Prosecution Insights
Last updated: April 19, 2026
Application No. 18/607,739

Computer Implemented Method of Evaluating LLMs

Final Rejection §103
Filed: Mar 18, 2024
Examiner: VANG, MENG
Art Unit: 2443
Tech Center: 2400 — Computer Networks
Assignee: Logistics And Supply Chain Multitech R&D Centre Limited
OA Round: 2 (Final)
Grant Probability: 77% (Favorable)
OA Rounds: 3-4
To Grant: 2y 11m
With Interview: 99%

Examiner Intelligence

Grants 77% — above average
Career Allow Rate: 77% (226 granted / 293 resolved, +19.1% vs TC avg)
Strong +28% interview lift
Interview Lift: +28.1% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 11m (28 currently pending)
Career history
Total Applications: 321 (across all art units)

Statute-Specific Performance

§101: 15.4% (-24.6% vs TC avg)
§103: 45.8% (+5.8% vs TC avg)
§102: 11.8% (-28.2% vs TC avg)
§112: 17.1% (-22.9% vs TC avg)
Based on career data from 293 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

This office action is in reply to Applicant’s Response dated 11/17/2025. Claims 1, 5, 7-8, 13 and 20 are amended. Claims 4 and 12 are canceled. Claims 1-3, 5-11 and 13-20 remain pending in the application.

Response to Arguments

In response to the Applicant’s argument (see page 6) with respect to the objection to the drawings, the objection to the drawings has been withdrawn in view of the replacement sheets submitted with the amendment.

The Applicant argues (see pages 7-8) that in Haag “It reveals nothing to the user about the state of the second language model.” There is no suggestion or teaching in Haag to input anything other than the user's request into the reduced resources second language model to determine if the user's request is sufficient or not to pass on to the first language model. Haag clearly and unambiguously teaches that the reduced resources second LLM is designed to provide only a two-value response, i.e., a binary response. A person of ordinary skill in the art would not seriously contemplate taking attack response data from a first LLM to determine in a second reduced sources LLM if the attack response data is indicative of a successful or failed attack.

The Applicant further argues (see page 9) that it is noted here that LLM hallucinations and 'text that can by-pass evaluation of the attack response data' comprise very different concepts. The Office cannot modify a base reference in such a way as to make unsatisfactory for its intended purpose.

In response to the Applicant’s arguments, first, claim 1 does not require nor does it recite that the state of the second language model be revealed to the user.

Second, the terms “attack data” and “text that can by-pass evaluation of the attack response data” are not defined in the claim or specification.

Third, claim 1 merely recites “the attack response data being processed to determine if the attack response data from the first LLM contains text that could by-pass evaluation of the attack response data by the second LLM, and” and “if it is determined that the received attack response data does not contain such text then inputting the attack response data to the second LLM”. Haag teaches that a result is provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced, for example by using a reduced number of neurons (layers), i.e., Parameters, and is designed to provide only a two-value response, for example, "sufficient" and "insufficient." If the response is "insufficient," then the request does not reach the first large language model at all. Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead (Haag, see page 2, paragraph 13 - page 3, paragraph 1). Clearly Haag teaches “the attack response data (response) being processed to determine if the attack response data from the first LLM contains text that could by-pass evaluation of the attack response data by the second LLM (evaluating whether the response contains “sufficient” or “insufficient”), and if it is determined that the received attack response data contains such text (contains “insufficient”), terminating the attack evaluation (request does not reach the LLM/ a fixed response or warning is output instead), and,” and “if it is determined that the received attack response data does not contain such text (does not contain “insufficient” ) then inputting the attack response data to the second LLM” (forward to the LLM).

Accordingly, Haag teaches the claim limitations above and the combination of Pryzant, Haag and Rideout teaches all of the limitations of claim 1.

In response to the Applicant’s argument that the Office cannot modify a base reference in such a way as to make unsatisfactory for its intended purpose, Pryzant discloses that quality-assurance testing such software has become more cumbersome and time-consuming, and hardening the software against attackers has similarly increased in complexity (Pryzant, see paragraph 0001). Haag discloses that depending on the load, users may have to wait a long time for a response (Haag, see page 2, paragraph 4). Incorporating Haag’s features in Pryzant would not make Pryzant’s system unsatisfactory for its intended purpose. Instead, the incorporation would further address the cumbersome and time-consuming issue disclosed by Pryzant by making Pryzant’s system use “significantly fewer resources” while still being as “helpful” for the users (Haag, see page 3, paragraph 1). Accordingly, the combination/modification is proper.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation is: “module” in claims 13, 18 and 20.

