Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant argues:
“Gudov describes "Control module 320 monitors the operability of all the other modules (primarily collectors 310) by tracking their utilization. Control module 320 can track network utilization statistics (e.g., daily, weekly, monthly) and collect information about malicious activity on the Internet, which makes it possible to plot the geography of current attacks and store and collect statistics about known attacks (e.g., number of attacks, duration of attack, peak and average network load during the attack). In the present application, "The statistical object matcher communicates an attack measurement to the attack measurement accumulator when the first statistical object matches none of the plurality of statistical objects in the table" and "The accumulated attack measurement 13A is the sum of the plurality of attack measurements 13P". Effectively, this same function is recited in claim 1.
Gudov does not disclose, teach, or suggest using an accumulated attack measurement that is the sum of the plurality of attack measurements.”
Examiner respectfully disagrees. Gudov teaches in col 4 that the information module 320 adjusts the filtering rules, which are stored in filtering profiles, which are used by the filtering centers 210. To accomplish this, control module 320 monitors the attacks, accumulates the number of attacks as a sum of the monitored attacks, and sends them to information module 32 in order to generate the filter used to characterize the attacks.
Regarding applicant argument:
“Gudov does not disclose, teach, or suggest ‘where an attack is a failed authentication’ as recited in claim 1.”
Applicant's argument regarding the amendment to claim 1 (“attack is a failed authentication”) is moot in view of the new rejection made in response to the amendment towards which that argument is directed.
Applicant argues:
“In the present application, "the probability calculator determines a calculated probability of guessing the accumulated statistical object based on the accumulated statistical object and a number of statistical objects in the plurality of statistical objects and the accumulated attack measurement". The present application operates using principles of probability. Gudov does not disclose, teach, or suggest using probability or using probability in the determination of an attack. While the term statistics may be found in Godov, their use is quite different than as used in claim 1.”
Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references (Hayes in view of Gudov). See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Hayes teaches using said probability calculator (30) to determine a calculated probability of guessing said accumulated statistical object (14A) based on said accumulated statistical object (14A) and a number of statistical objects in said plurality of said statistical objects (14P) (Para [0277]-[0279]). Gudov does not disclose, teach, or suggest using probability in the determination of an attack; Gudov teaches only said accumulated attack measurement (13A) (Col 4 lines 50-67). Therefore, the combination of Hayes in view of Gudov teaches using said probability calculator (30) to determine a calculated probability of guessing said accumulated statistical object (14A) based on said accumulated statistical object (14A), a number of statistical objects in said plurality of said statistical objects (14P), and said accumulated attack measurement (13A) in order to detect and prevent attacks.
Applicant argues:
“In the present application, "The present disclosure provides a method for discarding bad communications without blocking good communications when both communications have the same source network address". Gudov describes "If the source address is blacklisted, the data traffic from that address is automatically blocked". Using blacklists of source addresses prevents, "discarding bad communications without blocking good communications when both communications have the same source network address." In this respect, Gudov specifically teaches away from the function expected from the method of claim 1.”
Examiner respectfully disagrees. Applicant appears to be arguing limitations that are not supported by the claim language. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-43 are rejected under 35 U.S.C. 103 as being unpatentable over Hayes (US 20210314366 A1) in view of Gudov (US 8302180 B1) in view of KASMAN (US 20160173526 A1).
Regarding claim 1, Hayes teaches a method, comprising:
accepting as input to a device (10) communication of a first statistical object (14F) having communications characteristics (22) (Para [0248]-[0249]), the device (10) comprising a table storing a plurality of statistical objects (14P) each corresponding to a respective one of a plurality of original objects (12P) (Para [0243]. Para [0252]-[0254]), a statistical object matcher (18) (Para [0253], After a first statistical object 1014F has been received, using a statistical matcher 1018, the first statistical object 1014F is compared against the plurality of statistical objects 1014P.), an accumulated statistical object selector (20) (Para [0253]: The accumulated statistical object selector 1020.), an original object identifier (26) (Para [0253]: the original object identifier 1026.), a probability calculator (30) (Para [0250]: the probability calculator 1030.), and a threshold comparator (32) (Para [0250]: the threshold comparator 1032.);
using said statistical object matcher (18) to determine if said first statistical object (14F) matches at least one of said plurality of statistical objects (14P) in said table (Para [0277]: Ben sends communication containing Ben's current statistical object to device 110. Device 110 receives Ben's communication using a communications receiver 116. Ben's communication includes Ben's statistical object 114F and communications characteristics 122. The communications receiver 116 sends the received communications characteristics 122 and Ben's statistical object 114F to the statistical object matcher 118. The statistical object matcher 118 compares Ben's statistical object 114F with the plurality of statistical objects 114P and determines that there it matches two statistical objects, Ben's and Sally's.);
using said accumulated statistical object selector (20) to obtain and accumulate said first statistical object (14F) and a plurality of matched statistical objects (14MP) in an accumulated statistical object (14A) identified by said communications characteristics (22) when said first statistical object (14F) matches at least one of said plurality of statistical objects (14P) (Para [0277]: Ben sends communication containing Ben's current statistical object to device 110. Device 110 receives Ben's communication using a communications receiver 116. Ben's communication includes Ben's statistical object 114F and communications characteristics 122. The communications receiver 116 sends the received communications characteristics 122 and Ben's statistical object 114F to the statistical object matcher 118. The statistical object matcher 118 compares Ben's statistical object 114F with the plurality of statistical objects 114P and determines that there it matches two statistical objects, Ben's and Sally's.);
using said original object identifier (26) to determine if said accumulated statistical object (14A) can be produced by exactly one original object (12S) of said plurality of original objects (12P), and selecting the exactly one original object (12S) from said plurality of original objects (12P) (Para [0277]: the accumulated statistical object information increases from 32 bits to 64 bits with the addition of statistical object 1014F. The accumulated statistical object 1014A is passed to the original object identifier 1026. The original object identifier 1026 takes the given accumulated statistical object 1014A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 1012S.);
using said probability calculator (30) to determine a calculated probability of guessing said accumulated statistical object (14A) based on said accumulated statistical object (14A) and a number of statistical objects in said plurality of said statistical objects (14P) (Para [0277]-[0279]: original object 1012S is now indicated as selected original object 1012SEL, and is passed to the probability calculator 1030. The probability calculator 1030 takes the given accumulated statistical object 1014A, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 1014A and the number of statistical objects in the plurality of statistical objects 1014P, calculates the probability of guessing the accumulated statistical object information.);
using said threshold comparator (32) to determine if said calculated probability is less than a threshold value (27) (Para [0280]: with only a few original objects (e.g., one hundred) and a relatively large amount of accumulated statistical object information, the probability of guessing those 64 bits of accumulated statistical object information is vanishingly small, approaching zero. This calculated probability 1036 and the accumulated statistical object 1022 are passed to the threshold comparator 1032. The threshold comparator 1032 takes the calculated probability 1036 and compares it with the probability threshold value 1027. In our example, the probability threshold value 1027 is 1 in a million. The threshold comparator 1032 determines that our calculated probability 1027 of zero is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 1027, the threshold comparator 1032 makes an indication 1030 that includes the selected original object 1012SEL Ben. This indication 1030 communicates to other functions within the device 1010 that the communication was sent by Ben and has not exceeded the probability threshold value 1027, and that the device 1010 should now respond to Ben's communication.); and
generating an indication (34) of said selected original object (12SEL) (Para [0280]: with only a few original objects (e.g., one hundred) and a relatively large amount of accumulated statistical object information, the probability of guessing those 64 bits of accumulated statistical object information is vanishingly small, approaching zero. This calculated probability 1036 and the accumulated statistical object 1022 are passed to the threshold comparator 1032. The threshold comparator 1032 takes the calculated probability 1036 and compares it with the probability threshold value 1027. In our example, the probability threshold value 1027 is 1 in a million. The threshold comparator 1032 determines that our calculated probability 1027 of zero is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 1027, the threshold comparator 1032 makes an indication 1030 that includes the selected original object 1012SEL Ben. This indication 1030 communicates to other functions within the device 1010 that the communication was sent by Ben and has not exceeded the probability threshold value 1027, and that the device 1010 should now respond to Ben's communication.).
Hayes does not explicitly disclose an attack measurement accumulator;
using said statistical object matcher (18) to communicate an attack measurement (13) to said attack measurement accumulator when said first statistical object (14F) matches none of said plurality of statistical objects (14P);
generating an accumulated attack measurement (13A) from a plurality of attack measurements (13P) created by accumulating each attack measurement (13) generated during a time period in which said accumulated statistical object (14A) is accumulated;
and said accumulated attack measurement (13A).
Gudov teaches an attack measurement accumulator (Col 4 lines 50-67: control module 320);
using said statistical object matcher (18) to communicate an attack measurement (13) to said attack measurement accumulator when said first statistical object (14F) matches none of said plurality of statistical objects (14P) (Col 4 lines 50-67: control module 320 also stores lists of black and white addresses (or, simply, blacklists and whitelists) to identify network devices traffic from which is either automatically blocked, as being originated from a known bot 120, or automatically forwarded to service 130, as being originated from a known legitimate user 220. Whitelists and blacklists can be generated manually by the system administrator or automatically on the basis of statistical and behavioral criteria collected by the control module 320. Behavioral criteria might include, for example, analysis of the number of queries and sessions from one IP address, the number of unconfirmed queries from one IP address, the number of queries for data of the same type from one IP address, and the number of connections without continuation of information exchange, and other criteria.);
generating an accumulated attack measurement (13A) from a plurality of attack measurements (13P) created by accumulating each attack measurement (13) generated during a time period in which said accumulated statistical object (14A) is accumulated (Col 4 lines 31-49: Control module 320 monitors the operability of all the other modules (primarily collectors 310) by tracking their utilization. Control module 320 can track network utilization statistics (e.g., daily, weekly, monthly) and collect information about malicious activity on the Internet, which makes it possible to plot the geography of current attacks and store and collect statistics about known attacks (e.g., number of attacks, duration of attack, peak and average network load during the attack). This information may be used to generate the descriptive characteristics of each attack, for example: the number of botnets involved, time from the start of the attack, geography of the attack. On the basis of this information module 320 adjusts the filtering rules, which are stored in filtering profiles, which are used by the filtering centers 210. To accomplish this, control module 320 computes allowable amount of data traffic transmitted to the service 130, the allowable number of packets as a function of the protocol used, and other network parameter. Examples of various types of network parameters are presented in Table 1 below.);
and said accumulated attack measurement (13A) (Col 4 lines 50-67: control module 320).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hayes with the teachings of Gudov to include an attack measurement accumulator; using said statistical object matcher (18) to communicate an attack measurement (13) to said attack measurement accumulator when said first statistical object (14F) matches none of said plurality of statistical objects (14P); generating an accumulated attack measurement (13A) from a plurality of attack measurements (13P) created by accumulating each attack measurement (13) generated during a time period in which said accumulated statistical object (14A) is accumulated; and said accumulated attack measurement (13A) in order to detect and prevent attacks by extracting network traffic information (Gudov Col 1 lines 52-62).
Hayes in view of Gudov does not explicitly disclose the attack measurement representing a failed authentication attempt.
KASMAN does disclose the attack measurement representing a failed authentication attempt (Para [0040]: The IP address of the client users' device 401 is within the untrusted lists maintained by the detection filter 202, the data access frequency is above the blocking threshold value, or the user of the client users' device 401 has consecutively failed to authenticate the DDoS attack mitigation challenge a number of times above the retry limit. In this case, a DDoS attack is detected, and the client users' device 401 is denied access to the intended service or resource.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hayes in view of Gudov with the teachings of KASMAN to include the attack measurement representing a failed authentication attempt in order to detect a DDoS attack and deny access to the intended service or resource (KASMAN Para [0044]).
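The claim 1 pipeline as an added, runnable model (an illustration written for this page, not code from Hayes, Gudov, KASMAN or the application under examination): the table values, the TCP/IP characteristics, the 60-second accumulation window and the probability model (valid objects over 2**bits, scaled by one plus the accumulated attack measurement) are all assumptions, chosen to reproduce the 32-to-64-bit, "1 in a million" walk-through cited from Hayes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

STAT_BITS = 32      # bits per statistical object, as in Hayes' 32 -> 64 bit example
THRESHOLD = 1e-6    # probability threshold value (27): "1 in a million" in Hayes' example
WINDOW = 60.0       # assumed length, in seconds, of the accumulation time period

# Constructed table (14P -> 12P): each statistical object value is paired with the
# original object able to produce it. 0x11111111 is deliberately shared by Ben and
# Sally to reproduce the two-way match described in Hayes Para [0277].
TABLE: List[Tuple[int, str]] = [
    (0x11111111, "Ben"), (0x22222222, "Ben"),
    (0x11111111, "Sally"), (0x33333333, "Sally"),
    (0x44444444, "Greg"),
]


@dataclass
class Accumulated:
    """Accumulated statistical object (14A) for one set of communications characteristics (22)."""
    bits: int = 0
    candidates: Optional[Set[str]] = None  # originals consistent with every matched object so far


@dataclass
class Device:
    """Device (10): the claim 1 components as methods, with per-characteristics state."""
    table: List[Tuple[int, str]]
    threshold: float = THRESHOLD
    accumulated: Dict[Tuple, Accumulated] = field(default_factory=dict)
    attacks: Dict[Tuple, List[float]] = field(default_factory=dict)  # attack measurements (13P)

    def matcher(self, first: int) -> List[str]:
        """Statistical object matcher (18): original objects whose table entry equals `first`."""
        return [orig for value, orig in self.table if value == first]

    def accumulated_attacks(self, chars: Tuple, now: float) -> int:
        """Accumulated attack measurement (13A): failed authentications within the window."""
        stamps = [t for t in self.attacks.get(chars, []) if now - t <= WINDOW]
        self.attacks[chars] = stamps
        return len(stamps)

    def probability(self, acc: Accumulated, attacks: int) -> float:
        """Probability calculator (30). Assumed model: one guess hits any of the N valid
        objects with probability N / 2**bits, and each accumulated attack measurement is
        one more guess already spent against this accumulated object (union bound)."""
        n = len(self.table)
        return min(1.0, (attacks + 1) * n / 2 ** acc.bits)

    def receive(self, first: int, chars: Tuple, now: float) -> Optional[str]:
        """Accept one communication; return the indication (34), i.e. the selected
        original object (12SEL), or None when no indication is made."""
        matched = self.matcher(first)
        if not matched:
            # Matches none of 14P: the matcher communicates an attack measurement (13),
            # a failed authentication attempt, to the attack measurement accumulator.
            self.attacks.setdefault(chars, []).append(now)
            return None
        # Accumulated statistical object selector (20): fold 14F and its matches into 14A.
        acc = self.accumulated.setdefault(chars, Accumulated())
        acc.bits += STAT_BITS
        acc.candidates = set(matched) if acc.candidates is None else acc.candidates & set(matched)
        # Original object identifier (26): can exactly one original object produce 14A?
        if len(acc.candidates) != 1:
            return None
        selected = next(iter(acc.candidates))
        p = self.probability(acc, self.accumulated_attacks(chars, now))
        # Threshold comparator (32): indicate 12SEL only when p is below the threshold (27).
        return selected if p < self.threshold else None


def demo() -> dict:
    """Walk through the Hayes narrative plus a brute-force source; returns the outcomes."""
    dev = Device(TABLE)
    ben = ("10.0.0.5", 40000, "10.0.0.1", 443)       # constructed TCP/IP characteristics (22)
    bot = ("203.0.113.9", 5555, "10.0.0.1", 443)     # constructed, different source address
    out = {}
    out["first"] = dev.receive(0x11111111, ben, 0.0)   # Ben or Sally: 32 bits, ambiguous -> None
    out["second"] = dev.receive(0x22222222, ben, 1.0)  # 64 bits, only Ben; p = 5/2**64 -> "Ben"
    for i in range(1000):                              # 1000 failed authentications in 10 s
        dev.receive(0x99999999, bot, i * 0.01)
    out["bot_attacks"] = dev.accumulated_attacks(bot, 10.0)
    # A lucky guess of Greg's 32-bit object: p = 1001 * 5 / 2**32 > 1e-6, so no indication.
    out["bot_guess"] = dev.receive(0x44444444, bot, 10.0)
    return out


if __name__ == "__main__":
    print(demo())
```

Ben's communications keep passing while the brute-forcing source is held back, because the attack measurements are accumulated per communications characteristics rather than per source address alone.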
Regarding claim 2, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein the probability of guessing said first statistical object (14F) remains constant, while the number of statistical objects in said plurality of statistical objects (14P) varies (Hayes Para [0255]-[0256]: the present probability of guessing an accumulated statistical object 1022 based on the number of statistical objects present in the plurality of statistical objects 1014P, the probability of guessing an accumulated statistical object is held constant while the number of statistical objects present in the plurality of statistical objects 1014P can vary. Likewise, the probability of guessing a first statistical object 1014F is also held constant.).
Regarding claim 3, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein the probability of guessing said accumulated statistical object (14A) remains constant, while the number of statistical objects in said plurality of statistical objects (14P) varies (Hayes Para [0255]-[0256]: the present probability of guessing an accumulated statistical object 1022 based on the number of statistical objects present in the plurality of statistical objects 1014P, the probability of guessing an accumulated statistical object is held constant while the number of statistical objects present in the plurality of statistical objects 1014P can vary. Likewise, the probability of guessing a first statistical object 1014F is also held constant.).
Regarding claim 4, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said accumulated statistical object (14A) in said plurality of accumulated statistical objects (14AP) is removed after a period of inactivity pertaining to said accumulated statistical object (14A) (Hayes Para [0251]: the plurality of statistical objects 1014P may be individually or as a group, periodically removed.).
Regarding claim 5, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said threshold value (27) can be changed without coordination with the source of said first statistical object (14F) (Hayes Para [0256]: this effectively allows the statistical object identification system to silently increase or decrease the probability threshold value 1027 without providing any detectable indication of the change in the probability threshold value 1027.).
Regarding claim 6, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said threshold value (27) can be changed without communication with the source of said first statistical object (14F) (Hayes Para [0256]: this effectively allows the statistical object identification system to silently increase or decrease the probability threshold value 1027 without providing any detectable indication of the change in the probability threshold value 1027.).
Regarding claim 7, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said threshold value (27) is associated with said selected original object (12SEL) (Hayes Para [0176]. Para [0183]-[0185]: The device 110 has generated the plurality of statistical objects 114P corresponding to the plurality of original objects 112P. This calculated probability 136 and the accumulated statistical object 122 are passed to the threshold comparator 132. The threshold comparator 132 takes the calculated probability 136 and compares it with the probability threshold value 127. This indication 130 communicates to other functions within the device 110 that the communication was sent by Ben and has not exceeded the probability threshold value 127).
Regarding claim 8, Hayes in view of Gudov in view of KASMAN teaches the method of Claim 1, wherein said threshold value (27) is associated with said device (10) (Hayes Para [0255]: the threshold value may be associated with the device 1010.).
Regarding claim 9, Hayes in view of Gudov in view of KASMAN teaches the method of Claim 1, wherein said threshold value (27) is associated with said plurality of original objects (12P) (Hayes Para [0253]: the device 110 has generated the plurality of statistical objects 114P corresponding to the plurality of original objects 112P. This calculated probability 136 and the accumulated statistical object 122 are passed to the threshold comparator 132. The threshold comparator 132 takes the calculated probability 136 and compares it with the probability threshold value 127. This indication 130 communicates to other functions within the device 110 that the communication was sent by Ben and has not exceeded the probability threshold value 127).
Regarding claim 10, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said indication (34) includes clock information used in the generation of said first statistical object (14F) (Hayes Para [0251]: These additional inputs may include clock information.).
Regarding claim 11, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said indication (34) includes keying information used in the generation of said first statistical object (14F) (Hayes Para [0023]: generates a statistical object using the keying information associated with the selected one of the plurality of original objects.).
Regarding claim 12, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said indication (34) includes state information used in the generation of said first statistical object (14F) (Hayes Para [0251]: these additional inputs may include clock information, keying information, state information, and other relevant and useful information.).
Regarding claim 13, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said indication (34) includes additional information used in the generation of said first statistical object (14F) (Hayes Para [0251]: these additional inputs may include clock information, keying information, state information, and other relevant and useful information.).
Regarding claim 14, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said communications characteristics (22) includes TCP/IP session information (Hayes Para [0276]: Ben's communication includes Ben's statistical object (first statistical object 1014F) and communications characteristics 1022. In this case, the communications occurred over a TCP/IP network and the IP source and destination addresses and the TCP source and destination port numbers are used as communications characteristics 1022.).
Regarding claim 15, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said communications characteristics (22) includes addressing information (Hayes Para [0276]: Ben's communication includes Ben's statistical object (first statistical object 1014F) and communications characteristics 1022. In this case, the communications occurred over a TCP/IP network and the IP source and destination addresses and the TCP source and destination port numbers are used as communications characteristics 1022.).
Regarding claim 16, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said communications characteristics (22) includes security association information (Hayes Para [0252]: communications characteristics 1022 may also include security association information.).
Regarding claim 17, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein a probability of guessing said first statistical object (14F) remains constant (Hayes Para [0256]: the probability of guessing an accumulated statistical object is held constant while the number of statistical objects present in the plurality of statistical objects 1014P can vary. Likewise, the probability of guessing a first statistical object 1014F is also held constant.), while the number of attack measurements (13) in said plurality of attack measurements (13P) varies (Gudov Col 4 lines 31-49).
Regarding claim 18, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein a probability of guessing said first statistical object (14F) accounts for brute force attacks (Hayes Para [0311]: The SOI system is vulnerable to brute force attacks unless defenses are made to detect and mitigate them. A brute force attack on SOI is when an attacker generates a large number of statistical objects 1014S in an attempt to guess a valid statistical object.).
Regarding claim 19, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said communications characteristics (22) includes time information (Hayes Para [0252]: physical characteristics of communications characteristics 1022 may also include phase information, time information and amplitude information.).
Regarding claim 20, Hayes in view of Gudov in view of KASMAN teaches the method of claim 1, wherein said selected original object (12SEL) is determined (22) with said communications characteristics (22) while said statistical object matcher (18) is creating said attack measurement (13) from communications with the same said communications characteristics (22) (Gudov Col 4 lines 50-67: control module 320 also stores lists of black and white addresses (or, simply, blacklists and whitelists) to identify network devices traffic from which is either automatically blocked, as being originated from a known bot 120, or automatically forwarded to service 130, as being originated from a known legitimate user 220. Whitelists and blacklists can be generated manually by the system administrator or automatically on the basis of statistical and behavioral criteria collected by the control module 320. Behavioral criteria might include, for example, analysis of the number of queries and sessions from one IP address, the number of unconfirmed queries from one IP address, the number of queries for data of the same type from one IP address, and the number of connections without continuation of information exchange, and other criteria. Hayes Para [0276]: the communications receiver 1016 sends the received communications characteristics 1022 and Ben's statistical object 1014F to the statistical object matcher 1018. The statistical object matcher 1018 compares Ben's statistical object 1014F with the plurality of statistical objects 1014P, and determines that there it matches two statistical objects, Ben's and Greg's. The statistical object matcher 1018 sends Ben's statistical object 1014F, the two matched statistical objects 1014M (Ben's and Greg's) and the communications characteristics 1022 to the accumulated statistical object selector 1020.).
Regarding claim 21, Hayes teaches a method comprising:
accepting as input to a device (10) communication of a first statistical object (14F) having communications characteristics (22) (Para [0248]-[0249]), the device (10) comprising therein a plurality of statistical objects (14P) (Para [0243]. Para [0252]-[0254]), each of the plurality of statistical objects comprising a statistical representation of a corresponding original object (12S) (Para [0243]. Para [0252]-[0254]), the device comprising storage for a plurality of attack objects (13P) (Para [0243]. Para [0252]-[0254]), each of the plurality of statistical objects (14P) (Para [0243]. Para [0252]-[0254]) and including a timestamp (15) (Para [0263]: each accumulated statistical object 1014A should have a timestamp), the device (10) comprising a statistical object matcher (18) (Para [0253], After a first statistical object 1014F has been received, using a statistical matcher 1018, the first statistical object 1014F is compared against the plurality of statistical objects 1014P.), an accumulated statistical object selector (20) (Para [0253]: the accumulated statistical object selector 1020.), an accumulated statistical object (14A) and a plurality of matching statistical objects (14MP) (Para [0253].), a first associated original object selector (24) (Para [0250]), a second associated original object identifier (28) (Para [0250]) and a table for storing the plurality of statistical objects (14P) and plurality of original objects (12P) (Para [0253]) and a probability calculator (30) (Para [0250]: the probability calculator 1030.);
using the statistical object matcher (18) determining if said first statistical object (14F) matches at least one of said plurality of statistical objects (14P) (Para [0277]: Ben sends communication containing Ben's current statistical object to device 110. Device 110 receives Ben's communication using a communications receiver 116. Ben's communication includes Ben's statistical object 114F and communications characteristics 122. The communications receiver 116 sends the received communications characteristics 122 and Ben's statistical object 114F to the statistical object matcher 118. The statistical object matcher 118 compares Ben's statistical object 114F with the plurality of statistical objects 114P and determines that there it matches two statistical objects, Ben's and Sally's.);
accumulating with the accumulated statistical object selector (20) said first statistical object (14F) and a plurality of matching statistical objects (14MP) in the accumulated statistical object (14A) identified by said communications characteristics (22) (Para [0277]: the accumulated statistical object information increases from 32 bits to 64 bits with the addition of statistical object 1014F. The accumulated statistical object 1014A is passed to the original object identifier 1026. The original object identifier 1026 takes the given accumulated statistical object 1014A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 1012S.);
using the first associated original object selector (24) to select an original object (12SEL) identified by said communications characteristics (22) (Para [0277]: the accumulated statistical object information increases from 32 bits to 64 bits with the addition of statistical object 1014F. The accumulated statistical object 1014A is passed to the original object identifier 1026. The original object identifier 1026 takes the given accumulated statistical object 1014A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 1012S.);
using the second associated original object identifier (28) to determine if said accumulated statistical object (14A) can be produced by said selected original object (12SEL) (Para [0277]: the accumulated statistical object information increases from 32 bits to 64 bits with the addition of statistical object 1014F. The accumulated statistical object 1014A is passed to the original object identifier 1026. The original object identifier 1026 takes the given accumulated statistical object 1014A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 1012S.);
determining with the probability calculator (30) a calculated probability (36) of guessing
said accumulated statistical object (14A) based on said accumulated statistical object (14A) and the number of statistical objects in said plurality of said statistical objects (14P) produced by original objects associated with said associated communications characteristics (22) (Para [0277]-[0279]: original object 1012S is now indicated as selected original object 1012SEL, and is passed to the probability calculator 1030. The probability calculator 1030 takes the given accumulated statistical object 1014A, and, based on the number of bits of statistical object information that has been accumulated in the accumulated statistical object 1014A and the number of statistical objects in the plurality of statistical objects 1014P, calculates the probability of guessing the accumulated statistical object information.);
determining with a threshold comparator (32) if said calculated probability (36) is less than a threshold value (27) (Para [0280]: with only a few original objects (e.g., one hundred) and a relatively large amount of accumulated statistical object information, the probability of guessing those 64 bits of accumulated statistical object information is vanishingly small, approaching zero. This calculated probability 1036 and the accumulated statistical object 1022 are passed to the threshold comparator 1032. The threshold comparator 1032 takes the calculated probability 1036 and compares it with the probability threshold value 1027. In our example, the probability threshold value 1027 is 1 in a million. The threshold comparator 1032 determines that our calculated probability 1027 of zero is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 1027, the threshold comparator 1032 makes an indication 1030 that includes the selected original object 1012SEL Ben. This indication 1030 communicates to other functions within the device 1010 that the communication was sent by Ben and has not exceeded the probability threshold value 1027, and that the device 1010 should now respond to Ben's communication.);
associating said communications characteristics (22) with said selected original object (212SEL) (Para [0277]: the original object identifier 1026 takes the given accumulated statistical object 1014A and determines if the accumulated statistical information within the accumulated statistical object could only be generated by a single, unique original object 1012S.); and
generating an indication (34) of said selected original object (12SEL) (Para [0280]: with only a few original objects (e.g., one hundred) and a relatively large amount of accumulated statistical object information, the probability of guessing those 64 bits of accumulated statistical object information is vanishingly small, approaching zero. This calculated probability 1036 and the accumulated statistical object 1022 are passed to the threshold comparator 1032. The threshold comparator 1032 takes the calculated probability 1036 and compares it with the probability threshold value 1027. In our example, the probability threshold value 1027 is 1 in a million. The threshold comparator 1032 determines that our calculated probability 1027 of zero is less than the probability threshold value of 1 in a million. Having not exceeded our probability threshold value 1027, the threshold comparator 1032 makes an indication 1030 that includes the selected original object 1012SEL Ben. This indication 1030 communicates to other functions within the device 1010 that the communication was sent by Ben and has not exceeded the probability threshold value 1027, and that the device 1010 should now respond to Ben's communication.).
Hayes does not explicitly disclose the plurality of attack objects (13P);
using the statistical object matcher (18) to generate an attack measurement (13) when the first statistical object (14F) matches none of said plurality of statistical objects;
generating an accumulated attack measurement (13A) from said plurality of attack measurements (13P) that occurred during a time period during which said accumulated statistical object (14A) was accumulated;
and said accumulated attack measurement (13A).
Gudov teaches the plurality of attack objects (13P) (Col 4 lines 50-67: control module 320);
using the statistical object matcher (18) to generate an attack measurement (13) when the first statistical object (14F) matches none of said plurality of statistical objects (Col 4 lines 50-67: control module 320 also stores lists of black and white addresses (or, simply, blacklists and whitelists) to identify network devices traffic from which is either automatically blocked, as being originated from a known bot 120, or automatically forwarded to service 130, as being originated from a known legitimate user 220. Whitelists and blacklists can be generated manually by the system administrator or automatically on the basis of statistical and behavioral criteria collected by the control module 320. Behavioral criteria might include, for example, analysis of the number of queries and sessions from one IP address, the number of unconfirmed queries from one IP address, the number of queries for data of the same type from one IP address, and the number of connections without continuation of information exchange, and other criteria.);
generating an accumulated attack measurement (13A) from said plurality of attack measurements (13P) that occurred during a time period during which said accumulated statistical object (14A) was accumulated (Col 4 lines 31-49: Control module 320 monitors the operability of all the other modules (primarily collectors 310) by tracking their utilization. Control module 320 can track network utilization statistics (e.g., daily, weekly, monthly) and collect information about malicious activity on the Internet, which makes it possible to plot the geography of current attacks and store and collect statistics about known attacks (e.g., number of attacks, duration of attack, peak and average network load during the attack). This information may be used to generate the descriptive characteristics of each attack, for example: the number of botnets involved, time from the start of the attack, geography of the attack. On the basis of this information module 320 adjusts the filtering rules, which are stored in filtering profiles, which are used by the filtering centers 210. To accomplish this, control module 320 computes allowable amount of data traffic transmitted to the service 130, the allowable number of packets as a function of the protocol used, and other network parameter. Examples of various types of network parameters are presented in Table 1 below.);
and said accumulated attack measurement (13A) (Col 4 lines 50-67: control module 320).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hayes with the teachings of Gudov to include the plurality of attack objects (13P); using the statistical object matcher (18) to generate an attack measurement (13) when the first statistical object (14F) matches none of said plurality of statistical objects; generating an accumulated attack measurement (13A) from said plurality of attack measurements (13P) that occurred during a time period during which said accumulated statistical object (14A) was accumulated; and said accumulated attack measurement (13A), in order to detect and prevent attacks by extracting network traffic information (Gudov Col 1 lines 52-62).
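The matching, accumulation, probability, threshold and attack-measurement steps mapped above, modelled as an added illustrative example. This is constructed code, not code from Hayes, Gudov or the present application; the guess-probability formula (number of stored statistical objects divided by 2 to the power of the accumulated bit length), the 16-bit object size, the sample table of users and the sender labels are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Indication:
    """Indication (34): what the device reports after processing one communication."""
    selected: Optional[str]      # selected original object (12SEL), or None if not yet identifiable
    probability: float           # calculated probability (36) of guessing the accumulated object
    accumulated_bits: int        # size of the accumulated statistical object (14A) for this sender
    accumulated_attacks: int     # accumulated attack measurement (13A) over this sender's window


class Device:
    """Constructed model of the claimed pipeline: table of statistical objects, matcher,
    accumulator, probability calculator, threshold comparator and attack accumulator."""

    def __init__(self, table: Dict[str, List[str]], threshold: float = 1e-6):
        # table: statistical object (bit string) -> original objects able to produce it
        self.table = table
        self.threshold = threshold                 # threshold value (27)
        self.n_objects = sum(len(v) for v in table.values())  # size of the plurality (14P)
        self.accumulated: Dict[str, str] = {}      # comm characteristics (22) -> accumulated bits (14A)
        self.candidates: Dict[str, Set[str]] = {}  # comm characteristics -> original objects still consistent
        self.window_start: Dict[str, float] = {}   # comm characteristics -> when accumulation began
        self.attack_times: List[float] = []        # timestamps of attack measurements (13P)
        self.associations: Dict[str, str] = {}     # comm characteristics -> selected original object

    def accumulated_attacks(self, comm: str, now: float) -> int:
        """Accumulated attack measurement (13A): attack measurements inside this sender's window."""
        start = self.window_start.get(comm, now)
        return sum(1 for t in self.attack_times if start <= t <= now)

    def guess_probability(self, bits: int) -> float:
        """Assumed formula: chance that a random guess of `bits` bits hits one of the stored objects."""
        return min(1.0, self.n_objects / 2 ** bits)

    def receive(self, comm: str, stat_obj: str, now: float) -> Indication:
        # Statistical object matcher (18): which stored objects does the received one match?
        matches = set(self.table.get(stat_obj, ()))
        if not matches:
            # Matches none of the plurality: generate an attack measurement (13), accumulate nothing
            self.attack_times.append(now)
            return Indication(None, 1.0, len(self.accumulated.get(comm, "")),
                              self.accumulated_attacks(comm, now))

        # Accumulated statistical object selector (20): extend this sender's accumulated object
        self.window_start.setdefault(comm, now)
        self.accumulated[comm] = self.accumulated.get(comm, "") + stat_obj
        self.candidates[comm] = self.candidates.get(comm, matches) & matches

        # Original object identifier (28): can only one original object produce the accumulation?
        selected = next(iter(self.candidates[comm])) if len(self.candidates[comm]) == 1 else None
        bits = len(self.accumulated[comm])
        p = self.guess_probability(bits)  # probability calculator (30)

        # Threshold comparator (32): associate and indicate only when below the threshold
        if selected is not None and p < self.threshold:
            self.associations[comm] = selected
            return Indication(selected, p, bits, self.accumulated_attacks(comm, now))
        return Indication(None, p, bits, self.accumulated_attacks(comm, now))


def build_table(bits: int = 16) -> Dict[str, List[str]]:
    """Constructed sample: 100 users with one object each, plus Ben and Sally sharing one."""
    table: Dict[str, List[str]] = {}
    for i in range(100):
        table.setdefault(format(1000 + i, f"0{bits}b"), []).append(f"user{i}")
    table.setdefault(format(5, f"0{bits}b"), []).extend(["Ben", "Sally"])  # shared object
    table.setdefault(format(6, f"0{bits}b"), []).append("Ben")             # only Ben has this one
    return table


def demo() -> Dict[str, object]:
    """Walk through a shared match, an unmatched (attack) message and a narrowing match."""
    dev = Device(build_table())
    shared, ben_only, unknown = format(5, "016b"), format(6, "016b"), "1" * 16
    first = dev.receive("sender-A", shared, now=100.0)     # matches Ben and Sally: no selection yet
    attack = dev.receive("sender-B", unknown, now=101.0)   # matches none: attack measurement
    second = dev.receive("sender-A", ben_only, now=102.0)  # narrows candidates to Ben, 32 bits
    return {"first": first, "attack": attack, "second": second, "assoc": dict(dev.associations)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With 103 stored statistical objects, one 16-bit object gives a guess probability of about 1.6e-3, above the one-in-a-million threshold, so sender-A is not identified until a second object brings the accumulation to 32 bits (about 2.4e-8) and leaves Ben as the only consistent original object; the unmatched message from sender-B falls inside sender-A's accumulation window and so counts in that sender's accumulated attack measurement.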
As per claims 22-24, the claims claim the computing system essentially corresponding to the system claims 2-4 above, and they are rejected, at least for the same reasons.
Regarding claim 25, Hayes in view of Gudov in view of KASMAN teaches the method of claim 21, wherein said association of communications characteristics (22) with said original object (12S) is removed after a period of inactivity pertaining to said communications criteria (22) (Hayes Para [0265]: If an original object 1016 is inactive for a period of time, the association with communications characteristics 1022 may be removed from the original object 1016.).
Regarding claim 26, Hayes in view of Gudov in view of KASMAN teaches the method of claim 21, wherein said association of communications criteria (22) with said original object (12S) is removed after a period of inactivity pertaining to said original object (12S) (Hayes Para [0265]: If an original object 1016 is inactive for a period of time, the association with communications characteristics 1022 may be removed from the original object 1016.).
Regarding claim 27, Hayes in view of Gudov in view of KASMAN teaches the method of claim 21, wherein said association of communications criteria with said original object (12S) is created prior to receiving a first statistical object (14F) (Hayes Para [0252]: the association between an original object 1012S and communications characteristics 1022 can also be created prior to receiving a first statistical object 1014F.).
As per claims 28-43, the claims claim the computing system essentially corresponding to the system claims 5-20 above, and they are rejected, at least for the same reasons.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUDY BAZNA whose telephone number is (703)756-1258. The examiner can normally be reached Monday - Friday 08:30 AM-05:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JUDY BAZNA/Examiner, Art Unit 2495
/PONNOREAY PICH/Primary Examiner, Art Unit 2495