Prosecution Insights
Last updated: July 17, 2026
Application No. 18/677,486

METHOD TO MONITOR AND DETECT NETWORK ANOMALIES IN BUILDING MANAGEMENT SYSTEMS AND PROVIDE A RESPONSIVE DEFENSE

Final Rejection §103
Filed
May 29, 2024
Examiner
BROWN, CHRISTOPHER J
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Trane Technologies plc
OA Round
2 (Final)
75%
Grant Probability
Favorable
3-4
OA Rounds
1y 3m
Est. Remaining
88%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
536 granted / 711 resolved
+17.4% vs TC avg
Moderate +13% lift
Without
With
+13.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
34 currently pending
Career history
753
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
92.8%
+52.8% vs TC avg
§102
3.5%
-36.5% vs TC avg
§112
1.3%
-38.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 711 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Examiner has included Clarke US 2017/0048815 to meet the amended claims of record including determining whether to store or communicate a plurality of packets. Applicant argues that the art of the prior office action fails to anticipate the claims as amended because that art is “directed to authentication of a user and not to a packet level decision as claimed”. Examiner finds this argument unpersuasive. Examiner asserts that nowhere in the claim language is “packet level” authentication or a decision required. Examiner also asserts that it is well known that user authentication may be in part decided on a users location. Examiner asserts that a well known user authentication method is of users location or IP address, and said IP address is location based. Examiner appreciates that Applicant has included “the communication includes a plurality of packets”. Examiner points out however, that the claims fail to recite that the location is determined based on each of the plurality of packets. The claims maintain that a geolocation assessment is based on “incoming network traffic communications”. Examiner has incorporated Clarke US 2017/0048815 in an attempt to expedite prosecution, however, Examiner also asserts that the claims have not materially changed, and that network communications are well known to have packets of data. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-7, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Eltoft US 10,909240 in view of Zellner US 2005/0272445 in view of Crabtree US 2025/0039228 in view of Clarke US 2017/0048815. As per claim 1. Eltoft teaches A network monitor to provide network security specific to equipment of a building automation system (BAS) and server assessment of network communication directed thereto, comprising: a server configured to couple to a building management network of the building automation system; the server configured to monitor communication that is on the building management network and determine whether such communication is directed to specific devices of the building automation system; (Column 2 lines 36-55) (Column 4 lines 12-40)(Column 10 lines 25-40) (Column 14 lines 42-63) (Column 16 lines 45-Column 17 line 8) (Column 18 line 34-60) (Column 19 lines 1-6) (teaches a building management system with network security that monitors users, and contains user profiles to determine whether to carry forth user instructions to specific devices based on user ID, authority status, time, and user location, in addition to importance of the specific device) Zellner teaches the server configured to determine and perform at least one of store or communicate, for each of a plurality of incoming network traffic communications that is determined directed to one or more specific devices of the building automation system, a geo-location-based assessment of a server that originated said each of the plurality of incoming network traffic communications directed to the one or more specific devices of the building automation system. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Zellner with the prior art because it more specifically tailors security settings to increase network security. Crabtree explicitly teaches that the incoming traffic is from a “server” [0088]. Examiner argues that one of ordinary skill in the art would equate a server and user terminal, and is described in Eltoft but includes Crabtree for explicit clarity. It would have been obvious to one of ordinary skill in the art to use the teaching of Crabtree at the time the invention was filed with the prior art of record because it improves security to protect networks against malicious servers. Clarke teaches communication includes a plurality of packets and based on the plurality of packets determining whether to store or communicate the based on a geolocation assessment of the traffic. [0012][0013][0014] (teaches classification and routing of packets based in part on packet metadata including location data, in order to enforce security policy) It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the current invention to use the teaching of Clarke with the prior art because it enhances security. As per claim 2. Zellner teaches The network monitor of claim 1, wherein the geo-location-based assessment of the server comprises: determination of an origin server of the incoming communication and a corresponding geo-location-based characterization of the origin server. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) As per claim 3. Zellner teaches The network monitor of claim 1, wherein the geo-location-based assessment of the server comprises: a determination of geo-location of an origin server of said each of a plurality of incoming network traffic communications; and a determination of geo-location proximity of the origin server to the one or more specific devices of the building automation system. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) As per claim 4. Zellner teaches The network monitor of claim 1, wherein the geo-location-based assessment of the server comprises: comparison of geo-location proximity an origin server of said each of a plurality of incoming network traffic communications and at least one approved geo-location proximity range relative to the one or more specific devices of the building automation system. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) As per claim 5. Zellner teaches The network monitor of claim 1, wherein the geo-location-based assessment of the server comprises: comparison of geo-location of an origin server of the incoming communication and approved geo-location ranges of service providers for the building automation system. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) As per claim 6. Zellner teaches The network monitor of claim 1, wherein the geo-location-based assessment of the server comprises: comparison of geo-location of an origin server of the incoming communication and one or more unapproved geo-location ranges for origins of communication to the building automation system. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) As per claim 7. Zellner teaches The network monitor of claim 1, further comprising: the server configured to determine, for each of the plurality of incoming network traffic communications that is determined directed to the one or more specific devices of the building automation system, whether to block or allow connection based on the geo-location-based assessment. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) As per claim 19. Zellner teaches The processor-based method of claim 18, wherein: the determining and performing at least one of store or communicate comprises: determining and storing a geo-location-based server assessment of the server that originated said each of a plurality of incoming network traffic communications directed to the one or more specific devices of the building automation system; and determining whether to block or allow connection based on the stored geo-location-based server assessment. [0116]-[0117]; [0122] Table 2. (teaches different authentication procedures depending on security configuration, including location authentication, and being in the same office or building to access certain resources; additionally teaches blocking access to resources in different restricted locations which are user configured) Claim(s) 8-10, 12, 13, 15-18, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Eltoft US 10,909240 in view of Crabtree US 2025/0039228 in view of Clarke US 2017/0048815. As per claim 8. Eltoft teaches A network monitor to provide network security specific to equipment of a building automation system (BAS) and server assessment of network communication directed thereto, comprising: a server configured to couple to a building management network of the building automation system; the server configured to monitor communication that is on the building management network and determine whether such communication is directed to specific devices of the building automation system; (Column 2 lines 36-55) (Column 4 lines 12-40)(Column 10 lines 25-40) (Column 14 lines 42-63) (Column 16 lines 45-Column 17 line 8) (Column 18 line 34-60) (Column 19 lines 1-6) (teaches a building management system with network security that monitors users, and contains user profiles to determine whether to carry forth user instructions to specific devices based on user ID, authority status, time, and user location, in addition to importance of the specific device) Crabtree teaches the server configured to determine and perform at least one of store or communicate, for each of a plurality of incoming network traffic communications that is determined directed to one or more specific devices of the building automation system, a security assessment of a server that originated said each of the plurality of incoming network traffic communications directed to the one or more specific devices of the building automation system. [0030] [0094][0095] [0083]-[0085][0088][0089] (teaches security assessment of incoming traffic, including servers, and taking remedial action) Clarke teaches communication includes a plurality of packets and based on the plurality of packets determining whether to store or communicate the based on a geolocation assessment of the traffic. [0012][0013][0014] (teaches classification and routing of packets based in part on packet metadata including location data, in order to enforce security policy) It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the current invention to use the teaching of Clarke with the prior art because it enhances security. As per claim 9. Crabtree teaches The network monitor of claim 8, wherein the security assessment of the server comprises: an assessment relative to external server anomalies. [0030] [0094][0095] [0083]-[0085] [0088][0089] (assessment of incoming external traffic) As per claim 10. Crabtree teaches The network monitor of claim 8, wherein the security assessment of the server comprises: an assessment relative to whitelist or blacklist of server IP addresses. [0088] (whitelist blacklist) As per claim 12. Crabtree teaches The network monitor of claim 8, wherein the security assessment of the server comprises: an assessment relative to identified servers that respond with malicious traffic. [0088][0089] (whitelist blacklist, known malicious) As per claim 13. Crabtree teaches The network monitor of claim 8, further comprising: the server configured to perform network governance of the one or more specific devices of the building automation system, the network governance comprising authenticating network access only of authorized devices to operate and communicate in the network. [0089] (only authorized entities permitted) As per claim 15. Crabtree teaches The network monitor of claim 8, further comprising: the server configured to perform network governance of the one or more specific devices of the building automation system, the network governance comprising blocking access to the building management network by denying communication between an unauthorized device and the building management network. [0088][0089] (whitelist blacklist, blocking known malicious) As per claim 16. Crabtree teaches The network monitor of claim 8, further comprising: the server configured to perform network governance of the one or more specific devices of the building automation system, the network governance comprising monitoring and controlling connectivity of devices and networks of the building automation system with external networks. [0030] [0094][0095] [0104]-[0106] (controlling