Prosecution Insights
Last updated: July 17, 2026
Application No. 18/758,329

SYSTEM AND METHOD OF ADVANCED EVENT RANKING AND CORRELATION FOR THREAT DETECTION

Non-Final OA §103
Filed
Jun 28, 2024
Examiner
GREENE, JOSEPH L
Art Unit
2443
Tech Center
2400 — Computer Networks
Assignee
Acronis International GmbH
OA Round
3 (Non-Final)
63%
Grant Probability
Moderate
3-4
OA Rounds
1y 11m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 63% of resolved cases
63%
Career Allowance Rate
351 granted / 558 resolved
+4.9% vs TC avg
Strong +37% interview lift
Without
With
+36.7%
Interview Lift
resolved cases with interview
Typical timeline
3y 12m
Avg Prosecution
34 currently pending
Career history
602
Total Applications
across all art units

Statute-Specific Performance

§101
2.3%
-37.7% vs TC avg
§103
90.1%
+50.1% vs TC avg
§102
4.7%
-35.3% vs TC avg
§112
1.8%
-38.2% vs TC avg
Black line = Tech Center average estimate • Based on career data from 558 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 1. Claims 1 – 20 are currently pending in this application. Claims 1 and 11 are amended as filed on 02/23/2026. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Murphey et al. (Pre-Grant Publication No. US 2019/0098032 A1), hereinafter Murphey, in view of Hebbagodi et al. (Pre-Grant Publication No. US 2023/0396641 A1), hereinafter Heb, in view of Whalen et al. (Pre-Grant Publication No. US 2024/0430276 A1), hereinafter Whelan, in view of Thomas et al. (Pre-Grant Publication No. US 2023/0114821 A1), hereinafter Thomas, and in further view of Drexl et al. (Patent No. US 11,948,163 B2), hereinafter Drexl. 2. With respect to claims 1 and 11, Murphy taught a method for adaptive threat detection in a computing system comprising a microprocessor, memory, and a plurality of endpoints (0181, where the processor and memory are given and where the plurality of endpoints can be seen in the ETDRs of 0003-0004), the method comprising: collecting events on the endpoints and sending the events to an event router (0105); processing the events on the event router under program control of the microprocessor in the form of a persistent event stream (0129, where the real-time nature implicitly teaches the persistent stream), scoring the events from the persistent event stream using at least a lookup tables (0243. See also the database table of 0072); processing events in a detection engine (0075), wherein the processing includes: detecting a first detection in the persistent event stream within a first time window (0139), correlating the registered first detection with other events in the persistent event stream within a second time window (0238-0239), and detecting a second detection of correlation with higher severity than the first detection (0238-0239); and registering a security incident when the second detection has a severity higher than a predefined threshold (0016 & figure 9B, where the registering of the incident is given). However, Murphy did not explicitly state wherein the processing includes: normalizing the events and assigning topics to the events to prioritize event enrichment operations and subsequent detection engine operations based on event scores; enriching generic events at an event enrichment unit with event data correlated with the generic events using at least one of the lookup tables or a machine learning model, wherein the enriching is prioritized according to the event score and at least one related topic; processing enriched scored events in a detection engine. On the other hand, Heb did teach wherein the processing includes: normalizing the events and assigning topics to the events to prioritize event enrichment operations and subsequent detection engine operations based on event scores (0122-0127); enriching generic events at an event enrichment unit with event data correlated with the generic events using at least one of the lookup tables or a machine learning model, wherein the enriching is prioritized according to the event score and at least one related topic (0061-0062); processing enriched scored events in a detection engine (0064). Both of the systems of Murphy and Heb are directed towards managing security threats and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy, to utilize the specifically listed normalization and enrichment operations, as taught by Heb, in order to efficiently detect security threats. However, the combination of Murphy and Heb did not explicitly state wherein the machine learning model utilized a serialized machine learning model or a baselining machine learning model [claim 11: both models required; wherein the baselining machine learning model, the serialized machine learning model, the lookup table, and the machine learning-based detection engine use the exact event data in exact event format. On the other hand, Whalen did teach wherein the machine learning model utilized a serialized machine learning model or a baselining machine learning model [claim 11: both models required] (0037, where the decision tree is a serialized machine learning model and K-means clustering is a baselining machine learning model); wherein the baselining machine learning model, the serialized machine learning model, the lookup table, and the machine learning-based detection engine use the exact event data in exact event format (0037, where the exact event data in exact event format is not a standardized term and generally refers to discrete, timestamped data and was thus, previously shown by Murphey: 0071). Both of the systems of Murphy and Whelan are directed towards managing security threats and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy, to utilize the specifically listed machine learning models, as taught by Heb, in order to utilize efficient models that were contemporary to the time of the invention. However, Murphy did not explicitly state the use of persistent event streams and that that exact data format was a standardized format; wherein normalizing the events further comprises converting the events into a standardized event format; wherein each event is scored to indicate a likelihood that the event represents a security threat; wherein the enriching includes incorporating at least one additional context for a given generic event; wherein the enriching is prioritized according to at least one topic of the generic event to create enriched scored events; publishing, by the event enrichment unit, the enriched scored events to the persistent event stream by joining standardized event data with the at least one additional context, wherein the persistent event stream is at least partially organized by topics; detecting a first detection in the persistent event stream within a short-term time window, the first detection comprising an immediate potential threat, tagging the first detection with a temporal marker for association in an event correlation lifetime, retrieving other events in the persistent event stream, correlating the registered first detection with the other events in the