Prosecution Insights
Last updated: July 17, 2026
Application No. 18/604,091

IDENTIFYING AND HANDLING VULNERABLE INFORMATION IN LOG FILES USING LARGE LANGUAGE MODELS

Final Rejection §103
Filed
Mar 13, 2024
Examiner
MOLES, JAMES P
Art Unit
2494
Tech Center
2400 — Computer Networks
Assignee
T-Mobile USA Inc.
OA Round
2 (Final)
61%
Grant Probability
Moderate
3-4
OA Rounds
7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 61% of resolved cases
61%
Career Allowance Rate
25 granted / 41 resolved
+3.0% vs TC avg
Strong +38% interview lift
Without
With
+38.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 11m
Avg Prosecution
7 currently pending
Career history
55
Total Applications
across all art units

Statute-Specific Performance

§101
0.9%
-39.1% vs TC avg
§103
90.1%
+50.1% vs TC avg
§102
1.8%
-38.2% vs TC avg
§112
7.2%
-32.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 41 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This office action is in response to the applicant’s filing on 03/13/2024. Claims 1-20 are pending. Claims 1, 8, and 15 are independent. Information Disclosure Statement The information disclosure statement (IDS) submitted on 03/13/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Claim Objections Claims 8 and 15 are objected to because of the following informalities: Claims 8 and 15 appear to be missing a semicolon at the end of the wherein clause and before the create first embeddings clause. See “wherein … of the first set of log files create first …” should read “wherein … of the first set of log files; create first …”. Appropriate correction is required. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1, 4-8, 11-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rodriguez Bravo et al. (US PGPub No. 2025/0148075; hereinafter “Rodriguez Bravo”), in view of Engel et al. (US Patent No. 12487874; hereinafter “Engel”), in view of BULUT et al. (US PGPub No. 2024/0427879; hereinafter “BULUT”), in view of Bao et al. (US PGPub No. 2025/0245120; hereinafter “Bao”). As per claim 1: Rodriguez Bravo discloses a method for identifying and handling vulnerable information in log files of an enterprise, the method comprising: receiving a first set of obfuscated log files from a log storage or an application that generated log files in the first set (the procedural steps executed for generating obfuscation patterns within system log files. The sequence of operations commences at reference point 400 and elucidates the functionalities performed by an algorithmic process aimed at generating Obfuscation Patterns [Rodriguez Bravo ¶ 0064, Fig. 3]; These types encompass event logs, server logs, system logs, authorization and access logs, change logs, availability logs, resource logs, threat logs, and others. These selected “dirty” log files are subsequently fetched from a data repository, denoted as data store 410, and stored in a separate data repository, designated as data store 420 [Rodriguez Bravo ¶ 0065]); and [processing the first set of obfuscated log files using a large language model (LLM) to identify a subset of the first set of obfuscated log files that contain a vulnerability, wherein processing the first set of obfuscated log files using the LLM comprises applying engineered prompts to the log files in the first set to identify contents of the first set of obfuscated log files]; [creating first embeddings representing the subset of the first set of obfuscated log files in a vector space and inserting the first embeddings into a vector database]; receiving a second set of log files from the log storage or an application that generated log files in the second set (These types encompass event logs, server logs, system logs, authorization and access logs, change logs, availability logs, resource logs, threat logs, and others. These selected “dirty” log files are subsequently fetched from a data repository, denoted as data store 410, and stored in a separate data repository, designated as data store 420 [Rodriguez Bravo ¶ 0065]); [creating second embeddings representing the second set of log files in the vector space and inserting the second embeddings into the vector database]; and [comparing the first embeddings and the second embeddings using a distance algorithm to determine whether the vulnerability exists in the second set of log files]. Rodriguez Bravo discloses the claimed subject matter as discussed above but does not explicitly disclose processing the first set of obfuscated log files using a large language model (LLM) to identify a subset of the first set of obfuscated log files that contain a vulnerability, wherein processing the first set of obfuscated log files using the LLM comprises applying engineered prompts to the log files in the first set to identify contents of the first set of obfuscated log files. However, Engel teaches processing the first set of obfuscated log files using a large language model (LLM) to identify a subset of the first set of obfuscated log files that contain a vulnerability, wherein processing the first set of obfuscated log files using the LLM comprises applying engineered prompts to the log files in the first set to identify contents of the first set of obfuscated log files (The computer system 108 is further communicatively coupled to