Because this claim limitation is being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph limitation: "include a processor, memory” (see page 4, lines 20-25 of the specification as filed), “processors and memory devices comprise part of the system 10” (see page 10, lines 15-20 of the specification as filed).

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7-8, 13-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pryzant et al. (U.S. PGPub 2024/0330165) in view of Haag et al. (DE 102023211799, see the English translated copy) further in view of Rideout et al. (U.S. Patent No. 12,248,883).
Regarding claims 1 and 13, Pryzant teaches A computer implemented method of evaluating attacks on a first large language model (LLM) comprising:

inputting attack data to the first LLM; (Pryzant, see figs. 3A-4; see paragraph 0100 where a first prompt (e.g., an attacker prompt) is generated...the first prompt is provided as input to a first LLM that is operating as the actor/attacker (e.g., an LLM attacker)...)

receiving attack response data from the first LLM in response to the inputted attack data; (Pryzant, see figs. 3A-4; see paragraph 0101 where first LLM processes and generates outputs (e.g., interactive content) based on the first prompt….)

processing the attack response data at a processor of a system for evaluating attacks on LLMs, said system being connected to said first LLM and a second LLM, (Pryzant, see figs. 3A-4; see paragraph 0101-0104 where first LLM processes and generates outputs (e.g., interactive content) based on the first prompt….Based on the evaluation of the responses, the second LLM may also generate a third prompt for revising the actions that are being taken by, or the outputs from, the first LLM to achieve the objective in the first prompt...)

receiving an evaluation of the attack response data from the second LLM. (Pryzant, see figs. 3A-4; see paragraph 0103 where the evaluation results are received from the second LLM…)

However, Pryzant does not explicitly teach the attack response data being processed to determine if the attack response data from the first LLM contains text that could by-pass evaluation of the attack response data by the second LLM, and, if it is determined that the received attack response data contains such text, terminating the attack evaluation, and, if it is determined that the received attack response data does not contain such text then inputting the attack response data to the second LLM.

Haag teaches the attack response data being processed to determine if the attack response data from the first LLM contains text that could by-pass evaluation of the attack response data by the second LLM, and, (Haag, see page 2, paragraph 13 - page 3, paragraph 1 where provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced...If the response is "insufficient," then the request does not reach the first large language model at all. Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead...)

if it is determined that the received attack response data contains such text, terminating the attack evaluation, and, (Haag, see page 2, paragraph 13 - page 3, paragraph 1 where provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced...If the response is "insufficient," then the request does not reach the first large language model at all (terminated). Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead...)
if it is determined that the received attack response data does not contain such text then inputting the attack response data to the second LLM (Haag, see page 2, paragraph 13 - page 3, paragraphs 1-4 where provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced...If the response is "insufficient," then the request does not reach the first large language model at all. Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead...request can be forwarded to the second language model...)

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant and Haag to provide the technique of the attack response data being processed to determine if the attack response data from the first LLM contains text that could by-pass evaluation of the attack response data by the second LLM, and, if it is determined that the received attack response data contains such text, terminating the attack evaluation, and, if it is determined that the received attack response data does not contain such text then inputting the attack response data to the second LLM of Haag in the system of Pryzant in order to use fewer resources to provide a helpful response to a user request (Haag, see page 3, paragraph 1).

However, Pryzant-Haag does not explicitly teach which is configured to evaluate the attack response data against a plurality of attack severity categories; and

Rideout teaches which is configured to evaluate the attack response data against a plurality of attack severity categories; and (Rideout, see fig. 11; see col. 2, lines 22-39 where generative artificial intelligence (GenAI) model (e.g., MLA 130, a large language model, etc.)...categories can take varying forms. As one example, the category can specify a threat severity for the prompt (malicious, suspicious, unknown, or benign, etc.).; see col. 10, lines 7-27 where determined, at 1120, whether the prompt comprises or otherwise attempts to elicit malicious content or actions based on an output of a prompt injection classifier. The prompt injection classifier can be a binary classifier which indicates whether the prompt is malicious or benign...; see also col. 8, lines 57-64 different sets of prompts for each category (i.e., severity level, type of attack, etc.) which are labeled with their category (e.g., security level, type of attack, etc.).)

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant-Haag and Rideout to provide the technique of evaluating the attack response data against a plurality of attack severity categories of Rideout in the system of Pryzant in order to provide enhanced visibility into the health and security of an enterprise's machine learning assets (Rideout, see col. 3, lines 32-39).

