DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed on 11/28/2025 has been entered. Applicant amended claims 1-4, 6-12, 14-20 in the amendment.
Claims 1-20 remain pending.
Response to Arguments
Applicant’s arguments with respect to claims 1-20 filed on 11/28/2025 have been considered but they are deemed to be moot in view of new grounds of rejection.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 6, 8-15, 17, and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 6 recites the limitation "the detection priority" in lines 1-2. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 8, the claim limitation recites “receiving the cybersecurity detection reported via a cloud computing environment by a cybersecurity sensory agent monitoring installed at a client device” in lines 6-7, which renders the claim vague and indefinite. The examiner is unable to determine the scope of the claim.
Claim 17 recites the limitation "the machine contexts" in line 3. There is insufficient antecedent basis for this limitation in the claim.
Claim 18 recites the limitation "the machine contexts" in line 3. There is insufficient antecedent basis for this limitation in the claim.
All dependent claims are rejected as having the same deficiencies as the claims they depend from.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3 are rejected under 35 U.S.C. 103 as being unpatentable over Matos et al. (US 2024/0427916 A1), hereinafter Matos, in view of Beauchesne et al. (US 12,182,670 B1), hereinafter Beauchesne.
Regarding claim 1, Matos discloses
A method executed by a computer system that prioritizes a cybersecurity detection based on a machine context, comprising:
pre-screening the cybersecurity detection by routing, by the computer system, the machine context to a cybersecurity detection prediction service that compares the machine context to a cybersecurity machine contextual profile generated by a machine learning model trained using machine contexts ([0032]: receive internal data from one or more internal systems or devices; the data may be used to train a machine learning model, generate dynamic variable profiles; & [0034]: based on generated dynamic variable profiles (e.g., each profile being associated with a different user variable), the machine learning model may be trained to compare user specific data related to a user event request to one or more dynamic variable profiles associated with the user to determine whether the user event request includes an anomaly or potential unauthorized activity);
receiving, by the computer system, a detection prediction output by the cybersecurity detection prediction service that pre-screens the cybersecurity detection as a true positive report based on a statistical non-conformance of the machine context to the cybersecurity machine contextual profile ([0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity); & [0038]: identify one or more mitigating actions based on an output indicating unauthorized activity or potential unauthorized activity); and
in response to the detection prediction of the true positive report, queueing, by the computer system, the cybersecurity detection for a human expert cybersecurity assessment ([0038]: mitigation action module 112f may identify that the anomaly should be assigned to an analyst for review; & [0063]: forwarding the event request to an analyst computing device for evaluation).
Matos does not explicitly disclose
a machine learning model trained using detection priorities.
However, Beauchesne discloses
a machine learning model trained using detection priorities (Col. 42, lines 46-55: a subset of the features is selected to train a machine learning model; the feature variability metric values of all features are ranked, and a specified number of the highest or lowest ranked features are selected for the subset).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Beauchesne in Matos because Matos discloses training a machine learning model ([0032]) and Beauchesne further suggests training a machine learning model with ranked features (Col. 42, lines 46-55).
One of ordinary skill in the art would be motivated to utilize the teachings of Beauchesne in the Matos system in order to increase model accuracy.
Regarding claim 2, Matos and Beauchesne disclose the method as described in claim 1. Matos further discloses
associating the machine context with a normal operation in response to determining that the machine context conforms to the cybersecurity machine contextual profile generated by the machine learning model ([0034]: the machine learning model may be trained (e.g., using data received from one or more internal data sources, external data sources, and the like) to identify patterns or sequences in data to identify or generate a plurality of dynamic variable profiles and identify patterns or sequences in data that may indicate potential unauthorized activity).
Regarding claim 3, Matos and Beauchesne disclose the method as described in claim 1. Matos further discloses
associating the machine context with an abnormal operation in response to determining that the machine context fails to conform to the cybersecurity machine contextual profile generated by the machine learning model ([0034]: the machine learning model may be trained (e.g., using data received from one or more internal data sources, external data sources, and the like) to identify patterns or sequences in data to identify or generate a plurality of dynamic variable profiles and identify patterns or sequences in data that may indicate potential unauthorized activity).
