Prosecution Insights
Last updated: July 17, 2026
Application No. 18/615,765

TRANSPARENT AND KEY-LESS INSPECTION OF SSL/TLS-ENCRYPTED NETWORK TRAFFIC AND SOCKET ASSOCIATION USING EBPF

Final Rejection §103
Filed
Mar 25, 2024
Priority
Apr 06, 2023 — provisional 63/457,477
Examiner
VAUGHAN, MICHAEL R
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Threat X Inc.
OA Round
2 (Final)
78%
Grant Probability
Favorable
3-4
OA Rounds
8m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
638 granted / 813 resolved
+20.5% vs TC avg
Strong +31% interview lift
Without
With
+30.9%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
9 currently pending
Career history
827
Total Applications
across all art units

Statute-Specific Performance

§101
3.4%
-36.6% vs TC avg
§103
73.5%
+33.5% vs TC avg
§102
17.7%
-22.3% vs TC avg
§112
3.9%
-36.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 813 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION The instant application having Application No. 18/615,765 is presented for examination by the examiner. Claims 1 and 13 are amended. Claims 1-24 are pending. Response to Arguments Applicant’s arguments with respect to claim(s) 1 and 13 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-24 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2020/0193017 to Bannister et al., hereinafter Bannister in view of NPL “eCapture: capture plaintext from TLS/SSL traffic using eBPF”, hereinafter eCapture. This particular file is in the Github repository for eCapture as the README.MD file. The rejection will make reference to one of the files which shows some of the actual code referenced in the README.MD file. That file, openssl.h, is cited on the 892 and will be used as ancillary evidence to show how eCapture works. As per claims 1 and 13, Bannister teaches a method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising: (A) intercepting a first call to a function in an encryption library, for creating a network entity according to a network protocol [at the time of creating a connection; 41-43 and 0065]; (B) extracting unencrypted data from the first call (0044 and 0045); (C) correlating the extracted unencrypted data from the first call with information about a socket associated with the created network entity [the function and encryption library are correlated together along with the key that decrypts the encrypted data of that socketed session; 0042, 0043, and 0053-0055]. Bannister is silent in explicitly teaching correlating the unencrypted data with stored socket information comprising a socket file descriptor and at least one of an IP address or a port extracted from a network system call. Bannister uses a EBPF program to grab unencrypted keys used for SSL communications. eCapture uses EBPF function to hook TLS/SSL reads and writes to capture unencrypted data (see first figure and section on uprobe HOOK). By using the function SSL_write eCapture obtains the socket file descriptor from ssl->wbio->num, obtains the plaintext buffer pointer from the second argument to SSL_write, stores both in a mapping keyed by thread id, and on return retrieves that stored fd/buffer. The emitted TLS event then links the fd to the plaintext that was in the SSL_write buffer. The details of SSL_write are shown in the source code for that function. Furthermore, in the source code for eCapture, probe_connect hook captures a connect(fd, sockaddr, len) call to read the fd and sockaddr which establishes an association with the socket file descriptor and the socket address. These two functions establish a correlation between the file descriptor with the plaintext and the file descriptor with the socket address. Thus, the extracted unencrypted data is correlated with stored socket information. This makes sense in terms of monitoring a connection so in the case of Bannister where the unencrypted data is the SSL key, the system needs to be able to recognize communications that use that key. Each prior art uses an EBPF program to grab unencrypted data. Correlating the key with the SSL traffic needs to be identifiable since only one given connection will use that key. The system can obviously use the socket file description and socket address as a way to identify the key used to encrypt those messages. The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which produce predictable results. Bannister needs to track keys to packets and eCapture provides one way of doing so. As per claims 2 and 14, Bannister teaches the network entity comprises a context (0044 and 0065). As per claims 3 and 15, Bannister teaches the network entity comprises a session (0065). As per claims 4 and 16, Bannister teaches the network entity comprises a connection (0042 and 0065). As per claims 5 and 17, Bannister teaches (B) comprises extracting the unencrypted data from the first call before the encrypted data is encrypted to generate encrypted data (before; 0045). As per claims 6 and 18, Bannister teaches (B) comprises extracting the unencrypted data from the first call after encrypted data has been decrypted to generate the encrypted data [after encryption the key is used to decrypt the traffic; 0042 and 0045]. As per claims 7 and 19, Bannister teaches the network protocol comprises SSL/TLS (0057 and 0065). As per claims 8 and 20, Bannister teaches intercepting the first call comprises intercepting the first call using an extended Berkeley packet filter (eBPF) subsystem (0042). As per claims 9 and 21, Bannister teaches extracting the unencrypted data from the first call comprises extracting the unencrypted data from the first call using an extended Berkeley packet filter (eBPF) subsystem (0042). As per claims 10 and 22, Bannister teaches (D) intercepting a second call to a function other than a function in the encryption library that does not create a network entity [subsequent call; 0043]; and (E) extracting unencrypted data from the second call (0057); (F) correlating the extracted unencrypted data from the second call with information about the socket associated with the created network entity [all types of functions after the creation of the network entity can be intercepted. These are referred to as subsequent calls made after the first call established a communication; 0043 and 0057]. As per claims 11 and 23, Bannister teaches intercepting the second call comprises intercepting the second call using an extended Berkeley packet filter (eBPF) subsystem (0042). As per claims 12 and 24, Bannister teaches extracting the unencrypted data from the second call comprises extracting the unencrypted data from the second call using an extended Berkeley packet filter (eBPF) subsystem (0042). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316. The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL R VAUGHAN/ Primary Examiner, Art Unit 2431
Read full office action

Prosecution Timeline

Mar 25, 2024
Application Filed
Oct 22, 2025
Non-Final Rejection mailed — §103
Mar 08, 2026
Response Filed
Jun 03, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682117
SECURITY-BY-DESIGN METHODOLOGY USING EVIDENCE-BASED SECURITY APPROACH
3y 5m to grant Granted Jul 14, 2026
Patent 12682065
TRUSTED ACCESS CONTROL FOR SECURE BOOT PROCESS FOR STORAGE CONTROLLERS OR DRIVERS
3y 7m to grant Granted Jul 14, 2026
Patent 12682072
SYSTEM AND METHOD FOR GENERATION AND DISTRIBUTION OF SECURITY MODELS
3y 2m to grant Granted Jul 14, 2026
Patent 12664475
SYSTEM AND METHOD FOR DETERMINING WHEN AN UPDATE OF AN ONLINE FRAUD DETECTION MACHINE LEARNING (ML) MODEL IS REQUIRED
2y 9m to grant Granted Jun 23, 2026
Patent 12665880
WEBSOCKET CONNECTIONS SUPPORTING SYSTEM MANAGEMENT COMMUNICATIONS
1y 7m to grant Granted Jun 23, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+30.9%)
3y 0m (~8m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 813 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month