communication and alert when a schema anti-patterns reduces user burden (e.g., in for applications in production is visiting the tool to see detected. recommendations), and because identifying problems to enable outside technical experts to proactively resolve them is an enhancement not available in many conventional approaches (Nelson, par.40). Bhise, as modified by Kapoor and Nelson, does not explicitly teach wherein the training data is automatically collected without any user interaction, and is based on an attack surface and monitored user entered queries of each user of the set of users; collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users; and providing proactive notifications, without user input by the processor executing the security system platform.
Wolff teaches, in a similar system, wherein the training data is automatically collected without any user interaction, and is based on an attack surface (Wolff teaches that the collected and analyzed data may be used to perform threat detection and to provide recommendations concerning appropriate responses to different categories of threats, analyzed (e.g., manually or automatically) to identify a baseline set of activities for specific users (or classes of users), provide visibility and auditing capabilities across an entire organization, and identify various anomalies which may indicate malicious behavior emanating from within and/or directed at the organization through the various application services; response, attack surface area optimization or minimization, community detection, anomaly detection, and general visibility and auditing, as Wolff teaches in par.21, 36 and 39-40) and monitored user entered queries of each user of the set of users (Wolff teaches a complete set of data collected by the system, a set of data transformations, queries, and/or models needed to determine optimal preventative controls that should be deployed into the cloud application, as Wolff teaches in par.52), collected feature data associated with at least one of the IoCs, security observables, or artifacts for the users (Wolff teaches identifying various anomalies which may indicate malicious behavior emanating from within and/or directed at the organization through the various application services, as Wolff teaches in par.36 and 37), and providing proactive notifications, without user input by the processor executing the security system platform (Wolff teaches initializing an alert (via an SMS message to a system administrator, for example) with respect to threats on certain cloud services and/or proactively securing cloud services on which a user maintains data by applying remedial measures, such as adding additional steps to authentication, changing passwords, blocking a particular IP address or addresses, blocking email messages or senders, and/or locking accounts, as Wolff teaches in par.29). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor and Nelson, to include training data automatically collected without any user interaction and based on an attack surface, and proactive notifications without user input, as taught and suggested by Wolff for the purpose of increasing the efficiency with which it detects and responds to various incidents, and also minimizing or optimizing its “attack surface area,” to make the organization less vulnerable to security incidents (Wolff, par.4).

Claims 2-3, 12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Bhise et al (2024/0054406) in view of Kapoor et al (2024/0106846), Nelson et al (2021/0382911) and Wolff et al (2020/0259852) as applied to the claims above, and further in view of Scheideler et al (2022/0131889).

For claims 2, 12 and 17, Bhise, as modified by Kapoor, Nelson and Wolff, teaches all the limitations as previously set forth except for collecting IoCs, security observables, and artifacts of users within the security system. Scheideler teaches, in a similar system, collecting IoCs, security observables, and artifacts of users within the security system (abstract; par.24). It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Bhise, as modified by Kapoor, Nelson and Wolff, to include IoCs, security observables, and artifacts as taught and suggested by Kapoor for the purpose of measuring a utilization of security measures in terms of their detection of the respective IoCs and their respective responses to the IoCs, measuring a resource consumption of the security measures, and determining a benefit value for at least one of the security measures expressed by its utilization and a relevance value of the IoCs detected with it (Scheideler, abstract).
For claim 3, Bhise, as modified by Kapoor and Nelson and Wolff, teaches all the limitations as previously set forth except for scanning enriched IoCs, security observables, and artifacts within the security system. Scheideler further teaches scanning enriched IoCs, security observables, and artifacts within the security system (par.46, lines 7-12, par.74, lines 1-3). It would have been obvious to one ordinary skill in the art before effective filling date to modify Bhise, as modified by Kapoor and Nelson and Agarwal, to include IoCs, security observables, and artifacts as taught and suggested by Kapoor for purpose of measuring a utilization of security measures in terms of their detection of the respective IoCs and their respective responses to the IoCs, measuring a resource consumption of the security measures, and determining a benefit value for at least one the security measure expressed by its utilization and a relevance value of the IoCs detected with it (Scheideler, abstract). Response to Amendments/Arguments Applicant’s arguments with respect to claim(s) 1-3, and 5-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. The applicant’s arguments regarding new in claims 1, 11 and 16, has been considered but is moot, because the examiner applied new art, Wolff et al (2020/0259852), that covers newly claimed limitation. Regarding dependent claims arguments, said arguments are moot because the applied references are not considered to have alleged differences, and therefore are considered to properly show that for which they were cited. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AYUB A MAYE whose telephone number is (571)270-5037. The examiner can normally be reached Monday-Friday 9AM-5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. 
For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /AYUB A MAYE/Examiner, Art Unit 2436 /SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436

Prosecution Timeline

Aug 19, 2025
Response after Non-Final Action
Sep 19, 2025
Request for Continued Examination
Sep 29, 2025
Response after Non-Final Action
Oct 02, 2025
Non-Final Rejection mailed — §103
Dec 19, 2025
Examiner Interview Summary
Dec 19, 2025
Applicant Interview (Telephonic)
Dec 22, 2025
Response Filed
May 14, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12625987
METHOD AND SYSTEM FOR EXECUTING A SECURE FILE-LEVEL RESTORE FROM A BLOCK-BASED BACKUP
3y 9m to grant Granted May 12, 2026
Patent 12574211
PERSONAL PRIVATE KEY ENCRYPTION DEVICE
3y 10m to grant Granted Mar 10, 2026
Patent 12574247
DEVICE FOR COMPUTING SOLUTIONS OF LINEAR SYSTEMS AND ITS APPLICATION TO DIGITAL SIGNATURE GENERATIONS
3y 4m to grant Granted Mar 10, 2026
Patent 12547740
INFORMATION PROCESSING DEVICES AND INFORMATION PROCESSING METHODS
3y 2m to grant Granted Feb 10, 2026
Patent 12526274
Geolocated Portable Authenticator for Transparent and Enhanced Information-Security Authentication of Users
3y 0m to grant Granted Jan 13, 2026

Prosecution Projections

5-6
Expected OA Rounds
58%
Grant Probability
99%
With Interview (+41.7%)
4y 6m (~11m remaining)
Median Time to Grant
High
PTA Risk
Based on 653 resolved cases by this examiner. Grant probability derived from career allowance rate.