Prosecution Insights
Last updated: May 29, 2026
Application No. 18/493,437

IDENTIFICATION OF THREATS VIA TLS CERTIFICATE ANALYSIS

Final Rejection §103 §112
Filed: Oct 24, 2023
Examiner: LITTLE, VANCE M
Art Unit: 2494
Tech Center: 2400 — Computer Networks
Assignee: Arista Networks, Inc.
OA Round: 3 (Final)
Grant Probability: 84%, Favorable
OA Rounds: 4-5
Est. Remaining: 0m
With Interview: 99%

Examiner Intelligence

Grants 84% — above average
Career Allowance Rate: 84% (333 granted / 399 resolved; +25.5% vs TC avg)
Strong +25% interview lift
Interview Lift: +24.9% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 6m (26 currently pending)
Career history
Total Applications: 424 (across all art units)

Statute-Specific Performance

§101: 3.6% (-36.4% vs TC avg)
§103: 86.1% (+46.1% vs TC avg)
§102: 3.7% (-36.3% vs TC avg)
§112: 3.8% (-36.2% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 399 resolved cases

Office Action

§103 §112
DETAILED ACTION

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 4/30/2026 has been entered.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

Applicant presents amendments to claims 1, 11, and 20. All amendments have been fully considered. Applicant’s amendments to independent claims 1, 11, and 20 include language that is not clear. The Examiner was unable to discern precisely all the limitations of the claims resulting in the rejections under 35 U.S.C. 112(b) below. While the language of independent claims 1 and 20, under the broadest reasonable interpretation, was able to be interpreted as reading on the primary reference, Moore, the Examiner suspects that (based upon the previous discussion in the recent interview), a Certificate Authority (as disclosed by the reference) is not what Applicant intends for the recited out-of-band network device. Similarly in claim 11, in light of the indefinite subject matter, the Examiner concluded that the claimed subject matter, for the most part, reads on the Moore reference. However, overcoming the indefinite rejection would likely go a long way to overcoming the applied art. The Examiner notes that there may be issues with support for these amendments, particularly since the term “out-of-band” is only recited a single time in Applicant’s specification (See Spec. at 44). The Examiner is available for an interview to discuss moving this application forward if Applicant so desires.

Response to Arguments

Applicant presents arguments with respect to claims 9, 13, and 18. All arguments have been fully considered. Applicant’s arguments do not appear to address either the previous rejection or the amended subject matter. The arguments are unpersuasive.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1–20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Applicant amends claims 1 and 20 to recite, “obtaining a first network communication transmitted via a network at an out-of-band network device”, which is unclear. The general meaning of “out-of-band” implies that the out-of-band device is not a party to the communication transmission between communication endpoints. The language of this limitation indicates that the recited “out-of-band network device” obtains or receives the network communication via a network but plays a role in the transmission. This is contradictory and places the limitation in question and a review of the specification provides no adequate clarification. The Examiner reconciles the meaning of the limitation to mean that the “out-of-band network device” obtains information related to the transmission and examines the claim accordingly. If Applicant intends some other meaning, assuming it is supported by the specification, Applicant should explain or amend the claim.

Claim 11 recites, “…the processor adapted to obtain static context data associated with the network at the wherein the static context data includes data determined in association with activity in the network…”, which is unclear. There appear to be words missing from the amended claims. Static context data associated with the network at the (?), which probably is intended to mirror the language about “an out-of-band device” as recited in the other independent claims 1 and 20. As such, the actual meaning cannot be determined from the language of the amended claims and the Examiner is forced to apply prior art according to the interpretation described above.

The dependent claims of these rejected independent claims inherit the deficiencies of the parent claims.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1–8, 10–12, 14–17, 19–20 rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 2020/0287888 A1, published Sep. 10, 2020, See IDS filed 5/21/2025) in view of Krishan (US 2024/0163271 A1, published May 61, 2024).

Regarding claims 1 and 20, Moore discloses: a method for detecting threats comprising: (a) obtaining a first network communication transmitted via a network at an out-of-band network device (the CA uses information obtained about the certificate to generate and maintain Certificate Revocation Lists (CRL). Moore ¶ 32); (b) obtaining a certificate in a Transport Layer Security (TLS) handshake of the first network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.); (d) obtaining static context data associated with the network, the static context data including data determined in association with activity in the network by capturing and analyzing network traffic on the network at the out-of-band network device, wherein at least some of the static context data is obtained prior to the TLS handshake (the packet filtering device obtains certificate revocation information with other threat intelligence data by downloading the information from the CA’s CRL. Moore ¶ 32 and 64. Certificate authority (CA) would not be considered to be “in-band” since their function is to generate and disseminate certificates and the information used to generate and maintain Certificate Revocation Lists (CRL) would be obtained from published lists prior to the TLS handshake that uses the issued certificate. Moore ¶ 64.) and (f) in response to the one or more analyses resulting in detection of a threat, taking one or more actions based on the one or more analyses (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.).

