Prosecution Insights
Last updated: July 17, 2026
Application No. 18/400,117

TRANSPORT LAYER TIME-ALIGNMENT CHARACTERIZATION FOR SCHEDULED TRAFFIC IN TIME SYNCHRONIZED NETWORKS

Final Rejection §103
Filed
Dec 29, 2023
Examiner
NAJI, YOUNES
Art Unit
2445
Tech Center
2400 — Computer Networks
Assignee
Intel Corporation
OA Round
4 (Final)
75%
Grant Probability
Favorable
5-6
OA Rounds
4m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
332 granted / 443 resolved
+16.9% vs TC avg
Strong +73% interview lift
Without
With
+73.1%
Interview Lift
resolved cases with interview
Typical timeline
2y 11m
Avg Prosecution
31 currently pending
Career history
494
Total Applications
across all art units

Statute-Specific Performance

§101
0.9%
-39.1% vs TC avg
§103
94.3%
+54.3% vs TC avg
§102
2.4%
-37.6% vs TC avg
§112
2.1%
-37.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 443 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Applicant's submission filed on 03/10/2026 has been entered. Claims 1,3-8,10-15,17-20 have been examined. Claims 2, 9, 16 are cancelled. Allowable Subject Matter Claims 6-7,13-14,19-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Response to Arguments Applicant’s argument #1: Applicant argues that Perez-Ramirez does not explicitly teach receiving a diagnostic message comprising diagnostic information to detect misalignment of timing windows in a time-synchronized network (TSN) Examiner Response to Applicant’s argument #1 The Examiner respectfully disagrees. Perez- Ramirez teaches receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI . Some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102. L AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined. (See Claim 1 & ¶0040). Perez Ramirez further teaches clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack. TC and non-TC traffic starts to flow in the TSN network 500. During this time, measurements ( e.g., KPis) are collected in each capable network device (e.g., router 504, AP 506a to access point (AP) 506c, STA 508a to 508/, etc.). Measurements are time stamped and stored in each network device and sent to the controller, periodically, upon request, at a fixed interval, upon occurrence of a condition (See ¶0036, ¶0041 – ¶0042) . Therefore, Perez Ramirez teaches that the received packet functions as a diagnostic message that wrap diagnostic information inside a dedicated monitoring stream. The message can be IEEE 1102.1 AS message that include Key performance indicators (KPIs) (diagnostic information) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI and when the node’s clock is attacked causing misalignment of scheduled timing windows.. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1,3,5,8,10,12,15,17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Perez-Ramirez et al. Publication No. US 2022/0014532 A1 (Perez-Ramirez hereinafter) in view of Rivers et al. Patent No. US 12,368,568 B1 ( Rivers hereinafter) Regarding claim 1, Perez-Ramirez teaches a method (Fig.1 &3) comprising: receiving a diagnostic message comprising diagnostic information to detect misalignment of timing windows in a time-synchronized network (TSN) by a security monitor for a diagnostic stream consumer of the TSN, the diagnostic message to comprise an alignment check packet (ACP) for a diagnostic stream producer (¶0027 - , To facilitate transmission of packets (e.g., packet 114, etc.) during protected windows (e.g., Qbv window 112a, etc.), nodes in network 100a are time synchronized and scheduled to transmit TC packets (e.g., packet 114, etc.) using non overlapping protected windows (e.g., Qbv window 112a, etc.). It is to be appreciated that providing latency bounded communication ( e.g., as depicted in timing diagram 100b) requires tight synchronization of time between nodes in network 100a – ¶ 0040 -¶ 0042- TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102. l AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined. – ¶ 0044 - Logic flow 600 can be implemented by a system providing TSN capabilities, such as, network 100a and/or TSN network 500. Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established - Claim 1 - receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI -.¶ 0036 - Some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102. L AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined See Also claim 1, ¶ 0040). determining whether the ACP aligns with boundaries of a first time window; generating a security alert to indicate a desynchronization event for the TSN when the ACP is misaligned with the boundaries of the first time window;(¶ 0028 - FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0051 - the present disclosure provides that small increments in clock speed that are introduced ( e.g., by an attacker) causing misalignment of scheduling (e.g., Qbv schedule, or the like) and transmitted packets are captured as increase or decrease events 706 – ¶ 0049 - logic flow 600 can return to block 606 from decision block 608 based on a determination that the KPI(s) do not indicate a possible timing attack while logic flow 600 can continue to block 610 from decision block 608 based on a determination that the KPI(s) do indicate a possible timing attack. At block 610 "trigger detection of possible timing attack" controller 502 can trigger a detection of a possible timing attack. For example, controller 502 can create and send an alert to a monitoring entity (not shown) that a timing attack is detected). determining the ACP is received in a time slot of a second time window when the ACP is misaligned with the boundaries of the first time window (¶ 0028 - FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0029 FIG. 2B depicts timing diagram 200b illustrating Qbv window 112b misaligned with Qbv window 112a and Qbv window 112c and overlapping with Qbv window 112a. As a result, packets ( e.g., packet 116 in the figure) arrive too late with respect to the attacked switch protected window (e.g., Qbv window 112b) causing them to be buffered and sent in the next protected window. As a result of the delay in transmitting packet 116, switch node 106 breaks the latency bound of the stream that it is serving and can result in errors or comprise the safety of the system in which the nodes are operating ); and identifying a TSN node as a source of the desynchronization event based on the time slot of the second time window (¶ 0030 - The present disclosure provides to detect attacks against networks operating under TSN protocols, such as, networks operating in accordance with IEEE 802.lQbv. In particular, the present disclosure provides systems and methods to detect attacks that directly affect IEEE 802.lQbv scheduling. In general, the present disclosure provides detection of time synchronization misbehavior in networks operating in accordance with TSN protocols based on attributes associated with a key performance indicator (KPI) or KPis, or the TSN protocol - ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack- ¶ 0069 - determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI comprising: determining a mean of the values of the KPI over the second time period; determining whether the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value); However, Perez-Ramirez does not explicitly teach wherein the ACP comprises a node identifier for the diagnostic stream producer, an ACP sequence number, and an authentication code for the diagnostic stream producer; Rivers teaches wherein the ACP comprises a node identifier for the diagnostic stream producer, an ACP sequence number, and an authentication code for the diagnostic stream producer (Col.2, lines 45-65, Col.6,lines 60-70 A packet is sent from the clock switching circuit 180 to a neighbor device in the clock distribution network 150 and then returned via the loop back signal 182 to the clock switching circuit 180. The loopback signal 182 is shown separately but can be in the same cable 181 as the clock signals from the clock switching circuit 180. The clock switching circuit 180 can include a timer (shown in FIG. 4) that tracks a time for the roundtrip return of the packet- Col.7,lines 10-64 - the clock switching circuit 180 can generate the PPS signal in the form of a packet that includes not only a clock pulse, but additional metadata, which can provide information about the PPS signal. In a simple example, the packet can include identification information, status information, authentication information, encryption information, etc. The identification information as follows mac address, IP address, Model number, host name and UUID. The authentication can include a Cyclic Redundancy Check (CRC), a sequence number or Hash-based Message Authentication Code (HMAC). The encryption can relate to standards used, such as IEEE 802.IAE. The clock signal can be a single bit within the packet and the timing of how the bit is transmitted can align with the reference time clock 152 – See Also Col.9, lines 25-30, Col.11, lines 55-65). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Perez-Ramirez to include the teachings of Rivers. The motivation for doing so is to allow a device to analyze the metadata within the received packets and determine whether the received packets are authenticated, validated, or otherwise usable (Rivers- Col.9, lines 29-31). Regarding claim 3, Perez-Ramirez further teaches identifying the TSN node associated with the time slot as the source of the desynchronization event when the ACP is misaligned with boundaries of the time slot (¶0028 FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack _See Also ¶ 0029, ¶ 0051, ¶ 0069).)). Regarding claim 5, Perez-Ramirez further teaches determining a desynchronization time for the desynchronization event using a probe operation and the first time window or the second time window ( ¶ 0040 - Controller 502 can be configured to detect abnormal behavior of clock synchronization in network devices, such as, router 504, AP 506a to AP 506c, and STA 508a to STA 508/ With some examples, TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring – ¶ 0044 - Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established. For example, as outlined above, multiple data streams in a TSN network can be established where some data streams provide monitoring of KPis ( e.g., delay time 316 and/or time buffer 318) – ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack _See Also ¶ 29, ¶ 0051, ¶ 0069). ). Regarding claim 8, Perez-Ramirez teaches a non-transitory computer-readable storage medium, the computer-readable storage medium including instructions that when executed by processing circuitry, cause the processing circuitry to receiving a diagnostic message comprising diagnostic information to detect misalignment of timing windows by a security monitor for a diagnostic stream consumer of the TSN, the diagnostic message to comprise an alignment check packet (ACP) for a diagnostic stream producer (¶ 0027 - , To facilitate transmission of packets (e.g., packet 114, etc.) during protected windows (e.g., Qbv window 112a, etc.), nodes in network 100a are time synchronized and scheduled to transmit TC packets (e.g., packet 114, etc.) using non overlapping protected windows (e.g., Qbv window 112a, etc.). It is to be appreciated that providing latency bounded communication ( e.g., as depicted in timing diagram 100b) requires tight synchronization of time between nodes in network 100a – ¶ 0040 - ¶ 0042 - TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102.1 AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined. – ¶ 0044 - Logic flow 600 can be implemented by a system providing TSN capabilities, such as, network 100a and/or TSN network 500. Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established - Claim 1 - receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI -.¶ 0036 - Some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102. L AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined – See Also Caim1, ¶ 0040). determine whether the ACP aligns with boundaries of a first time window; generate a security alert to indicate a desynchronization event for the TSN when the ACP is misaligned with the boundaries of the first time window;(¶ 0028 - FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0051 - the present disclosure provides that small increments in clock speed that are introduced ( e.g., by an attacker) causing misalignment of scheduling (e.g., Qbv schedule, or the like) and transmitted packets are captured as increase or decrease events 706 – ¶ 0049 - logic flow 600 can return to block 606 from decision block 608 based on a determination that the KPI(s) do not indicate a possible timing attack while logic flow 600 can continue to block 610 from decision block 608 based on a determination that the KPI(s) do indicate a possible timing attack. At block 610 "trigger detection of possible timing attack" controller 502 can trigger a detection of a possible timing attack. For example, controller 502 can create and send an alert to a monitoring entity (not shown) that a timing attack is detected). determine the ACP is received in a time slot of a second time window when the ACP is misaligned with the boundaries of the first time window (¶ 0028 - FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0029 FIG. 2B depicts timing diagram 200b illustrating Qbv window 112b misaligned with Qbv window 112a and Qbv window 112c and overlapping with Qbv window 112a. As a result, packets ( e.g., packet 116 in the figure) arrive too late with respect to the attacked switch protected window (e.g., Qbv window 112b) causing them to be buffered and sent in the next protected window. As a result of the delay in transmitting packet 116, switch node 106 breaks the latency bound of the stream that it is serving and can result in errors or comprise the safety of the system in which the nodes are operating ). ; and identify a TSN node as a source of the desynchronization event based on the time slot of the second time window (¶ 0030 - The present disclosure provides to detect attacks against networks operating under TSN protocols, such as, networks operating in accordance with IEEE 802.lQbv. In particular, the present disclosure provides systems and methods to detect attacks that directly affect IEEE 802.lQbv scheduling. In general, the present disclosure provides detection of time synchronization misbehavior in networks operating in accordance with TSN protocols based on attributes associated with a key performance indicator (KPI) or KPis, or the TSN