Prosecution Insights
Last updated: July 17, 2026
Application No. 18/566,938

SYSTEM AND METHOD FOR DETECTING VULNERABILITIES IN OBJECT-ORIENTED PROGRAM CODE USING AN OBJECT PROPERTY GRAPH

Non-Final OA §103
Filed
Dec 04, 2023
Priority
Jun 02, 2021 — provisional 63/195,991 +1 more
Examiner
HAJIABBASI, AMIR MAHDI
Art Unit
2407
Tech Center
2400 — Computer Networks
Assignee
The Johns Hopkins University
OA Round
3 (Non-Final)
86%
Grant Probability
Favorable
3-4
OA Rounds
0m
Est. Remaining
95%
With Interview

Examiner Intelligence

Grants 86% — above average
86%
Career Allowance Rate
24 granted / 28 resolved
+27.7% vs TC avg
Moderate +9% lift
Without
With
+8.9%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
9 currently pending
Career history
39
Total Applications
across all art units

Statute-Specific Performance

§103
87.0%
+47.0% vs TC avg
§112
8.7%
-31.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 28 resolved cases

Office Action

§103
CTNF 18/566,938 CTNF 99716 DETAILED ACTION Notice of Pre-AIA or AIA Status 07-03-aia AIA 15-10-aia The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 12-20, 23-30, and 32-34 are pending. Claims 1-11, 21-22, 31 are canceled. Claims 12, 23, 32 are independent. Claims 12, 19, 23, 30, and 32-34 are amended. No claims are new. Amendments to the claims have been accepted. Continued Examination Under 37 CFR 1.114 07-42-04 AIA A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/23/2026 has been entered. Response to Arguments 07-38-02 AIA Applicant’s arguments, see pp. 8-9 (pp.1-2 of Remarks) , filed 02/23/2026 , with respect to the rejection(s) of claim(s) under 12, 23, and 32 under 35 U.S.C § 103 of 11/21/2025 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art (Ionescu in view of Abraham) . Claim Objections 07-29-01 AIA Claim 19 objected to because of the following informalities: C19, Line 4: "… wherein the method comprise:… ". 'Comprise' is the plural verb form of 'to comprise' (i.e., the operations comprise), whereas 'the method' is in singular subject form. Suggestions to amend the informality include, "… wherein the method comprises…" Appropriate correction is required. Claim Rejections - 35 USC § 103 07-103 AIA The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action. 07-21-aia AIA Claim s 12, 23, 32, and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Ionescu (Ionescu et al., US 20180349614 A1) in view of Abraham (Abraham et al., US 20190050574 A1) . Regarding Claim 12, and substantially claims 23 and 32, Ionescu teaches a method for detecting vulnerabilities in object-oriented program code, the method comprising: generating, by one or more computers, a query that is configured to search a data structure (¶29, "Passes over the CPG may allow inspection of the base code structure, control flow, and data dependencies of each node, and thus traversing and/or making queries into the CPG may give better understanding of the code base (e.g. by identifying vulnerability patterns)." ) representing the object-oriented program code ( ¶71, "In one implementation, classifying can use information based on class naming, object instance naming… and/or other aspects of the codebase." , the invention is implemented on a codebase with object-oriented code ) for a template pattern of generated graph nodes and graph edges ( ¶24, a CPG (data structure) is a code property graph that's traversed to identify vulnerabilities . ¶27, the CPG has nodes connected by edges. ¶30, the CPG is scanned for vulnerability patterns using the generated query containing formulated data-flow patterns (i.e. a template pattern for vulnerabilities) ), wherein the data structure comprises: an abstract syntax tree that was generated based on the semantics of the object-oriented program code (¶25, the CPG contains an abstract syntax tree (AST). ¶26, the AST characterizes the syntax (i.e. semantics) of the code); executing, by one or more computers, the generated query against the generated data structure; and determining, by one or more computers and based on results of the executed query, whether one or more vulnerabilities exist in the object-oriented program code ( ¶29, ¶30, the CPG is scanned for vulnerabilities by executing the query ). Ionescu further teaches a system comprising one or more computers; and one or more computer-readable storage devices storing instructions that, when executed by the one or more computers, cause the one or more computers to perform operations comprising the method above, as well as one or more computer-readable storage media storing instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising the method above (¶84, “The systems and methods of the embodiments can be embodied and/or