Moore discloses some of, but does not disclose all of: (c) parsing the certificate to obtain corresponding certificate field values; (e) performing one or more analyses of the obtained certificate field values against the static context data associated with TLS activity.

However, Krishan does disclose: (c) parsing the certificate to obtain corresponding certificate field values (receiving the SAN extension parameters in the received TLS certificate during the TLS handshake. Krishan ¶ 27.); (e) performing one or more analyses of the obtained certificate field values against the static context data associated with TLS activity (comparing the TLS parameter associated with the owner of the access token with the value of the TLS parameter in the TLS certificate received from the handshake. Krishan ¶ 27.).

Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining certificate data and TLS context data and performing analysis on the data based upon the teachings of Krishan. The motivation being to verify whether the access token was sent by its owner. Krishan ¶ 27.

Regarding claim 2, Moore in view of Krishan discloses the limitations of claim 1, further comprising: monitoring all network communications in the network, including the first network communication (Moore ¶ 30.); and for each of the network communications, performing steps (b)-(f) (See Moore ¶¶ 93, 95, and 108.).

Regarding claim 3, Moore in view of Krishan discloses the limitations of claim 1, wherein receiving the first network communication comprises intercepting the TLS handshake of the first network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.).

Regarding claim 4, Moore in view of Krishan discloses the limitations of claim 3, wherein receiving the first network communication comprises receiving the intercepted TLS handshake of the first network communication at a network appliance other than a destination device associated with the first network communication (at the Packet Filtering Device 112, filtering TLS certificates as components to TLS handshake sessions. Moore figure 1 and ¶¶ 34 and 94.).

Regarding claim 5, Moore in view of Krishan discloses the limitations of claim 4, wherein transmission of the first network communication to the destination device is uninterrupted by interception of the first network communication (at the Packet Filtering Device 112, filtering TLS certificates as components to TLS handshake sessions. Moore figure 1 and ¶¶ 34 and 94.).

Regarding claim 6, Moore in view of Krishan discloses the limitations of claim 1, wherein the certificate field values comprise a common name (CN) of a certificate holder of the certificate and one or more subject alternative names (SANs) of corresponding alternative domains that use the certificate (Moore ¶ 108.).

Regarding claim 7, Moore in view of Krishan discloses the limitations of claim 1, wherein the certificate field values comprise an issuing organization and information corresponding to the issuing organization (Moore ¶ 108.).

Regarding claim 8, Moore in view of Krishan discloses the limitations of claim 1, wherein the certificate field values comprise a set of validity dates (Moore ¶ 68.).

Regarding claim 10, Moore in view of Krishan discloses the limitations of claim 1, wherein taking the one or more actions comprises providing an alert in response to detecting that the certificate is invalid (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.).

Regarding claim 11, Moore discloses: a network appliance adapted to be coupled to a network, the network appliance comprising: a processor and a memory; the processor adapted to obtain static context data associated with the network at the wherein the static context data including includes data determined in association with activity in the network (the packet filtering device obtains certificate revocation information with other threat intelligence data by downloading the information from the CA’s CRL. Moore ¶ 32 and 64. Certificate authority (CA) would not be considered to be “in-band” since their function is to generate and disseminate certificates and the information used to generate and maintain Certificate Revocation Lists (CRL) would be obtained from published lists prior to the TLS handshake that uses the issued certificate. Moore ¶ 64.), the processor further adapted to, for each network communication: obtain a certificate in a Transport Layer Security (TLS) handshake of the network communication, wherein the network appliance is out-of-band with respect to the network communication (the CA uses information obtained about the certificate to generate and maintain Certificate Revocation Lists (CRL). Moore ¶ 32); parse the certificate to obtain corresponding certificate field values (values from the captured certificates are considered indicators of compromise. Moore ¶ 95.); wherein the static context data is obtained by capturing and analyzing network traffic on the network at the out-of-band network appliance, wherein at least some of the static context data is obtained prior to the TLS handshake (the packet filtering device obtains certificate revocation information with other threat intelligence data by downloading the information from the CA’s CRL. Moore ¶ 32 and 64. Certificate authority (CA) would not be considered to be “in-band” since their function is to generate and disseminate certificates and the information used to generate and maintain Certificate Revocation Lists (CRL) would be obtained from published lists prior to the TLS handshake that uses the issued certificate. Moore ¶ 64.); and in response to the one or more analyses resulting in detection of a threat, taking one or more actions based on the one or more analyses (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.).

Moore discloses some of, but does not disclose all of: perform one or more analyses of the obtained certificate field values against the static context data associated with TLS activity.

However, Krishan does disclose: perform one or more analyses of the obtained certificate field values against the static context data associated with TLS activity (comparing the TLS parameter associated with the owner of the access token with the value of the TLS parameter in the TLS certificate received from the handshake. Krishan ¶ 27.).

Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining certificate data and TLS context data and performing analysis on the data based upon the teachings of Krishan. The motivation being to verify whether the access token was sent by its owner. Krishan ¶ 27.