Claims 4, 5, and 8-14 are rejected under 35 U.S.C. 103 as being unpatentable over Matos in view of Beauchesne, and further in view of Bazalgette (EP 3,528,463 A1).
Regarding claim 4, Matos and Beauchesne disclose the method as described in claim 1. Matos further discloses
receiving the machine context from a client device ([0022]: receive user specific data associated with a user; the user specific data may be associated with a requested user event, such as opening a new account, obtaining a product, or the like; & [0027]: the remote user computing device 150 and/or remote user computing device 155 may be used to request a service or product, request a transaction, or request another type of user event; & [0035]: receive, as inputs, user specific data associated with a user request).
Matos and Beauchesne do not explicitly disclose
executing a cybersecurity sensory agent installed at the client device.
However, Bazalgette discloses
receiving the machine context from a client device executing a cybersecurity sensory agent installed at the client device ([0103]: raw data required to obtain these metrics may be collected via a passive fiber or copper connection to the network's internal switch gear, from virtual switching implementations, from cloud based systems, or from communicating devices themselves; & [0062]: the computer on the first computer system has the threat detection system and therefore runs the threat detection method for detecting threats to the first computer system; as such, it comprises a processor arranged to run the steps of the process described herein, memory required to store information related to the running of the process, as well as a network interface for collecting the required information).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Bazalgette in Matos and Beauchesne because Matos and Beauchesne disclose receiving a user request from a user device ([0027]), and Bazalgette further suggests running the steps of the process on a computer ([0103]).
One of ordinary skill in the art would be motivated to utilize the teachings of Bazalgette in the Matos and Beauchesne system in order to provide faster performance.
Regarding claim 5, Matos and Beauchesne disclose the method as described in claim 1. Matos and Beauchesne do not explicitly disclose
determining a detection count specified by the machine context.
However, Bazalgette discloses
determining a detection count specified by the machine context ([0103]: raw data required to obtain these metrics may be collected via a passive fiber or copper connection to the network's internal switch gear, from virtual switching implementations, from cloud based systems, or from communicating devices themselves).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Bazalgette in Matos and Beauchesne because Matos and Beauchesne disclose determining whether an anomaly exists in the user specific data ([0006]), and Bazalgette further suggests obtaining metrics ([0103]).
One of ordinary skill in the art would be motivated to utilize the teachings of Bazalgette in the Matos and Beauchesne system in order to better organize data.
Regarding claim 8, Matos discloses
A computer system (dynamic variable control computing platform 110, FIG. 1B) that prioritizes a cybersecurity detection based on a client machine context, comprising:
at least one central processing unit (FIG. 1B & [0030]: one or more processors 111); and
at least one memory device (FIG. 1B & [0030]: memory 112) storing instructions that, when executed by the at least one central processing unit, perform operations, the operations comprising:
receiving the client machine context from the client device ([0022]: receive user specific data associated with a user; the user specific data may be associated with a requested user event, such as opening a new account, obtaining a product, or the like; & [0027]: the remote user computing device 150 and/or remote user computing device 155 may be used to request a service or product, request a transaction, or request another type of user event; & [0035]: receive, as inputs, user specific data associated with a user request);
pre-screening the cybersecurity detection by routing the client machine context to a cybersecurity detection prediction service that compares the client machine context to a cybersecurity machine contextual profile generated by a machine learning model trained using client machine contexts ([0032]: receive internal data from one or more internal systems or devices; the data may be used to train a machine learning model, generate dynamic variable profiles; & [0034]: based on generated dynamic variable profiles (e.g., each profile being associated with a different user variable), the machine learning model may be trained to compare user specific data related to a user event request to one or more dynamic variable profiles associated with the user to determine whether the user event request includes an anomaly or potential unauthorized activity);
receiving a detection prediction output by the cybersecurity detection prediction service that predicts the cybersecurity detection as a true positive report based on a statistical non-conformance of the client machine context to the cybersecurity machine contextual profile ([0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity); & [0038]: identify one or more mitigating actions based on an output indicating unauthorized activity or potential unauthorized activity); and
in response to the detection prediction of the true positive report, queueing the cybersecurity detection for a human expert cybersecurity assessment ([0038]: mitigation action module 112f may identify that the anomaly should be assigned to an analyst for review; & [0063]: forwarding the event request to an analyst computing device for evaluation).
