Prosecution Insights
Last updated: July 17, 2026
Application No. 18/745,304

METHODS, SYSTEMS AND DEVICES TO DETECT A DATA TRAFFIC ANOMALY AS MALICIOUS TO IMPROVE NETWORK SECURITY

Final Rejection §101§103
Filed
Jun 17, 2024
Examiner
ALI, AFAQ
Art Unit
2434
Tech Center
2400 — Computer Networks
Assignee
AT&T Intellectual Property I L.P.
OA Round
2 (Final)
90%
Grant Probability
Favorable
3-4
OA Rounds
4m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
123 granted / 137 resolved
+31.8% vs TC avg
Moderate +13% lift
Without
With
+13.3%
Interview Lift
resolved cases with interview
Typical timeline
2y 5m
Avg Prosecution
18 currently pending
Career history
168
Total Applications
across all art units

Statute-Specific Performance

§101
2.2%
-37.8% vs TC avg
§103
90.8%
+50.8% vs TC avg
§102
0.6%
-39.4% vs TC avg
§112
2.5%
-37.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 137 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action Claims 1, 11, and 20 are amended Claims 1-20 are pending Priority This application claims no priority. Therefore, the effective filing date of this application is 06/17/2024. Response to Arguments Applicant’s arguments filed on 02/17/2026 have been fully considered With respect to the objection to claims 1, 11, and 20. The objection has been overcome due to applicant’s amendments With respect to the USC 112(b) rejection for claim 20. The rejection has been overcome due to applicant’s amendments With respect to the USC 101 abstract rejection for claim 1-20 Applicant has argued that the rejection with respect to independent claim 1 is improper. Examiner respectfully disagrees. With respect to Step 1 analysis. Claim 1 satisfies the statutory category requirement because it is directed to a device comprising a processor and memory under 35 U.S.C. 101(a). With respect to Step 2A, prong 1 Judicial Exception the claim recites limitations of (1) monitoring data traffic based on inputs, (2) determining a data traffic anomaly within the group of data traffic, (3) requesting a group of parameters from a computing device, (4) determining a first parameter from the group of parameters does not satisfy a first parameter threshold, (5) and identifying the data traffic anomaly is associated with a malicious traffic. All the limitations currently drafted are a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually monitor data traffic based on various inputs, a user can manually determine a data traffic anomaly within the group of data traffic, a user can manually request a group of parameters, a user can manually determine a first parameter from the group of parameters does not satisfy a threshold, and a user can manually identify a data traffic anomaly is associated with a malicious traffic signature. With respect to Step 2A prong 2 Integration into a practical application this judicial exception is not integrated into a practical application. The claim only recites of monitoring, determining a data traffic anomaly, requesting a group of parameters, determining a first parameter does not satisfy a threshold, and identify the data traffic is associated with a malicious signature. Merely identifying the data traffic is associated with a malicious signature does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim does not recite what happens after the data traffic is associated with a malicious traffic signature. The claim is directed to an abstract idea. With respect to Step 2B Significantly More the claim only recites additional elements of “processor” and “memory” recited at a high-level of generality (i.e., as a generic processor) such that it amounts no more than mere instructions to apply the exception using a generic processor. Mere instructions to apply an exception using a generic processor cannot provide an inventive concept. The claim is not patent eligible. Similar arguments apply for claims 11 and 20. Therefore, the rejection for claims 1-20 under USC 101 Abstract is maintained. With respect to the amendment for claims 1 and similar limitations in claim 11 reciting the limitation “wherein the monitoring of the data traffic is based on inputs that include: a data traffic rate, packet headers, an indication of an average packet size, and an indication of whether respective data traffic of the data traffic is prompted by a respective computing device of the group of computing devices” Examiner is relying on a new reference ROSENDAHL to teach this limitation. With respect to the amendment for claim 20 reciting the limitation “wherein the monitoring of the data traffic is based on inputs that include: an indication of a central processing unit (CPU) usage relative to a first threshold, an indication of a memory usage relative to a second threshold, an indication of temperature relative to a third threshold, and an indication of a fan noise relative to a fourth threshold” Examiner is relying on a new reference CASSINI to teach this limitation. Additional arguments are moot in view of new grounds of rejection necessitated by the claim amendments. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 U.S.C. 101 because they directed to an abstract idea. Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites of a device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: monitoring data traffic to each computing device of a group of computing devices resulting in a group of data traffic, wherein the monitoring of the data traffic is based on inputs that include: a data traffic rate, packet headers, an indication of an average packet size, and an indication of whether respective data traffic of the data traffic is prompted by a respective computing device of the group of computing devices; determining a data traffic anomaly within the group of data traffic resulting in a first determination; requesting a group of a-parameters from a computing device of the group of computing devices based on the first determination; determining a first parameter from the group of parameters does not satisfy a first parameter threshold resulting in a second determination; and identifying the data traffic anomaly as associated with a malicious traffic signature based on the second determination resulting in an identification. The limitation of device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: monitoring data traffic to each computing device of a group of computing devices resulting in a group of data traffic, wherein the monitoring of the data traffic is based on inputs that include: a data traffic rate, packet headers, an indication of an average packet size, and an indication of whether respective data traffic of the data traffic is prompted by a respective computing device of the group of computing devices, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually monitor data traffic to each computing device of a group of computing devices based on various inputs. The limitation of determining a data traffic anomaly within the group of data traffic resulting in a first determination, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually determine a data traffic anomaly within the group of data traffic. The limitation of requesting a group of a parameters from a computing device of the group of computing devices based on the first determination, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually request a group of a parameters from a computing device. The limitation of determining a first parameter from the group of parameters does not satisfy a first parameter threshold resulting in a second determination, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually determine a first parameter from the group of parameters does not satisfy a first parameter threshold. The limitation of and identifying the data traffic anomaly as associated with a malicious traffic signature based on the second determination resulting in an identification, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually identify the data traffic anomaly as associated with a malicious traffic. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic statement such as “device, comprising: a processing system including a processor”, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element of computer implemented method. The “processor” recited at a high-level of generality (i.e., as a generic processor performing the method) such that it amounts no more than mere instructions to apply the exception using a generic processor. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible. Claim 2 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the determining of the data traffic anomaly comprises determining the data traffic anomaly within the group of data traffic utilizing a deep neural network (DNN), wherein the identifying of the data traffic anomaly comprises identifying the data traffic anomaly as associated with the malicious traffic signature utilizing the DNN. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually utilize a DNN to determine a data traffic anomaly. Claim 3 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise receiving a first confirmation that the data traffic anomaly is associated with the malicious traffic signature. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually receive a first confirmation that the data traffic anomaly is associated with the malicious traffic signature. Claim 4 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise adjusting a first group of weights associated with the DNN based on the first confirmation resulting in a first weight adjustment. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually adjust a first group of weights associated with the DNN. Claim 5 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise adjusting a first number of layers associated with the DNN based on the first confirmation resulting in a first layer adjustment. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually adjust a first number of layers associated with the DNN. Claim 6 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise receiving a second confirmation that the data traffic anomaly is not associated with the malicious traffic signature. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually receive a second confirmation that the data traffic anomaly is not associated with the malicious traffic signature. Claim 7 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise adjusting a second group of weights associated with the DNN based on the second confirmation resulting in a second weight adjustment. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually adjust a second group of weights associated with the DNN. Claim 8 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise adjusting a second number of layers associated with the DNN based on the second confirmation resulting in a second layer adjustment. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually adjust a second number of layers associated with the DNN. Claim 9 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the DNN comprise an unsupervised deep reinforcement learning DNN. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually use unsupervised deep reinforcement learning for a DNN. Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the operations comprise: determining a processor utilization associated with the computing device; and determining the group of parameters to request from the computing device based on the processor utilization. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually determine a processor utilization and determine a group of parameters to request based on the utilization. Regarding claim 11, the claim is a non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system including a processor performs features similar to those of device claim 1. Therefore, claim 11 is rejected in a similar manner as in the rejection of claim 1. Furthermore, as for the limitation of utilizing a deep neural network (DNN). A user can manually utilize a deep neural network. Claims 12-19 are parallel claims to claims 3-10. Therefore, claims 12-19 are rejected in a similar manner. Regarding claim 20, this claim recites of a method claim that performs the features of device claims 1 and 10. Therefore, claim 20 is rejected in a similar manner. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over BOTT (US-20160072834-A1) in view of HAMDI (US-20180124094-A1), and further in view of ROSENDAHL (US-20200110873-A1), hereinafter BOTT-HAMDI-ROSENDAHL. Regarding claim 1, BOTT teaches “A device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: monitoring data traffic to each computing device of a group of computing devices resulting in a group of data traffic; ([BOTT, para. 0011] “According to one embodiment of the present invention, a method for data traffic signature-based malware protection is disclosed. The method includes monitoring data traffic and behavior associated with a computing device.”) ([BOTT, para. 0016] “This abstraction can be translated into a device activity signature associated with a particular computing device, such as a mobile phone. This device activity signature can then be compared with other similar devices or with future device activity signatures from the same device.”) determining a data traffic anomaly within the group of data traffic resulting in a first determination; ([BOTT, para. 0017] “The event trigger can include, for example, an anomalous rise in data traffic associated with malware or opening an unexpected communications port. The paired action for each event trigger can be different depending on the seriousness of the triggered event. For example, the paired action can range from noting the event in a log file to the immediate blocking of all activity associated with an application”) … and identifying the data traffic anomaly as associated with a malicious traffic signature based on the second determination resulting in an identification. ([BOTT, para. 0025] “At step 104, a classification of the device activity signature is determined. For example, the device activity signature may be compared with a reference device activity signature and classified as either normal or anomalous based on the comparison. In addition to classifying the device activity signature as either normal or anomalous, other suitable classifications can be determined.”) ([BOTT, para. 0036] “For example, policy decision module 210 may compare the device activity signature with a reference device activity signature. If the device activity signature is sufficiently different from the reference device activity signature (e.g., larger that a predetermined threshold value), then the policy decision module 210 may classify the traffic signature as anomalous.”). However, BOTT does not teach “requesting a group of a parameters from a computing device of the group of computing devices based on the first determination; determining a first parameter from the group of parameters does not satisfy a first parameter threshold resulting in a second determination;”. In analogous teaching HAMDI teaches “requesting a group of a parameters from a computing device of the group of computing devices based on the first determination; ([HAMDI, para. 0131] “the controller engine 310 can detect that a given requirement (e.g., compliance, security, legal, business or other requirement) of the computing and network system 210 may be violated, and identify one or more assets associated with that requirement for profiling. …in response, instruct the asset profiling engine 312 to profile the firewall, a gateway, a router, one or more other assets, or a combination thereof.”) ([HAMDI, para. 0133] “The method 900 can include the asset profiling engine 312 determining a set of profiling parameters (step 930). The set of profiling parameters can represent parameters to be requested from the target asset, such as asset information (e.g., IP address, MAC address, NetBIOS, etc.), asset configuration parameters, asset communication logs, asset CPU usage, packet drop rate, the like, or a combination thereof.”) determining a first parameter from the group of parameters does not satisfy a first parameter threshold resulting in a second determination; ([HAMDI, para. 0135] “The method 900 can include the asset profiling engine 312 comparing the one or more parameter values to one or more criteria or respective threshold values (step 960) … Threshold values can include, for example, benchmark parameter values to determine whether an asset is under stress. For example, a CPU usage level of 95% or more for a period of time equal to or exceeding 10 mins can imply that the corresponding asset is under computational stress. Also, a packet drop rate threshold value that is exceeded for a respective threshold time period can imply (or be interpreted by the asset profiling engine) that the corresponding asset is under communication”). Thus, given the teaching of HAMDI, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of requesting a group of a parameters by HAMDI into a device for monitoring data traffic to each computing device of a group of computing devices by BOTT. One of ordinary skill in the art would have been motivated to do so because HAMDI recognizes the need to improve cyber security ([HAMDI, para. 0003] “The functional importance and business value of computer systems for respective institutions and their customers call for operational reliability and enhanced cyber security of such computer systems.”) ([HAMDI, para. 0001] “The present application relates generally to systems and methods for monitoring and managing the security health of a computer environment”). However, BOTT-HAMDI does not teach “wherein the monitoring of the data traffic is based on inputs that include: a data traffic rate, packet headers, an indication of an average packet size, and an indication of whether respective data traffic of the data traffic is prompted by a respective computing device of the group of computing devices”. In analogous teaching ROSENDAHL teaches “wherein the monitoring of the data traffic is based on inputs that include: a data traffic rate, packet headers, an indication of an average packet size, ([ROSENDAHL, para. 0038] “The threat database 132 lists one or more potential threats that may be discovered in the container system 102. These threats may include both vulnerabilities and/or benchmark settings, and may also include network attack signatures.”) ([ROSENDAHL, para. 0040] “the threat database 132 also includes a list of network attack signatures. These signatures describe network activity that may indicate a potential malicious activity on the network. The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data, packet size, time of network activity, content of network data, and other information within the network data, that when detected, may indicate an attack. The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted, a pattern in the network addresses that receive/send the data, a pattern in the types of systems or containers that send/receive the data, a pattern in the ownership of containers that are receiving/sending certain data, a pattern in the amount of data that is being sent/received, a pattern in the content of the data that is being sent/received and so on. … When the patterns and information for a signature are detected in the network traffic, then malicious activity may be indicated. For example, an amount of traffic that has a pattern exceeding a certain data rate, to a particular destination, may indicate an attack (e.g., a denial of service attack).”) ([ROSENDAHL, para. 0043] “The network probe 124 probes the network activity 108 of the app containers 104 as well as the overall network of the container system 102 for any threats indicated in the threat database 132. … The network probe 122 checks the signatures for vulnerabilities and benchmark settings listed in the threat database 132 to see if there are any matches to the signatures. The network probe 122 may check a section of the threat database 132 specific to network-related activities.”) and an indication of whether respective data traffic of the data traffic is prompted by a respective computing device of the group of computing devices” ([ROSENDAHL, para. 0040] “The signatures may indicate some information about the network traffic, such as a source “) ([ROSENDAHL, para. 0042] “If any of the signatures are matched to various sources within the app container 104, then the container probe 122 records the specific source from which the signature was detected.”) ([ROSENDAHL, para. 0065] “For a selected app container in the container list 202, the user interface 200 also displays the detected threats list 216 for the app container. … The threat severity level 218 of each threat is listed, with a threat individual score 220 for each threat, threat package location 222 indicating a program library or source where the threat is found”) ([ROSENDAHL, para. 0028] “the app containers 104 are shown to be