Prosecution Insights
Last updated: April 19, 2026
Application No. 18/772,026

SECURE FIREWALL CONFIGURATIONS

Office Action: Non-Final, §103 and §112
Filed: Jul 12, 2024
Examiner: ZARRINEH, SHAHRIAR
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: Sophos Limited
OA Round: 1 (Non-Final)

Grant Probability: 79% (Favorable)
Expected OA Rounds: 1-2
Expected Time to Grant: 2y 8m
Grant Probability With Interview: 87%

Examiner Intelligence

Career Allow Rate: 79% (341 granted / 433 resolved; +20.8% vs TC avg; above average)
Interview Lift: +7.8% (moderate, roughly +8%; measured on resolved cases with interview)
Avg Prosecution: 2y 8m (typical timeline); 59 currently pending
Career History: 492 total applications across all art units

Statute-Specific Performance (based on career data from 433 resolved cases; Tech Center average is an estimate)

§101: 7.4% (-32.6% vs TC avg)
§103: 52.2% (+12.2% vs TC avg)
§102: 11.9% (-28.1% vs TC avg)
§112: 16.2% (-23.8% vs TC avg)

Office Action

§103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This office action is in response to the application filed on 02/06/2025. Claims 1-20 are cancelled. Claims 21-40 are newly added. Claims 21-40 are pending.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Terminal Disclaimer

The terminal disclaimer filed on 11/12/2025 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent Application Nos. 12039036, 11620396, and 11093624 has been reviewed and is accepted. The terminal disclaimer has been recorded.

Specification

The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant's cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION. —The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 21-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

Claims 21, 23, and 38 recite “compute instance of an enterprise network”, “tamper protection cache shadowing information”, and “security state of the compute instance”, which renders the claims indefinite, because these terms are not clearly defined in the Applicant's claimed limitations: what does the compute instance mean? Which cache does the cache shadowing shadow? What does the security state of the compute instance mean? One of ordinary skill in the art would not be reasonably apprised of the scope of the invention, since the intended scope of the invention is not clear. As a result, the metes and bounds of the claims are not clear and the examiner is unable to search for appropriate prior art. The examiner maps the limitations under the broadest reasonable interpretation.

Claims 22, 24-37, and 39-40 do not cure the deficiency of claims 21, 23, and 38 and are rejected under 35 USC 112, 2nd paragraph, for their dependency upon claims 21, 23, and 38.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL. —The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 21-40 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. Claims 21, 23, and 38 recite “compute instance of an enterprise network”, “tamper protection cache shadowing information”, and “security state of the compute instance”; claim 1 recites “aggregating the process activity recorded in the number of process caches into an enterprise network process record, …”; claim 23 recites “aggregating the process activity recorded in at least one of the number of process caches into a security state for the compute instance”; and claim 38 recites “a memory configured to store a security state for the compute instance based on the process activity recorded in the number of process caches”. These limitations were not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant is kindly requested to show the examiner support in the original disclosure for the new or amended claims. See MPEP 714.02 and 2163.06 (“Applicant should specifically point out the support for any amendments made to the disclosure”).

Claims 22, 24-37, and 39-40 do not cure the deficiency of claims 21, 23, and 38 and are rejected under 35 USC 112, 1st paragraph, for their dependency upon claims 21, 23, and 38.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 21-25 and 29-40 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 2011/0010723 issued to OKABE, in view of US Patent Application No. 2017/0249462 issued to Permeh, further in view of US Patent No. 2017/0237749 issued to Wood, and further in view of US Patent No. 2010/0212010 issued to Stringer.