Regarding claim 12, Moore in view of Krishan discloses the limitations of claim 11, wherein receiving the network communication comprises intercepting the TLS handshake of network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.).

Regarding claim 14, Moore in view of Krishan discloses the limitations of claim 12, wherein the network appliance is adapted to passively intercept each network communication, wherein transmission of the network communication to a destination device is uninterrupted by interception of the network communication (Moore ¶ 30.).

Regarding claim 15, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to obtain certificate field values including a common name (CN) of a certificate holder of the certificate and one or more subject alternative names (SANs) of corresponding alternative domains that use the certificate (Moore ¶ 108.).

Regarding claim 16, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to obtain certificate field values including an issuing organization and information corresponding to the issuing organization (Moore ¶ 108.).

Regarding claim 17, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to obtain certificate field values including a set of validity dates (Moore ¶ 68.).

Regarding claim 19, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to, for each of the network communications: in response to the one or more analyses resulting in detection of a threat, providing an alert corresponding to the threat (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.).

Claims 9, 18 rejected under 35 U.S.C. 103 as being unpatentable over Moore in view of Krishan in view of Ucci (US 2022/0407722 A1, published Dec. 22, 2022).

Regarding claim 9, Moore in view of Krishan discloses the limitations of claim 1. Moore in view of Krishan does not disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate.

However, Ucci does disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate (capture certificates in the chain of certificates associated with the TLS handshake procedure. Ucci ¶¶ 30–31.).

Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining a last certificate of a chain and parsing the certificate based upon the teachings of Ucci. The motivation being to determine whether at least one certificate in a chain has an anomaly. Ucci ¶ 33.

Regarding claim 18, Moore in view of Krishan discloses the limitations of claim 11. Moore in view of Krishan does not disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate.

However, Ucci does disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate (capture certificates in the chain of certificates associated with the TLS handshake procedure. Ucci ¶¶ 30–31.).

Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining a last certificate of a chain and parsing the certificate based upon the teachings of Ucci. The motivation being to determine whether at least one certificate in a chain has an anomaly. Ucci ¶ 33.

Claim 13 rejected under 35 U.S.C. 103 as being unpatentable over Moore in view of Krishan in view of Reddy (US 2017/0339130 A1, published Nov. 23, 2017).

Regarding claim 13, Moore in view of Krishan discloses the limitations of claim 1. Moore in view of Krishan does not disclose: wherein the processor is adapted to, for each of the network communications: decrypt the certificate of the network communication to obtain the corresponding certificate field values; and in response to determining that no threat is detected, re-encrypting the network communication and forwarding the network communication to a corresponding destination.

However, Reddy does disclose: wherein the processor is adapted to, for each of the network communications: decrypt the certificate of the network communication to obtain the corresponding certificate field values (packets captured in network traffic are decrypted for threat analysis. Reddy ¶ 52.); and in response to determining that no threat is detected, re-encrypting the network communication and forwarding the network communication to a corresponding destination (the TLS proxy will re-encrypt analyzed data packets and forward the packets on to their destination. Reddy ¶ 52.).

Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with the decryption and re-encryption of received TLS transmission packets to extract certificate data based upon the teachings of Reddy. The motivation being to be able to read the protocol required encrypted metadata in order to detect network anomalies. Reddy ¶ 3.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VANCE LITTLE whose telephone number is (571) 270-0408. The examiner can normally be reached Monday - Friday 9:30am - 5:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung (Jay) Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/VANCE M LITTLE/
Primary Examiner, Art Unit 2494

Prosecution Timeline

Oct 29, 2025: Examiner Interview Summary
Oct 31, 2025: Response Filed
Jan 30, 2026: Final Rejection mailed — §103, §112
Apr 23, 2026: Applicant Interview (Telephonic)
Apr 23, 2026: Examiner Interview Summary
Apr 30, 2026: Request for Continued Examination
May 07, 2026: Response after Non-Final Action
May 19, 2026: Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639458: IMAGE FORMING SYSTEM, IMAGE FORMING APPARATUS, IMAGE FORMING METHOD, AND NON-TRANSITORY STORAGE MEDIUM (3y 1m to grant; granted May 26, 2026)
Patent 12625980: MAPPING A TANGIBLE INSTANCE OF A DOCUMENT (3y 1m to grant; granted May 12, 2026)
Patent 12625986: INFORMATION PROCESSING METHOD AND INFORMATION PROCESSING SYSTEM (2y 7m to grant; granted May 12, 2026)
Patent 12627713: SECURE SERVICE ADVERTISEMENT IN MULTICAST DNS (2y 5m to grant; granted May 12, 2026)
Patent 12608495: SYSTEMS AND METHODS FOR EFFICIENT CONTENT PACKAGING (2y 4m to grant; granted Apr 21, 2026)
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 4-5
Grant Probability: 84%
With Interview (+24.9%): 99%
Median Time to Grant: 2y 6m (~0m remaining)
PTA Risk: High
Based on 399 resolved cases by this examiner. Grant probability derived from career allowance rate.