within a monolithic container system 102, in practice they may be spread among multiple hosts on multiple hardware devices,”) Thus, given the teaching of ROSENDAHL, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of monitoring of the data traffic is based on inputs by ROSENDAHL into a device for monitoring data traffic to each computing device of a group of computing devices by BOTT-HAMDI. One of ordinary skill in the art would have been motivated to do so because ROSENDAHL recognizes the need to improve security ([ROSENDAHL, para. 0003] “However, within such container systems, security and threat detection can be a more challenging issue. A container system includes many different components, in many cases more than a traditional system. … Therefore, what was lacking, inter alia, was a vertically integrated system to automatically determine, report, and respond to threats and security issues in all aspects of a container system.”) ([ROSENDAHL, para. 0018] “An advantage of such a container system 102 is that each container is isolated from other containers in the container system 102, increasing security. Scalability may also be improved, as containers can be easily added and removed without having to be customized for a specific physical resource layout.”) Regarding claim 10, BOTT-HAMDI-ROSENDAHL teach all limitations of claim 1. HAMDI further teaches “wherein the operations comprise: determining a processor utilization associated with the computing device; ([HAMDI, para. 0142] “FIG. 10 shows a diagram illustrating a decision profiling tree 1000 indicative of a context-based hierarchical profiling scheme. The parent node 1010 can be associated with a respective first set of profiling parameters or a first profiling template. The first set of profiling parameters or the first profiling template can be indicative of a query for cumulative CPU usage and cumulative network usage. If the cumulative CPU usage exceeds a first CPU usage threshold value, then the decision will be to move to the node 1020.”) and determining the group of parameters to request from the computing device based on the processor utilization. ([HAMDI, para. 0142] “Node 1020 can be associated with a second set of CPU profiling parameters or a second CPU profiling template. The second set of CPU profiling parameters or the second CPU profiling template can be indicative of a query for CPU usage per processor core. If CPU usage of a given processor core exceeds a third CPU usage threshold value, the decision will be to move to node 1040. Node 1040 can be associated with a third set of CPU profiling parameters or a third CPU profiling template. The third set of CPU profiling parameters or the third CPU profiling template can be indicative of a query for CPU usage per process with respect to the given processor core.”). The same motivation to modify BOTT with HAMDI as in the rejection of claim 1 applies. Claims 2-9 and 11-19 are rejected under 35 U.S.C. 103 as being unpatentable over BOTT-HAMDI-ROSENDAHL in view of VASU (US-20220014554-A1), hereinafter BOTT-HAMDI-ROSENDAHL-VASU. Regarding claim 2, BOTT-HAMDI-ROSENDAHL teach all limitations of claim 1. However, BOTT-HAMDI-ROSENDAHL does not teach “wherein the determining of the data traffic anomaly comprises determining the data traffic anomaly within the group of data traffic utilizing a deep neural network (DNN), wherein the identifying of the data traffic anomaly comprises identifying the data traffic anomaly as associated with the malicious traffic signature utilizing the DNN.”. In analogous teaching VASU teaches “wherein the determining of the data traffic anomaly comprises determining the data traffic anomaly within the group of data traffic utilizing a deep neural network (DNN), wherein the identifying of the data traffic anomaly comprises identifying the data traffic anomaly as associated with the malicious traffic signature utilizing the DNN.” ([VASU, para. 0014] “Embodiments of the present invention allow for a deep learning method for intrusion detection systems such as network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Embodiments of the present invention monitor and analyze network traffic and ports utilizing a signature-based detection and anomaly-based detection techniques”) ([VASU, para. 0006] “The one or more computer processors classify one or more synthesized network input images by identifying contained objects utilizing a trained convolutional neural network with rectified linear units, wherein the objects include patterns, sequences, trends, and signatures.”) ([VASU, para. 0023] “classifying one or more synthesized network input images by identifying contained objects utilizing a trained convolutional neural network with rectified linear units, wherein the objects include patterns, sequences, trends, and signatures; predicting a security profile of the one or more classified network input images and associated one or more network inputs, wherein the security profiles includes a set of rules and associated mitigation actions”). Thus, given the teaching of VASU, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of data traffic anomaly within the group of data traffic utilizing a deep neural network (DNN) by VASU into a device for