Office Action Predictor
Last updated: April 17, 2026
Application No. 18/522,456

SYSTEMS AND METHODS FOR DETECTING MALICIOUS ACTIVITY WITH A FOUNDATIONAL LANGUAGE MODEL

Final Rejection §103
Filed
Nov 29, 2023
Examiner
NAHAR, SAYEDA S
Art Unit
2491
Tech Center
2400 — Computer Networks
Assignee
acronis international GmbH
OA Round
2 (Final)
67%
Grant Probability
Favorable
3-4
OA Rounds
3y 5m
To Grant
99%
With Interview

Examiner Intelligence

Grants 67% — above average
67%
Career Allow Rate
18 granted / 27 resolved
+8.7% vs TC avg
Strong +36% interview lift
Without
With
+35.8%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
25 currently pending
Career history
52
Total Applications
across all art units

Statute-Specific Performance

§101
14.0%
-26.0% vs TC avg
§103
61.6%
+21.6% vs TC avg
§102
4.4%
-35.6% vs TC avg
§112
17.6%
-22.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 27 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment 2. This is in response to the amendments filed on 10/21/2025. Claims 1-21 are currently pending and have been considered below. Response to Arguments 3. Applicant’s arguments filed on 10/21/2025 have been fully considered but they are not persuasive. On the Remarks, Applicant argues that Ladnai does not disclose "detecting a plurality of trigger actions in the provenance graph" as recited in claims 1, 11, and 21. The plurality of trigger actions are not actually detected in the event graph, Ladnai does not teach that training data or features are derived from the event/provenance graph, nor that sequences or subgraphs from the event graph are used to train models. Ducau does not disclose a "foundational language model" and Ladnai and Ducau fail to render obvious "training, using sequences of events generated for the plurality of trigger actions, a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity". The examiner respectfully disagrees. First, in response to applicant's argument that Ladnai does not disclose "detecting a plurality of trigger actions in the provenance graph", it is noted that, Ladnai at Para.0088, Para.0089, Para.0090 and Para.0108 discloses, “provided by the event graph ….. the detected security event …. include the action ….associated with the first application …. e.g., accessing the URL …. the URL ….may be …. malicious URL or a URL ….. associated with malware”, “security event ….. based on the sequence of events included in the event graph ….”, “the security event …. (the action …. of accessing the potentially malicious or otherwise unwanted URL”, “event on the endpoint ……may be a ….. detection of a compromise or other malicious activity”, which the examiner interpreted as being the claimed "detecting a plurality of trigger actions in the provenance graph" because the broadest reasonable interpretation of the claimed "detecting a plurality of trigger actions in the provenance graph" includes detected security events based on the sequence of events including the action of accessing the potentially malicious or unwanted URL. Sequence of security events/the action of accessing the potentially malicious or unwanted URL which is included in the event graph of Ladnai is equivalent to the claimed ‘detecting a plurality of trigger actions in the provenance graph’. Also, from the citation in [Para.0089; “security event ….. based on the sequence of events included in the event graph ….”], it is indicated that Sequence of security events/the action of accessing the malicious URL [claimed ‘plurality of trigger actions’] are detected in the event graph. Second, in response to applicant's argument that Ladnai does not teach that training data or features are derived from the event/provenance graph, nor that sequences or subgraphs from the event graph are used to train models, it is noted that, Ladnai at Para.0120, Para.0046 and Para.0159 discloses “training a …. machine learning model to identify malicious code in the training set …to identify …. threat samples that are … malicious”, “the training data may include …. malicious files …. the training data may include …. a family or type of malware”, “the security event …. (the action …..of accessing the potentially malicious or otherwise unwanted URL”, which the examiner interpreted as being the claimed "training, using sequences of events generated for the plurality of trigger actions, a …. model to predict …. events for a sequence of ….. events" because the broadest reasonable interpretation of the claimed “training, using sequences of events generated for the plurality of trigger actions, a …. model to predict …. events for a sequence of ….. events" includes training a machine learning model with training data which includes malicious files or malware. As sequence of events/the