Regarding claim 21, OKABE discloses monitoring a number of process caches on a compute instance of an enterprise network [Abstract: an information processing apparatus has a communication unit to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space, and a log recording unit to record a log of the inter-process communication within the kernel space; see FIG. 5, log buffer (#500)], and [¶¶16-17: According to one aspect of the present invention, there is provided an information processing apparatus comprising a communication unit configured to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording unit configured to record a log of the inter-process communication within the kernel space]; and wherein the number of process caches record process activity for a number of user-space processes executing on the compute instance [¶¶16-17: According to one aspect of the present invention, there is provided an information processing apparatus comprising a communication unit configured to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording unit configured to record a log of the inter-process communication within the kernel space. According to one aspect of the present invention, there is provided an information processing method, comprising performing, by a computer, an inter-process communication via a kernel space among a plurality of processes existing in a user space; and recording, by the computer, a log of the inter-process communication within the kernel space], and [Abstract, and see FIG. 5 and corresponding text for more details, user space (#130)]; and the number of user-space processes are related to an application executing on the compute instance [¶5: An information processing apparatus is not formed by a single program set but is segmented into a plurality of modules that are called processes and execute coordinated operations. The processes communicate with each other in order to execute the coordinated operations. Such a communication between the processes is referred to as an Inter-Process Communication (IPC), and a socket is one type of implementation (API: Application Programming Interface) of the IPC], and [¶18: According to one aspect of the present invention, there is provided a computer-readable storage medium that stores a program which, when executed in a computer, causes the computer to perform a process comprising a communication procedure causing the computer to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording procedure causing the computer to record a log of the inter-process communication within the kernel space], and [see FIGs. 4 and 6 and corresponding text for more detail; FIG. 6: FTP, HHTP, NFS, smb (name of the application)]; and the process activity includes at least a name, a process identifier, and a path for each of the number of user-space processes, a first one of the number of process caches is an operating system process cache for an operating system of the compute instance [see FIG. 5 and corresponding text for more details, ¶¶35-36: a description will be given of a socket log acquisition within the Operating System (OS), that is, the kernel 170. In this embodiment, the log is acquired in a kernel space 140 within the OS. Various IPC implementation systems exist, but it is assumed for the sake of convenience that this embodiment uses a Berkeley Software Distribution (BSD) socket. FIG. 5 is a diagram for explaining an operation of the information processing apparatus 100 in this embodiment. When the client process 150 sends a message to a server process 160, the client process 150 first prepares a message packet, as indicated by "write()". The message packet is not sent from the client process 150 within a user space 130 directly to the server process 160 but is first delivered to a reception buffer 111 of a socket 110 of an Operating System (OS) within the kernel space 140. The kernel includes the message packet by a mbuf buffer 180, as indicated by "include message by mbuf" …], and [see FIG. 2 and corresponding text for more details, ¶7: FIG. 2 is a diagram illustrating an example of the external structure of the message packet. The message packet illustrated in FIG. 2 is formed by an IPC packet that includes a header part and a message part. The header part precedes the message part and includes a type indicating an API identification number (API-ID number) of the server authoriprocess 12 that is called by the IPC, a packet size indicating an overall size of the IPC packet, and a sender indicating a process number of the source that sent the message packet. The message part includes a body of data to be sent (that is, sending data)]; and aggregating the process activity recorded in the number of process caches into an enterprise network process record [see FIGs. 5 and 9 and corresponding text for more detail, LOG BUFFER (#500), ¶61: FIG. 9 illustrates an example where the upper mbuf buffer 180 includes no log mark and data of a format other than IPC, and the lower mbuf buffer 180 includes a log mark and IPC format data. No log is recorded at a log point for the upper mbuf buffer 180, while a log is recorded at the log point for the lower mbuf buffer 180 and recorded in the log buffer 500. By employing such a log acquisition and recording system, it is possible to make only the IPC packet related to the IPC the log acquisition target, among the packets passing the general socket system].