implemented at least in part as a machine configured to receive a computer-readable medium storing computer-readable instructions. The instructions can be executed by computer-executable components… ” ) . Although Ionescu teaches a set of graph nodes, separate from the abstract syntax tree, and one or more graph edges that each (i) begin at a node of the abstract syntax tree and terminates at one of the set of graph nodes, and (ii) represent a use, by the object-oriented program code, of the code represented by the graph node where the generated graph edge terminates ( Ionescu, ¶29, “The AST, CFG, and DFG are preferably combined into a joint data structure as the CPG. The three graphs AST, CFG and DFG each have nodes that exist for each statement and predicate of the source code. The statement and predicate nodes can serve as a connection point of the three graphs when joining to form the CPG.” , places where the code is used acts as a connection ( one or more graph edges ) between the AST and a data flow graph ( one or more graph nodes, separate from the abstract syntax tree ), where each have node representing the code ), Ionescu doesn't teach but, in an analogous art, Abraham teaches that for each object of the object-oriented program code, one, and only one, graph node represents the given object, and that the set of graph edges represent a use, by the object-oriented program code, of an object represented by the graph node where the generated graph edge terminates (Abraham, ¶35, "The graph (or graphical-style) database may represent each extracted software object as a node and each relationship between the extracted software objects as a connector between nodes." (for each object of the code, one graph node represents the given objects ). ¶72, "(each respective node representing a corresponding one of the objects), where the nodes are connected to one another based on relationships, functional or otherwise, between the corresponding objects ,", ¶10, "In a typical implementation, the software objects generally are or represent elements of the target business-critical application computer system whose graphical representation as nodes connected to one another based on relationships, functional or otherwise, between the corresponding elements is desirable in view of a particular goal of the analysis. Each respective one of the elements of the target business-critical application computer system may be a unique piece of code, a file, a data string, or other aspect of the target business-critical application computer system." , each node respectively corresponds to a given object (only one ), and the edges represent functional relationships (a use of an object represented by the graph node where the generated graph edge terminates ). ¶302, the code is object-oriented, and the objects represent specific objects of the language ). One of ordinary skill in the art could have modified the control flow or data flow graph of Ionescu using the object graph of Abraham to achieve predictable results, such that the abstract syntax tree connects to an object graph, where each object uniquely represents an object of the source code, connected by how the objects relate to one another. One of ordinary skill in the art prior to the effective filing date of the claimed invention could modify Ionescu using Abraham to have each object of the object-oriented code be represented by one, and only one, graph node, where the set of graph edges represent a use of those objects because it facilitates query and visualization of the software objects and their relationships to each other (Abraham, ¶16) , which makes is easier to find vulnerabilities in the connections between objects (Abraham, ¶38) Regarding claim 34, Ionescu in view of Abraham teaches the method of claim 12, wherein the method comprises: detecting, using the abstract syntax tree, each object of the object-oriented program code (Ionescu, ¶71, "The CPG can be used in identifying associated elements in the code for processing when classifying a data object." , the CPG (which contains the abstract syntax tree) is used to classify data objects (such that they must be detected first) . ¶29, "The three graphs AST, CFG and DFG each have nodes that exist for each statement and predicate of the source code. The statement and predicate nodes can serve as a connection point of the three graphs when joining to form the CPG. Through the three subcomponents, CPG may contain information about the processed code on different levels of abstraction, from dependencies, to type hierarchies, control flow, data flow, and instruction-level information ", all subcomponents of the CPG, including the AST, have nodes for each statement and predicate of the source code, containing information on different levels of abstraction, such as type hierarchies (such that the type of the object, and thus the object itself, is identified by each subcomponent, including the AST)) . Abraham further teaches generating, for each detected object of the object-oriented program code, each of the one, and only one, graph nodes representing each object of the object-oriented program code ( Abraham, ¶35, ¶72, ¶10, the graph nodes represent by respectively corresponding to each object of the object-oriented program code )(see claim 12 for motivation to combine) . 