an incident detection system 112, which is programmed to continuously monitor the computer system and identify service issues, errors, failures, attacks, or other incidents [Engel, Column 8, lines 34-45]; accessing one or more data sets of information associated with an incident event corresponding to an incident associated with a computer system; generating a prompt based on the one or more data sets of information, wherein generating the prompt comprises generating a plurality of sub-prompts to be provided to a machine-learning model for generating a report of the incident event in accordance with a predetermined criteria; inputting the prompt into a machine-learning model that has been trained to generate a report of the incident event based on the prompt [Engel, abstract, Fig. 6]; the machine learning model can comprise one or more large language models (LLMs) or an interface to an application programming interface (API) of a generative AI system [Engel, Column 9, lines 11-14]; a “prompt” may refer to any text or set of textual data that may be provided to a language model (LM) or LLM to elicit a response from the LM or LLM in accordance with user intent. For example, in one embodiment, the “prompt” may be sent to an API of the LM or LLM, in which the prompt may be utilized to instruct the LM or LLM and guide the response of the LM or LLM toward a specific content, specific intent, and/or specific context [Engel, Column 9, lines 15-23; Column 9-10]). Rodriguez Bravo and Engel are analogous art because they are from the same field of endeavor of security information processing. Therefore, based on Rodriguez Bravo in view of Engel, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Engel to the system of Rodriguez Bravo in order to process the log information through an LLM for security incident response. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim. Rodriguez Bravo in view of Engel discloses the claimed subject matter as discussed above but does not explicitly disclose creating first embeddings representing the subset of the first set of obfuscated log files in a vector space and inserting the first embeddings into a vector database; creating second embeddings representing the second set of log files in the vector space and inserting the second embeddings into the vector database; comparing the first embeddings and the second embeddings using a distance algorithm. However, BULUT teaches creating first embeddings representing the subset of the first set of obfuscated log files in a vector space and inserting the first embeddings into a vector database (a first natural language description corresponding with the first log line and a second natural language description corresponding with the second log line are generated. The natural language descriptions are generated using a natural language generation engine, such as the natural language generation engine 192 in FIG. 1A. In step 410, a first log line embedding is generated using the first natural language description and a second log line embedding is generated using the second natural language description [BULUT ¶ 0085]; a distance metric for measuring the proximity between two vectors in a vector space [BULUT ¶ 0085]; all security data can be stored in a vector storage and be retrieved using embeddings, which eliminates the need for parsers for complex feature engineering or database table designs [BULUT ¶ 0021]); creating second embeddings representing the second set of log files in the vector space and inserting the second embeddings into the vector database (a first natural language description corresponding with the first log line and a second natural language description corresponding with the second log line are generated. The natural language descriptions are generated using a natural language generation engine, such as the natural language generation engine 192 in FIG. 1A. In step 410, a first log line embedding is generated using the first natural language description and a second log line embedding is generated using the second natural language description [BULUT ¶ 0085]; all security data can be stored in a vector storage and be retrieved using embeddings, which eliminates the need for parsers for complex feature engineering or database table designs [BULUT ¶ 0021]); comparing the first embeddings and the second embeddings using a distance algorithm to (a first embedding distance between the query embedding and the first log line embedding is determined and a second embedding distance between the query embedding and the second log line embedding is determined. In some cases, the embedding distance corresponds with a Euclidean distance, a cosine similarity distance, or a distance metric for measuring the proximity between two vectors in a vector space [BULUT ¶ 0085]; A technical benefit of identifying a set of relevant log lines (e.g., based on embedding distances and a threshold prompt length) out of a very large number of log lines within security data (e.g., within a set of security documents) is that a generative model with a limited context window can be utilized to provide responses (e.g., search results and summaries). By identifying relevant log lines based on embedding distances generated using a security embedding generation