Matos does not explicitly disclose
a machine learning model trained using detection priorities.
However, Beauchesne discloses
a machine learning model trained using detection priorities (Col. 42, lines 46-55: a subset of the features is selected to train a machine learning model; the feature variability metric values of all features are ranked, and a specified number of the highest or lowest ranked features are selected for the subset).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Beauchesne in Matos because Matos discloses training a machine learning model ([0032]) and Beauchesne further suggests training a machine learning model with ranked features (Col. 42, lines 46-55).
One of ordinary skill in the art would be motivated to utilize the teachings of Beauchesne in the Matos system in order to increase model accuracy.
Matos and Beauchesne do not explicitly disclose
receiving the cybersecurity detection reported via a cloud computing environment by a cybersecurity sensory agent monitoring installed at a client device;
receiving the client machine context associated with the cybersecurity sensory agent.
However, Bazalgette discloses
receiving the cybersecurity detection reported via a cloud computing environment by a cybersecurity sensory agent monitoring installed at a client device ([0097]: the raw data sources include, but are not limited to: machine generated log files; individual machine, peripheral or component power usage; machine level performance data taken from on-host sources (CPU usage/memory usage/disk usage/disk free space/network usage/etc.); & [0037]: the pattern of the behavior of the activities/events/alerts that are left, after the filtering, can be analyzed to determine whether that pattern is indicative of a behavior of a malicious actor – human, program, or other threat; & [0027]: a trigger module may detect timestamped data indicating an event is occurring and then triggers that something unusual is happening; the gatherer module is triggered by specific events or alerts of i) an abnormal behavior, ii) a suspicious activity, and iii) any combination of both; the received data is passed to the cyber security analyst, which may be hosted on a device, on one or more servers, and/or in its own cyber threat appliance platform; & [0062]: the computer on the first computer system has the threat detection system and therefore runs the threat detection method for detecting threats to the first computer system; as such, it comprises a processor arranged to run the steps of the process described herein, memory required to store information related to the running of the process, as well as a network interface for collecting the required information; & [0063]: the computer builds and maintains a dynamic, ever-changing model of the ‘normal behavior’ of each user and machine within the system);
receiving the client machine context associated with the cybersecurity sensory agent ([0111]: the step of computing the threat involves comparing current data collected in relation to the user with the model of normal behavior of the user and system being analyzed; the current data collected relates to a period in time, this could be in relation to a certain influx of new data or a specified period of time from a number of seconds to a number of days; & [0112]: the system uses machine learning/AI to understand what is normal inside a company’s network, and when something’s not normal).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Bazalgette in Matos and Beauchesne because Matos and Beauchesne disclose receiving a user request from a user device ([0027]), and Bazalgette further suggests running the steps of the process on a computer ([0103]).
One of ordinary skill in the art would be motivated to utilize the teachings of Bazalgette in the Matos and Beauchesne system in order to provide faster performance.
Regarding claim 9, Matos, Beauchesne, and Bazalgette disclose the computer system as described in claim 8. Matos further discloses
determining the client machine context is abnormal operation based on the cybersecurity machine contextual profile ([0034]: the machine learning model may be trained (e.g., using data received from one or more internal data sources, external data sources, and the like) to identify patterns or sequences in data to identify or generate a plurality of dynamic variable profiles and identify patterns or sequences in data that may indicate potential unauthorized activity; & [0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity); & [0038]: identify one or more mitigating actions based on an output indicating unauthorized activity or potential unauthorized activity).
Regarding claim 10, Matos, Beauchesne, and Bazalgette disclose the computer system as described in claim 8. Matos further discloses
determining the client machine context is normal operation based on the cybersecurity machine contextual profile ([0034]: the machine learning model may be trained (e.g., using data received from one or more internal data sources, external data sources, and the like) to identify patterns or sequences in data to identify or generate a plurality of dynamic variable profiles and identify patterns or sequences in data that may indicate potential unauthorized activity; & [0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity)).