07-22-aia AIA Claim s 13 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Ionescu in view of Abraham as applied to claim s 12 and 23 above, and further in view of CodeQL (“Remote property injection”, published May 5, 2021) . Regarding Claim 13, and substantially claim 24, Ionescu in view of Abraham teaches the method of claim 12, wherein the query is configured to search the data structure for a template pattern that indicates a vulnerability ( Ionescu, ¶30 ). Ionescu in view of Abraham does not teach but, in an analogous art, CodeQL teaches that the vulnerability is (i) a vulnerable assignment statement controllable by an adversary and (ii) an object property lookup after the vulnerable assignment statement ('Remote property injection', "Dynamically computing object property names from untrusted input may have multiple undesired consequences. For example, if the property access is used as part of a write, an attacker may overwrite vital properties of objects, such as __proto__. This attack is known as prototype pollution attack and may serve as a vehicle for denial-of-service attacks. A similar attack vector, is to replace the toString property of an object with a primitive. Whenever toString is then called on that object, either explicitly or implicitly as part of a type coercion, an exception will be raised." ). It would be obvious to one of ordinary skill prior to the effective filing date of the claimed invention to modify Ionescu in view of Abraham using CodeQL to search the data structure for a template pattern that indicates a remote property injection because remote property injection can serve as a vehicle for denial-of-service attacks ( CodeQL, 'Remote property injection' ) . 07-22-aia AIA Claim s 14-17 and 25-28 are rejected under 35 U.S.C. 103 as being unpatentable over Ionescu in view of Abraham as applied to claim s 12 and 23 above, and further in view of Dickson (Ben Dickson, ‘Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications’, The Daily Swig, published August 26, 2020) . Regarding Claim 14, and substantially claim 25, Ionescu in view of Abraham teaches the method of claim 12, wherein the query is configured to search the data structure for a template pattern that indicates a vulnerability ( Ionescu, ¶30 ). Ionescu in view of Abraham does not teach but, in an analogous art, Dickson teaches that the vulnerability is alteration of a built-in function following a prototype chain ( Dickson, 'What is prototype pollution?', the example shows the prototype pollution vulnerability used to alter the toString() function of the prototype chain ). It would be obvious to one of ordinary skill prior to the effective filing date of the claimed invention to modify Ionescu in view of Abraham using Dickson to have the vulnerability of the template pattern be the alteration of a built-in function following a prototype chain because the prototype pollution vulnerability can lead to popular vulnerabilities such as remote code execution (RCE), cross-site scripting, (XSS), and SQL injection (Dickson, 'What is the impact of prototype pollution ?') Regarding Claim 15, and substantially claim 26, Ionescu in view of Abraham teaches the method of claim 12, wherein the query is configured to search the data structure for a vulnerability ( Ionescu, ¶30 ). Ionescu in view of Abraham does not teach but, in an analogous art, Dickson teaches that the vulnerability is an alteration of a built-in function of the object-oriented program code that occurs after a field indicating an occurrence of a prototype chain ( Dickson, 'What is prototype pollution?', the example shows the prototype pollution vulnerability used to alter the toString() function of the prototype chain, the prototype chain indicated by the occurrence of the 'customer.