Prosecution Insights
Last updated: July 17, 2026
Application No. 18/676,422

SYSTEMS AND METHODS FOR NETWORK TRAFFIC FINGERPRINTING AND ASSOCIATED SECURITY ACTIONS

Final Rejection §103
Filed
May 28, 2024
Priority
May 25, 2023 — provisional 63/468,970 +5 more
Examiner
CHOY, KA SHAN
Art Unit
2435
Tech Center
2400 — Computer Networks
Assignee
Foxio LLC
OA Round
2 (Final)
94%
Grant Probability
Favorable
3-4
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 94% — above average
94%
Career Allowance Rate
253 granted / 270 resolved
+35.7% vs TC avg
Moderate +10% lift
Without
With
+9.9%
Interview Lift
resolved cases with interview
Fast prosecutor
2y 1m
Avg Prosecution
14 currently pending
Career history
283
Total Applications
across all art units

Statute-Specific Performance

§101
4.5%
-35.5% vs TC avg
§103
69.6%
+29.6% vs TC avg
§102
4.5%
-35.5% vs TC avg
§112
14.0%
-26.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 270 resolved cases

Office Action

§103
DETAILED ACTION This office action is in response to the correspondence filed on 04/21/2026. Claims 1-11 are pending and are examined. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Response to Arguments Applicant’s arguments with respect to claims 1, 10, and 11 have been considered but are moot because the arguments do not apply to the new combination of the references being used in the current rejection. The new reference(s) was/were necessitated by the amendment filed by the applicant. The rejection is presented below. The newly amended claims are rejected below in view of Gancheva et al. (NPL – “TLS Fingerprinting Techniques”, referred to as Gancheva). Applicant’s arguments with respect to claims 1, 10, and 11 have been considered. The following are the applicant arguments recited in the Remarks followed by Examiner's response: Applicant argues that the Office has failed to make a prima facie case of obviousness with respect to independent claims 1, 10 and 11, because Nanda is non-analogous art. (Remarks, pg. 2-3) Applicant's arguments have been fully considered but they are not persuasive. In response to applicant's argument that Nanda is nonanalogous art, it has been held that a prior art reference must either be in the field of the inventor’s endeavor or, if not, then be reasonably pertinent to the particular problem with which the inventor was concerned, in order to be relied upon as a basis for rejection of the claimed invention. See In re Oetiker, 977 F.2d 1443, 24 USPQ2d 1443 (Fed. Cir. 1992). In this case, both ALTHOUSE and Nanda disclose communication network fingerprinting. This fingerprinting or just a general kind of identification information can be used for various purposes and it is also not limited by the claim language because it only recites obtaining fingerprinting information for a non-specific kind of analysis. Moreover, Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action with the new prior art Gancheva which makes this argument moot. Applicant argues that there is no motiviation to combine Althouse and Nanda in the manner proposed . (Remarks, pg. 5-6) Applicant's arguments have been fully considered but they are not persuasive. In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Nanda discloses in [0008]) that it can improve power consumption and battery life for mobile devices by intelligently searching for available wireless LANs by using fingerprinting information. Fingerprinting in this case can just be interpreted as a general kind of identification information. Moreover, Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action with the new prior art Gancheva which makes this argument moot. Examiner encourages applicant to further amend the claims to distinguish the invention and clarify the difference with support by the specification. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-4, and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE et al. (US Pub No. 2018/0324153 A1 per IDS, referred to as ALTHOUSE), in view of Gancheva et al. (NPL – “TLS Fingerprinting Techniques”, referred to as Gancheva). Regarding claims 1, 10, and 11, taking claim 1 as exemplary, ALTHOUSE discloses, 1. A method of categorizing computer network communications, comprising: receiving data related to a communication over a computer network; (ALTHOUSE: [0051]; the first step calls for monitoring packet data traffic over a network, step 302 ...Next is detecting (receiving) a client hello packet CHP received from a client seeking to begin a session, step 304.) extracting information from said communication; (ALTHOUSE: [0051]; the process then extracts selected data from the CHP at step 306.) organizing said information into at least one digital machine-readable component fingerprint, said at least one component fingerprint comprising: (ALTHOUSE: [0051]; at step 308, the method processes the extracted data to form a client ID string. Next, the client ID string is mapped to form a client fingerprint (processing the extracted data).) a …text string …wherein at least one of said sections is human-readable; and (ALTHOUSE: [0051]; the mapping of step 310 may apply a hash function to the client TD to form the client fingerprint. In one embodiment, the hash function may return a fingerprint (a string of characters) 32 characters long (a human-readable text string); [0051]; next these strings are hashed, preferably using the MD5 algorithm, to produce the SSL Client Fingerprint. It is 128 bits long or 32 hex characters. 