action of accessing the potentially malicious or unwanted URL of Ladnai is used as training data to train the machine learning model to identify threat samples that are malicious, thus it is indicated that Ladnai teaches that training data or features are derived from the event/provenance graph and the sequences or subgraphs from the event graph are used to train models. Finally, in response to applicant's argument that Ducau does not disclose a "foundational language model" and Ladnai and Ducau fail to render obvious "training, using sequences of events generated for the plurality of trigger actions, a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity", it is noted that, Ducau at Para.0038, Para.0029, Para.0153, Para.0163 discloses; “The machine learning model … receive … an analysis object, and output an analysis result, … The machine learning model may provide an output indicating a threat classification…. indicate an evaluation of the likelihood that the analysis object is a threat”, “a machine learning model…. trained for a security recognition task …. The object of recognition tasks may be any suitable artifact, for example, files …. processes….”, “event graph …generated …. upon the occurrence of an event,… for example, when a …. event … is detected on an endpoint….based on a data log”, “C Language Integrated Production System (CLIPS) is a … software tool …. for analysis of a …. event graph …..”, which is equivalent to the claimed “training…. a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity”. Because, in Ducau, C Language Integrated Production System is used for analysis of an event graph and event graph is used for detection of event, as a machine learning model is trained to detect security threat, this machine learning model is equivalent to the claimed "foundational language model". Also, the analysis result including a sequence of computing objects related by a number of events are equivalent to the claimed ‘resultant events’, analysis object/ files and Processes are equivalent to the claimed ‘sequence of lead up events’. Thus, it is clearly indicated that Ladnai discloses “training, using sequences of events generated for the plurality of trigger actions, a …. model to predict …. events”, Ducau discloses "training…. a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity". Therefore, Ladnai and Ducau render obvious "training, using sequences of events generated for the plurality of trigger actions, a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity". It is clearly indicated that Ladnai and Ducau fully disclose all the limitations of claim 1. Thus, in view of the above, the examiner maintains that Ladnai and Ducau fully disclose all the limitations of claim 1 and the rejection of such is sustained below. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 4. Claims 1-3,5-13 and 15-21 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Ladnai et al (US 20200076834 A1 in view of Ducau et al. (US 20200364338 A1) Regarding Claim 1: Ladnai discloses: a. A method for detecting malicious activity using a …. model, (Para.0121; “the method …. that evaluates …. an unknown threat …is malicious based on a … machine learning model”) the method comprising: receiving a plurality of logs indicative of software behavior from an endpoint device; (Para.0075, Para.0074, Para.0073, Abstract; “The endpoint 302… manage a flow of information from the data recorder 304 to a remote …. threat management facility 308…. log of events …. on each endpoint” 304 is inside 302, “log events occurring on …. Endpoint….include events associated with computing objects …such as file manipulations, software installations”, “the endpoint 302 … monitor behavior of computing objects such as executables”, “selecting objects ….. a …. data stream of information …. provided from an endpoint to a …. threat management facility” threat management facility receives log events associated with computing objects indicating software behavior or related with software installations of an endpoint device) b. generating, based on the plurality of logs, a provenance graph (Para.0086, Para.0113; “The event graph …. include a sequence of computing objects ….related by a number of events…. The event graph …. generated… based on a data log …..” event graph is construed as a provenance graph, “The data log ….include data from a single endpoint …. or from a number of endpoints ….”) that represents relationships between different types of data objects on the endpoint device by linking a plurality of data objects by a plurality of actions; (Para.0086, Para.0087; “The event graph …. include a sequence of computing objects …. related by a number of events, and which provide … computing activity on one or more