LLM, such as the security embedding generation LLM 132 in FIG. 1B, a data security system, such as the data security system 120 in FIG. 2C, may have the ability to utilize a generative model with a limited context window to provide a response and perform security risk mitigation actions based on the response, thereby improving data security system performance and reducing the amount of time to perform security risk mitigation actions [BULUT ¶ 0021]; In some cases, the response is outputted as displayed text or an electronic transmission. In other cases, the response is stored using a data storage device or a data storage layer [BULUT ¶ 0103]; In some embodiments, a security risk mitigation action is performed by a data security system based on the response. In one embodiment, in response to detection that the response identifies that an unauthorized access to a computing system or electronic file has occurred [BULUT ¶ 0104]). Rodriguez Bravo in view of Engel and BULUT are analogous art because they are from the same field of endeavor of security information processing. Therefore, based on Rodriguez Bravo in view of Engel in view of BULUT, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of BULUT to the system of Rodriguez Bravo in view of Engel in order to compare log information with similar meaning for security response. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim. Rodriguez Bravo in view of Engel in view of BULUT discloses the claimed subject matter as discussed above but does not explicitly disclose determine whether the vulnerability exists in the second set of log files. However, Bao teaches determine whether the vulnerability exists in the second set of log files (the LLM is used to generate embeddings that are used to identify two or more matched historical errors. The matched historical errors are potential matches to a current error that needs to be resolved. The entity matching model is used to determine a matched historical error from the two or more matched historical errors. The LLM is also used to generate a proposed solution to the current error based on a historical solution to the matched historical error [Bao, abstract]; Implementations can include actions of receiving, by a log analyzer, a current error log representative of one or more current errors that occurred during execution of a software application, providing, from the current error log, a current error historical sub-log that is representative of a current error that occurred during execution of the software application, generating a current error embedding for the current error historical sub-log, the current error embedding being generated by transmitting an embedding request including at least a portion of the current historical sub-log to a LLM system and receiving the current error embedding from the LLM system in response to the embedding request, determining a set of matched historical error sub-logs at least partially by comparing the current error embedding to historical error embeddings in a set of historical error embeddings, identifying, by an entity matching model, a matched historical error sub-log from the set of matched historical error sub-logs, retrieving a historical solution associated with the matched historical error sub-log, generating a proposed solution to the current error by transmitting a prompt including at least a portion of the historical solution to the LLM system and receiving the proposed solution from the LLM system in response to the prompt, and executing the proposed solution to mitigate the current error [Bao ¶ 0014]; to determine the top-k matches for a CEE, the CEE is compared to each HEE in the embedding datastore 204. In some examples, comparing can include determining a similarity between the CEE and each HEE. An example similarity can include, without limitation, a cosine similarity, which can be described as a measure of similarity between vectors (e.g., [CEE, HEE]) of an inner product space, and is calculated as a cosine of the angle between the vectors. In some examples, the cosine similarity can be in a range of [1,−1], inclusive. Here, if two vectors are identical, the cosine similarity is equal to 1. The cosine similarity is increasingly less than 1 as the vectors being compared are increasingly dissimilar. In some examples, a set of similarity scores is determined for each CEE, similarity scores in the set of similarity scores are put in rank order from highest to lowest, and the top-k similarity scores are selected. The HEEs that correspond to the top-k similarity scores are returned as a set of matching HEEs (top-k HEEs) for the CEE [Bao ¶ 0039]; a set of historical errors can be determined for each set of matching HEEs and can be associated with the current error represented by the respective CEE [Bao ¶ 0040]). Rodriguez Bravo in view of Engel in view of BULUT and Bao are analogous art because they are from the same field of endeavor of security information processing. Therefore, based on Rodriguez Bravo in view of Engel in view of BULUT in view of Bao, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Bao to the system of Rodriguez Bravo in view of Engel in view of BULUT in order to determine errors in current logs based on the history of previous errors and resolve them to mitigate the errors. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim. As per claim 4: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 1. Furthermore, Engel discloses further comprising: upon determining the vulnerability exists in the second set of log files, notifying a network node responsible for maintaining the log storage or handling the application that generated the second set of log files (The term “incident response” can refer to the actions, resources, services, messages, notifications, alerts, events, or the like related to resolving one or more incidents. Accordingly, services that a pending incident may impact may be added to the incident response associated with the incident. Likewise, resources responsible for supporting or maintaining the services may also be added to the incident response. Further, log entries, journal entries, notes, timelines, task lists, status information, or the like may be part of an incident response [Engel, Column 5, lines 39-48]; transmitting the report to one or more computing devices associated with the computer system [Engel, Column 6, lines 17-19; Fig. 1]; transmitting the report to one or more computing devices associated with the computer system. For example, in one embodiment, upon receiving as a response to the prompt the output of the machine-learning model (for example, LLM) corresponding to a report of the incident event, one or more processors 104 may then transmit the generated report to one or more computing devices associated with the computer system 108 [Engel, Column 24, lines 38-48]). As per claim 5: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 1. Furthermore, BULUT and Bao disclose wherein comparing the first embeddings and the second embeddings comprises: calculating a cosine similarity between the first embeddings and the second embeddings (In some cases, a sentence transformer is used to generate the embeddings that are compared (e.g., using cosine similarity) to identify sentences with similar meaning [BULUT ¶ 0040]); comparing the cosine similarity to a pre-determined threshold; and upon determining that the cosine similarity between the first embeddings and the second embeddings exceeds the pre-determined threshold (In step 484, at least one relevant log line out of the security data is identified based on the first embedding distance, the second embedding distance, and a threshold prompt length. In one example, the threshold prompt length corresponds with a maximum number of tokens allocated to log lines for a prompt or corresponds with a maximum number of log lines that are used by an input prompt for a generative model [BULUT ¶ 0103]), determining the vulnerability identified in the first set of obfuscated log files exists in the second set of log files (Here, if two vectors are identical, the cosine similarity is equal to 1. The cosine similarity is increasingly less than 1 as the vectors being compared are increasingly dissimilar. In some examples, a set of similarity scores is determined for each CEE, similarity scores in the set of similarity scores are put in rank order from highest to lowest, and the top-k similarity scores are selected. The HEEs that correspond to the top-k similarity scores are returned as a set of matching HEEs (top-k HEEs) for the CEE [Bao ¶ 0039]; a set of historical errors can be determined for each set of matching HEEs and can be associated with the current error represented by the respective CEE [Bao ¶ 0040]). As per claim 6: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 1. Furthermore, BULUT discloses wherein the vulnerability includes at least one of: login information, unique customer identifier, social security number, or personal identifiable information (Event logs record various types of security related information, such as information associated with login sessions, file deletions, failed password attempts, and account lockouts [BULUT ¶ 0001]; A security log includes records of security events, such as login/logout activity, including associated time stamps, locations, usernames, IP addresses, and computer names for each security event. As examples, a security log includes log lines that record security policy violations, file deletions, successful and unsuccessful login attempts, authentication successes and failures, changes in user privileges, and software installations and deletions. The security alerts include records of system and application errors and alerts. The threat intelligence documents include records of threat intelligence feeds. [BULUT ¶ 0026]). As per claim 7: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 1. Furthermore, Bao discloses wherein the obfuscated log files include at least one of: logs generated based on interactions between a user device and the application, server logs saved in the log storage of the enterprise, codebase of the application, or source files of the application (actions of receiving, by a log analyzer, a current error log representative of one or more current errors that occurred during execution of a software application [Bao ¶ 0014, Fig. 1]; In the depicted example, the example architecture 100 includes a client device 102, a network 106, and a server system 104 [Bao ¶ 0019]). As per claim 