OKABE does not explicitly disclose, however, Permeh discloses: a second one of the number of process caches is a tamper protection cache shadowing information in the operating system process cache, and the second one of the number of process caches is cryptographically secured against tampering with reference to a trust authority external to the operating system [¶14: The tamper resistant feature can include data compression and signing with a public key and/or enciphering of a combination of the data container plus a signature comprising the public key…. Each data container of the series of data containers in the audit log can be encrypted and the forensic data can be written to the current data container in an append-only manner.], and [¶¶31-32: the local data store (e.g. an audit log) can be encrypted such that the harvested data contained therein are protected from alteration and so that the data cannot be readily accessed or otherwise compromised during or after a threat or other event that may require further analysis. A local audit log consistent with implementations of the current subject matter can also be protected against tampering (e.g. deletion of all or part of the data contained therein) by one or more tamper resistant features. Maintaining the audit log as a series or chain of linked data containers, each of which is encrypted and further secured by a cryptographic fingerprint, is one non-limiting example of a tamper resistant feature that can provide these protections….], and [¶56: Data containers (e.g. one or more files within which a local data store and/or audit log is maintained) can also be protected against tampering consistent with implementations of the current subject matter through kernel enforced access control], and [¶34: Other forms of tamper resistant features can also be used for the data containers. For example, each data container can also be compressed and signed with a public key (e.g. using RSA-4096 or some similar approach)], and [see Fig. 2 and corresponding text for more details, Audit log (105), local cache (220), ¶¶39-40], [¶¶10-12, 25-26]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE with the teaching of Permeh in order for protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache and protect against tampering [Permeh, ¶14, 31].

OKABE and Permeh do not explicitly disclose, however, Wood discloses: the enterprise network process record including a security state of the compute instance for use in selecting a firewall rule for a firewall for the compute instance, and selecting a firewall rule for the firewall based on the enterprise network process record [Abstract: The system uses a firewall to block data packets to and from web addresses that are not owned by the maker of the application, are not trusted by the consensus trusted computing devices, or are blocked by selection by a user of the computing device], and [¶8: the system also includes a firewall to intercept data packets sent to or from the browser software application. The firewall blocks data packets that are not being sent to or from the open web address or to or from the at least one connection of the open web address], and [¶17: The firewall blocks the at least one other connection if the at least one other connection does not meet a reputation threshold as determined by the reputation engine. The at least one other connection includes one or more connections that are not the open web address or the at least one connection to the open web address], and [¶126: The firewall component (901) can be implemented as a kernel driver; and the interface to the display (904) can be a higher-level process or program communicating with the kernel driver], and [¶¶7, 76, 114]. It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Okabe and Permeh because the teaching of Wood would enable providing a system and method for detecting and blocking data packets to and from browser software applications and/or non-browser software applications operating on a computing device [Wood, ¶2].

OKABE, Permeh, and Wood do not explicitly disclose, however, Stringer discloses: a computer program product for process-based management of network traffic comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices of a threat management facility, causes the threat management facility to perform the steps of [see FIG. 1 and corresponding text for more detail: a block diagram of a threat management facility providing protection to an enterprise against a plurality of threats], [¶68: The security management facility 122 may be directed at preventing data leakage from an enterprise. The policy management facility 112 may be directed at maintaining and updating policies, rules, or the like and may include a database of such. The network access rules facility 124 may contain rules that are directed at controlling network traffic and network access]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Permeh, and Wood with the teaching of Stringer in order to implement a threat management facility for providing protection to an enterprise against a plurality of threats [Stringer, ¶10].

Regarding claim 22, OKABE, Permeh, and Stringer do not explicitly disclose, however, Wood discloses wherein the firewall rule includes a network security rule applied to communications by the compute instance at the firewall based on the security state of the compute instance [Abstract: The system uses a firewall to block data packets to and from web addresses that are not owned by the maker of the application, are not trusted by the consensus trusted computing devices, or are blocked by selection by a user of the computing device], and [¶8: the system also includes a firewall to intercept data packets sent to or from the browser software application. The firewall blocks data packets that are not being sent to or from the open web address or to or from the at least one connection of the open web address], and [¶17: The firewall blocks the at least one other connection if the at least one other connection does not meet a reputation threshold as determined by the reputation engine. The at least one other connection includes one or more connections that are not the open web address or the at least one connection to the open web address], and [¶126: The firewall component (901) can be implemented as a kernel driver; and the interface to the display (904) can be a higher-level process or program communicating with the kernel driver], and [¶¶7, 76, 114]. It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Okabe, Permeh, and Stringer because the teaching of Wood would enable providing a system and method for detecting and blocking data packets to and from browser software applications and/or non-browser software applications operating on a computing device [Wood, ¶2].

