Prosecution Insights
Last updated: July 17, 2026
Application No. 18/365,352

INTELLIGENT, ENTERPRISE RANSOMWARE DETECTION AND MITIGATION FRAMEWORK

Final Rejection §103
Filed
Aug 04, 2023
Examiner
MARTINEZ, TOMMY NMN
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Dell Products L.P.
OA Round
4 (Final)
14%
Grant Probability
At Risk
5-6
OA Rounds
0m
Est. Remaining
-6%
With Interview

Examiner Intelligence

Grants only 14% of cases
14%
Career Allowance Rate
1 granted / 7 resolved
-43.7% vs TC avg
Minimal -20% lift
Without
With
+-20.0%
Interview Lift
resolved cases with interview
Typical timeline
2y 4m
Avg Prosecution
24 currently pending
Career history
39
Total Applications
across all art units

Statute-Specific Performance

§103
97.8%
+57.8% vs TC avg
§102
1.4%
-38.6% vs TC avg
§112
0.7%
-39.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 7 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on November 17, 2025 has been entered. Response to Arguments Applicant's arguments filed November 17, 2025 have been fully considered but they are not persuasive. In page 1 of the remarks, Applicant states that Examiner objected to the specification because MITRE ATT&CK was not identified as a trademark. In response, Applicant amends the specification to identify MITRE ATT&CK as a trademark. As a result, Examiner withdraws the objection of the Specification regarding the use of a trademarked term. In page 2 of the remarks, Applicant states that the previous Office Action ("OA") rejected claim(s) 1-20 under 35 U.S.C. § 112(a) as failing to comply with the written description requirement, and 35 U.S.C. § 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter, with Applicant disagreeing with the rejections, and amending claims 1 and 11 to remove the language that was rejected in the Office Action, and requests that the rejections under 35 U.S.C. § 112 be withdrawn. Examiner states that as the amendments in claims 1 and 11 eliminate the aspect of “MITRE ATT&CK” and add further aspects that are described in the Specification of the Applicant, Examiner withdraws the rejections made under 112(a) and 112(b). In pages 2-4 of the remarks, Applicant states that the previous OA rejected claim(s) 1-3, 7-13 and 17-20 under 35 U.S.C. § 103 as being unpatentable over Chen (US 2022/0318387) in view of Caspi (US 10,193,902) and Suh (US 2022/0292137). Claim(s) 4, 5, 14 and 15 were rejected over Chen in view of Caspi and Suh, further in view of Rokka Chhetri (US 2022/0253691), hereinafter Chhetri. Claims 6 and 16 were rejected over Chen in view of Caspi and Suh, further in view of DaBoll-Lavoie (US 2019/0108274), hereinafter Lavoie. Applicant further states the claimed invention is directed to a computer-implemented method for structured ransomware threat modeling and lifecycle-stage prediction using a labeled property graph (LPG), and describes the limitation of the independent claims, including amended portions, including "extracted entities and relationships are modeled as interconnected nodes and typed edges in a labeled property graph stored in a graph database, where specific edge types ("uses," "precursor," and "has") encode functional and ordered relationships between attack techniques across successive stages of a ransomware attack lifecycle", and a "threat prediction engine [...] predicts a ransomware threat classification corresponding to a specific lifecycle stage based on received security sensor data, the sensor data is mapped to attack technique nodes in the LPG by matching detected events to entities represented in the graph, and a mitigation node associated with the predicted stage is retrieved by traversing a typed "has" relationship from the corresponding attack technique node to generate a mitigation recommendation". Applicant states that Chen is concerned with learning correspondences between malware behaviors and execution traces, operates on dynamic execution traces and uses neural attention mechanisms to associate API calls and resources with techniques, and is a neural embedding model built around execution trace sequences. Chen, however, does not build a persistent labeled property graph representing ransomware variants, techniques, vulnerabilities, assets, and mitigation nodes across ordered lifecycle stages, and furthermore, does not map external security sensor data to technique nodes within a graph structure and does not retrieve mitigation nodes through typed graph traversal. Chen, overall, contains a model that operates in embedding space, not in a graph database that encodes stage ordering and mitigation linkage. Applicant also states that Caspi discloses malware detection using deep learning and feature-based dictionaries derived from file content, transforms files into feature vectors and trains a deep learning classifier, and identifies malware versus non-malware or malware categories based on file characteristics. However, Caspi does not disclose generating a labeled property graph, does not model ransomware lifecycle stages, and does not define typed relationships such as "precursor" encoding stage transitions between attack techniques, never maps security sensor events to technique nodes in a graph, and never retrieves mitigation nodes by