connectivity, monitoring in realtime) As per claim 17. Crabtree teaches The network monitor of claim 8, further comprising: the server configured to perform network governance of the one or more specific devices of the building automation system, the network governance comprising providing real-time analysis of security alerts generated by devices and networks of the building automation system to contain and remediate security threats. [0030] [0094][0095] (real time security analysis and remediation) As per claim 18. Eltoft teaches A processor-based method to provide network security specific to equipment of a building automation system (BAS) and server assessment of network communication directed thereto, comprising: coupling a server to a building management network of the building automation system; monitoring, by the server, communication that is on the building management network; determining, by the server, whether such communication is directed to specific devices of the building automation system; (Column 2 lines 36-55) (Column 4 lines 12-40)(Column 10 lines 25-40) (Column 14 lines 42-63) (Column 16 lines 45-Column 17 line 8) (Column 18 line 34-60) (Column 19 lines 1-6) (teaches a building management system with network security that monitors users, and contains user profiles to determine whether to carry forth user instructions to specific devices based on user ID, authority status, time, and user location, in addition to importance of the specific device) Crabtree teaches determining and performing at least one of store or communicate, for each of a plurality of incoming network traffic communications that is determined directed to one or more specific devices of the building automation system, a security-centric assessment of a server that originated said each of a plurality of incoming network traffic communications directed to the one or more specific devices of the building automation system. [0030] [0094][0095] [0083]-[0085][0088][0089] (teaches security assessment of incoming traffic, including servers, and taking remedial action) It would have been obvious to one of ordinary skill in the art to use the teaching of Crabtree at the time the invention was filed with the prior art of record because it improves security to protect networks against malicious servers. Clarke teaches communication includes a plurality of packets and based on the plurality of packets determining whether to store or communicate the based on a geolocation assessment of the traffic. [0012][0013][0014] (teaches classification and routing of packets based in part on packet metadata including location data, in order to enforce security policy) It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the current invention to use the teaching of Clarke with the prior art because it enhances security. As per claim 20. Crabtree teaches The processor-based method of claim 18, wherein: the determining and performing at least one of store or communicate comprises: performing the security assessment of the server at least one of: assessment relative to external server anomalies; assessment relative to whitelist or blacklist of server IP addresses; assessment relative to server signature or certificate-based verification; or assessment relative to identified servers that respond with malicious traffic; and determining whether to block or allow connection based on the stored security assessment of the server that originated said each of a plurality of incoming network traffic communications directed to the one or more specific devices of the building automation system. [0030] [0094][0095] [0083]-[0085] [0088][0089] (assessment of incoming external traffic, filtering and blocking via white list black list, server IP address, known malicious entities) Claim(s) 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Eltoft US 10,909240 in view of Crabtree US 2025/0039228 in view of Clarke US 2017/0048815 in view of Barbosa De Moura US 2024/0244062. As per claim 11. Barbosa De Moura teaches The network monitor of claim 8, wherein the security assessment of the server comprises: an assessment relative to server signature or certificate-based verification. [0030][0070] (teaches verification of server certificate in order to prevent malicious connections) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching o f Barbosa De Moura with the prior art because it increases security. Claim(s) 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Eltoft US 10,909240 in view of Crabtree US 2025/0039228 in view of Clarke US 2017/0048815 in view of Ding US 2018/0063079 As per claim 14. Crabtree teaches The network monitor of claim 8, further comprising: the server configured to perform network governance of the one or more specific devices of the building automation system, the network governance comprising governing and regulating network communication to specific ports and protocols on authorized devices. [0050][0052][0053][0054] (monitors ports and protocols) Ding teaches filtering by specific ports to local devices to prevent unauthorized access. [0015][0045] It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the filter of Ding with the prior art to improve security. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439
Read full office action

Prosecution Timeline

May 29, 2024
Application Filed
Oct 01, 2025
Non-Final Rejection mailed — §103
Feb 02, 2026
Response Filed
May 22, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12652290
CYBER SECURITY FOR SOFTWARE-AS-A-SERVICE FACTORING RISK
5y 3m to grant Granted Jun 09, 2026
Patent 12652315
REMOTE MONITORING OF A SECURITY OPERATIONS CENTER (SOC)
3y 8m to grant Granted Jun 09, 2026
Patent 12641111
Automated Security Analysis of Software Libraries
2y 5m to grant Granted May 26, 2026
Patent 12621339
SYSTEM AND METHOD FOR PROVIDING SECURITY POSTURE MANAGEMENT FOR AI APPLICATIONS
2y 5m to grant Granted May 05, 2026
Patent 12615280
DETECTING POLYMORPHIC BOTNETS USING AN IMAGE RECOGNITION PLATFORM
2y 9m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
75%
Grant Probability
88%
With Interview (+13.0%)
3y 5m (~1y 3m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 711 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month