Regarding claim 11, Matos, Beauchesne, and Bazalgette disclose the computer system as described in claim 8. Matos, Beauchesne, and Bazalgette further disclose
ranking the cybersecurity detection (Bazalgette: [0079]: rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach; & [0111]: comparing current data collected in relation to the user with the model of normal behavior of the user and system being analyzed). Therefore, the limitations of claim 11 are rejected in the analysis of claim 8 above, and the claim is rejected on that basis.
Regarding claim 12, Matos, Beauchesne, and Bazalgette disclose the computer system as described in claim 8. Matos, Beauchesne, and Bazalgette further disclose
ranking the cybersecurity detection based on the detection prediction output by the cybersecurity detection prediction service (Bazalgette: [0079]: rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach). Therefore, the limitations of claim 12 are rejected in the analysis of claim 8 above, and the claim is rejected on that basis.
Regarding claim 13, Matos, Beauchesne, and Bazalgette disclose the computer system as described in claim 8. Matos, Beauchesne, and Bazalgette further disclose
training the machine learning model using historical detection priorities associated with historical machine contexts (Bazalgette: [0034]: the analyzer module also may utilize repetitive feedback, as time goes on, for the AI models trained with machine learning on possible cyber threats via viewing a subsequent resulting analysis of the supported possible cyber threat hypothesis and supply that information to the training of the AI models trained with machine learning on possible cyber threats in order to reinforce the model’s finding as correct or inaccurate; & [0039]: each analyzer instance ranks incidents by a severity level of that threat and optional hypothesis confidence level; & [0045]: once the AI cyber-security analyst has decided an incident is reportable, the formatting model may generate a textual write up of an incident report in a human readable, formalized report format for a wide range of breaches of normal behavior, used by the AI models trained with machine learning on the normal behavior of the system). Therefore, the limitations of claim 13 are rejected in the analysis of claim 8 above, and the claim is rejected on that basis.
Regarding claim 14, the limitations of claim 14 are rejected in the analysis of claim 5 above and this claim is rejected on that basis.
Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Matos in view of Beauchesne, in view of Bazalgette, and further in view of Lim et al. (US 12,124,573 B1), hereinafter Lim.
Regarding claim 6, Matos, Beauchesne, and Bazalgette disclose the method as described in claim 5. Matos, Beauchesne, and Bazalgette further disclose
generating the detection priority by comparing the machine context and the detection count to the cybersecurity machine contextual profile generated by the machine learning model trained using the machine contexts and detection counts sampled from client devices (Bazalgette: [0111]: comparing current data collected in relation to the user with the model of normal behavior of the user and system being analyzed; the expected behavior is then compared with actual behavior in order to determine whether there is a threat; & [0016]: identify abnormal behavior with one or more AI models trained with machine learning on a normal behavior of the system).
Matos, Beauchesne, and Bazalgette do not explicitly disclose
comparing the detection count to their corresponding detection counts sampled from client devices.
However, Lim discloses
generating the detection priority by comparing the machine context and the detection count to the cybersecurity machine contextual profile generated by the machine learning model trained using the machine contexts and their corresponding detection counts sampled from client devices (Col. 7, line 65 - Col. 8, line 2: determine whether the number of occurred events exceeds the event processing threshold of the security equipment by comparing the number of events that can be processed simultaneously by the security equipment with the number of occurred events).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Lim in Matos, Beauchesne, and Bazalgette because Matos, Beauchesne, and Bazalgette disclose receiving a request for a user event ([0006]) and Lim further suggests comparing the number of events that can be processed simultaneously by the security equipment with the number of occurred events (Col. 7, line 65 - Col. 8, line 2).
One of ordinary skill in the art would be motivated to utilize the teachings of Lim in the Matos, Beauchesne, and Bazalgette system in order to allow an organization to focus limited resources on the most significant threats.
Regarding claim 15, the limitations of claim 15 are rejected in the analysis of claim 6 above and this claim is rejected on that basis.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Matos in view of Beauchesne, and further in view of Schmitt (US 2016/0110549 A1).
Regarding claim 7, Matos and Beauchesne disclose the method as described in claim 1. Matos and Beauchesne do not explicitly disclose
adding entries to a database that logs the detection prediction to the machine context.