persistent event stream within a long-term time window according to the event correlation lifetime, wherein the registered first detection has a relationship to the other events by at least one of the standardized event data or the at least one additional context, and detecting a second detection using the correlating, wherein the second detection comprises a more complex potential threat with higher severity than the first detection. On the other hand, Thomas did teach the use of persistent event streams (0289) and that that exact data format was a standardized format (0270); wherein normalizing the events further comprises converting the events into a standardized event format (0270); wherein each event is scored to indicate a likelihood that the event represents a security threat (0265); wherein the enriching includes incorporating at least one additional context for a given generic event (0266); wherein the enriching is prioritized according to at least one topic of the generic event to create enriched scored events (0273); publishing, by the event enrichment unit, the enriched scored events to the persistent event stream by joining standardized event data with the at least one additional context, wherein the persistent event stream is at least partially organized by topics (0276-0277. See also, 0357); detecting a first detection in the persistent event stream within a short-term time window, the first detection comprising an immediate potential threat, tagging the first detection with a temporal marker for association in an event correlation lifetime, retrieving other events in the persistent event stream, correlating the registered first detection with the other events in the persistent event stream within a long-term time window according to the event correlation lifetime (0175, where the time window would include both short term and long term events based on the persistent stream under broadest reasonable interpretation), wherein the registered first detection has a relationship to the other events by at least one of the standardized event data or the at least one additional context, and detecting a second detection using the correlating, wherein the second detection comprises a more complex potential threat with higher severity than the first detection (0175, where, at least, the correlated malware event is the second event). Both of the systems of Murphy and Thomas are directed towards systems for detecting security threats and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy to utilize specific event streaming and enrichment, as taught by Thomas, in order to more efficiently detect security threats. However, Murphy did not explicitly state wherein a first event having an event score higher than a second event is processed before the second event, and the publishing being such that at least one event when at least partially organized by topics is in a different order than as originally added to the persistent event stream by the grouping of the at least one event with one or more events having the same specific key corresponding to the organization by topic. On the other hand, Drexl did teach wherein a first event having an event score higher than a second event is processed before the second event (38:1-13), and the publishing being such that at least one event when at least partially organized by topics is in a different order than as originally added to the persistent event stream by the grouping of the at least one event with one or more events having the same specific key corresponding to the organization by topic (38:47-58). Both of the systems of Murphey and Drexl are directed towards systems for detecting managing event streams and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy to utilize specific event stream prioritization, as taught by Drexl, in order to more efficiently organizing event data for management/monitoring. 3. As for claims 2 and 12, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the events collected on endpoints include process start, file access, network connections, and registry changes (0103 & 0095). 4. As for claims 3 and 13, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the topics assigned to events include event attribute source, type, score or severity (0233, where this, at least, teaches the severity limitation). 5. As for claims 4 and 14, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the lookup tables used for scoring are generated based on historical event data stored in an event database configured to collect all events processed in the persistent event stream (0071-0072, the stored events in the database table). 6. As for claims 5 and 15, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Whelan taught wherein the baselining machine learning model is trained using historical event data to recognize normal behavior patterns and detect deviations (0037, where the K-means clustering and the apriori algorithms both use historical data as their input data sets and the detected normal behavior patterns is implicitly taught by a system that is looking for security threats, which are abnormal behavior patterns). 7. As for claims 6 and 16, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Heb taught wherein the event enrichment unit uses additional data sources including third-party threat intelligence feeds, system logs, network traffic data, and user behavior analytics for event enrichment (0107 & 0096: third-party sources and network traffic data, 0021: logs, 0070: behavior). 8. As for claims 7 and 17, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the first detection is registered based on predefined security rules applied to the enriched scored events (figure 9B, where the security rules are, at least, taught by the registered urgency). 9. As for claims 8 and 18, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the second time window for correlating events is dynamically adjusted based on the severity of the first engine detection (0184, where the urgency is based on threat detection algorithms. See also, the proactive severity monitoring tree of 0190 or 0233). 10. As for claims 9 and 19, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the second detection of higher severity is based on the aggregation of multiple correlated events and correlated events scores (0229). 11. As for claims 10 and 20, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Heb taught wherein the event enrichment unit prioritizes the enrichment of events based on event scores and related event topics (0061-0062). Response to Arguments Applicant’s arguments with respect to the claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (a) Martin et al. (Patent No. US 12,335,348 B1), 65:12-30, 93:54-67. (b) Brooks et al. (Patent No. US 10,109,021 B2), 1:51-67. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R. Taylor can be reached at 571 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JOSEPH L GREENE/Primary Examiner, Art Unit 2443
Read full office action