protocol - ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack- ¶ 0069 - determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI comprising: determining a mean of the values of the KPI over the second time period; determining whether the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value); However, Perez-Ramirez does not explicitly teach wherein the ACP comprises a node identifier for the diagnostic stream producer, an ACP sequence number, and an authentication code for the diagnostic stream producer; Rivers teaches wherein the ACP comprises a node identifier for the diagnostic stream producer, an ACP sequence number, and an authentication code for the diagnostic stream producer (Col.2, lines 45-65, Col.6,lines 60-70 A packet is sent from the clock switching circuit 180 to a neighbor device in the clock distribution network 150 and then returned via the loop back signal 182 to the clock switching circuit 180. The loopback signal 182 is shown separately but can be in the same cable 181 as the clock signals from the clock switching circuit 180. The clock switching circuit 180 can include a timer (shown in FIG. 4) that tracks a time for the roundtrip return of the packet- Col.7,lines 10-64 - the clock switching circuit 180 can generate the PPS signal in the form of a packet that includes not only a clock pulse, but additional metadata, which can provide information about the PPS signal. In a simple example, the packet can include identification information, status information, authentication information, encryption information, etc. The identification information as follows mac address, IP address, Model number, host name and UUID. The authentication can include a Cyclic Redundancy Check (CRC), a sequence number or Hash-based Message Authentication Code (HMAC). The encryption can relate to standards used, such as IEEE 802.IAE. The clock signal can be a single bit within the packet and the timing of how the bit is transmitted can align with the reference time clock 152 – See Also Col.9, lines 25-30, Col.11, lines 55-65). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Perez-Ramirez to include the teachings of Rivers. The motivation for doing so is to allow a device to analyze the metadata within the received packets and determine whether the received packets are authenticated, validated, or otherwise usable (Rivers- Col.9, lines 29-31). Regarding claim 10, Perez-Ramirez further teaches the processing circuitry to identify the TSN node associated with the time slot as the source of the desynchronization event when the ACP is misaligned with boundaries of the time slot (¶0028 FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack _See Also ¶ 29, ¶ 0051, ¶ 0069).)). Regarding claim 12, Perez-Ramirez further teaches the processing circuit to determine a desynchronization time for the desynchronization event using a probe operation and the first time window or the second time window ( ¶ 0040 - Controller 502 can be configured to detect abnormal behavior of clock synchronization in network devices, such as, router 504, AP 506a to AP 506c, and STA 508a to STA 508/ With some examples, TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring – ¶ 0044 - Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established. For example, as outlined above, multiple data streams in a TSN network can be established where some data streams provide monitoring of KPis ( e.g., delay time 316 and/or time buffer 318) – ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack _See Also ¶ 29, ¶ 0051, ¶ 0069). Regarding claim 15, Perez-Ramirez teaches a computing apparatus comprising: processing circuitry; and a memory storing instructions that, when executed by the processing circuitry, causes the processing circuitry to receiving a diagnostic message comprising diagnostic information to detect misalignment of timing windows by a security monitor for a diagnostic stream consumer of the TSN, the diagnostic message to comprise an alignment check packet (ACP) for a diagnostic stream producer (¶ 0027 - To facilitate transmission of packets (e.g., packet 114, etc.) during protected windows (e.g., Qbv window 112a, etc.), nodes in network 100a are time synchronized and scheduled to transmit TC packets (e.g., packet 114, etc.) using non overlapping protected windows (e.g., Qbv window 112a, etc.). It is to be appreciated that providing latency bounded communication ( e.g., as depicted in timing diagram 100b) requires tight synchronization of time between nodes in network 100a – ¶ 0040 -¶0042 TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102. l AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined. – ¶ 0044 - Logic flow 600 can be implemented by a system providing TSN capabilities, such as, network 100a and/or TSN network 500. Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established). determine whether the ACP aligns with boundaries of a first time window; generate a security alert to indicate a desynchronization event for the TSN when the ACP is misaligned with the boundaries of the first time window;(¶ 0028 - FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0051 - the present disclosure provides that small increments in clock speed that are introduced ( e.g., by an attacker) causing misalignment of scheduling (e.g., Qbv schedule, or the like) and transmitted packets are captured as increase or decrease events 706 – ¶ 0049 - logic flow 600 can return to block 606 from decision block 608 based on a determination that the KPI(s) do not indicate a possible timing attack while logic flow 600 can continue to block 610 from decision block 608 based on a determination that the KPI(s) do indicate a possible timing attack. At block 610 "trigger detection of possible timing attack" controller 502 can trigger a detection of a possible timing attack. For example, controller 502 can create and send an alert to a monitoring entity (not shown) that a timing attack is detected - Claim 1 - receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI -.¶ 0036 - Some of the data streams are selected to also provide network KPI monitoring. In one example, IEEE 1102. L AS packets used for time synchronization can have a dedicated Qbv schedule for the dual purpose of avoiding interference with other TC traffic and enable KPI monitoring of time synchronization. In another example, TC streams with the sole purpose of monitoring KPis of the TSN network 500 can be defined). determine the ACP is received in a time slot of a second time window when the ACP is misaligned with the boundaries of the first time window (¶ 0028 - FIG. 2A depicts a network 200a, which is like network 100a except that switch node 106 is depicted as compromised. In particular, the clock (not shown) of switch node 106 can be attacked and compromised, thereby causing the Qbv window 112b associated with switch node 106 to be misaligned with respect to, and even overlap with, the protected windows of the other switch nodes in the data stream path (e.g., along communication channel 110 – ¶ 0029 FIG. 2B depicts timing diagram 200b illustrating Qbv window 112b misaligned with Qbv window 112a and Qbv window 112c and overlapping with Qbv window 112a. As a result, packets ( e.g., packet 116 in the figure) arrive too late with respect to the attacked switch protected window (e.g., Qbv window 112b) causing them to be buffered and sent in the next protected window. As a result of the delay in transmitting packet 116, switch node 106 breaks the latency bound of the stream that it is serving and can result in errors or comprise the safety of the system in which the nodes are operating ). ; and identify a TSN node as a source of the desynchronization event based on the time slot of the second time window (¶ 0030 - The present disclosure provides to detect attacks against networks operating under TSN protocols, such as, networks operating in accordance with IEEE 802.lQbv. In particular, the present disclosure provides systems and methods to detect attacks that directly affect IEEE 802.lQbv scheduling. In general, the present disclosure provides detection of time synchronization misbehavior in networks operating in accordance with TSN protocols based on attributes associated with a key performance indicator (KPI) or KPis, or the TSN protocol - ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack- ¶ 0069 - determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI comprising: determining a mean of the values of the KPI over the second time period; determining whether the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value); However, Perez-Ramirez does not explicitly teach wherein the ACP comprises a node identifier for the diagnostic stream producer, an ACP sequence number, and an authentication code for the diagnostic stream producer; Rivers teaches wherein the ACP comprises a node identifier for the diagnostic stream producer, an ACP sequence number, and an authentication code for the diagnostic stream producer (Col.2, lines 45-65, Col.6,lines 60-70 A packet is sent from the clock switching circuit 180 to a neighbor device in the clock distribution network 150 and then returned via the loop back signal 182 to the clock switching circuit 180. The loopback signal 182 is shown separately but can be in the same cable 181 as the clock signals from the clock switching circuit 180. The clock switching circuit 180 can include a timer (shown in FIG. 4) that tracks a time for the roundtrip return of the packet- Col.7,lines 10-64 - the clock switching circuit 180 can generate the PPS signal in the form of a packet that includes not only a clock pulse, but additional metadata, which can provide information about the PPS signal. In a simple example, the packet can include identification information, status information, authentication information, encryption information, etc. The identification information as follows mac address, IP address, Model number, host name and UUID. The authentication can include a Cyclic Redundancy Check (CRC), a sequence number or Hash-based Message Authentication Code (HMAC). The encryption can relate to standards used, such as IEEE 802.IAE. The clock signal can be a single bit within the packet and the timing of how the bit is transmitted can align with the reference time clock 152 – See Also Col.9, lines 25-30, Col.11, lines 55-65). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Perez-Ramirez to include the teachings of Rivers. The motivation for doing so is to allow a device to analyze the metadata within the received packets and determine whether the received packets are authenticated, validated, or otherwise usable (Rivers- Col.9, lines 29-31). Regarding claim 17, Perez-Ramirez further teaches the processing circuitry to identify the TSN node associated with the time slot as the source of the desynchronization event when the ACP is misaligned with boundaries of the time slot or identify the TSN node associated with a time slot preceding the time slot as the source of the of the desynchronization event when the ACP does align with boundaries of the time slot. ( ¶ 0040 - Controller 502 can be configured to detect abnormal behavior of clock synchronization in network devices, such as, router 504, AP 506a to AP 506c, and STA 508a to STA 508/ With some examples, TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring – ¶ 0044 - Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established. For example, as outlined above, multiple data streams in a TSN network can be established where some data streams provide monitoring of KPis ( e.g., delay time 316 and/or time buffer 318) – ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack _See Also ¶ 29, ¶ 0051, ¶ 0069). Regarding claim 18, Perez-Ramirez further teaches the processing circuit to determine a desynchronization time for the desynchronization event using a probe operation and the first time window or the second time window ( ¶ 0040 - Controller 502 can be configured to detect abnormal behavior of clock synchronization in network devices, such as, router 504, AP 506a to AP 506c, and STA 508a to STA 508/ With some examples, TSN network 500 configured to provide a number of data streams (not shown) and further to provide QoS requested by each such data stream. Further, some of the data streams are selected to also provide network KPI monitoring – ¶ 0044 - Logic flow 600 can begin at block 602 "establish data streams with KPI monitoring in a TSN network" data streams with KPI monitoring in a TSN network can be established. For example, as outlined above, multiple data streams in a TSN network can be established where some data streams provide monitoring of KPis ( e.g., delay time 316 and/or time buffer 318) – ¶ 0036 - As can be seen, clock synchronization of nodes in a network (e.g., network 200a) and particularly the clock synchronization of switch node 106 affects KPis associated with that node. As can be observed in FIG. 4A and FIG. 4B, an increase in the clock of switch node 106 causes its Qbv windows 112b to be shifted to the left. This shift or misalignment causes the KPis to increase and decrease, respectively, over time. The present disclosure provides that these unexpected changes in one or both KPis are used to detect malfunctioning nodes in a network, or nodes that may be under a time synchronization attack _See Also ¶ 29, ¶ 0051, ¶ 0069). Claims 4,11 are rejected under 35 U.S.C. 103 as being unpatentable over Perez-Ramirez in view of Rivers further in view of Opshaug et al. Publication No. US 2019/0313416 A1 ( Opshaug hereinafter) Regarding claim 4, Perez-Ramirez does not explicitly teach identifying the TSN node associated with a time slot preceding the time slot as the source of the of the desynchronization event when the ACP does align with boundaries of the time slot. However, Opshaug teaches identifying the TSN node associated with a time slot preceding the time slot as the source of the of the desynchronization event when the ACP does align with boundaries of the time slot (¶0051 - Each device within a network may be synchronized in the time domain such that a clock in each base station (and possible in the UE) will be synchronized. The devices within the network are further configured to transmit in a synchronized manner such that any given slot begins at the same time for each device based upon the synchronized clock – ¶ 0053 - Slot boundaries may not be aligned when radio signal sources are not synchronized precisely or drift has caused a radio signal source to become out of alignment