8: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 1. Furthermore, Rodriguez Bravo discloses a system for identifying and handling vulnerable information in log files of an enterprise, the system comprising: at least one hardware processor (These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks [Rodriguez Bravo ¶ 0026]); and at least one non-transitory memory storing instructions, which, when executed by the at least one hardware processor, cause the system to (A computer program product embodiment (“CPP embodiment” or “CPP”) is a term used in the present disclosure to describe any set of one, or more, storage media (also called “mediums”) collectively included in a set of one, or more, storage devices that collectively include machine readable code corresponding to instructions and/or data for performing computer operations specified in a given CPP claim. A “storage device” is any tangible device that can retain and store instructions for use by a computer processor. Without limitation, the computer readable storage medium may be an electronic storage medium, a magnetic storage medium, an optical storage medium, an electromagnetic storage medium, a semiconductor storage medium, a mechanical storage medium, or any suitable combination of the foregoing. Some known types of storage devices that include these mediums include: diskette, hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or Flash memory), static random-access memory (SRAM), compact disc read-only memory (CD-ROM), digital versatile disk (DVD), memory stick, floppy disk, mechanically encoded device (such as punch cards or pits/lands formed in a major surface of a disc) or any suitable combination of the foregoing. A computer readable storage medium, as that term is used in the present disclosure, is not to be construed as storage in the form of transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide, light pulses passing through a fiber optic cable, electrical signals communicated through a wire, and/or other transmission media [Rodriguez Bravo ¶ 0031]): The limitations of claim 8 are substantially similar to claim 1 above, and therefore the claim is likewise rejected. As per claim 11: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 8. The limitations of claim 11 are substantially similar to claim 4 above, and therefore are likewise rejected. As per claim 12: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 8. The limitations of claim 12 are substantially similar to claim 5 above, and therefore are likewise rejected. As per claim 13: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 8. The limitations of claim 13 are substantially similar to claim 6 above, and therefore are likewise rejected. As per claim 14: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 8. The limitations of claim 14 are substantially similar to claim 7 above, and therefore are likewise rejected. As per claim 15: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 1. Furthermore, Rodriguez Bravo discloses a non-transitory, computer-readable storage medium storing executable instructions, the instructions, when executed by one or more processors, cause the one or more processors to (A computer program product embodiment (“CPP embodiment” or “CPP”) is a term used in the present disclosure to describe any set of one, or more, storage media (also called “mediums”) collectively included in a set of one, or more, storage devices that collectively include machine readable code corresponding to instructions and/or data for performing computer operations specified in a given CPP claim. A “storage device” is any tangible device that can retain and store instructions for use by a computer processor. Without limitation, the computer readable storage medium may be an electronic storage medium, a magnetic storage medium, an optical storage medium, an electromagnetic storage medium, a semiconductor storage medium, a mechanical storage medium, or any suitable combination of the foregoing. Some known types of storage devices that include these mediums include: diskette, hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or Flash memory), static random-access memory (SRAM), compact disc read-only memory (CD-ROM), digital versatile disk (DVD), memory stick, floppy disk, mechanically encoded device (such as punch cards or pits/lands formed in a major surface of a disc) or any suitable combination of the foregoing. A computer readable storage medium, as that term is used in the present disclosure, is not to be construed as storage in the form of transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide, light pulses passing through a fiber optic cable, electrical signals communicated through a wire, and/or other transmission media [Rodriguez Bravo ¶ 0031]): The limitations of claim 15 are substantially similar to claim 1 above, and therefore the claim is likewise rejected. As per claim 18: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 15. The limitations of claim 18 are substantially similar to claim 4 above, and therefore are likewise rejected. As per claim 19: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 15. The limitations of claim 19 are substantially similar to claim 5 above, and therefore are likewise rejected. As per claim 