traversing graph edges. Applicant further states that Sun discloses constructing and updating a knowledge graph in a cybersecurity domain and inferring relevance among information objects. Sun's graph comprises taxonomy and entity graphs, and performs relevance inference based on graph relationships. However, Sun's knowledge graph is not a lifecycle model of ransomware attack stages, and inference is general relevance reasoning across graph nodes. The present claims, by contrast, require stage prediction within a structured ransomware lifecycle model and mitigation retrieval via explicit typed graph traversal, and it is respectfully submitted that claim(s) 1 and 11 are patentable over the cited references, and requests withdrawal of the present rejections for obviousness. Examiner disagrees, with respect to the amended claims 1 and 11 present, which are now rejected over Chen in view of Caspi, Suh, and Crabtree et al. (US 20200358804 A1), hereinafter Crabtree, as Applicant’s arguments with respect to claims 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. In particular, the amendments of “threat context across multiple ordered stages of a ransomware attack lifecycle including initial access, malware execution, privilege escalation, internal discovery, lateral movement, persistence, and ransomware deployment, and wherein the edges comprise typed relationships including "uses," "precursor," and "has," the precursor relationship encoding ordering between attack technique nodes corresponding to successive stages of the ransomware attack lifecycle” is taught by Crabtree in paragraph [0071] Fig. 1D shows typical method of cyber attack, including installation, execution, privilege escalation, delivery, lateral movement, target manipulation, and delivery, with paragraph [0067] also describes ransomware disk attacks as being part of cyber attacks that can be detected, and [0090] Fig. 23 shows a graph diagram for cyber-physical graph 2300, showing a cyber attack progressing through a network with several paths shown in the figure. Included are edges/paths that contain relationship indicators such as "CanExploit", "HasSession", and "ForcePWChange", which shows actions taken by a cyber attack at different stages in the attack itself. Furthermore, Crabtree also teaches the amended limitation of “lifecycle based on received security sensor data, wherein the received security sensor data is mapped to one or more attack technique nodes in the LPG based on matching between detected events and entities represented in the LPG” as described in paragraph [0090] Fig. 23 shows a graph diagram for cyber-physical graph 2300, showing a cyber attack progressing through a network with several paths shown in the figure. Included are edges/paths that contain relationship indicators such as "CanExploit", "HasSession", and "ForcePWChange", which shows actions taken by a cyber attack at different stages in the attack itself. As a result of the new grounds of rejection being utilized to teach the amended limitations of the independent claims, claims 1-3, 7-13, and 17-20 are rejected under 103 over Chen in view of Caspi, Suh, and Crabtree. Claims 4-5, and 14-15 are rejected under Chen in view of Caspi, Suh, and Crabtree, further in view of Chhetri. Claims 6 and 16 are rejected under Chen in view of Caspi, Suh, and Crabtree, further in view of Lavoie. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-3, 7-13, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al. (US 20220318387 A1), hereinafter Chen, in view of Caspi et al. (US 10193902 B1), hereinafter Caspi, Suh et al. (US 20220292137 A1), hereinafter Suh, and Crabtree et al. (US 20200358804 A1), hereinafter Crabtree. Regarding claim 1, Chen discloses “a method, comprising: extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat“ ([0066] Fig. 2, JCry file analyzed is a ransomware disguised as an installer. [0081] Fig. 4, execution trace is extracted from malware in a sandbox, and corresponds to which corresponds to one or more relationships of one or more entities of the applicant, as an execution trace contains information about a ransomware threat, including related resources in an execution trace, where the resources correspond to metadata about one or more entities of a ransomware threat of the applicant.); “threat context, wherein the nodes comprise at least ransomware variant nodes, attack technique nodes, vulnerability nodes, asset nodes, and mitigation nodes” ([0067] Fig. 4, in extraction phase, a MITRE ATT&CK framework has knowledge extraction performed along with execution trace is extracted from malware from a sandbox. Fig. 3 shows a visualization of tactics and techniques, along with how they affect software, and shows relationships between the malware, techniques, and what occurs in the software, as described in paragraph [0077].); “comprising a graph database and storing the metadata in the LPG graphical form as the interconnected nodes and typed edges, the metadata about the one or more entities of the ransomware threat and the one or more relationships between the one or more entities of the ransomware threat” ([0066] Fig. 2, JCry file analyzed is a ransomware disguised as an installer. [0079] OSINT databases is