__proto__' field with the indication being followed by the assignment/alteration of the toString() function ). It would be obvious to one of ordinary skill prior to the effective filing date of the claimed invention to modify Ionescu in view of Abraham using Dickson to have the vulnerability be an alteration of a built-in function of the object-oriented program code that occurs after a node indicating an occurrence of a prototype chain because the prototype pollution vulnerability can lead to popular vulnerabilities such as remote code execution (RCE), cross-site scripting, (XSS), and SQL injection (Dickson, 'What is the impact of prototype pollution ?') . Regarding Claim 16, and substantially claim 27, Ionescu in view of Abraham and Dickson teaches the method of claim 15. Dickson further teaches that the node indicating an occurrence of a prototype chain is a prototype node ( Dickson, 'What is prototype pollution?', 'customer.__proto__' is the property used to access the prototype chain ) ( see claim 15 for motivation to combine ). Regarding Claim 17, and substantially claim 28, Ionescu in view of Abraham and Dickson teaches the method of claim 15. Dickson further teaches that the node indicating an occurrence of a prototype chain is a constructor node ( Dickson, 'How to harden applications against prototype pollution attacks', "For instance, with the aforementioned Lodash vulnerability, developers initially checked strings against the field __proto__, but then realized that constructor was also a potential target for prototype pollution .", the constructor field (i.e. property) is one that can indicate the usage of a prototype chain for prototype pollution ) ( see claim 15 for motivation to combine ) . 07-22-aia AIA Claim s 18 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Ionescu in view of Abraham and Dickson as applied to claim s 17 and 28 above, and further in view of Arteau (Olivier Arteau, “Prototype pollution attack in NodeJS application”, published May 15, 2018) . Regarding Claim 18, and substantially claim 29, Ionescu in view of Abraham and Dickson teaches the method of claim 17. Ionescu in view of Abraham and Dickson does not teach but, in an analogous art, Arteau teaches that the constructor node is obj.constructor.prototype ('Magic property', "“constructor” is a magic property that returns the function used to create the object. What’s good to note is that on every constructor there is the property “prototype” which points to the prototype of the class… inst.constructor.prototype // returns the prototype of MyClass ", the usage of the prototype and its chain can be indicated by objectname.constructor.prototype. 'What is an object', "Let’s start with the simplest way to create an object. var obj = {};", the object name can be 'obj). It would be obvious to one of ordinary skill prior to the effective filing date of the claimed invention to modify Ionescu in view of Abraham and Dickson using Arteau to have the constructor node be obj.constructor.prototype because one of ordinary skill in the art could use obj.constructor.prototype as the constructor node of Ionescu in view of Abraham and Dickson to achieve the results of the invention of Ionescu in view of Abraham and Dickson with predictable results . 07-22-aia AIA Claim s 19, 30, and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Ionescu in view of Abraham as applied to claim s 12, 23 and 32 above, and further in view of Daymont (US 20200057856 A1) . Regarding Claim 19, and substantially claims 30 and 33, Ionescu in view of Abraham teaches the method of claim 12. Ionescu in view of Abraham does not teach the rest of the claimed invention. In an analogous art, Daymont teaches that the query is configured to search the data structure for two or more vulnerable assignment statements controllable by an adversary (¶18, ¶51, a data flow model is analyzed to record unsafe data during execution and is used to detect vulnerabilities. ¶60, Fig. 4, variable V2 of the data flow model contain unsafe data supplied by a user (vulnerable assignment statements controllable by an adversary ), assigned multiple times and used an input into an unsafe function such as strcpy, which can allow for additional variable assignments and injections), and wherein the method comprise: based on a determination that execution of the query detected two or more vulnerable assignment statements, correlating, by one or more computers, the vulnerable assignment statements based on object definitions and object use (¶71, the unsafe data can be objects such as strings run through unsafe functions such as subString. ¶74, the full execution trace (correlation) of the unsafe data goes through origin (object definition ) to its path toward termination (object use)). It would be obvious to one of ordinary skill prior to the effective filing date of the claimed invention to modify Ionescu in view of Abraham using Dayton to correlate two or more vulnerable assignment statements based on object definitions and use because