monitoring data traffic to each computing device of a group of computing devices by BOTT-HAMDI-ROSENDAHL. One of ordinary skill in the art would have been motivated to do so because VASU recognizes the need to improve network efficiency ([VASU, para. 0041] “program 150 applies updated network input signature 524 to one or more network devices (IDS), reducing future false positives and improving network efficiency”). Regarding claim 11, this claim recites of a non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system performs the features of device claim 1 and 2. Therefore, claim 11 is rejected in a similar manner as in the rejection of claims 1 and 2. ROSENDAHL further teaches “packet headers including encrypted information, ([ROSENDAHL, para. 0040] “The signatures may indicate some information about the network traffic, such as a source, a destination, packet type, packet header data”) ([ROSENDAHL, para. 0087] “the connection of an app container 320 to the network 390. This connection may also be tunneled using an encryption protocol (e.g., secure sockets layer (SSL)).”) an indication of average packet arrival rate intervals” ([ROSENDAHL, para. 0040] “The signatures may indicate some information about the network traffic, such as … time of network activity … The signature may also indicate various patterns in the network activity, such as a pattern in the timing of data received/transmitted … For example, an amount of traffic that has a pattern exceeding a certain data rate, to a particular destination, may indicate an attack (e.g., a denial of service attack).” The same motivation to modify BOTT-HAMDI with ROSENDAHL as in the rejection of claim 1 applies. Regarding claims 3 and 12, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 2 and 11. BOTT further teaches “wherein the operations comprise receiving a first confirmation that the data traffic anomaly is associated with the malicious traffic signature.” ([BOTT, para. 0036] “For example, policy decision module 210 may compare the device activity signature with a reference device activity signature. If the device activity signature is sufficiently different from the reference device activity signature (e.g., larger that a predetermined threshold value), then the policy decision module 210 may classify the traffic signature as anomalous.”). Regarding claims 4 and 13, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 3 and 12. VASU further teaches “wherein the operations comprise adjusting a first group of weights associated with the DNN based on the first confirmation resulting in a first weight adjustment” ([VASU, para. 0021] “Network input image model 152 and network input classification model 154 are representative of a plurality of models utilizing deep learning techniques to train, calculate weights, ingest inputs, and output a plurality of solutions (e.g., packet prediction, sequence identification, image analysis, image generation, etc.).”) ([VASU, para. 0003] “Artificial neurons and edges, typically, have respective weights that adjust as learning proceeds. The respective weights increase or decrease a strength of a signal at a connection. Artificial neurons may have a threshold such that a signal is only sent if an aggregate signal crosses the threshold. Typically, artificial neurons are aggregated into layers where a plurality of layers perform a plurality of data transformations on inputs.”) ([VASU, para. 0014] “Embodiments of the present invention dynamically adjust one or more intrusion models based on specific network patterns unique to one or more networks, hosts, and/or applications.”). The same motivation to modify BOTT-HAMDI-ROSENDAHL with VASU as in the rejection of claim 2 applies. Regarding claims 5 and 14, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 3 and 12. VASU further teaches “wherein the operations comprise adjusting a first number of layers associated with the DNN based on the first confirmation resulting in a first layer adjustment.” ([VASU, para. 0003] “Artificial neurons and edges, typically, have respective weights that adjust as learning proceeds. The respective weights increase or decrease a strength of a signal at a connection. Artificial neurons may have a threshold such that a signal is only sent if an aggregate signal crosses the threshold. Typically, artificial neurons are aggregated into layers where a plurality of layers perform a plurality of data transformations on inputs”) ([VASU, para. 0032] “program 150 retrains a plurality of associated models and networks with the calculated prediction and associated feedback”) ([VASU, para. 0014] “Embodiments of the present invention dynamically adjust one or more intrusion models based on specific network patterns unique to one or more networks, hosts, and/or applications”). The same motivation to modify BOTT-HAMDI-ROSENDAHL with VASU as in the rejection of claim 2 applies. Regarding claims 6 and 15, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 2 and 11. BOTT further teaches “wherein the operations comprise receiving a second confirmation that the data traffic anomaly is not associated with the malicious traffic signature.” ([BOTT, para. 0036] “Conversely, if the device activity signature is sufficiently similar from