Prosecution Insights
Last updated: July 17, 2026
Application No. 18/055,284

CYBERSECURITY THREAT MITIGATION FOR INDUSTRIAL NETWORKS

Final Rejection §103
Filed
Nov 14, 2022
Examiner
VO, ETHAN VIET
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Honeywell International Inc.
OA Round
4 (Final)
74%
Grant Probability
Favorable
5-6
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 74% — above average
74%
Career Allowance Rate
63 granted / 85 resolved
+16.1% vs TC avg
Strong +29% interview lift
Without
With
+28.9%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
13 currently pending
Career history
101
Total Applications
across all art units

Statute-Specific Performance

§101
1.2%
-38.8% vs TC avg
§103
84.6%
+44.6% vs TC avg
§102
1.5%
-38.5% vs TC avg
§112
12.7%
-27.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 85 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This office action is in response to the amendments filed on January 5, 2026. Claims 1, 11, 15, 18, 22-24 have been amended. Claims 13-17, 19-20 are canceled. Claims 25-27 are new. Claims 1-12, 18, 21-27 are pending. Response to Arguments Applicant's arguments filed January 5, 2026 have been fully considered but they are not persuasive. Applicant argues in pages 13-14 of Remarks that prior art reference Dos Santos does not teach the newly amended limitations with regards to configuration parameter modification in combination with the other prior art. Examiner notes that this argument is moot as the previous office action relied on prior art reference Cortinas to teach limitations regarding configuration parameter modification, not Dos Santos. For these reasons, the rejections under 35 U.S.C. 103 are maintained as the Applicant does not address the prior art rejection made with regards to Cortinas. Moreover, previously for the purpose of compact prosecution, the different cybersecurity event levels/thresholds which the amendments are directed to were shown to be taught in the previous office action. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-7, 10-12, 18, 24, 27 are rejected under 35 U.S.C. 103 as being unpatentable over dos Santos et al. (U.S. Pub. No. 2021/0203673 A1), hereinafter referred to as “Dos Santos”, and in view of Hernandez Cortinas et al. (U.S. Pub. No. 2024/0098003 A1) hereinafter referred to as “Cortinas”, and further in view of C et al. (U.S. Pub. No. 2017/0289184 A1) hereinafter referred to as “C184”. Regarding Claim 1: Dos Santos teaches the following limitations: A system, comprising: one or more processors; a memory; and one or more programs stored in the memory, the one or more programs comprising instructions configured to (Par. [0205], Par. [0206], Par. [0207]). monitor, based on a networking event rule set related to defined networking events [predefined issues], network traffic data related to a set of asset devices [OT assets] in communication via an industrial network to determine a first networking event [issue determination] associated with the set of asset devices (Par. [0036], Par. [0048], Par. [0084]). Dos Santos teaches a network monitor device which groups/correlates network traffic data into distinct issues, i.e. networking events. in response to the first networking event: determine, (Par. [0055], Par. [0084], Par. [0163]). Dos Santos teaches calculating an issue priority/severity with multiple possible levels. and a second networking event associated with the set of asset devices (Par. [0070], Par. [0075], Par. [0084]). Dos Santos teaches handling multiple issues, i.e. a second networking event. and in response to a determination that the first cybersecurity event level for the first networking event satisfies a first predefined cybersecurity threat level threshold [only high priority] (Par. [0036], Par. [0056], Par. [0163]). Dos Santos teaches responding to high priority issues, suggesting a threshold between high/medium priority levels. (taught by Cortinas below) (taught by C184 below) in response to the second networking event: determine, (Par. [0055], Par. [0084], Par. [0163]). and in response to a determination that the second cybersecurity event level for the second networking event satisfies a second predefined cybersecurity threat level threshold different than the first predefined cybersecurity threat level threshold [critical] ((Par. [0036], Par. [0056], Par. [0163]). Dos Santos teaches responding to high priority issues and above in which there also exists critical issues which rank higher than high priority issues, suggesting a second threshold level. (taught by Cortinas below) (Par. [0198], Par. [0199]). Dos Santos teaches removing network access from a device as a remedial action. Cortinas teaches the following limitations: based on a comparison between a first networking event feature set [communication parameters] for the first networking event and a predefined cybersecurity event feature set [threshold parameters] for a set of predefined cybersecurity events (Par. [0031], Par. [0034]). Cortinas teaches an alternate form of anomaly detection by comparing current communication parameters with threshold parameters. cause a first modification to one or more first configuration parameters for a first asset device [change operating parameters of IEDs] from the set of asset devices associated with the first networking event (Par. [0037]). Cortinas further teaches that operating/configuration parameters of IEDs, i.e. intelligent electronic devices or asset devices of industrial network, can be changed in response to anomaly detection for the relevant devices. based on a second