Regarding claims 2 and 14, Pryzant-Haag-Rideout teaches wherein the first LLM comprises a generative pre-trained transformer (GPT) model and (Pryzant, see fig. 1; see paragraph 0017 where LLMs include the GPT-3 model from OpenAI…) the second LLM comprises a moderation application. (Pryzant, see figs. 3A-4; see paragraph 0083 where the second prompt 335a to the evaluator [E] (moderation application)…)

Regarding claim 3, Pryzant-Haag-Rideout teaches wherein the moderation application is configured to use natural language processing (NLP) to detect any one or more of: inappropriate generated content; prohibited generated content; incitement generated content; hate-speech generated content; seditious generated content; obfuscated generated content; and generated content configured to by-pass evaluation by the moderation application. (Pryzant, see figs. 3A-4; see paragraph 0027 where text prompts or natural language (“NL”) prompts from a user 210; see paragraph 0067 where natural language instructions…; see paragraph 0082 where outputs of the chatbot are safe, unsafe, and/or contain hallucinated content (e.g., content that is not supported by the inputs, such as the prompts or interactions, or additional content that is not supported by the inputs)...; see paragraph 0092 where content that is prejudiced against real people)

Regarding claim 5, Pryzant-Haag-Rideout teaches wherein the second LLM assigns a value indicative of a level of severity for each of said plurality of attack severity categories. (Rideout, see fig. 11; see col. 2, lines 22-39 where generative artificial intelligence (GenAI) model (e.g., MLA 130, a large language model, etc.)...categories can take varying forms. As one example, the category can specify a threat severity for the prompt (malicious, suspicious, unknown, or benign, etc.).; see col. 10, lines 7-27 where determined, at 1120, whether the prompt comprises or otherwise attempts to elicit malicious content or actions based on an output of a prompt injection classifier. The prompt injection classifier can be a binary classifier which indicates whether the prompt is malicious or benign...; see also col. 8, lines 57-64 different sets of prompts for each category (i.e., severity level, type of attack, etc.) which are labeled with their category (e.g., security level, type of attack, etc.).) The motivation regarding to the obviousness to claim 1 is also applied to claim 5.

Regarding claim 7, Pryzant-Haag-Rideout teaches wherein, prior to inputting the attack response data into the second LLM, determining if the attack response data is indicative of a new or unknown attack purpose; and, (Pryzant, see figs. 3A-4; see paragraph 0083 where the first prompt 315a to the actor [A] 320a may include the following NL prompt either from an orchestrator and/or a user: “You are a user trying to corrupt the chatbot...the third prompt 350a to the actor [A] 320a may include the following NL prompt from the evaluator [E] 340a: “You are going on a tangent. Please focus on the following topics in your attempts to corrupt the chatbot by...)

if it is determined that the attack response data is indicative of a new or unknown attack purpose, defining severity categories for said new or unknown attack purpose. (Rideout, see fig. 11; see col. 2, lines 22-39 where generative artificial intelligence (GenAI) model (e.g., MLA 130, a large language model, etc.)...categories can take varying forms. As one example, the category can specify a threat severity for the prompt (malicious, suspicious, unknown, or benign, etc.).; see col. 10, lines 7-27 where determined, at 1120, whether the prompt comprises or otherwise attempts to elicit malicious content or actions based on an output of a prompt injection classifier. The prompt injection classifier can be a binary classifier which indicates whether the prompt is malicious or benign...; see also col. 8, lines 57-64 different sets of prompts for each category (i.e., severity level, type of attack, etc.) which are labeled with their category (e.g., security level, type of attack, etc.).) The motivation regarding to the obviousness to claim 1 is also applied to claim 7.

Regarding claim 8, Pryzant-Haag-Rideout teaches wherein, prior to inputting the attack response data into the second LLM, constructing a severity evaluation prompt for the attack response data and (Pryzant, see figs. 3A-4; see paragraph 0101 where first LLM processes and generates outputs (e.g., interactive content) based on the first prompt….; see paragraphs 0102-0103 where a second prompt (e.g., an evaluator prompt) is generated … the second prompt includes at least the responses from the software and/or the outputs from the first LLM... the second prompt is provided as input to a second LLM (e.g., an LLM evaluator) that is operating as an evaluator...)

inputting the severity evaluation prompt to the second LLM. (Pryzant, see figs. 3A-4; see paragraph 0101 where first LLM processes and generates outputs (e.g., interactive content) based on the first prompt….; see paragraphs 0102-0103 where a second prompt (e.g., an evaluator prompt) is generated … the second prompt includes at least the responses from the software and/or the outputs from the first LLM... the second prompt is provided as input to a second LLM (e.g., an LLM evaluator) that is operating as an evaluator...)