provided for MAMBA, which is the system described in the prior art, and particularly for Fig. 4, when extraction of execution trace is performed. Fig. 3, as described in paragraphs [0072]-[0077], shows a labeled property graph of the relation between the software, cybersecurity attack, and the effects of the attack itself.); “and predicting, by a threat prediction engine, based on the metadata about the one or more entities of the ransomware threat and the one or more relationships between the one or more entities of the ransomware threat, a ransomware threat classification corresponding to a specific stage or variant of a ransomware attack included in received security sensor data, and wherein the method further comprises retrieving, from the LPG, a mitigation node associated with the predicted stage by traversing a typed "has" relationship from a corresponding attack technique node to generate a mitigation recommendation” ([0090] Fig. 4, threat identification phase is performed to identify malicious behaviors (TTP) from malware execution trace, which corresponds to predicting by a threat prediction engine, ransomware attack type in security sensor data, with paragraph [0066] describing a malware sample that is classified as a member of a JCry family, corresponding to ransomware threat classification to a variant of a ransomware attack. Malware execution trace in this limitation corresponds to security sensor data. Paragraph [0052] describes that once all malicious behaviors are compiled, a cybersecurity analyst correlates the behaviors to take necessary action to mitigate the attacks, with Fig. 3 showing how a cybersecurity attack/risk operates, allowing for a mitigation recommendation for how to resolve the cybersecurity attack.). Chen does not expressly disclose, but Caspi teaches the limitation of ‘storing, in a repository’ ([Col. 18, lines 16-23] Fig. 3, database 8 contains dictionary 11, used for converting files to a deep learning algorithm. In [Col. 19, lines 3-8], the database stores extracted features from files, malware/malicious and otherwise, and groups are stored in a dictionary, which corresponds to one or more relationships being stored in a repository according to the applicant.). ‘wherein the one or more entities comprise at least one ransomware variant, attack technique, asset, industry, or vulnerability identified using a Natural Language Processing (NLP) model applying Named Entity Recognition (NER) and Relationship Extraction (RE) to unstructured threat intelligence documents’ ([Col. 17, lines 59-65] Fig. 1, malware detector 7 comprises a deep learning module 9. [Col. 30, lines 23-28] Vectors are fed into a deep learning algorithm based on the strings/words that appeared in files, and by how often for each file, which helps in updating/training a deep learning algorithm, which corresponds to an NLP ML model. [Col. 18, line 63-Col. 19, line 1] Features are already known in files, corresponding to named entity recognition, and extraction is done on the features, and in conjunction with Fig. 11, pulls features from the header of the files. [Col. 17, lines 19-23] Relationships between features are also extracted.); Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Chen and Caspi before them, to include Caspi’s ‘storing, in a repository’ and ‘wherein the one or more entities comprise at least one ransomware variant, attack technique, asset, industry, or vulnerability identified using a Natural Language Processing (NLP) model applying Named Entity Recognition (NER) and Relationship Extraction (RE) to unstructured threat intelligence documents’ in Chen’s method performing ‘extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat’. One would have been motivated to make such a combination to increase efficiency by having a database that can also contain dictionaries, which can contain vectors or matrices of features and relationships of data regarding threats, as taught by Caspi [Col. 19, lines 3-8]. Chen in view of Caspi does not appear to teach, but Suh teaches the limitation of ‘generating a labeled property graph (LPG) based threat knowledge representation from the metadata by modeling the entities and relationships as interconnected nodes and edges that capture ransomware attack behaviors, associated vulnerabilities, and threat context’ ([0025] Fig. 2 creates a knowledge-based graph, corresponding to a labeled property graph, beginning with operation S210. Operation S270 uses the graph to perform analysis as stated in paragraph [0064]. [0029] Metadata of a node is also recorded by the data analysis system, and is recorded as the label of a node, shown in Figs. 4A-4C. [0037] Fig. 3 expands on S240, further explaining how natural language processing is used to extract information from a domain such as a cyber security and/or threat domain, stated in paragraph [0032], and standardize and recognize the information objects and apply to the knowledge-based graph. [0064] Fig. 4C depicts a knowledge-based graph, which includes modeling entities and relationships, showing which exploit kits/malware exploit vulnerabilities, as depicted as CVEs and Internet Explorer vulnerabilities. Paragraph [0067] also describes a remittance amount-ransomware