Prosecution Insights
Last updated: July 17, 2026
Application No. 18/745,652

CONTROLLER-BASED NETWORK ROUTING BASED ON NETWORK DEVICE SECURITY CAPABILITIES

Final Rejection §101§103
Filed
Jun 17, 2024
Examiner
ZOUBAIR, NOURA
Art Unit
2434
Tech Center
2400 — Computer Networks
Assignee
NVIDIA Corporation
OA Round
2 (Final)
73%
Grant Probability
Favorable
3-4
OA Rounds
7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 73% — above average
73%
Career Allowance Rate
262 granted / 360 resolved
+14.8% vs TC avg
Strong +62% interview lift
Without
With
+61.7%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
12 currently pending
Career history
377
Total Applications
across all art units

Statute-Specific Performance

§101
0.8%
-39.2% vs TC avg
§103
90.9%
+50.9% vs TC avg
§102
5.8%
-34.2% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 360 resolved cases

Office Action

§101 §103
DETAILED ACTION -Claims 1, 3, 5-7, 9, 14, and 16 are amended. -Claims 1-20 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s Remarks filed on 3/9/2026 have been fully considered. With respect to the 101 rejection, the arguments were not found to be persuasive because the amendments do not integrate the abstract ideas into a practical application and do not add elements that amount to significantly more than the abstract ideas. With respect to the 103 rejection, the arguments are moot in view of the new ground of rejection. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 USC 101 because they are directed to abstract ideas without significantly more. The claims recite sending and receiving data between generic computer elements. This judicial exception is not integrated into a practical application because receiving a routing table in itself does not provide a benefit or a practical application. Although Claims 12-13 recite modifying a routing table based on security capabilities, it is not clear how the routing table is modified or how that would help avoid a threat or risk or ensure safe communication. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Agrawal et al (US Pub.No.2023/0054738) in view of Ravinoothala et al (US Pub.No.2016/0294612), hereinafter Ravi. Re Claim 1. Agrawal discloses a system for a first network device comprising: a memory; and one or more processors, coupled to the memory, to: determine, at the first network device, security capabilities of the first network device; transmit the security capabilities of the first network device to a centralized network controller (i.e. when a device boots up, the device can identify different security features of the network device (e.g., file system level security, hardware level security, image security etc.) and generate security information to be stored in the TPM. A verifier device ensures that information in the TPM is secured. As an example, a verifier device can be a separate device that analyzes hashes of the software identities loaded from firmware, hashes of loaded operating system files, specific log information, …………….. the verifier device may advertise the security information of the network device to other nodes (e.g., network nodes)…….) [Agrawal, para.0049, Note: the TPM may be interpreted as a centralized network controller]; and receive, from the [centralized] network controller, a first routing table [generated by the centralized controller for the first network device], and reflecting the security capabilities of the first network device (i.e. determine whether one or more neighboring network nodes that satisfies the security requirement based on the security information (e.g., which can be received from the verifier device) that corresponds to the respective neighbor network node……………….when the one or more network nodes satisfies the security requirement, advertise the route to the one or more network nodes that satisfy the security requirement. When a route is not advertised to a particular network node, a route to that particular network node is not stored in the corresponding routing table) [Agrawal, para.0054-0056, Note: Examiner interprets the node that determines and advertises the route as a network controller node; also note that the nodes listed in the routing table will receive the routing table from the controller node, and the table reflects the security capabilities of the network nodes in the table because nodes in the table are those that have the required security capabilities]. Agrawal does not explicitly disclose that the verifier device is the same as the node device that identifies its security features, however Agrawal, as cited above, states that verifier device can be a separate device, therefore it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Agrawal to include that that the verifier device and the node device are the same because the above statement of Agrawal suggests that it may or may not be the same device. The same rationale applies also to the dependent claims. Agrawal does not explicitly disclose whereas Ravi does: receive, from the centralized network controller, a first routing table generated by the centralized controller for the first network device (i.e. the routing protocol control plane is configured with an initial routing table (i.e., RIB) for the SRs generated by the centralized network controller) [Ravi, para.0070-0073]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Agrawal with Ravi in order to remove duplicative information and updates the respective routing tables [Ravi, para.0006]. Re Claim 2. Agrawal in view of Ravi discloses the system of claim 1, wherein the security capabilities of the first network device comprise at least one of: interface-level encryption capabilities; encryption-technology specific capabilities; secure boot capabilities; cryptographic signature capabilities; software version information; or firmware version information (i.e. sufficient security can be identified based various software and hardware analyses such as identification of authentic hardware, authentic firmware, boot integrity verification, file system verification, omission of content in a denial list, verification of a unique identity………..when a device boots up, the device can identify different security features of the network device (e.g., file system level security, hardware level security, image security etc.) and generate security information to be stored in the TPM. A verifier device ensures that