20: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teach all the limitations of claim 15. The limitations of claim 20 are substantially similar to claim 6 above, and therefore are likewise rejected. Claims 2-3, 9-10, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Rodriguez Bravo in view of Engel in view of BULUT in view of Bao, in view of Park et al. (US PGPub No. 2020/0104489; hereinafter “Park”). As per claim 2: The method of claim 1, further comprising: based on identifying the subset, [building a regular expression (“regex”) to be used for identifying the vulnerability in other sets of log files of the enterprise]. Rodriguez Bravo in view of Engel in view of BULUT in view of Bao discloses the claimed subject matter as discussed above but does not explicitly disclose building a regular expression (“regex”) to be used for identifying the vulnerability in other sets of log files of the enterprise. However, Park teaches building a regular expression (“regex”) to be used for identifying the vulnerability in other sets of log files of the enterprise (Network security engine 126 can include suspicious website database 122, suspicious script database 124, and REGEX analysis engine 144. REGEX analysis engine 144 can be configured to determine if a REGEX can identify a suspicious script and to create one or more REGEXs to identify a suspicious script [Park ¶ 0043]). Rodriguez Bravo in view of Engel in view of BULUT in view of Bao and Park are analogous art because they are from the same field of endeavor of security information processing. Therefore, based on Rodriguez Bravo in view of Engel in view of BULUT in view of Bao in view of Park, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Park to the system of Rodriguez Bravo in view of Engel in view of BULUT in view of Bao in order to use a regex for security detection which allows for general similarity as an improved detection technique over precise equality (¶ 0034). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim. As per claim 3: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao in view of Park teaches all the limitations of claim 2. Furthermore, Park and BULUT disclose further comprising: applying the regex to the second set of log files to identify a subset of the second set of log files that match the regex (Then, a regular expression (REGEX) analysis can be performed on the string format of the script to help determine if the script and/or website is associated with malware [Park ¶ 0032]); wherein creating the second embeddings representing the second set of log files comprises creating embeddings for the identified subset of the second set (a second natural language description corresponding with the second log line are generated. The natural language descriptions are generated using a natural language generation engine, such as the natural language generation engine 192 in FIG. 1A. In step 410, a first log line embedding is generated using the first natural language description and a second log line embedding is generated using the second natural language description [BULUT ¶ 0085]). As per claim 9: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 8. The limitations of claim 9 are substantially similar to claim 2 above, and therefore are likewise rejected. As per claim 10: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao in view of Park teaches all the limitations of claim 9. The limitations of claim 10 are substantially similar to claim 3 above, and therefore are likewise rejected. As per claim 16: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao teaches all the limitations of claim 15. The limitations of claim 16 are substantially similar to claim 2 above, and therefore are likewise rejected. As per claim 17: Rodriguez Bravo in view of Engel in view of BULUT in view of Bao in view of Park teaches all the limitations of claim 16. The limitations of claim 17 are substantially similar to claim 3 above, and therefore are likewise rejected. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES P MOLES whose telephone number is (703)756-1043. The examiner can normally be reached M-F 8:00am-5:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAMES P MOLES/Examiner, Art Unit 2494 /SHANTO ABEDIN/Primary Examiner, Art Unit 2494
Read full office action

Prosecution Timeline

Mar 13, 2024
Application Filed
Dec 30, 2025
Non-Final Rejection mailed — §103
Mar 30, 2026
Response Filed
Jul 14, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12671592
METHOD AND APPARATUS FOR ESTABLISHING END-TO-END SECURITY IN WIRELESS COMMUNICATION SYSTEM
3y 6m to grant Granted Jun 30, 2026
Patent 12634112
HOMOMORPHIC ENCRYPTION OPERATOR, STORAGE DEVICE INCLUDING THE SAME, AND LEVEL CONFIGURATION METHOD THEREOF
3y 0m to grant Granted May 19, 2026
Patent 12627507
APPARATUS, SYSTEM, AND METHOD OF PROVIDING SERVICES
3y 8m to grant Granted May 12, 2026
Patent 12619738
GENERATING TEST DATA
2y 3m to grant Granted May 05, 2026
Patent 12603896
Agent prevention augmentation based on organizational learning
4y 1m to grant Granted Apr 14, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
61%
Grant Probability
99%
With Interview (+38.5%)
2y 11m (~7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 41 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month