as a network graph, which corresponds to ransomware attacks being depicted as well.); Therefore, one of ordinary skill in the art would have been capable of applying this known method of "generating a labeled property graph (LPG) based threat knowledge representation from the metadata by modeling the entities and relationships as interconnected nodes and edges that capture ransomware attack behaviors, associated vulnerabilities, and threat context" in an invention to extract metadata about one or more entities of a ransomware threat and relationships between the threats and the results would have been predictable to one of ordinary skill in the art. The one of ordinary skill in the art would have been motivated to show which exploits or malware exploit certain vulnerabilities by mapping and visually linking the relationship between the exploit and the malware, such as by showing vulnerability relationships (Suh [0061]). Chen in view of Caspi, and Suh do not appear to teach, but Crabtree teaches “threat context across multiple ordered stages of a ransomware attack lifecycle including initial access, malware execution, privilege escalation, internal discovery, lateral movement, persistence, and ransomware deployment, and wherein the edges comprise typed relationships including "uses," "precursor," and "has," the precursor relationship encoding ordering between attack technique nodes corresponding to successive stages of the ransomware attack lifecycle” ([0071] Fig. 1D shows typical method of cyber attack, including installation, execution, privilege escalation, delivery, lateral movement, target manipulation, and delivery. Paragraph [0067] also describes ransomware disk attacks as being part of cyber attacks that can be detected. [0090] Fig. 23 shows a graph diagram for cyber-physical graph 2300, showing a cyber attack progressing through a network with several paths shown in the figure. Included are edges/paths that contain relationship indicators such as "CanExploit", "HasSession", and "ForcePWChange", which shows actions taken by a cyber attack at different stages in the attack itself.); and “lifecycle based on received security sensor data, wherein the received security sensor data is mapped to one or more attack technique nodes in the LPG based on matching between detected events and entities represented in the LPG” ([0090] Fig. 23 shows a graph diagram for cyber-physical graph 2300, showing a cyber attack progressing through a network with several paths shown in the figure. Included are edges/paths that contain relationship indicators such as "CanExploit", "HasSession", and "ForcePWChange", which shows actions taken by a cyber attack at different stages in the attack itself.); Therefore, one of ordinary skill in the art would have been capable of applying this known method of "threat context across multiple ordered stages of a ransomware attack lifecycle including initial access, malware execution, privilege escalation, internal discovery, lateral movement, persistence, and ransomware deployment, and wherein the edges comprise typed relationships including "uses," "precursor," and "has," the precursor relationship encoding ordering between attack technique nodes corresponding to successive stages of the ransomware attack lifecycle" and "lifecycle based on received security sensor data, wherein the received security sensor data is mapped to one or more attack technique nodes in the LPG based on matching between detected events and entities represented in the LPG" in a method for extracting metadata about one or more entities of a ransomware threat and relationships between the threats and the results would have been predictable to one of ordinary skill in the art. The one of ordinary skill in the art would have been motivated to have a cyber-physical graph to include network information and processes such as data flow, security protocols and procedures, and software versions and patch information, and indicate a likelihood of a successful attack gaining access from one node to another (Crabtree [0091]). Regarding claim 2, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen also discloses the limitation of ‘wherein the threat decipher engine comprises a Natural Language Processing (NLP) ML model’ ([0050] MAMBA system is a machine learning method for the invention of detecting malware/ransomware. [0067] Fig. 4, in extraction phase, a MITRE ATT&CK framework has knowledge extraction performed along with execution trace is extracted from malware from a sandbox.). Regarding claim 3, Chen in view of Caspi, Suh, and Crabtree teach the method of claims 1 and 2 as recited above. Chen also discloses the limitation of ‘wherein the NLP ML model uses Named Entity Recognition (NER) and Relationship Extraction (RE) techniques when extracting the metadata about the one or more entities of the ransomware threat and the one or more relationships between the one or more entities of the ransomware threat’ ([0084] Fig. 4, technique extraction is done by extracting disclosed resource r in relation to a technique y as a tuple, and this is performed in conjunction with extracting execution traces in the same figure. The technique extraction of resources and tuples corresponds