with other radio signal sources. the slot boundaries may not appear to be aligned because the UE may receive the signal from a first base station ( e.g., base station 1) earlier than the UE receives the signal from a second base station (e.g., base station 2). ¶ 0055 - at a first occasion 405, base station 1 transmits signal 410 at symbol 7. The slot boundaries of base station 2 do not match (are misaligned from) the slot boundaries of base station 1 during the first occasion 405. The slot boundaries for base station 2 precede (are earlier in time than) the slot boundaries for base station 1 (i.e., the slot boundary for base station 1 trails (follows in time) the slot boundary for base station 2). In this example, base station 1 can be the primary base station to which a UE is aligned). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Perez-Ramirez to include the teachings of Opshaug. The motivation for doing so is to allow a device to receive a signal from a source without the signal being impeded or drowned out by a stronger signal from another source, allowing for more accurate positioning and location of devices in network. (Opshaug - ¶ 0003). Regarding claim 11, Perez-Ramirez does not explicitly teach the processing circuitry to identify the TSN node associated with a time slot preceding the time slot as the source of the of the desynchronization event when the ACP does align with boundaries of the time slot. However, Opshaug teaches the processing circuitry to identify the TSN node associated with a time slot preceding the time slot as the source of the of the desynchronization event when the ACP does align with boundaries of the time slot (¶0051 - Each device within a network may be synchronized in the time domain such that a clock in each base station (and possible in the UE) will be synchronized. The devices within the network are further configured to transmit in a synchronized manner such that any given slot begins at the same time for each device based upon the synchronized clock – ¶ 0053 - Slot boundaries may not be aligned when radio signal sources are not synchronized precisely or drift has caused a radio signal source to become out of alignment with other radio signal sources. the slot boundaries may not appear to be aligned because the UE may receive the signal from a first base station ( e.g., base station 1) earlier than the UE receives the signal from a second base station (e.g., base station 2). ¶ 0055 - at a first occasion 405, base station 1 transmits signal 410 at symbol 7. The slot boundaries of base station 2 do not match (are misaligned from) the slot boundaries of base station 1 during the first occasion 405. The slot boundaries for base station 2 precede (are earlier in time than) the slot boundaries for base station 1 (i.e., the slot boundary for base station 1 trails (follows in time) the slot boundary for base station 2). In this example, base station 1 can be the primary base station to which a UE is aligned) It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Perez-Ramirez to include the teachings of Opshaug. The motivation for doing so is to allow a device to receive a signal from a source without the signal being impeded or drowned out by a stronger signal from another source, allowing for more accurate positioning and location of devices in networks. (Opshaug - ¶ 0003). Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached on (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /YOUNES NAJI/Primary Examiner, Art Unit 2445
Read full office action

Prosecution Timeline

Show 6 earlier events
Oct 13, 2025
Response after Non-Final Action
Nov 18, 2025
Request for Continued Examination
Nov 26, 2025
Response after Non-Final Action
Dec 10, 2025
Non-Final Rejection mailed — §103
Mar 10, 2026
Response Filed
Jun 03, 2026
Final Rejection mailed — §103
Jun 24, 2026
Applicant Interview (Telephonic)
Jun 27, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665749
MIGRATING SECRETS FROM A CLOUD ENVIRONMENT TO A LOCAL SYSTEM
3y 3m to grant Granted Jun 23, 2026
Patent 12659322
Systems and methods for identifying legitimate network traffic imitation
2y 2m to grant Granted Jun 16, 2026
Patent 12647495
METHODS AND APPARATUS TO IDENTIFY MAIN PAGE VIEWS
1y 8m to grant Granted Jun 02, 2026
Patent 12640930
REDUCING NETWORK LOAD AND LEAD TIME FOR SIGNING A PACKAGE MANAGER FILE
2y 11m to grant Granted May 26, 2026
Patent 12627693
CYBER-ATTACK TRACKING METHOD AND DEVICE USING BEHAVIOR EVENT-BASED RELATIONSHIP DATA COLLECTED FROM MULTIPLE DOMAINS, AND STORAGE MEDIUM STORING INSTRUCTIONS TO PERFORM CYBER-ATTACK TRACKING METHOD
1y 11m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
75%
Grant Probability
99%
With Interview (+73.1%)
2y 11m (~4m remaining)
Median Time to Grant
High
PTA Risk
Based on 443 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month