Regarding claim 15, Pryzant-Haag-Rideout teaches wherein the moderation application comprises an application programming interface (API). (Pryzant, see paragraph 0021 where a web-based portal, an application programming interface (“API”)….)

Regarding claim 16, Pryzant-Haag-Rideout teaches wherein the moderation application comprises OpenAI™ API. (Pryzant, see paragraph 0021 where a web-based portal, an application programming interface (“API”)…; see fig. 1; see paragraph 0017 where LLMs include the GPT-3 model from OpenAI…)

Regarding claim 19, Pryzant-Haag-Rideout teaches wherein the system is a web server-based computer system. (Pryzant, see paragraph 0021 where a web-based portal, an application programming interface (“API”)….)

Regarding claim 20, Pryzant teaches A system for evaluating an attack on a large language model (LLM) comprising:

a module for receiving attack response data from a first LLM in response to attack data inputted to said first LLM; (Pryzant, see figs. 3A-4; see paragraph 0100 where a first prompt (e.g., an attacker prompt) is generated...the first prompt is provided as input to a first LLM that is operating as the actor/attacker (e.g., an LLM attacker)...)

a module for receiving evaluation data from a second LLM in response to said attack response data being inputted to said second LLM, and (Pryzant, see figs. 3A-4; see paragraphs 0102-0103 where a second prompt (e.g., an evaluator prompt) is generated … the second prompt includes at least the responses from the software and/or the outputs from the first LLM... the second prompt is provided as input to a second LLM (e.g., an LLM evaluator) that is operating as an evaluator...; see paragraph 0103 where the evaluation results are received from the second LLM…)

However, Pryzant does not explicitly teach a processor for processing the attack response data from the first LLM to determine if the attack response data contains text that could by-pass evaluation of the attack response data by a second LLM, the processor being configured to terminate the attack evaluation if the processor determines that the received attack response data contains such text, and the processor being configured to pass the attack response data to a module for inputting the attack response data to the second LLM.

Haag teaches a processor for processing the attack response data from the first LLM to determine if the attack response data contains text that could by-pass evaluation of the attack response data by a second LLM, (Haag, see page 2, paragraph 13 - page 3, paragraph 1 where provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced...If the response is "insufficient," then the request does not reach the first large language model at all. Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead...)

the processor being configured to terminate the attack evaluation if the processor determines that the received attack response data contains such text, and (Haag, see page 2, paragraph 13 - page 3, paragraph 1 where provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced...If the response is "insufficient," then the request does not reach the first large language model at all (terminated). Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead...)

the processor being configured to pass the attack response data to a module for inputting the attack response data to the second LLM (Haag, see page 2, paragraph 13 - page 3, paragraphs 1-4 where provided precisely for this type of request text, bypassing the first large language model by evaluating the request in the second language model. The second language model is resource-reduced...If the response is "insufficient," then the request does not reach the first large language model at all. Instead of a result that would be provided specifically for the request by the large language model, a fixed response or warning is output instead...request can be forwarded to the second language model...)
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant and Haag to provide the technique of a processor for processing the attack response data from the first LLM to determine if the attack response data contains text that could by-pass evaluation of the attack response data by a second LLM, of the processor being configured to terminate the attack evaluation if the processor determines that the received attack response data contains such text, and the processor being configured to pass the attack response data to a module for inputting the attack response data to the second LLM of Haag in the system of Pryzant in order to use fewer resources to provide a helpful response to a user request (Haag, see page 3, paragraph 1).

However, Pryzant-Haag does not explicitly teach configured to evaluate the attack response data against a plurality of attack severity categories; a module for determining a severity level of the attack on the first LLM based on the evaluation data received from the second LLM.