information in the TPM is secured. As an example, a verifier device can be a separate device that analyzes hashes of the software identities loaded from firmware, hashes of loaded operating system files, specific log information, to generate a numeric score or numeric scores) [Agrawal, para.0043, 0049]. Re Claim 3. Agrawal in view of Ravi discloses the system of claim 1, wherein the one or more processors are further to receive, from the centralized network controller, a second routing table generated by the centralized network controller for a second network device, and reflecting the security capabilities of the first network device and security capabilities of a second network device (i.e. the switch 405 transmits a message 438 to the switch 415 advertising the route to the sensitive subnet 425…………………after the switch 415 determines it can route the traffic to the sensitive subnet 425 based on other intervening network nodes, which are not illustrated, the switch 415 responds to the routing advertisement in ROA request 432 to indicate that a path exists that satisfies the security requirement, thereby causing the switch 405 to record the route in its routing table) [Agrawal, para.0063, Fig.4, Note: in this embodiment the controller is switch 405, the first network node is switch 415 and the intervening nodes which are added to the routing table to obtain a second routing table are second network devices and therefore switch 415 will receive the second routing table that includes the new route and the second routing table reflects the security capabilities of all the nodes on the path, because only secure nodes are included in the path]. Re Claim 4. Agrawal in view of Ravi discloses the system of claim 3, wherein the second routing table further reflects security metrics of the second network device (i.e. the security requirement may require that network traffic be routed through switches having security features to prevent tampering with the network data. The switch 405 also determines whether to advertise the route to neighboring switches based on whether the switches have sufficient level of security) [Agrawal, para.0062, Note: the routing table reflects security features such as tamper proof and also reflects that the nodes in the routing table have a specific security level/metric]. Re Claim 5. Agrawal in view of Ravi discloses the system of claim 1, wherein the one or more processors are further to: determine, at the first network device, security metrics of the first network device; transmit the security metrics of the first network device to the centralized network controller (i.e. various network nodes (e.g. first edge switch 222, second edge switch 224, first edge switch 230, second edge switch 232, third edge switch 234, intradomain switch 240, intradomain switch 242, switch 250, etc.) can include a TPM module that securely stores security level information. The TPM securely stores artifacts (e.g., passwords, certificates, encryption keys, platform measurements, etc.) that are used to provide secure authentication (e.g., ensuring that the platform can prove that it is what it claims to be) and attestation (e.g., proving that a platform is trustworthy and has not been breached). In some examples, when a device boots up, the device can identify different security features of the network device (e.g., file system level security, hardware level security, image security etc.) and generate security information to be stored in the TPM. A verifier device ensures that information in the TPM is secured. As an example, a verifier device can be a separate device that analyzes hashes of the software identities loaded from firmware, hashes of loaded operating system files, specific log information, to generate a numeric score or numeric scores (e.g., a numeric score for each analysis). In some examples, the verifier device may advertise the security information of the network device to other nodes…………………….. the security requirement can be a Boolean flag requiring that each network node include a TPM. However, the security requirement can be any suitable value that can be used to facilitate identifying a score to identify a route. For instance, the switches may be located in particular countries, and the country can affect the score based on regulations, legislation, and other requirements. The security score can also be affected by hardware and software features) [Agrawal, para.0049, 0068]; and receive, from the centralized network controller, a second routing table reflecting the security capabilities of the first network device and the security metrics of the first network device (i.e. the switch 405 transmits a message 438 to the switch 415 advertising the route to the sensitive subnet 425…………………after the switch 415 determines it can route the traffic to the sensitive subnet 425 based on other intervening network nodes, which are not illustrated, the switch 415 responds to the routing advertisement in ROA request 432 to indicate that a path exists that satisfies the security requirement, thereby causing the switch 405 to record the route in its routing table) ……………the security requirement may require that network traffic be routed through switches having security features to prevent tampering with the network data. The switch 405 also determines whether to advertise the route to neighboring switches based on whether the switches have sufficient level of security) [Agrawal, para.0062-0063, Note: the routing table reflects security features such as tamper proof and also reflects that the nodes in the routing table have a specific security level/metric]. Re Claim 6. Agrawal in view of Ravi discloses the system of claim 5, wherein the one or more processors are further to: determine, at the first network device, second security metrics of the first network device; transmit the second security metrics of the first network device to the centralized network controller; and receive, from the centralized network controller, a third routing table reflecting the security capabilities of the first network device [Agrawal, para.0049, 0054-0056], and the second security metrics of the first network device, wherein the second security metrics of the first network device failed to satisfy a security metrics criterion (i.e. receiving instruction indicating that a certificate associated with the digital signature is revoked; and