endpoints”, “a computing object …. include one or more files and applications…. The first application …. perform one or more actions …. such as accessing a URL ….which in turn accesses one or more files”) c. detecting a plurality of trigger actions in the provenance graph; (Para.0088, Para.0090 and Para.0108; “provided by the event graph ….. the detected security event …. include the action ….associated with the first application …. e.g., accessing the URL …. the URL ….may be …. malicious URL or a URL ….. associated with malware”, “the security event …. (the action …. of accessing the potentially malicious or otherwise unwanted URL”, “event on the endpoint ……may be a ….. detection of a compromise or other malicious activity” detected security events including the action of accessing the potentially malicious or unwanted URL is construed as detecting a plurality of trigger actions in the provenance graph) d. generating, for each respective trigger action of the plurality of trigger actions, a sequence of events (Para.0089; “security event 502 based on the sequence of events included in the event graph …. the sequence of events preceding the detected security event 502”) that contributed to an occurrence of the respective trigger action based on the provenance graph; (Para.0090; “the security event …. (the action …. of accessing the potentially malicious or otherwise unwanted URL”) e. training, using sequences of events generated for the plurality of trigger actions, a … model to predict …. events for a sequence of …. events (Para.0120, Para.0046, Para.0159; “training a …. machine learning model to identify malicious code in the training set …to identify …. threat samples that are … malicious”, “the training data may include …. malicious files …. the training data may include …. a family or type of malware”, “the security event …. (the action …..of accessing the potentially malicious or otherwise unwanted URL”) and classify whether the ….. events indicate malicious activity; (Para.0184, Para.0124; “model based on…..event stream … for identifying … threat samples …. classified as safe or unsafe”, “a threat sample…include … computing object such as executable code ….. a process, a script”) and …. however, Ladnai does not explicitly disclose: a. …. a foundational language model, e. training…. a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity; [Ladnai discloses training, using sequences of events generated for the plurality of trigger actions, a …. model to predict …. events for a sequence of …. events, and classify whether the …... events indicate malicious activity but Ladnai does not disclose training…. a foundational language model to predict resultant events for a sequence of lead up events and classify whether the resultant events indicate malicious activity] f. detecting the malicious activity by applying the foundational language model on an input sequence of events. In an analogous reference Ducau discloses: a. …. a foundational language model, (Para.0029, Para.0153, Para.0163; “a machine learning model…. for a security recognition task …. recognition tasks may be any suitable artifact, for example, files …. processes….”, “event graph …generated …. upon the occurrence of an event,… for example, when a security event … is detected on an endpoint….based on a data log”, “C Language Integrated Production System (CLIPS) is a … software tool …. for analysis of a …. event graph …..”) e. training…. a foundational language model (Para.0029, Para.0153, Para.0163; “a machine learning model…. trained for a security recognition task …. The object of recognition tasks may be any suitable artifact, for example, files …. processes….”, “event graph …generated …. upon the occurrence of an event,… for example, when a security event … is detected on an endpoint….based on a data log”, “C Language Integrated Production System (CLIPS) is a … software tool …. for analysis of a …. event graph …..” C Language Integrated Production System is used for analysis of an event graph and event graph is used for detection of security event, as a machine learning model is trained to detect security threat, it is construed as a language model) to predict resultant events for a sequence of lead up events (Para.0038, Para.0153, Para.0029; “The machine learning model … receive … an analysis object, and output an analysis result, … The machine learning model may provide an output indicating a threat classification…. indicate an evaluation of the likelihood that the analysis object is a threat”, “the results of a machine learning model ….about ….an endpoint. …. include a sequence of computing objects …. related by a number of events, and which provide a …. computing activity on one or more endpoints”, “The