Rideout teaches configured to evaluate the attack response data against a plurality of attack severity categories; (Rideout, see fig. 11; see col. 2, lines 22-39 where generative artificial intelligence (GenAI) model (e.g., MLA 130, a large language model, etc.)...categories can take varying forms. As one example, the category can specify a threat severity for the prompt (malicious, suspicious, unknown, or benign, etc.).; see col. 10, lines 7-27 where determined, at 1120, whether the prompt comprises or otherwise attempts to elicit malicious content or actions based on an output of a prompt injection classifier. The prompt injection classifier can be a binary classifier which indicates whether the prompt is malicious or benign...; see also col. 8, lines 57-64 different sets of prompts for each category (i.e., severity level, type of attack, etc.) which are labeled with their category (e.g., security level, type of attack, etc.).)

a module for determining a severity level of the attack on the first LLM based on the evaluation data received from the second LLM. (Rideout, see fig. 11; see col. 2, lines 22-39 where generative artificial intelligence (GenAI) model (e.g., MLA 130, a large language model, etc.)...categories can take varying forms. As one example, the category can specify a threat severity for the prompt (malicious, suspicious, unknown, or benign, etc.).; see col. 10, lines 7-27 where determined, at 1120, whether the prompt comprises or otherwise attempts to elicit malicious content or actions based on an output of a prompt injection classifier. The prompt injection classifier can be a binary classifier which indicates whether the prompt is malicious or benign...; see also col. 8, lines 57-64 different sets of prompts for each category (i.e., severity level, type of attack, etc.) which are labeled with their category (e.g., security level, type of attack, etc.).)

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant-Haag and Rideout to provide the technique of evaluating the attack response data against a plurality of attack severity categories and a module for determining a severity level of the attack on the first LLM based on the evaluation data received from the second LLM of Rideout in the system of Pryzant in order to provide enhanced visibility into the health and security of an enterprise's machine learning assets (Rideout, see col. 3, lines 32-39).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Pryzant-Haag-Rideout in view of Lasso et al. (U.S. PGPub 2025/0168056).