the reference device activity signature (e.g., less that a predetermined threshold value), then the policy decision module 210 may classify the device activity signature as normal. Policy decision module may then apply a policy decision for the computing device based on the determined classification”). Regarding claims 7 and 16, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 6 and 15. VASU further teaches “wherein the operations comprise adjusting a second group of weights associated with the DNN based on the second confirmation resulting in a second weight adjustment.” ([VASU, para. 0021] “Network input image model 152 and network input classification model 154 are representative of a plurality of models utilizing deep learning techniques to train, calculate weights, ingest inputs, and output a plurality of solutions (e.g., packet prediction, sequence identification, image analysis, image generation, etc.).”) ([VASU, para. 0003] “Artificial neurons and edges, typically, have respective weights that adjust as learning proceeds. The respective weights increase or decrease a strength of a signal at a connection. Artificial neurons may have a threshold such that a signal is only sent if an aggregate signal crosses the threshold. Typically, artificial neurons are aggregated into layers where a plurality of layers perform a plurality of data transformations on inputs.”) ([VASU, para. 0014] “Embodiments of the present invention dynamically adjust one or more intrusion models based on specific network patterns unique to one or more networks, hosts, and/or applications.”). The same motivation to modify BOTT-HAMDI-ROSENDAHL with VASU as in the rejection of claim 2 applies. Regarding claims 8 and 17, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 6 and 15. VASU further teaches “wherein the operations comprise adjusting a second number of layers associated with the DNN based on the second confirmation resulting in a second layer adjustment.” ([VASU, para. 0003] “Artificial neurons and edges, typically, have respective weights that adjust as learning proceeds. The respective weights increase or decrease a strength of a signal at a connection. Artificial neurons may have a threshold such that a signal is only sent if an aggregate signal crosses the threshold. Typically, artificial neurons are aggregated into layers where a plurality of layers perform a plurality of data transformations on inputs.”) ([VASU, para. 0032] “program 150 retrains a plurality of associated models and networks with the calculated prediction and associated feedback.”) ([VASU, para. 0014] “Embodiments of the present invention dynamically adjust one or more intrusion models based on specific network patterns unique to one or more networks, hosts, and/or applications.”). The same motivation to modify BOTT-HAMDI-ROSENDAHL with VASU as in the rejection of claim 2 applies. Regarding claims 9 and 18, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claims 2 and 11. VASU further teaches “wherein the DNN comprise an unsupervised deep reinforcement learning DNN.” ([VASU, para. 0021] “In the depicted embodiment, network input classification model 154 is a CNN with a rectified linear unit (RELU) trained with supervised and/or unsupervised training methods. In this embodiment, program 150 utilizes network input classification model 154 to classify a network input as authorized, anomalous, or as a potential false positive.”). The same motivation to modify BOTT-HAMDI-ROSENDAHL with VASU as in the rejection of claim 2 applies. Regarding claim 19, BOTT-HAMDI-ROSENDAHL-VASU teaches all limitations of claim 11. Furthermore, this claim recites of limitations similar to that of claim 10. Therefore, claim 19 is rejected in a similar manner as in the rejection of claim 10. Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over BOTT (US-20160072834-A1) in view of HAMDI (US-20180124094-A1), and further in view of CASSINI (US-20170219240-A1) Regarding claim 20, this claim recites of a method that implements the steps of independent device claim 1 and claim dependent device claim 10. Therefore, claim 20 is rejected in a similar manner as in the rejection of claims 1 and 10. HAMDI further teaches “wherein the monitoring of the data traffic is based on inputs that include: an indication of a central processing unit (CPU) usage relative to a first threshold, ([HAMDI, para. 0065] “For example, a server 211 can be under computational stress when experiencing excessive CPU usage (e.g., beyond a given threshold value)”) ([HAMDI, para. 0058] “the status of one or more machines 102, 106 in the network 104 is monitored, generally as part of network management. In one of these embodiments, the status of a machine may include an identification of load information (e.g., the number of processes on the machine, central processing unit (CPU) and memory utilization)”) indication of a memory usage relative to a second threshold, ([HAMDI, para. 0058] “the status of one or more machines 102, 106 in the network 104 is monitored, generally as part of network management. In one of these embodiments, the status of a machine may include an identification of load information (e.g., the number of processes on the machine, central processing unit (CPU) and