updating the routing table to exclude routes to the IP address prefix…………) [Agrawal, para.0016], (i.e. the security requirement can be any suitable value that can be used to facilitate identifying a score to identify a route) [Agrawal, para.0068]. Re Claim 7. In a manner similar to the rejection of claim 1, Agrawal in view of Ravi discloses the features of claim 7. Re Claim 8. Agrawal in view of Ravi discloses the system of claim 7, wherein the first security capabilities of the first network device comprise at least one of: interface-level encryption capabilities; encryption-technology specific capabilities; secure boot capabilities; cryptographic signature capabilities; software version information; or firmware version information (i.e. sufficient security can be identified based various software and hardware analyses such as identification of authentic hardware, authentic firmware, boot integrity verification, file system verification, omission of content in a denial list, verification of a unique identity………..when a device boots up, the device can identify different security features of the network device (e.g., file system level security, hardware level security, image security etc.) and generate security information to be stored in the TPM. A verifier device ensures that information in the TPM is secured. As an example, a verifier device can be a separate device that analyzes hashes of the software identities loaded from firmware, hashes of loaded operating system files, specific log information, to generate a numeric score or numeric scores) [Agrawal, para.0043, 0049]. Re Claim 9. Agrawal in view of Ravi discloses the system of claim 7, wherein the one or more processors are further to: receive, at the centralized network controller, second security capabilities of a second network device; generate a second routing table for the second network device based on the second security capabilities of the second network device; and transmit the second routing table to the second network device [Agrawal, 0049, 0054-0056, in the same manner as in the rejection of claim 1, teaches these features with respect to a second device of the devices in Fig.2 since the devices are similar]. Re Claim 10. Agrawal in view of Ravi discloses the system of claim 9, wherein the one or more processors are to generate the first routing table for the first network device further based on the second security capabilities of the second network device (i.e. In some examples, the switch 405 may record the route when advertising the route, or may record the route when the switch 415 responds to the advertisement. For example, after the switch 415 determines it can route the traffic to the sensitive subnet 425 based on other intervening network nodes, which are not illustrated, the switch 415 responds to the routing advertisement in ROA request 432 to indicate that a path exists that satisfies the security requirement, thereby causing the switch 405 to record the route in its routing table) [Agrawal, para.0063, Note: a routing table for a current device is determined based on the security features of at least a next device that will receive the message ]. Re Claim 11. Agrawal in view of Ravi discloses the system of claim 9, wherein the one or more processors are to generate the second routing table for the second network device further based on the first security capabilities of the first network device (i.e. In some examples, the switch 405 may record the route when advertising the route, or may record the route when the switch 415 responds to the advertisement. For example, after the switch 415 determines it can route the traffic to the sensitive subnet 425 based on other intervening network nodes, which are not illustrated, the switch 415 responds to the routing advertisement in ROA request 432 to indicate that a path exists that satisfies the security requirement, thereby causing the switch 405 to record the route in its routing table) [Agrawal, para.0063, Note: a routing table for a current device is determined based on the security features of at least a previous device that will transmit the message ]. Re Claim 12. Agrawal in view of Ravi discloses the system of claim 9, wherein the one or more processors are further to: receive security metrics of the first network device; determine that the security metrics fail to satisfy a security metrics criterion; modify the first routing table for the first network device based on the security metrics; and transmit the modified first routing table to the first network device (i.e. receiving instruction indicating that a certificate associated with the digital signature is revoked; and updating the routing table to exclude routes to the IP address prefix……………….advertising the route to the one or more network nodes that satisfy the security requirement) [Agrawal, para.0016, 0023]. Re Claim 13. Agrawal in view of Ravi discloses the system of claim 12, wherein the one or more processors are further to: modify the second routing table for the second network device based on the security metrics of the first network device (i.e. the EE certificate that signs the ROA may be revoked for various reasons (e.g., an EE sub-divides its IP addresses and assigns the IP address to another EE, the certificate expires, the EE revokes the certificate due for security reasons, the CA issues a new CA certificate). To that end, it is desired that only the routes associated with that particular EE can be revoked without affecting other routes. Accordingly, a revocation message 448 may be received by the switch 405 and the switch 405 may revoke routes that correspond to the security requirement) [Agrawal, para.0046-0047, Note: it is interpreted that for routes containing node EE, all nodes that precede or that are subsequent to EE, in a particular route, would be revoked and modified because the existing route which contains EE would no longer be valid based on the certificate being revoked]; and transmit the modified second routing table to the second network device (i.e. advertising the route to the one or more network nodes that satisfy the security requirement) [Agrawal, para.0016, 0023]. Re Claims 14-20. These claims are similar to claims 7-13 and therefore they are similarly rejected. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /NOURA ZOUBAIR/Primary Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