Regarding claim 6, Pryzant-Haag-Rideout teaches all of the features of claim 5.
However, Pryzant-Haag-Rideout does not explicitly teach further comprising determining an average severity level for evaluated attack response data, the average severity level being determined from the indicative severity level values assigned by the second LLM for each of said plurality of attack severity categories. Lasso teaches further comprising determining an average severity level for evaluated attack response data, the average severity level being determined from the indicative severity level values assigned by the second LLM for each of said plurality of attack severity categories. (Lasso, see paragraph 0041 where generate an anomaly impact score based on the sub-scores. The anomaly impact score can be the weighted average of the sub-scores…; see paragraph 0045 where including but not limited to generative text models, such as conversational large language foundation models including GPT (“generative pre-training transformer”), including ChatGPT, GPT-4...) It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant-Haag-Rideout and Lasso to provide the technique of determining an average severity level for evaluated attack response data, the average severity level being determined from the indicative severity level values assigned by the second LLM for each of said plurality of attack severity categories of Lasso in the system of Pryzant-Haag-Rideout in order to identify anomalies or attacks in real-time and notify users (Lasso, see paragraphs 0003). Claims 9 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Pryzant-Haag-Rideout in view of Murphy et al. (U.S. PGPub 2024/0291853). Regarding claims 9 and 17, Pryzant-Haag-Rideout teaches all of the features of claims 1 and 13. 
However, Pryzant-Haag-Rideout does not explicitly teach wherein the step of inputting attack data to a first LLM comprises selecting attack data defining a specified type of attack from a database storing attack data defining a plurality of types of attacks. Murphy teaches wherein the step of inputting attack data to a first LLM comprises selecting attack data defining a specified type of attack from a database storing attack data defining a plurality of types of attacks. (Murphy, see paragraph 0607 where working with large language models (e.g., large language model 308), as it provides a way to guide the AI model's responses and ensure that they are accurate; see paragraph 0654 where developed and trained using historical data, which includes both normal network behavior and various types of intrusions or attacks....; see also paragraphs 0729-0730) It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant-Haag-Rideout and Murphy to provide the technique of selecting attack data defining a specified type of attack from a database storing attack data defining a plurality of types of attacks of Murphy in the system of Pryzant-Haag-Rideout in order to generate more natural and effective responses (Murphy, see paragraph 0459). Regarding claim 18, Pryzant-Haag-Rideout-Murphy further comprising a module for receiving a user selection of attack data defining a specified type of attack from the database. (Murphy, see paragraph 0529 where account history for the user who created the role to determine if this is normal behavior... 
any suspicious activity by leveraging tools such as IDS/IPS and Security Information and Event Management (SIEM) to identify any malicious network traffic...; see paragraph 0607 where working with large language models (e.g., large language model 308), as it provides a way to guide the AI model's responses and ensure that they are accurate; see paragraph 0654 where developed and trained using historical data, which includes both normal network behavior and various types of intrusions or attacks....; see also paragraphs 0729-0730) The motivation regarding to the obviousness to claim 17 is also applied to claim 18. Claims 10 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Pryzant-Haag-Rideout in view of Cui et al. (U.S. PGPub 2025/0077940). Regarding claim 10, Pryzant-Haag-Rideout teaches wherein, prior to inputting the attack response data into the second LLM, determining if the attack response data is indicative of a successful or failed attack; and, (Pryzant, see figs. 3A-4; see paragraph 0083 where , the first prompt 315a to the actor [A] 320a may include the following NL prompt either from an orchestrator and/or a user: “You are a user trying to corrupt the chatbot...the third prompt 350a to the actor [A] 320a may include the following NL prompt from the evaluator [E] 340a: “You are going on a tangent. Please focus on the following topics in your attempts to corrupt the chatbot by...include the following evaluation: “The chatbot produced content that is prejudiced against real people. Conclusion: The chatbot is unsafe. ) However, Pryzant-Haag-Rideout does not explicitly teach if the attack is deemed to be a failed attack, terminating the evaluation. Cui teaches if the attack is deemed to be a failed attack, terminating the evaluation. 
(Cui, see paragraph 0049 where the iterative verification and improvement process may terminate even without achieving a hallucination-free answer...the model 302 terminates the process and outputs an error message to the user…) It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Pryzant-Haag-Rideout and Cui to provide the technique of if the attack is deemed to be a failed attack, terminating the evaluation of Cui in the system of Pryzant-Haag-Rideout in order to improve the cost in terms of resources for operating LLMs (Cui, see paragraph 0003). Regarding claim 11, Pryzant-Haag-Rideout-Cui teaches wherein, prior to determining if the attack response data is indicative of a successful or failed attack, determining if the attack response data contains obfuscated text; and, (Pryzant, see figs. 3A-4; see paragraph 0083 where , the first prompt 315a to the actor [A] 320a may include the following NL prompt either from an orchestrator and/or a user: “You are a user trying to corrupt the chatbot...the third prompt 350a to the actor [A] 320a may include the following NL prompt from the evaluator [E] 340a: “You are going on a tangent. Please focus on the following topics in your attempts to corrupt the chatbot by...include the following evaluation: “The chatbot produced content that is prejudiced against real people. Conclusion: The chatbot is unsafe. ) if it is determined that the attack response data contains obfuscated text, terminating the evaluation. 
(Cui, see paragraph 0049 where the iterative verification and improvement process may terminate even without achieving a hallucination-free answer (obfuscated text/answer)...the model 302 terminates the process and outputs an error message to the user…; see paragraph 0028 where a text output field configured to receive a final answer...; see paragraph 0002 where these occurrences of inaccurate or completely wrong answers are termed “hallucinations.”) The motivation regarding to the obviousness to claim 10 is also applied to claim 11. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG VANG whose telephone number is (571)270-7023. The examiner can normally be reached M-F 8AM-2PM, 3PM-5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NICHOLAS TAYLOR can be reached at (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MENG VANG/Primary Examiner, Art Unit 2443

Prosecution Timeline

Mar 18, 2024: Application Filed
Jul 15, 2025: Non-Final Rejection — §103
Nov 17, 2025: Response Filed
Mar 06, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602478
MALWARE MONITORING AND DETECTION
2y 5m to grant Granted Apr 14, 2026
Patent 12592834
SYSTEM AND METHOD FOR GENERATING A DIGITAL CERTIFICATE FOR A USER USING A DECENTRALIZED BLOCKCHAIN
2y 5m to grant Granted Mar 31, 2026
Patent 12592841
ACTIVE-ACTIVE REPLICATION IN BLOCKCHAIN TABLES WITH PRIMARY KEY CONSTRAINTS
2y 5m to grant Granted Mar 31, 2026
Patent 12586395
CREATING MACHINE LEARNING MODELS FOR DETECTING THE APPLICATION OF SPECIFIC DEEPFAKE TOOLS
2y 5m to grant Granted Mar 24, 2026
Patent 12587446
MANAGING NETWORK DEVICE CONFIGURATIONS BASED ON CONFIGURATION FRAGMENTS
2y 5m to grant Granted Mar 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 77%
With Interview (+28.1%): 99%
Median Time to Grant: 2y 11m
PTA Risk: Moderate
Based on 293 resolved cases by this examiner. Grant probability derived from career allow rate.