to NER and RE techniques of the applicant.). Regarding claim 7, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen also discloses ‘wherein the graphical form is a Labeled Property Graph (LPG)’ ([0077] Fig. 3 shows a labeled property graph where nodes are aspects of ransomware, and the lines connecting the nodes denote a relationship between these aspects.). Regarding claim 8, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen also discloses ‘wherein the LPG includes one or more nodes that represent the one or more entities of the ransomware threat and one or more connecting elements that connect the nodes and that represent the one or more relationships between the one or more entities of the ransomware threat’ ([0077] Fig. 3 shows a labeled property graph where nodes are aspects of ransomware, and the lines connecting the nodes denote a relationship between these aspects.). Regarding claim 9, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen also discloses the limitation of ‘wherein the ransomware threat classification corresponds to a specific stage or variant of the ransomware attack’ ([0066] Describing a malware sample that is classified as a member of a JCry family, corresponding to ransomware threat classification to a variant of a ransomware attack.). Regarding claim 10, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen also discloses the limitation of ‘recommending, by the threat prediction engine, a mitigation strategy based on the predicted ransomware attack type’ ([0052] When malicious behaviors are compiled and learned, a mitigation strategy is created based on the behaviors exhibited by the ransomware.). Regarding claim 11, Chen in view of Caspi, Suh, and Crabtree teach the limitations of independent claim 1 above, and Chen also discloses “a non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat” ([0140] Non-transitory memory can store instructions of the invention of Chen, executable by processors. [0066] Fig. 2, JCry file analyzed is a ransomware disguised as an installer. [0081] Fig. 4, execution trace is extracted from malware in a sandbox, and corresponds to which corresponds to one or more relationships of one or more entities of the applicant, as an execution trace contains information about a ransomware threat, including related resources in an execution trace, where the resources correspond to metadata about one or more entities of a ransomware threat of the applicant.); Regarding claim 12, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree teach the limitations also present in dependent claim 2 recited above. Regarding claim 13, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree teach the limitations also present in dependent claim 3 recited above. Regarding claim 17, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree teach the limitations also present in dependent claim 7 recited above. Regarding claim 18, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree teach the limitations also present in dependent claim 8 recited above. Regarding claim 19, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree teach the limitations also present in dependent claim 9 recited above. Regarding claim 20, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree teach the limitations also present in dependent claim 10 recited above. Claims 4-5, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Caspi, Suh, and Crabtree, further in view of Rokka Chhetri et al. (US 20220253691 A1), hereinafter Chhetri. Regarding claim 4, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen in view of Caspi, Suh, and Crabtree do not appear to disclose, but Chhetri teaches the limitation of ‘wherein the threat prediction engine comprises a Categorical Boosting classifier ML model’ ([0025] Categorical boosting (CatBoost) boosting model is used to train and assist in detecting malware in the prior art.). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Chen, Caspi, Suh, Crabtree and Chhetri before them, to include Chhetri’s ‘wherein the threat prediction engine comprises a Categorical Boosting classifier ML model’ in Chen’s method performing ‘extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat’. One would have been motivated to make such a combination to increase efficiency by having weak learners be implemented along with a learning model such that decisions can be made and assist in a neural network, as taught by Chhetri [0025]. Regarding claim 5, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen also discloses to ‘wherein the ML model is trained using the metadata about the one or more entities of the ransomware threat and the one or more relationships between the one or more entities of the ransomware threat’ ([0013] Execution trace is applied to trained neural network, and as stated in [0081], execution traces are essentially one or more relationships between one or more entities, which are resources according to Chen.). Chen in view of Caspi, Suh, and Crabtree does not appear to disclose, but Chhetri teaches the limitation of ‘Categorical Boosting classifier’ ([0025] CatBoost model is used to train and assist in detecting malware in the prior art.). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Chen, Caspi, Suh, Crabtree and Chhetri before them, to include Chhetri’s ‘Categorical Boosting classifier’ in Chen’s method performing ‘extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat’. One would have been motivated to make such a combination to increase efficiency by having weak learners be implemented along with a learning model such that decisions can be made and assist in a neural network, as taught by Chhetri [0025]. Regarding claim 14, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree, and further in view of Chhetri teach the limitations also present in dependent claim 4 recited above. Regarding claim 15, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree, and further in view of Chhetri teach the limitations also present in dependent claim 5 recited above. Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chen in view of Caspi, Suh, and Crabtree, further in view of DaBoll-Lavoie et al. (US 20190108274 A1), hereinafter Lavoie. Regarding claim 6, Chen in view of Caspi, Suh, and Crabtree teach the method of claim 1 as recited above. Chen does not appear to disclose, but Caspi teaches the limitation of ‘the metadata about the one or more entities of the ransomware threat and the one or more relationships between the one or more entities of the ransomware threat’ ([Col. 31, lines 35-41] Fig. 28, being based off of Fig. 3, includes the elements from said figure. This includes the database 8, which stores the dictionaries, which can be a vector storing all extracted features from files and the relationships between the extracted features, including malware files, as described in [Col. 18, lines 15-19] and [Col. 19, lines 3-10].). and ‘repository is a database’ and ‘is stored in a database’ ([Col. 18, lines 16-23] Fig. 3, database 8 contains dictionary 11, used for converting files to a deep learning algorithm. In [Col. 19, lines 3-8], the database stores extracted features from files, malware/malicious and otherwise, and groups are stored in a dictionary, which corresponds to one or more relationships being stored in a repository according to the Applicant.). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Chen and Caspi before them, to include Caspi’s ‘storing, in a repository’ in Chen’s method performing ‘extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat’. One would have been motivated to make such a combination to increase efficiency by having a database that can also contain dictionaries, which can contain vectors or matrices of features and relationships of data regarding threats, as taught by Caspi [Col. 19, lines 3-8]. Chen in view of Caspi, Suh, and Crabtree does not appear to disclose, but Lavoie teaches ‘stored in the graph database in graphical form’ ([0080] Semantic graph database is described. Terms are stored in a structure, using a 'Resource Description Framework' (RDF) configuration to also obtain relationships between the terms in graphical form.). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Chen, Caspi, Suh, and Crabtree and Lavoie before them, to include Lavoie’s ‘stored in the graph database in graphical form’ in Chen’s method performing ‘wherein the repository is a database and the metadata about the one or more entities of the ransomware threat and the one or more relationships between the one or more entities of the ransomware threat is stored in the database’ and ‘extracting from received cyber threat intelligence data, by a threat decipher engine, metadata about one or more entities of a ransomware threat and one or more relationships between the one or more entities of the ransomware threat’. One would have been motivated to make such a combination to increase efficiency by having a database that is stored graphically for easier reading and provide relationships between entities, even at a cursory glance, along with providing search capabilities for the end users, as taught by Lavoie [0032]. Regarding claim 16, Chen in view of Caspi, Suh, and Crabtree teach the non-transitory storage medium of claim 11 as recited above. Chen in view of Caspi, Suh, and Crabtree, and further in view of Lavoie teach the limitations also present in dependent claim 6 recited above. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOMMY MARTINEZ whose telephone number is (703)756-5651. The examiner can normally be reached Monday thru Friday 8AM-4PM ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571) 272-7624 on Monday thru Friday 7AM-7PM ET. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /T.M./ Examiner, Art Unit 2496 /JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496
Read full office action

Prosecution Timeline

Show 3 earlier events
Sep 04, 2025
Final Rejection mailed — §103
Nov 17, 2025
Request for Continued Examination
Nov 22, 2025
Response after Non-Final Action
Dec 18, 2025
Non-Final Rejection mailed — §103
Mar 16, 2026
Applicant Interview (Telephonic)
Mar 16, 2026
Examiner Interview Summary
Mar 20, 2026
Response Filed
Jun 18, 2026
Final Rejection mailed — §103 (current)

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
14%
Grant Probability
-6%
With Interview (-20.0%)
2y 4m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 7 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month