comparison between a second networking event feature set for the second networking event and the predefined cybersecurity event feature set for the set of predefined cybersecurity events (Par. [0031], Par. [0034]). This feature comparison can be applied to the second networking event as taught by Dos Santos above. cause a second modification to one or more second configuration parameters for a second asset device from the set of asset devices associated with the second networking event (Par. [0037]). This parameter modification can be applied to the second networking event as taught by Dos Santos above. wherein the second modification to the one or more second configuration parameters for the second asset device (Par. [0037]). Dos Santos does not teach comparing features for determining a cybersecurity event level nor modifying configuration parameters. Cortinas however teaches that parameter comparison is an alternative for anomaly detection, and that modifying configuration parameters can be performed as a response to network anomalies. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos with the threshold comparison/parameter modification of Cortinas in order to gain the predictable result of the claimed invention. One of ordinary skill in the art would have recognized that the communication parameter comparison of Cortinas would have been an alternative method for risk determination and is compatible with the system of Dos Santos which categorizes issues using features. Furthermore, one of ordinary skill in the art would have recognized that changing the operational parameters of asset devices as in Cortinas would have been an appropriate response to high priority issues such as in Dos Santos and gain the predictable result of the claimed invention. C184 teaches the following limitation: wherein the first modification to the one or more configuration parameters for the first asset device causes the first asset device to be temporarily decommissioned [temporarily blacklist] such that the first asset device is unable to communicate via the industrial network until at least a status associated with the first networking event is updated [until pattern ceases] (Par. [0104], Par. [0112], Par. [0127]). Previously Cortinas was shown to teach modifying operational parameters of IEDs as an execution of a remedial action for cybersecurity threat detection. C184 teaches a remedial action for cybersecurity threat detection taking the form of device blacklisting/decommissioning, and this can be done until a security administrator reapproves the device or until erroneous behavior ceases. Dos Santos/Cortinas teaches modifying the operational parameters of devices in a network as a remedial action due to cybersecurity threat detection, i.e. the operation of devices within the system, but does not teach temporarily decommissioning a device specifically. C184 however teaches that a remedial action can take the form of temporarily blacklisting a device, and that this has the advantage of preventing a misbehaving device from flooding a network (Par. [0025]. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortinas with the device blacklisting of C184 in order to gain the benefit of preventing flooding in a communications network. One of ordinary skill in the art would have recognized that the device blacklisting of C184 is a predictable implementation of a remedial action which is compatible with the operational parameter modification of Dos Santos/Cortinas, as they both regard modifying the operation of devices within the system as a response to cybersecurity threats. Furthermore, one of ordinary skill in the art would have recognized that performing such blacklisting further has the benefit of preventing a misbehaving device from flooding the network by preventing the device from further communication. Regarding Claims 2, 12: Dos Santos teaches the following limitation: trigger an alarm [alert] associated with the first networking event in response to the determination that the first cybersecurity event level for the networking event satisfies the first predefined cybersecurity threat level threshold (Par. [0036], Par. [0164], Par. [0171]). Dos Santos teaches displaying only high priority issues to reduce the number of alerts to a user, i.e. meeting the threat level threshold. Regarding Claim 3: Cortinas teaches the following limitations: wherein at least a portion of the network traffic data is related to radio frequency signals transmitted by the set of asset devices (Par. [0019], Par. [0030]). Cortinas further teaches network traffic being on a cellular network, i.e. radio frequency. and wherein the radio frequency signals are captured via a set of wireless sensors communicatively coupled to an edge gateway device (Par. [0022], Par. [0030]). Cortinas further teaches gateway devices with multiple interfaces as being part of a cellular network, suggesting wireless sensors. The reasons for motivation/combination of references remain the same as in Claim 1. Regarding Claims 4: Dos Santos teaches the following limitation: wherein the defined networking events related to the networking event rule set are related to at least one of signal strength data associated with one or more asset devices of the set of asset devices, a type of wireless protocol employed by the one or more asset devices, an event associated with respective radio frequency signals transmitted by the one or more asset devices, a beacon event associated with the one or more asset devices, a probing event associated with the one or more asset devices, an authentication