769,47-53-5-10-49161-49162-49171-49172-50-56-19-4,0-10-11,23-24-25,0==ada70206e40642a3e4461f35503241d5) outputting said at least one component fingerprint for analysis. (ALTHOUSE: [0051]; finally, the fingerprint may be logged in a database (outputting the fingerprint).) ALTHOUSE does not explicitly disclose, however Gancheva teaches, a singular text string that is delimited into a plurality of sections, (Gancheva: P. 2-3, Fig. 2, 3. Fingerprinting; examination of network traffic has shown that clients can still be identified by capturing the unique set of plain text parameters (a singular text string made up of unique set of parameters i.e. delimited into sets of parameters) from the Client- and ServerHello messages (a singular text string of each Client- and ServerHello message).) It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Gancheva into the teachings of ALTHOUSE with a motivation to quickly identify known TLS connections and fingerprint new unknown ones by storing client records in a dictionary database. (Gancheva: P. 2-3, Fig. 2, 3. Fingerprinting.) Regarding the non-exemplary limitations of claim 11, ALTHOUSE discloses, 11. A computer system, comprising: a communicative connection to a network; (ALTHOUSE: [0017]) a memory for receiving data related to a communication over said network; and (ALTHOUSE: [0017]) a processor for extracting information from said communication and organizing said information into at least one digital component fingerprint, said at least one component fingerprint comprising: (ALTHOUSE: (ALTHOUSE: [0017]) Regarding claim 2, the combination of ALTHOUSE and Gancheva discloses, 2. The method of claim 1, ALTHOUSE does not explicitly disclose, however Gancheva teaches, further comprising: comparing said component fingerprint against a database of component fingerprints. (Gancheva: P. 2-3, 3. Fingerprinting; all the client records are stored in a dictionary database, as this serves to quickly identify (comparing fingerprint) known TLS connections and fingerprint new unknown ones. The same motivation that was utilized for combining ALTHOUSE and Gancheva as set forth in claim 1 is equally applicable to claim 2. Regarding claim 3, the combination of ALTHOUSE and Gancheva discloses, 3. The method of claim 1, ALTHOUSE further discloses, further comprising: initiating a security action based on a characteristic of said component fingerprint. (ALTHOUSE: [0042]; a database such as 210 may be used to generate or maintain a blacklist of clients (identified by fingerprints as described herein) to be denied access to an information system as they present a security risk (denying access constitutes a security action and a fingerprint being on the blacklist constitutes a characteristic of the fingerprint).) Regarding claim 4, the combination of ALTHOUSE and Gancheva discloses, 4. The method of claim 1, ALTHOUSE further discloses, wherein said component fingerprint is characterized as one from the list comprising: a Transport Layer Security (TLS) server response/session fingerprint; (ALTHOUSE: [0051]; FIG. 3 shows a simplified flow diagram of an example process for fingerprinting a client based on a Transport Layer Security (TLS) or SSL client hello packet. The first step calls for monitoring packet data traffic over a network, step 302 (fingerprinting based on TLS client constitutes a TLS server response/session fingerprint); a Hypertext Transfer Protocol (HTTP) client fingerprint; a latency measurement distance/location fingerprint; a passive Transmission Control Protocol (TCP) client fingerprint; a passive TCP server response fingerprint; a Secure Shell Protocol (SSH) traffic fingerprint; and an active TCP server fingerprint. Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Gancheva and further in view of Anderson, et al. "OS fingerprinting: New techniques and a study of information gain and obfuscation." per IDS (hereinafter, "Anderson"). Regarding claim 5, the combination of ALTHOUSE and Gancheva discloses, 5. The method of claim 1, The combination of ALTHOUSE and Gancheva does not explicitly disclose, further comprising: combining a plurality of component fingerprints related to said communication to create a composite fingerprint. Anderson is in the field of OS fingerprinting (abstract) and teaches further comprising: combining a plurality of component fingerprints related to said communication to create a composite fingerprint (ln this work, we consider only passive fingerprinting, which we formalize as the process of assigning one or more categories C from a set of categories C={ c1, c2, ... } to some observed network traffic based on a vector of data features f={ fl, f2, ... } by an assignment function a: F-c*, where F denotes the set of possible feature vectors or fingerprints, pg. 2, col. 1, para 2, [F denoting possible fingerprints constitute a plurality of component fingerprints]; ln contrast to treating each network flow independently, this experiment collects all fingerprints from an endpoint within a 60 minute window, and then classifies that window ...For each fingerprint type, we created a binary feature vector by defining a feature for each unique fingerprint that had at least 100 occurrences in the training dataset, and we set the binary feature to 1 if the associated fingerprint was observed in the window ... We also introduce a fourth model that leverages all available fingerprints by concatenating all three feature vectors; this feature vector had a length of 615, pg. 5, col. 2, paras 2-3, [the binary feature vector for each fingerprint type being concatenated all together constitutes a composite fingerprint]). It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Gancheva with the fingerprinting of Anderson for the purpose of integrating all data types in a multi-session model to identify the major and minor versions of operating systems. This system accumulates data features within a fixed time window, and applies a machine learning classifier to utilize them (sec Anderson pg. 1, col. 2, para 4-pg. 2, col. 1, para 1). Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Gancheva, in view of Nanda et al. (US Pub No. 2007/0021126 A1 per IDS, referred to as Nanda), and further in view of Wu, et al., "My site knows where you are: a novel browser fingerprint to track user position," (hereinafter, "Wu"). Regarding claim 6, the combination of ALTHOUSE and Gancheva discloses, 6. The method of claim 1, The combination of ALTHOUSE and Gancheva does not explicitly disclose, wherein said at least one component fingerprint is a latency measurement distance/location fingerprint, said method further comprising: using a plurality of said component fingerprints to determine the physical location of a client or a server. Nanda teaches using a plurality of said component fingerprints to determine the physical location of a client or a server (The information may be utilized as a conceptual a fingerprint, or a signature, of a location of the mobile device 102. Thus, if locations within the area 140 have a certain known fingerprint, then the mobile device can determine its current fingerprint and compare it to the known fingerprint to determine whether the mobile device is located within the area 140, para 0037, [the known fingerprints of locations being used to compare against a fingerprint of a mobile device to determine its location constitutes using a plurality of component fingerprints to determine a physical location of a client]). It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Gancheva with the fingerprint of Nanda for the purpose of improving power consumption and battery life for mobile devices by intelligently searching for available wireless LANs and searching efficiency is to adaptively refine the criteria used to determine whether or not a wireless LAN is close by (see Nanda, para 0008). Wu is in the field of user tracking (abstract) and teaches wherein said at least one component fingerprint is a latency measurement distance/location fingerprint (The physical location fingerprint on the browser utilizes the physical time delay, from the users' browsers to one or more web servers, to extract users' location fingerprint and determine their identity, pt. 1, col. 2, para 3, [the physical time delay constitutes a latency measure, therefore, the physical location fingerprint constitutes a latency measurement location fingerprint]). It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE, Gancheva and Nanda with the tracking of Wu for the purpose of utilizing the position information rather than browser information, which has less relevance to users' browsers. As a result, the physical location fingerprint can be more robust to identify the users using more than one browser platform (see Wu, pg. 1, col. 2, para 5). Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Gancheva and further in view of China Pat. No. CN 113037746 A per IDS, referred to as ICBC). Regarding claim 7, the combination of ALTHOUSE and Nanda discloses, 7. The method of claim 1, The combination of ALTHOUSE and Gancheva does not explicitly disclose, further comprising: analyzing said at least one component fingerprint to determine whether said communication is from a virtual private network (VPN) or a proxy server. ICBC is in the field of fingerprint extraction (abstract) and teaches further comprising: analyzing said at least one component fingerprint to determine whether said communication is from a virtual private network (VPN) or a proxy server (According to the network security detection method provided by the embodiment of the disclosure, the accuracy of user behavior analysis detection of an untrusted user (for example, a hacker accesses a webpage based on a dynamic proxy or a VPN) can be improved by 1.8% by using conventional TLS fingerprint data, para 0115, [using TLS fingerprint data to detect webpage access via VPN constitutes determining a communication is from a VPN]). It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Gancheva with the fingerprint extraction of ICBC for the purpose of providing a client identity recognition method where the dimensionality reduction processing is performed on the feature set of the TLS fingerprint based on the simhash algorithm, the target fingerprint obtained after the dimensionality reduction processing has a high fault tolerance rate, the similarity of the target fingerprint can be compared by calculating the distance (such as the Hamming distance), the same result can be obtained by recognizing the same client request in different scenes based on the target fingerprint, and the accuracy of client identity recognition and the fault tolerance rate in different scenes are improved (see ICBC para 0105). Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over ALTHOUSE, in view of Gancheva and further in view of Albanese, et al. "A deception based approach for defeating OS and service fingerprinting." (hereinafter, "Albanese"). Regarding claim 8, the combination of ALTHOUSE and Gancheva discloses, 8. The method of claim 1, The combination of ALTHOUSE and Gancheva does not explicitly disclose, further comprising: based on said at least one component fingerprint, initiating a security action to obscure a device/system from an internet scanner. Albanese is in the field of OS and service fingerprinting (abstract) and teaches further comprising: based on said at least one component fingerprint, initiating a security action to obscure a device/system from an internet scanner (Specifically, we implemented an operating system fingerprint module to modify the responses to the SinFP's probes and a service fingerprint module to modify banner information for specific services, pg. 257, col. 2, para 4; In the second set of experiments, we evaluated our approach from the point of view of an attacker trying to determine the operating system of a remote host or the type of services running on it...we deceived both OS and service fingerprinting by exposing a Windows 7/Vista OS fingerprint and an Apache 2.2.1 service fingerprint. When the deception mechanism is enabled, the OS is misidentified accordingly.. .2) Fingerprinting Tools: Table III reports the results of scans performed with different fingerprinting tools. As one can see, our approach is able to effectively deceive several fingerprinting tools. For instance, we are able to alter the perception of the target system even when the attacker uses either nmap or Xprobc++, which adopt a different probing scheme, pg. 259, col. 2, paras 1-4, f deceiving OS fingerprinting of a Windows 7 Nista OS by exposing a Windows 7/Vista OS fingerprint, this constitutes based on a fingerprint initiating obscuring a device system from an internet scanner since as a result of the deception, the Windows 7 /Vista OS is not detected and thus obscured from scanners such as Nessus, nmap, and Xprobe++ ]). It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Gancheva with the OS and service fingerprinting of Albanese for the purpose of deceiving potential intruders into making incorrect inferences about system characteristics without Fingerprinting Tools: Table III reports the results of scans performed with different fingerprinting tools. As one can see, our approach is able to effectively deceive several fingerprinting tools. For instance, we are able to alter the perception of the target system even when the attacker uses either nmap or Xprobe++, which adopt a different probing scheme (sec Albanese, pg. 253, col. 1, para 3-col. 2, para 1). Regarding claim 9, the combination of ALTHOUSE, Gancheva and Albanese discloses, 9. The method of claim 8, The combination of ALTHOUSE and Gancheva does not explicitly disclose, wherein said device/system remains visible to other devices/systems having a certain characteristic. Albanese teaches wherein said device/system remains visible to other devices/systems having a certain characteristic (Nessus: In order to test how our approach can deceive an attacker using Nessus, we audited the system with and without the deceptive Kernel Module enabled. Table II shows the results of the respective Nessus scans. The original system is a fully patched Ubuntu 12.04 server and has no known vulnerabilities. When no deception is used, the system is correctly identified, and all the information derived by Nessus is accurate. Next, we deceived both OS and service fingerprinting by exposing a Windows 7/Vista OS fingerprint and an Apache 2.2.1 service fingerprint. When the deception mechanism is enabled, the OS is misidentified accordingly. Moreover, deceiving service fingerprinting leads to false shows that for a general purpose computer running Windows Vista and using the deceptive Kernel, for low or critical risk, i.e., certain characteristics, Windows Vista is visible, but is deceived for other levels or risk]). It would have been obvious to one of ordinary skill in the art before the priority date to modify the combination of ALTHOUSE and Gancheva with the OS and service fingerprinting of Albanese for the purpose of deceiving potential intruders into making incorrect inferences about system characteristics without Fingerprinting Tools: Table III reports the results of scans performed with different fingerprinting tools. As one can see, our approach is able to effectively deceive several fingerprinting tools. For instance, we are able to alter the perception of the target system even when the attacker uses either nmap or Xprobe++, which adopt a different probing scheme (see Albanese, pg. 253, col. 1, para 3-col. 2, para 1). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. PASTORE; Nicolò et al. US-PGPUB US 20220131885 A1 Methods for tracing malicious endpoints in direct communication with application back ends using TLS fingerprinting techniques Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569. The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KA SHAN CHOY/Primary Examiner, Art Unit 2435
Read full office action

Prosecution Timeline

May 28, 2024
Application Filed
Oct 21, 2025
Non-Final Rejection mailed — §103
Apr 21, 2026
Response Filed
Jun 29, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676875
LEVERAGING GLOBAL EXPLANATIONS ON A RESTRICTED EDGE ENVIRONMENT
2y 2m to grant Granted Jul 07, 2026
Patent 12671701
SCRIPTING ATTACK DETECTION AND MITIGATION USING CONTENT SECURITY POLICY VIOLATION REPORTS
2y 2m to grant Granted Jun 30, 2026
Patent 12671715
DETECTING AND MITIGATING FORGED AUTHENTICATION ATTACKS WITHIN A DOMAIN
2y 1m to grant Granted Jun 30, 2026
Patent 12659298
SYSTEM, METHOD, AND DATA DIODE FOR SELECTIVE UNIDIRECTIONAL DATA TRANSFER
2y 1m to grant Granted Jun 16, 2026
Patent 12659334
METHOD AND DEVICE FOR PROCESSING A NETWORK DATA STREAM
2y 3m to grant Granted Jun 16, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
94%
Grant Probability
99%
With Interview (+9.9%)
2y 1m (~0m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 270 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month