Show 2 earlier events
Jan 29, 2026
Interview Requested
Feb 10, 2026
Applicant Interview (Telephonic)
Feb 10, 2026
Examiner Interview Summary
Mar 09, 2026
Response Filed
Apr 22, 2026
Final Rejection mailed — §101, §103
May 28, 2026
Interview Requested
Jun 10, 2026
Applicant Interview (Telephonic)
Jun 10, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682022
SYSTEM, METHOD, AND COMPUTER PROGRAM PRODUCT FOR WORKSPACE CREATION IN EMBEDDED APPLICATIONS
3y 6m to grant Granted Jul 14, 2026
Patent 12682389
SECURE EMAIL AUTHENTICATION SYSTEM FOR COMPLETING E-COMMERCE TRANSACTIONS
1y 7m to grant Granted Jul 14, 2026
Patent 12665934
CYBERSECURITY AI-DRIVEN WORKFLOW GENERATION USING POLICIES
2y 0m to grant Granted Jun 23, 2026
Patent 12647454
TIMEOUT HANDLING FOR VIRTUAL DEVICES
3y 9m to grant Granted Jun 02, 2026
Patent 12647459
HETEROGENOUS NETWORK DEVICE EXTENSION AND STANDARDIZATION WITH DEVICE INSTRUMENTATION
2y 10m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
73%
Grant Probability
99%
With Interview (+61.7%)
2y 8m (~7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 360 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month