event associated with the one or more asset devices, a data frame event associated with the one or more asset devices and, a network address sharing event associated with the one or more asset devices (Par. [0126], Par. [0174]). Dos Santos teaches issues related to failed logins/authentication. Regarding Claims 5: Dos Santos teaches the following limitation: the one or more programs further comprising instructions configured to: determine the first networking event based on at least one of a new asset device [new host] being added to the industrial network and a mapping of network switches in the industrial network (Par. [0150]). Dos Santos teaches a new host, i.e. device, being added to the network as a possible event. Regarding Claims 6: Dos Santos teaches the following limitation: (Par. [0036], Par. [0101]). Dos Santos teaches issue determination being further based on log information. Cortinas teaches the following limitations: compare a (Par. [0031], Par. [0034]). In conjunction with the history log information collected by Dos Santos taught above, Cortinas teaches the feature set comparison as argued previously. The reasons for motivation/combination of references remain the same as in Claim 1. Regarding Claims 7: Dos Santos teaches the following limitation: render, on an interactive user dashboard of a user computing device, visualization data related to one or more networking events (Fig. 4, Par. [0164], Par. [0170]). Dos Santos teaches visualizing the issue on a display with a graphical user interface. and generate, based on an interaction [slider] with the visualization data, a networking event report [associated details] related to the one or more networking events (Par. [0166], Par. [0167]). Dos Santos teaches using a slider GUI element to view issue details, i.e. generate a report, at different times. Regarding Claim 10: Dos Santos teaches the following limitations: wherein the first networking event feature set comprises data associated with a networking event type (Par. [0120], event type). Dos Santos teaches a variety of event features which can be extracted from traffic data. an asset device identifier (Par. [0092], unique identifiers) an asset device address (Par. [0092], media access control (MAC) address) a cybersecurity event level (Par. [0120], severity). a networking event description (Par. [0120], transmitted and received bytes). Under the broadest reasonable interpretation, the bytes transmitted and received can be considered a type of event description. networking event timestamp data (Par. [0120], time stamp). a networking event status (Par. [0120], service (e.g., combination of protocol and destination port)). Under the broadest reasonable interpretation, the service of an event can be considered a type of event status as it describes its state. and an administrator identifier [manufacturer information] (Par. [0120]). Under the broadest reasonable interpretation, the manufacturer information of the entity can be considered a type of administrator identifier, since an administrator is not defined in the Applicant’s specification. Regarding Claim 11: Dos Santos teaches the following limitations: A computer-implemented method, the computer-implemented method comprising: monitoring, based on a networking event rule set related to defined networking events, network traffic data related to a set of asset devices in communication via an industrial network to determine a first networking event associated with the set of asset devices (Par. [0036], Par. [0048], Par. [0084]). and a second networking event associated with the set of asset devices (Par. [0070], Par. [0075], Par. [0084]). in response to the first networking event: determining, (Par. [0055], Par. [0084], Par. [0163]). and in response to a determination that the first cybersecurity event level for the first networking event satisfies a first predefined cybersecurity threat level threshold [only high priority] (Par. [0036], Par. [0056], Par. [0163]). (taught by Cortinas below) (taught by C184 below) in response to the second networking event: determining, (Par. [0055], Par. [0084], Par. [0163]). and in response to a determination that the second cybersecurity event level for the second networking event satisfies a second predefined cybersecurity threat level threshold different than the first predefined cybersecurity threat level threshold (Par. [0036], Par. [0056], Par. [0163]). (taught by Cortinas below) wherein (Par. [0198], Par. [0199]). Cortinas teaches the following limitations: based on a first comparison between a first networking event feature set for the first networking event and a predefined cybersecurity event feature set for a set of predefined cybersecurity events (Par. [0031], Par. [0034]). causing a first modification to one or more first configuration parameters for a first asset device from the set of asset devices associated with the first networking event (Par. [0037]). based on a second comparison between a second networking event feature set for the second networking event and the predefined cybersecurity event feature set for the set of predefined cybersecurity events (Par. [0031], Par. [0034]). causing a second modification to one or more second configuration parameters for a second asset device from the set of asset devices associated with the second networking event (Par. [0037]). the second modification to the one or more second configuration parameters for the second asset device (Par. [0037]). Dos Santos does not teach comparing features for determining a cybersecurity event level nor modifying configuration parameters. Cortinas however teaches that parameter comparison is an alternative for anomaly detection, and that modifying configuration parameters can be performed as a response to network anomalies. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos with the threshold comparison/parameter modification of Cortinas in order to gain the predictable result of the claimed invention. One of ordinary skill in the art would have recognized that the communication parameter comparison of Cortinas would have been an alternative method for risk determination and is compatible with the system of Dos Santos which categorizes issues using features. Furthermore, one of ordinary skill in the art would have recognized that changing the operational parameters of asset devices as in Cortinas would have been an appropriate response to high priority issues such as in Dos Santos and gain the predictable result of the claimed invention. C184 teaches the following limitation: wherein the first modification to the one or more first configuration parameters for the first asset device causes the first asset device to be temporarily decommissioned [temporarily blacklist] such that the first asset device is unable to communicate via the industrial network until at least a status associated with the first networking event is updated [until pattern ceases] (Par. [0104], Par. [0112], Par. [0127]). Dos Santos/Cortinas teaches modifying the operational parameters of devices in a network as a remedial action due to cybersecurity threat detection, i.e. the operation of devices within the system, but does not teach temporarily decommissioning a device specifically. C184 however teaches that a remedial action can take the form of temporarily blacklisting a device, and that this has the advantage of preventing a misbehaving device from flooding a network (Par. [0025]. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortinas with the device blacklisting of C184 in order to gain the benefit of preventing flooding in a communications network. One of ordinary skill in the art would have recognized that the device blacklisting of C184 is a predictable implementation of a remedial action which is compatible with the operational parameter modification of Dos Santos/Cortinas, as they both regard modifying the operation of devices within the system as a response to cybersecurity threats. Furthermore, one of ordinary skill in the art would have recognized that performing such blacklisting further has the benefit of preventing a misbehaving device from flooding the network by preventing the device from further communication. Regarding Claim 18: Dos Santos teaches the following limitations: A computer program product comprising at least one non-transitory computer-readable storage medium having program instructions embodied thereon, the program instructions executable by a processor to cause the processor to (Par. [0205], Par. [0206], Par. [0207]). monitor, based on a networking event rule set related to defined networking events [predefined issues], network traffic data related to a set of asset devices [OT assets] in communication via an industrial network to determine a first networking event [issue determination] associated with the set of asset devices (Par. [0036], Par. [0048], Par. [0084]). and a second networking event associated with the set of asset devices (Par. [0070], Par. [0075], Par. [0084]). in response to the first networking event: determine, (Par. [0055], Par. [0084], Par. [0163]). and in response to a determination that the cybersecurity event level for the networking event satisfies a predefined cybersecurity threat level threshold [only high priority] (Par. [0036], Par. [0056], Par. [0163]). (taught by Cortinas below) (taught by C184 below) response to the second networking event: determine, (Par. [0055], Par. [0084], Par. [0163]). and in response to a determination that the second cybersecurity event level for the second networking event satisfies a second predefined cybersecurity threat level threshold different than the first predefined cybersecurity threat level threshold (Par. [0036], Par. [0056], Par. [0163]). (taught by Cortinas below) wherein (Par. [0198], Par. [0199]). Cortinas teaches the following limitations: based on a first comparison between a first networking event feature set [communication parameters] for the first networking event and a predefined cybersecurity event feature set [threshold parameters] for a set of predefined cybersecurity events (Par. [0031], Par. [0034]). cause a first modification to one or more first configuration parameters for a first asset device [change operating parameters of IEDs] from the set of asset devices associated with the first networking event (Par. [0037]). based on a second comparison between a second networking event feature set for the second networking event and the predefined cybersecurity event feature set for the set of predefined cybersecurity events (Par. [0031], Par. [0034]). cause a second modification to one or more second configuration parameters for a second asset device from the set of asset devices associated with the second networking event (Par. [0037]). the second modification to the one or more second configuration parameters for the second asset device (Par. [0037]). Dos Santos does not teach comparing features for determining a cybersecurity event level nor modifying configuration parameters. Cortinas however teaches that parameter comparison is an alternative for anomaly detection, and that modifying configuration parameters can be performed as a response to network anomalies. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos with the threshold comparison/parameter modification of Cortinas in order to gain the predictable result of the claimed invention. One of ordinary skill in the art would have recognized that the communication parameter comparison of Cortinas would have been an alternative method for risk determination and is compatible with the system of Dos Santos which categorizes issues using features. Furthermore, one of ordinary skill in the art would have recognized that changing the operational parameters of asset devices as in Cortinas would have been an appropriate response to high priority issues such as in Dos Santos and gain the predictable result of the claimed invention. C184 teaches the following limitation: wherein the first modification to the one or more first configuration parameters for the first asset device causes the first asset device to be temporarily decommissioned [temporarily blacklist] such that the first asset device is unable to communicate via the industrial network until at least a status associated with the first networking event is updated [until pattern ceases] (Par. [0104], Par. [0112], Par. [0127]). Dos Santos/Cortinas teaches modifying the operational parameters of devices in a network as a remedial action due to cybersecurity threat detection, i.e. the operation of devices within the system, but does not teach temporarily decommissioning a device specifically. C184 however teaches that a remedial action can take the form of temporarily blacklisting a device, and that this has the advantage of preventing a misbehaving device from flooding a network (Par. [0025]. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortinas with the device blacklisting of C184 in order to gain the benefit of preventing flooding in a communications network. One of ordinary skill in the art would have recognized that the device blacklisting of C184 is a predictable implementation of a remedial action which is compatible with the operational parameter modification of Dos Santos/Cortinas, as they both regard modifying the operation of devices within the system as a response to cybersecurity threats. Furthermore, one of ordinary skill in the art would have recognized that performing such blacklisting further has the benefit of preventing a misbehaving device from flooding the network by preventing the device from further communication. Regarding Claim 24: Dos Santos teaches the following limitation: trigger an alarm [alert] associated with the first networking event in response to the determination that the first cybersecurity event level for the networking event satisfies the first predefined cybersecurity threat level threshold (Par. [0036], Par. [0164], Par. [0171]). receive a responsive instruction from a user device in response to the alarm associated with the first networking event (Par. [0029], Par. [0044], Par. [0055], Par. [0074]). Dos Santos teaches a graphical user interface for alerts, and this is for the user responding manually to high priority events. and remove the first asset device from the industrial network based on the responsive instruction (Par. [0198], Par. [0199]). Remediation actions include removing network access. Regarding Claim 27: Dos Santos teaches the following limitation: the one or more programs further comprising instructions configured to: in response to detecting a new asset device communicating via the industrial network (Par. [0150]). Dos Santos teaches detecting a new device. Cortinas teaches the following limitations: configure a new asset device instance corresponding to the new asset device (Par. [0027], Par. [0037]-Par. [0039], Par. [0040]). Cortinas teaches recording information regarding network events. In conjunction with the new host detection of Dos Santos above, this can be considered a type of configuration of a new asset device instance under the broadest reasonable interpretation, as such an instance is not defined, and this record of a new host can be considered an instance. and wherein determining the first networking event is based at least in part on an update to baseline asset data caused by configuring the new asset device instance (Par. [0027], Par. [0040]). Cortinas further teaches that the events encountered by the system can be used to train and update a baseline model. The reasons for motivation/combination of references remain the same as in Claim 1. Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Dos Santos/Cortinas/C184 and further in view of Isola et al. (U.S. Pub. No. 2017/0339153 A1) hereinafter referred to as “Isola”. Regarding Claim 8: Dos Santos teaches the following limitation: wherein the instructions configured to determine the first networking event associated with the set of asset devices further comprise instructions configured to: identify a respective network protocol being used by one or more asset devices of the set of asset devices (Par. [0053], Par. [0089]). Dos Santos teaches monitoring protocols used. (taught by Isola below) Isola teaches the following limitation: and classify the one or more asset devices as wireless devices or wired devices (Par. [0044]). Isola teaches monitoring a network connection determine whether a device has a wired or wireless connection. Dos Santos/Cortinas/C184 do not teach classifying devices as wired or wireless. Isola however teaches that in network security, monitoring the type of data connection as wired or wireless improves the accuracy in properly identifying the connection point of a device and is useful for future device blocking (Par. [0006]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortinas/C184 with the wired/wireless device classification of Isola in order to gain the benefit of additional security. One of ordinary skill in the art would have recognized that the wired/wireless network classification tracking of Isola is compatible with the feature extraction in Dos Santos/Cortinas/C184 in anomaly detection, and that the additional tracking of the type of network connection would provide additional accuracy for preventing future malicious device connections, thereby increasing network security. Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Dos Santos/Cortinas/C184 and further in view of Thom et al. (U.S. Pub. No. 2018/0077184 A1) hereinafter referred to as “Thom”. Regarding Claim 9: Dos Santos teaches the following limitations: (taught by Thom below) update metadata [automatic risk score determination] associated with a current status of the one or more asset devices (Par. [0031], Par. [0033], Par. [0039]). Dos Santos teaches automatically determining, i.e. updating risk scores of entities, i.e. current status of asset devices. This is similar to the trust taught by Thom below. (taught by Thom below) and in response to a determination that the one or more asset devices is a trusted device, updating baseline asset data [data model] associated with the industrial network to include metadata [risk score] associated with the one or more asset devices (Par. [0033], Par. [0039], Par. [0041], Par. [0158]). Dos Santos teaches determining a data model which represents the network behavior, i.e. baseline data, according to these risk scores. In conjunction with the automatic risk score determination taught earlier, this suggests a response according to a determination of trustedness. Thom teaches the following limitations: determine whether one or more asset devices of the set of asset devices communicating via the industrial network is a trusted device for the industrial network (Par. [0021], Par. [0031]). Thom teaches a network security system in which devices are determined to be trusted according to their reputation. wherein the current status describes whether the one or more asset devices have been approved to communicate on the industrial network (Par. [0032]). Thom teaches devices that are considered no longer trusted being removed from the network. Dos Santos/Cortinas/C184 do not teach considered devices to be trusted. Thom however teaches that in network security, devices can be considered trusted by proving their reputation, and can be used to distribute tamper-proof logs in a trusted network for additional security (Par. [0020], Par. [0055]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortinas/C184 with the trusted device classification of Thom in order to gain the benefit of additional security. One of ordinary skill in the art would have recognized that the trusted device classification of Thom is compatible with the network monitoring of Dos Santos/Cortinas/C184 as both are directed towards network security in log data, and that the additional trusted device classification would provide additional security by establishing a system for distributed tamper-proof data logging. Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Dos Santos/Cortinas/C184 as applied to Claim 1 above, and further in view of Ward et al. (U.S. Pub. No. 2019/0245879 A1) hereinafter referred to as “Ward”. Regarding Claim 21: Ward teaches the following limitation: wherein temporarily decommissioning the first asset device comprises depowering the first asset device [remotely power off] ([0046], Par. [0055]). Ward teaches that blocking a device as a remediation action can include powering off the device. Dos Santos/Cortinas/C184 teaches temporarily blocking a device, but does not teach depowering a device as a remedial action. Ward however teaches that removing a device’s access to a network can alternatively include remotely powering off the device (Par. [0046], Par. [0055]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the device blocking of Dos Santos/Cortina/C184 with the remote powering off a device of Ward in order to gain the predictable result of temporarily decommissioning the first asset device by depowering it. One of ordinary skill in the art would have recognized that the remote powering off a device in Ward is a predictable substitute for blocking device access as a remedial action performed as in Dos Santos/Cortinas/C184 for detected vulnerabilities, so it would have been a predictable result to alternatively decommission a device temporarily by powering off the device. Claims 22-23 is rejected under 35 U.S.C. 103 as being unpatentable over Dos Santos/Cortinas/C184 as applied to Claim 1 above, and further in view of Hadden et al. (U.S. Pub. No. 2016/0127394 A1) hereinafter referred to as “Hadden”. Regarding Claim 22: Hadden teaches the following limitations: the one or more programs further comprising instructions configured to: determine a user account associated with the second asset device (Par. [0096], Par. [0097], Par. [0098]). Hadden teaches that in addition to removing a device due to it being a threat, a user account can be blacklisted as a response. and reconfigure the user account by adding a removal flag object to the user account (Par. [0096], Par. [0097], Par. [0098]). This blacklisting can be considered as adding a removal flag object under the broadest reasonable interpretation. Dos Santos/Cortinas/C184 teaches blocking a device, but does not teach flagging a user account as a