However, Schmitt discloses
adding entries to a database that logs the detection prediction to the machine context ([0031]: the security flaw prioritization information obtained by the security flaw prioritization model is stored in a data storage device such as, for example, the data storage device of the computing device, or the historical scan database).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Schmitt in Matos and Beauchesne because Matos and Beauchesne disclose storing user information ([0024]) and Schmitt further suggests storing security flaw prioritization information in a data storage device ([0031]).
One of ordinary skill in the art would be motivated to utilize the teachings of Schmitt in the Matos and Beauchesne system in order to maintain data integrity.
Claims 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Matos in view of Bazalgette.
Regarding claim 16, Matos discloses
A non-transitory memory device storing instructions that, when executed by at least one central processing unit, perform operations, comprising:
pre-screening the cybersecurity detection by routing the client machine contexts to a cybersecurity detection prediction service that compares the client machine contexts to a cybersecurity machine contextual profile generated by a machine learning model trained using historical client machine contexts sampled from the client devices ([0021]: receive historical data associated with a plurality of users; & [0032]: receive internal data from one or more internal systems or devices; the data may be used to train a machine learning model, generate dynamic variable profiles; & [0034]: based on generated dynamic variable profiles (e.g., each profile being associated with a different user variable), the machine learning model may be trained to compare user specific data related to a user event request to one or more dynamic variable profiles associated with the user to determine whether the user event request includes an anomaly or potential unauthorized activity; & [0070]: the computing platform may train a machine learning model using the received historical data);
receiving detection predictions output by the cybersecurity detection prediction service that predict the cybersecurity detections as a true positive report based on a statistical non-conformance of the client machine contexts to the cybersecurity machine contextual profile ([0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity); & [0038]: identify one or more mitigating actions based on an output indicating unauthorized activity or potential unauthorized activity); and
in response to the detection prediction of the true positive report, queueing, by the computer system, the cybersecurity detection for a human expert cybersecurity assessment ([0038]: mitigation action module 112f may identify that the anomaly should be assigned to an analyst for review; & [0063]: forwarding the event request to an analyst computing device for evaluation).
Matos does not explicitly disclose
monitoring cybersecurity detections reported via a cloud computing environment by cybersecurity sensory agents sampling client devices for client machine contexts.
However, Bazalgette discloses
monitoring cybersecurity detections reported via a cloud computing environment by cybersecurity sensory agents sampling client devices for client machine contexts ([0097]: the raw data sources include, but are not limited to: machine generated log files; individual machine, peripheral or component power usage; machine level performance data taken from on-host source (CPU usage/memory usage/disk usage/disk free space/network usage/etc. & [0037]: the pattern of the behavior of the activities/events/alerts that are left, after the filtering, can be analyzed to determine whether that pattern is indicative of a behavior of a malicious actor – human, program, or other threat; & [0027]: a trigger module may detect timestamped data indicating an event is occurring and then triggers that something unusual is happening; the gatherer module is triggered by a specific events or alerts of i) an abnormal behavior, ii) a suspicious activity, and iii) any combination of both; the received data is passed to the cyber security analyst, which may be hosted on a device, on one or more servers, and/or in its own cyber threat appliance platform; & [0062]: computer on the first computer system has the threat detection system and therefore runs the threat detection method for detecting threats to the first computer system; as such, it comprises a processor arranged to run the steps of the process described herein, memory required to store information related to the running of the process, as well as a network interface for collecting the required information; & [0063]: the computer builds and maintains a dynamic, ever-changing model of the ‘normal behavior’ of each user and machine within the system).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the feature of Bazalgette into Matos because Matos discloses receiving a user request from a user device ([0027]), and Bazalgette further suggests running the steps of the process on a computer ([0103]).
One of ordinary skill in the art would have been motivated to utilize the teachings of Bazalgette in the Matos system in order to provide faster performance.