object …. may be …. artifact, for example, files …. Processes…..” analysis result include a sequence of computing objects related by a number of events are construed as resultant events, analysis object/ files and Processes are construed as a sequence of lead up events) and classify whether the resultant events indicate malicious activity; (Para.0038, “The machine learning model …. output an analysis result, such as a score indicating whether the analysis object is…. potentially malicious…. indicating a threat classification…”) f. detecting the malicious activity (Para.0041, Para.0029; “The analysis object, shown as file… analyzed ….to identify whether the file is malicious”, “a machine learning model…. trained for …. detection of malware ….”) by applying the foundational language model on an input sequence of events. (Para.0046; “a machine learning … data used to train a detection model …. data …. include … set of input information …. The input information may include analysis objects”) Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Ladnai’s method for computer assisted identification of intermediate threats by enhancing Ladnai’s method to include Ducau’s method for machine learning recognition of portable executable files as malware. The motivation: benefit of predicting resultant events for a sequence of lead up events in a language model is improved contextual understanding, enhanced causal reasoning and better predictive performance. With respect to independent claims 11 and 21, a corresponding reasoning was given earlier in this section with respect to claim 1; therefore, claims 11 and 21 rejected, for similar reasons, under the grounds as set forth for claim 1. Regarding Claim 2: Ladnai in view of Ducau discloses: g. The method of claim 1, …. … adjusting parameters of the …... model (Ladnai, Para.0147, Para.0129; “features that are most heavily weighted on a percentage basis toward safety or suspiciousness….”, “features …. used to identify suspicious features …. to identify … samples of …. unsafe code based on a model for one or more of a file path, a URL, an executable”) …. ….. each respective sequence of the sequences of events (Ducau, Para.0153; “event graph … used …. to record the results of a machine learning model …. about …. an endpoint. The event graph …. include a sequence of computing objects …. related by a number of events”) comprises a first plurality of lead up events (Para.0038, Para.0029; “machine learning model …. receive a feature vector associated with an analysis object….”, “The object … for example, …. documents, processes, network flows….. or any other suitable analysis object”) and a second plurality of resultant events, (Para.0038; “machine learning model ….. output an analysis result….”) and wherein training the foundational language model comprises: masking, for each respective sequence of the sequences of events, the second plurality of resultant events; (Ducau, Para.0161, Para.0038; “one or more computing objects or events ….. These computing objects or events …. filtered or ‘pruned’ ….”, “The machine learning model …. output an analysis result…. indicating whether the analysis object is, ….. type of malware” the machine learning model provides the output or resultant objects or events when the analysis object is malicious, the malicious computing objects or events are filtered or ‘pruned’ from the event graph, thus these resultant objects or events are construed as second plurality of resultant events are masked) and adjusting…. the foundational language model to output the second plurality of resultant events for an input comprising the first plurality of lead up events. (Ducau, Para.0040, Para.0029, Para.0034, Para.0038; “analyze an analysis object (for examples, weights associated with the machine learning model”, “a machine learning model…. include ….. analysis object”, “…. analysis object (e.g., one or more of a file, ….) as an input and output ….. associated with the analysis object”, “The machine learning model …. output an analysis result….”) With respect to dependent claim 12., a corresponding reasoning was given earlier in this section with respect to claim 2; therefore, claim 12 rejected, for similar reasons, under the grounds as set forth for claim 2. Regarding Claim 3: Ladnai in view of Ducau discloses: h. The method of claim 1, wherein generating the provenance graph comprises: identifying, in a first log, a source object, (Ducau, Para.0155, Para.0154; “event graph …. begins with a computing object that is a USB device … USB device …. include …. a first file 816…. and a first application 820…. first file …. associated with a first event 822”, “The event graph …. generated to serve as …. the data log”) an action performed by the