remedial action. Hadden however teaches that a user account can be blacklisted in addition to removing a device detected as being a threat, and this prevents threats from a compromised account thereby improving security (Par. [0098]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortina/C184 with the user account blacklisting in order to gain the benefit of additional security. One of ordinary skill in the art would have recognized that the user account blacklisting of Hadden is compatible with the remedial actions of Dos Santos/Cortina/C184 as it is used in conjunction with blocking devices found to be a threat, and that such a user account blacklisting would improve security by preventing future threats from a compromised user account. Regarding Claim 23: Dos Santos teaches the following limitation: the one or more programs further comprising instructions configured to: identify new asset device being added to the industrial network (Par. [0150]). (taught by Hadden below) (taught by Hadden below) Hadden teaches the following limitations: determine that the new asset device is associated with the user account (Par. [0096], Par. [0097], Par. [0098]). Hadden teaches user account databases for blacklisting traffic from devices. and prevent the new asset device from joining the industrial network in response to determining that the new asset device is associated with the user account (Par. [0096], Par. [0097], Par. [0098]). Hadden taught account blacklisting, i.e. this suggests preventing access for the new device. The reasons for motivation/combination of references remain the same as in Claim 22. Claims 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Dos Santos/Cortinas/C184 as applied to Claim 1 above, and further in view of Sharan et al. (U.S. Pub. No. 2014/0156711 A1) hereinafter referred to as “Sharan”.Regarding Claim 25: Sharan teaches the following limitations: wherein determining the first networking event is based at least in part on a plurality of asset device instances corresponding to respective asset devices of the set of asset devices, wherein each asset device instance is configured based on an asset template for an asset device type and defines one or more attributes for a respective asset device (Par. [0010], Par. [0026], Par. [0034], Par. [0037]). Sharan teaches that information about asset devices can be collected and standardized based on templates, and these further include attributes. Dos Santos/Cortinas/C184 do not teach asset device templates. Sharan however teaches that XML templates can be used to collect and standardize asset device information and this can be used to provide a common standard for interfacing in information technology (Par. [0002]). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the industrial network monitoring of Dos Santos/Cortina/C184 with the asset device templates of Sharan in order to gain the benefit of standardized communication for asset device information. One of ordinary skill in the art would have recognized that the templates of Sharan are compatible with the system of Dos Santos/Cortina/C184 as they are used for asset device information, and that such templates would have the benefit of normalized/standardized communication by following the template. Regarding Claim 26: Sharan teaches the following limitations: wherein each asset device instance is further configured based on a calculation template linked with the asset template, wherein the calculation template defines one or more calculations that use the one or more attributes (Par. [0010], Par. [0026], Par. [0031]-[0037]). Sharan further teaches that asset templates are further based on a determined operation, i.e. calculation template, to perform normalization. The reasons for motivation/combination of references remain the same as in Claim 25. Related Art The following prior art made of record and cited on PTO-892, but not relied upon, is considered pertinent to applicant' s disclosure: Levy et al. (U.S. Patent. No. 11,556,664 B2) – Includes methods regarding event detection Lietz et al. (U.S. Pub. No. 2016/0197951 A1) – Includes methods regarding asset modeling Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ETHAN V VO whose telephone number is (571)272-2505. The examiner can normally be reached M-F 8am-5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /E.V.V./Examiner, Art Unit 2431 /LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431
Read full office action

Prosecution Timeline

Show 1 earlier event
Nov 25, 2024
Non-Final Rejection mailed — §103
Feb 25, 2025
Response Filed
Mar 18, 2025
Final Rejection mailed — §103
Aug 18, 2025
Request for Continued Examination
Aug 28, 2025
Response after Non-Final Action
Oct 01, 2025
Non-Final Rejection mailed — §103
Jan 05, 2026
Response Filed
May 29, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12645826
PRIVATE INFORMATION RETRIEVAL WITH HOMOMORPHIC ENCRYPTED INFORMATION
2y 2m to grant Granted Jun 02, 2026
Patent 12645801
FIRMWARE UPDATE METHOD AND SYSTEM
2y 1m to grant Granted Jun 02, 2026
Patent 12625983
ENCODING OF BINARY DATA FOR SECURE TRANSMISSION
2y 3m to grant Granted May 12, 2026
Patent 12608493
SYSTEMS AND METHODS FOR MUTUAL TRUST ESTABLISHMENT AMONG COMPONENTS OF AN INFORMATION HANDLING SYSTEM
2y 6m to grant Granted Apr 21, 2026
Patent 12602496
COMMANDS COMMUNICATIONS
2y 9m to grant Granted Apr 14, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
74%
Grant Probability
99%
With Interview (+28.9%)
3y 0m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 85 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month