memory utilization)”) ([HAMDI, para. 0138] “In response to the received parameter values (or the computed deviation values), the controller engine 310 (or asset profiling engine 312) can determine one or more states of operation of the target asset (step 970). The one or more states of operation can be indicative of whether the asset is under stress (e.g., one or more resources' usage exceeding threshold value(s) for at least a specified time duration)”) ([HAMDI, para. 0141] “perform a second comparison between the one or more second parameter values and one or more second criteria or threshold values (step 960).”) However, BOTT-HAMDI does not teach “an indication of temperature relative to a third threshold, and an indication of a fan noise relative to a fourth threshold” In analogous teaching CASSINI teaches “an indication of temperature relative to a third threshold, and an indication of a fan noise relative to a fourth threshold” ([CASSINI, abstract] “The disclosure is related to a cooling system that includes a thermal sensor to determine a temperature in an interior of the computational device, a sensor to determine at least one of a noise level in proximity to the computational device”) ([CASSINI, para. 0052] “When the sensed interior casing temperature is less than a first temperature threshold or the measured ambient noise level is no more than a first noise threshold, the fan is operated in accordance with the fan lookup table regardless of the measured ambient noise level.”) ([CASSINI, para. 0078] “the fan speed can be decreased in response to ambient noise falling below an ambient noise threshold or a person being sensed in spatial proximity to the computational device 100. This will reduce the fan noise when the user is most sensitive to noise.”). Thus, given the teaching of CASSINI, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of monitoring of the temperature and fan noise by CASSINI into a device for monitoring data traffic to each computing device of a group of computing devices by BOTT-HAMDI. One of ordinary skill in the art would have been motivated to do so because CASSINI recognizes the need to monitor temperature ([CASSINI, para. 0002] “As processors, graphics cards, RAM and other components in computers have increased in speed and power consumption, the amount of heat produced by these components, as a side-effect of normal operation, has also increased. These components need to be kept within a specified temperature range to prevent overheating”) ([CASSINI, para. 0015] “The present disclosure can provide a number of advantages depending on the particular aspect, embodiment, and/or configuration. The fan control system can selectively run at a certain fan noise level when there is ambient noise present, measured, and controlled by multiple sensors. The system can cool down computational devices and components thereof more than the conventional methodology”) Pertinent Art The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. WU (US-10917424-B2): This prior art teaches of computer-implemented systems for determination of anomalous data are provided. In a computer-implemented method, a plurality of data packets is received within a predetermined time period, the plurality of data packets comprising a data structure. A historical distribution of historical data including the data structure as the data packets is determined. The plurality of data packets is compared to the historical distribution to generate a comparison result. If it is determined that data anomaly exists in the plurality of data packets according to the comparison result, an alert indicating the data anomaly is generated. BALABINE (US-20180337836-A1): This prior art teaches of systems and methods for detecting anomalies in computer network traffic with fewer false positives and without the need for time-consuming and unreliable historical baselines. Upon detection, traffic anomalies can be processed to determine valuable network insights, including health of interfaces, devices and network services, as well as to provide timely alerts in the event of attack. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.A./ 05/25/2026 /AFAQ ALI/Examiner, Art Unit 2434 /NOURA ZOUBAIR/Primary Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

Jun 17, 2024
Application Filed
Nov 19, 2025
Non-Final Rejection mailed — §101, §103
Feb 17, 2026
Response Filed
May 29, 2026
Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665926
System And Methods Of Defense Against DDoS Attacks For Applications On A Multi-Substrate Multi-Ingress Shared Infrastructure With Multiple Cloud Architectures
1y 9m to grant Granted Jun 23, 2026
Patent 12639404
Authorization of Access Rights Licenses
2y 2m to grant Granted May 26, 2026
Patent 12627679
CYBER SECURITY SYSTEM APPLYING NETWORK SEQUENCE PREDICTION USING TRANSFORMERS
2y 3m to grant Granted May 12, 2026
Patent 12585791
ENCRYPTED COMMUNICATION METHOD AND ELECTRONIC DEVICE
3y 7m to grant Granted Mar 24, 2026
Patent 12572656
CONTROL FLOW INTEGRITY MONITORING BASED INSIGHTS
3y 2m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+13.3%)
2y 5m (~4m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 137 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month