source object, (Para.0156; “The first application 820 …. perform one or more actions … such as accessing a URL 830”) and a target object on which the action was performed; (Para.0156; “the URL 830 may download or run a second application 832 on the endpoint”) and linking, on the provenance graph, (Para.0153; “event graph … used … to record the results of a machine learning model ….about ….an endpoint. The event graph …. include a sequence of computing objects causally related by a number of events”) a first identifier of the source object, (Para.0048; “A detection name or names …. associated with the binary file ….”) a second identifier of the action, (Para.0048, Para.0052; “…. the binary file …. provide tags (labels) ….”, “the tags or labels …. related to malware families, in the sense that they attempt to describe how piece of malicious software executes and what is its intention”) and a third identifier of the target object. (Para.0049, Para.0145, Para.0116; “a target binary file …”, “Tags associated with … the target artifact”, “target vector for a …. file”) With respect to dependent claim 13, a corresponding reasoning was given earlier in this section with respect to claim 3; therefore, claim 13 rejected, for similar reasons, under the grounds as set forth for claim 3. Regarding Claim 5: Ladnai in view of Ducau discloses: j. The method of claim 1, wherein the sequences of events comprise ordered events capturing one or more of: (a) a process initiating or terminating, (Ladnai, Para.0065; “terminating or modifying an ongoing process or interaction”) (b) a file or directory being created, modified, deleted, or read, (Abstract, Para.0073; “creates … wider range of objects and changes”, “computing objects such as … files”) (c) a network connection being established, modified, or terminated, (d) a registry file being accessed. With respect to dependent claim 15., a corresponding reasoning was given earlier in this section with respect to claim 5; therefore, claim 15 rejected, for similar reasons, under the grounds as set forth for claim 5. Regarding Claim 6: Ladnai in view of Ducau discloses: k. The method of claim 1, wherein the plurality of trigger actions is indicative of malicious activity. (Ladnai, Para.0090; “the security event …. (the action …. of accessing the potentially malicious or otherwise unwanted URL”) With respect to dependent claim 16., a corresponding reasoning was given earlier in this section with respect to claim 6; therefore, claim 16 rejected, for similar reasons, under the grounds as set forth for claim 6. Regarding Claim 7: Ladnai in view of Ducau discloses: l. The method of claim 1, wherein the plurality of trigger actions comprise one or more of: (a) a malicious file being detected, downloaded, or executed, (disclosed in claim 1) (b) sensitive data being accessed, (c) an executable being started from a temporary folder location, (d) a DNS lookup is performed for a suspicious domain, (e) a PowerShell script being started with obfuscated parameters, (f) persistence being created via a registry key or via a startup folder, and (g) an upload size greater than a threshold data amount being performed. With respect to dependent claim 17, a corresponding reasoning was given earlier in this section with respect to claim 7; therefore, claim 17 rejected, for similar reasons, under the grounds as set forth for claim 7. Regarding Claim 8: Ladnai in view of Ducau discloses: m. The method of claim 1, wherein receiving the plurality of logs comprises: monitoring processes on the endpoint device using an agent locally installed on the endpoint device. (Ladnai, Para.0073, Para.0074; “the endpoint … include a security agent …. monitoring for malicious activity”, “log events occurring on … endpoint… include …. activities”) With respect to dependent claim 18, a corresponding reasoning was given earlier in this section with respect to claim 8; therefore, claim 18 rejected, for similar reasons, under the grounds as set forth for claim 8. Regarding Claim 9: Ladnai in view of Ducau discloses: n. The method of claim 8, wherein monitoring the processes comprises tracking kernel API calls (Ladnai, Para.0103, Para.0100; “the event ….may be, e.g., a kernel-level event”, “process or other computing object that performs an action, which may include a single event … or a collection or sequence of events …..”) and/or operating system calls. With respect to dependent claim 19, a corresponding reasoning was given earlier in this section with respect to claim 9.; therefore, claim 19 rejected, for similar reasons, under the grounds as set forth for claim 9. Regarding Claim 10: Ladnai in view of Ducau discloses: o. The method of claim 1, further comprising: removing personal identifiable