it allows for the summarization of the vulnerability based on the object's, which is the unsafe data, definition (origin) and use (usage through multiple function until termination), into a security finding for further actions such as recommendations and risk ratings ( Daymont, ¶65 ) 07-22-aia AIA Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Ionescu in view of Abraham as applied to claim 12 above, and further in view of Allen (Allen et al., US 20200042706 A1) . Regarding Claim 20, Ionescu in view of Abraham teaches the method of claim 12. Ionescu in view of Abraham doesn’t teach but, in an analogous art, Allen teaches that the query is configured to search the data structure for a backward taint-flow from a sink ( ¶31, nodes of a supergraph are search for a backwards taint-flow from a sink to a source node ) to an adversary-controlled program ( ¶19, the source node refers to function calls from external users or systems that can be malicious ). It would be obvious to one of ordinary skill prior to the effective filing date of the claimed invention to modify Ionescu in view of Abraham using Allen to search the data structure for a backward taint-flow from a sink to an adversary-controlled program because it can allow for the identification of attacks that use the tainted data, such as a SQL injection attack or a cross-site scripting attack (Allen, ¶19) . Conclusion 07-96 AIA The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. KR 102014266 B1 teaches generating various graphs for analyzing security vulnerabilities from input source code, such as a control flow graph, data flow graph, and abstract syntax tree, and integrating them to form a composite graph ( p.5, para. 4 ) Steven (STEVEN et al., US 20170329582 A1) teaches the creation of an abstract syntax tree that represents input source code, before performing a property query on the AST to find vulnerabilities with the source code, such as a lack of sanitization ( ¶104-¶106 ) Moore (Moore et al., US 20040268325 A1) teaches a set of nodes, separate from the abstract syntax tree, representing objects of object-oriented code, connected to the abstract syntax tree ( ¶28, "Such objects are mapped to a much simpler representation of equivalent objects within the HLL compiler 112, and are represented as simple nodes within the AST of the probe program 102 and/or the probe expressions 202. This is accomplished by attaching opaque handles representing the gdb objects to the nodes of the AST, as well as caching frequently accessed values from the real objects in the corresponding fields of the AST nodes." ) Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIR MAHDI HAJIABBASI whose telephone number is (703)756-5511. The examiner can normally be reached M-F 7:30-5 EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at (571) 270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.M.H./ Amir Mahdi HajiabbasiExaminer, Art Unit 2407 /David Garcia Cervetti/Primary Examiner, Art Unit 2409 Application/Control Number: 18/566,938 Page 2 Art Unit: 2407 Application/Control Number: 18/566,938 Page 3 Art Unit: 2407 Application/Control Number: 18/566,938 Page 4 Art Unit: 2407 Application/Control Number: 18/566,938 Page 5 Art Unit: 2407 Application/Control Number: 18/566,938 Page 6 Art Unit: 2407 Application/Control Number: 18/566,938 Page 7 Art Unit: 2407 Application/Control Number: 18/566,938 Page 8 Art Unit: 2407 Application/Control Number: 18/566,938 Page 9 Art Unit: 2407 Application/Control Number: 18/566,938 Page 10 Art Unit: 2407 Application/Control Number: 18/566,938 Page 11 Art Unit: 2407 Application/Control Number: 18/566,938 Page 12 Art Unit: 2407
Read full office action

Prosecution Timeline

Dec 04, 2023
Application Filed
Jul 29, 2025
Non-Final Rejection mailed — §103
Oct 22, 2025
Response Filed
Nov 21, 2025
Final Rejection mailed — §103
Jan 21, 2026
Response after Non-Final Action
Feb 23, 2026
Request for Continued Examination
Mar 09, 2026
Response after Non-Final Action
Jun 02, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682071
Software Security Defect Prediction Methods and Devices
2y 5m to grant Granted Jul 14, 2026
Patent 12682045
FAULT-ATTACK ANALYSIS DEVICE AND METHOD
2y 7m to grant Granted Jul 14, 2026
Patent 12670266
SECURE MULTI-PARTY COMPUTATION
2y 9m to grant Granted Jun 30, 2026
Patent 12664270
CONNECTED ASSET RISK MANAGEMENT
2y 3m to grant Granted Jun 23, 2026
Patent 12647447
PREDICTIVE MODELS FOR EXTENDED DETECTION AND RESPONSE (XDR) SYSTEMS
2y 9m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
86%
Grant Probability
95%
With Interview (+8.9%)
2y 6m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 28 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month