Prosecution Timeline

Show 6 earlier events
Nov 26, 2025
Final Rejection mailed — §103
Feb 23, 2026
Response after Non-Final Action
Mar 23, 2026
Request for Continued Examination
Apr 09, 2026
Response after Non-Final Action
Apr 16, 2026
Non-Final Rejection mailed — §103
Jul 03, 2026
Interview Requested
Jul 13, 2026
Examiner Interview Summary
Jul 13, 2026
Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682128
CONTROL SYSTEM WITH SECURITY MANAGEMENT DEVICE
3y 7m to grant Granted Jul 14, 2026
Patent 12659743
THIRD-PARTY CONTROL OF HEARING DEVICE, HEARING DEVICE AND RELATED METHODS
4y 0m to grant Granted Jun 16, 2026
Patent 12660134
VEHICULAR DRIVING ASSIST SYSTEM WITH INTEGRATED ADAS AND INFOTAINMENT CIRCUITRY
2y 9m to grant Granted Jun 16, 2026
Patent 12639799
FLIPPER APPARATUS AND OBJECT INSPECTION METHOD USING SAME
5y 5m to grant Granted May 26, 2026
Patent 12608503
SYSTEMS AND METHODS FOR SANITIZING SENSITIVE DATA AND PREVENTING DATA LEAKAGE USING ON-DEMAND ARTIFICIAL INTELLIGENCE MODELS
3y 6m to grant Granted Apr 21, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
63%
Grant Probability
99%
With Interview (+36.7%)
3y 12m (~1y 11m remaining)
Median Time to Grant
High
PTA Risk
Based on 558 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month