Regarding claim 17, Matos and Bazalgette disclose the non-transitory memory device as described in claim 16. Matos and Bazalgette further disclose
determining a malicious operation associated with at least one of the client devices based on a corresponding machine context of the machine contexts (Matos: [0034]: the machine learning model may be trained (e.g., using data received from one or more internal data sources, external data sources, and the like) to identify patterns or sequences in data to identify or generate a plurality of dynamic variable profiles and identify patterns or sequences in data that may indicate potential unauthorized activity; & [0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity); & Bazalgette:[0043]: one or more unsupervised machine learning models trained to perform anomaly detection verses a normal pattern of life to determine whether the abnormal behavior and/or suspicious activity is malicious or benign when the cyber threat is previously unknown; & [0079]: rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach; & [0091]: the result is a system that is able to identify subtle variations in machine events within a computer networks behavioral history that may indicate cyber-threat or compromise).
Regarding claim 18, Matos and Bazalgette disclose the non-transitory memory device as described in claim 16. Matos and Bazalgette further disclose
determining a normal operation associated with at least one of the client devices based on a corresponding machine context of the machine contexts (Matos: [0034]: the machine learning model may be trained (e.g., using data received from one or more internal data sources, external data sources, and the like) to identify patterns or sequences in data to identify or generate a plurality of dynamic variable profiles and identify patterns or sequences in data that may indicate potential unauthorized activity; & [0035]: the user request data, as well as user specific data received from the user and, in some examples, retrieved from internal sources (e.g., internal entity computing system 120) and/or external sources (e.g., external entity computing system 160, external entity computing system 165, or the like) may be input into the machine learning model and, based on execution of the model, an output indicating whether an anomaly is detected (e.g., an anomaly in the current user data as compared to the one or more dynamic variable profiles associated with the user that may indicate potential unauthorized activity); & Bazalgette:[0043]: one or more unsupervised machine learning models trained to perform anomaly detection verses a normal pattern of life to determine whether the abnormal behavior and/or suspicious activity is malicious or benign when the cyber threat is previously unknown; & [0079]: rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach; & [0091]: the result is a system that is able to identify subtle variations in machine events within a computer networks behavioral history that may indicate cyber-threat or compromise).
Regarding claim 19, Matos and Bazalgette disclose the non-transitory memory device as described in claim 16. Matos and Bazalgette further disclose
ranking the cybersecurity detections (Bazalgette: [0079]: rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach). Therefore, the limitations of claim 19 are rejected in the analysis of claim 16 above, and the claim is rejected on that basis.
Regarding claim 20, Matos and Bazalgette disclose the non-transitory memory device as described in claim 16. Matos and Bazalgette further disclose
training the machine learning model using historical detection priorities associated with historical client machine contexts (Bazalgette: [0034]: the analyzer module also may utilize repetitive feedback, as time goes on, for the AI models trained with machine learning on possible cyber threats via viewing a subsequent resulting analysis of the supported possible cyber threat hypothesis and supply that information to the training of the AI models trained with machine learning on possible cyber threats in order to reinforce the model’s finding as correct or inaccurate; & [0039]: each analyzer instance ranks incidents by a severity level of that threat and optional hypothesis confidence level; & [0045]: once the AI cyber-security analyst has decided an incident is reportable, the formatting model may generate a textual write up of an incident report in a human readable, formalized report format for a wide range of breaches of normal behavior, used by the AI models trained with machine learning on the normal behavior of the system). Therefore, the limitations of claim 20 are rejected in the analysis of claim 16 above, and the claim is rejected on that basis.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kiebtreiber et al. (US 8,978,094 B2). Providing a rules database for determining outcomes of security assessments; the rules database comprises an authority table for storing a first plurality of entries, each entry being associated with a priority value and with rules that implement the security policies of the operating system.
Kubota (US 2006/0288413 A1). Comparing the count value stored in the counter with the attack suspicion threshold value and the attack determination threshold value retained in the threshold retaining unit.
Lietz et al. (US 2015/0347750 A1). Providing a security threat scoring service to identify and prioritize potential security threats; maintaining a database of security threat patterns.
Bush et al. (US 2014/0013431 A1). Prioritizing a threat by comparing the threats determined to be relevant to a threat tree model stored in a threat tree database.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAYLEE J HUANG whose telephone number is (571)272-0080. The examiner can normally be reached Monday-Friday 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Kaylee Huang
03/07/2026
/KAYLEE J HUANG/Primary Examiner, Art Unit 2447