information (PII) from the logs to maintain privacy of users of the endpoint device. (Ladnai, Para.0157, Para.0074; “an event stream may be … to remove personal identifying information, e.g., for compliance with data privacy regulations”, “log events occurring on … endpoint… include events associated with computing objects …”) With respect to dependent claim 20, a corresponding reasoning was given earlier in this section with respect to claim 10; therefore, claim 20 rejected, for similar reasons, under the grounds as set forth for claim 10. Claims 4 and 14 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Ladnai et al (US 20200076834 A1 in view of Ducau et al. (US 20200364338 A1) and further in view of Yuile et. Al (US 20210157583 A1) Regarding Claim 4: Ladnai in view of Ducau discloses: i. The method of claim 3, wherein generating the provenance graph comprises: identifying, in a second log, the target object, (Para.0154, Para.0156; “The event graph …. generated to serve as….. the data log”, “a second application 832 on the endpoint…..”) another action performed by the target object, and a different target object on which the another action was performed; (Para.0156; “a second application ….accesses one or more files (e.g., the fourth file 834 ….) or is associated with other events (e.g., the third event”) and linking, on the provenance graph, the first identifier of the source object, the second identifier of the action, the third identifier of the target object, (disclosed in claim 1) …. however, Ladnai in view of Ducau does not explicitly disclose: linking, on the provenance graph…. a fourth identifier of the another action, and a fifth identifier of the different target object. In an analogous reference Yuile discloses: linking, on the provenance graph…. a fourth identifier of the another action, (Para.0013, Para.0038, Para.0107; “UPG generated for an …website defacement using write event”, “concept of the Universal Provenance Graph (UPG) combines ….the ….event logging activity of applications”, “timestamp of the event's occurrence …..,” timestamp of the event's occurrence/website defacement using write event is construed as fourth identifier of an action) and a fifth identifier of the different target object. (Para.0046, Para.0036; “consider a data exfiltration and defacement attack on an online shopping website as an example to … provenance tracking systems….”, “The provenance tracker …. add, to the respective event …. one of a process identifier (PID) ….” a process identifier (PID) is construed as fifth identifier) Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Ladnai in view of Ducau’s method for computer assisted identification of intermediate threats by enhancing Ladnai in view of Ducau’s method to include Yuile’s method for analyzing program code. The motivation: On a provenance graph, utilizing multiple identifiers for a target object offers several benefits, particularly in situations where an object may be known by different names or identifiers across various systems or contexts. With respect to dependent claim 14, a corresponding reasoning was given earlier in this section with respect to claim 4; therefore, claim 14 rejected, for similar reasons, under the grounds as set forth for claim 4. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAYEDA SALMA NAHAR whose telephone number is (703)756-4609. The examiner can normally be reached M-F 12:00 PM to 6:00 PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached on (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SAYEDA SALMA NAHAR/Examiner, Art Unit 2491 /AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2491
Read full office action

Prosecution Timeline

Nov 29, 2023
Application Filed
Jul 16, 2025
Non-Final Rejection — §103
Oct 21, 2025
Response Filed
Jan 05, 2026
Final Rejection — §103
Mar 31, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12537850
CONCEALED MONITOR COMMUNICATIONS FROM A TASK IN A TRUSTED EXECUTION ENVIRONMENT
2y 5m to grant Granted Jan 27, 2026
Patent 12506751
METHOD AND SYSTEM FOR SCORING SEVERITY OF CYBER ATTACKS
2y 5m to grant Granted Dec 23, 2025
Patent 12493681
PUF-RAKE: A PUF-BASED ROBUST AND LIGHTWEIGHT AUTHENTICATION AND KEY ESTABLISHMENT PROTOCOL
2y 5m to grant Granted Dec 09, 2025
Patent 12457490
ON-DEMAND SUBSCRIPTION CONCEALED IDENTIFIER (SUCI) DECONCEALMENT FOR SELECT APPLICATIONS
2y 5m to grant Granted Oct 28, 2025
Patent 12445469
USING A THREAT INTELLIGENCE FRAMEWORK TO POPULATE A RECURSIVE DNS SERVER CACHE
2y 5m to grant Granted Oct 14, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
67%
Grant Probability
99%
With Interview (+35.8%)
3y 5m
Median Time to Grant
Moderate
PTA Risk
Based on 27 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month