Regarding claim 23, the claim is interpreted and rejected for the same rationale set forth in claim 21.

Regarding claim 24, OKABE, Permeh, and Stringer do not explicitly disclose, however, Wood discloses, further comprising applying the firewall rule at the firewall to manage network traffic by the compute instance [Abstract: The system uses a firewall to block data packets to and from web addresses that are not owned by the maker of the application, are not trusted by the consensus trusted computing devices, or are blocked by selection by a user of the computing device], and [¶8: the system also includes a firewall to intercept data packets sent to or from the browser software application. The firewall blocks data packets that are not being sent to or from the open web address or to or from the at least one connection of the open web address], and [¶17: The firewall blocks the at least one other connection if the at least one other connection does not meet a reputation threshold as determined by the reputation engine. The at least one other connection includes one or more connections that are not the open web address or the at least one connection to the open web address], and [¶126: The firewall component (901) can be implemented as a kernel driver; and the interface to the display (904) can be a higher-level process or program communicating with the kernel driver], and [¶¶7, 76, 114]. It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Okabe and Permeh because the teaching of Wood would enable providing a system and method for detecting and blocking data packets to and from browser software applications and/or non-browser software applications operating on a computing device [Wood, ¶2].

Regarding claim 25, OKABE discloses wherein the security state includes an exposure state of the compute instance [¶55: By providing the log points C, S, and K described above, it becomes possible to debug the packet distribution state within the kernel space 140. In addition, it is possible to check whether the packet entering the kernel space 140 from the user space 130 has arrived with a correct (or normal) format, as described above under "(1) Location Where Packets Are Sent from Client Process 150 To Client End Socket 110 Within OS", for example.
Regarding claim 29, OKABE, Wood, and Stringer do not explicitly disclose, however, Permeh discloses: wherein a change to the security state is conditionally authorized on the compute instance only when the change is requested by a protected object identified in the tamper protection cache [¶14: The tamper resistant feature can include data compression and signing with a public key and/or enciphering of a combination of the data container plus a signature comprising the public key…. Each data container of the series of data containers in the audit log can be encrypted and the forensic data can be written to the current data container in an append-only manner.], and [¶¶31-32: the local data store (e.g. an audit log) can be encrypted such that the harvested data contained therein are protected from alteration and so that the data cannot be readily accessed or otherwise compromised during or after a threat or other event that may require further analysis. A local audit log consistent with implementations of the current subject matter can also be protected against tampering (e.g. deletion of all or part of the data contained therein) by one or more tamper resistant features. Maintaining the audit log as a series or chain of linked data containers, each of which is encrypted and further secured by a cryptographic fingerprint, is one non-limiting example of a tamper resistant feature that can provide these protections….], and [¶56: Data containers (e.g. one or more files within which a local data store and/or audit log is maintained) can also be protected against tampering consistent with implementations of the current subject matter through kernel enforced access control], and [¶34: Other forms of tamper resistant features can also be used for the data containers. For example, each data container can also be compressed and signed with a public key (e.g. using RSA-4096 or some similar approach)], and [see Fig. 2 and corresponding text for more details, Audit log (105), local cache (220), ¶¶39-40], [¶¶10-12, 25-26]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Wood, and Stringer with the teaching of Permeh in order for protection and/or other prevention of corruption of the forensic data that are used to generate the audit log and local cache and protect against tampering [Permeh, ¶14, 3

Regarding claim 30, OKABE, Permeh, and Stringer do not explicitly disclose, however, Wood discloses: wherein the security state identifies the firewall rule for use by the firewall [Abstract: The system uses a firewall to block data packets to and from web addresses that are not owned by the maker of the application, are not trusted by the consensus trusted computing devices, or are blocked by selection by a user of the computing device], and [¶8: the system also includes a firewall to intercept data packets sent to or from the browser software application. The firewall blocks data packets that are not being sent to or from the open web address or to or from the at least one connection of the open web address], and [¶17: The firewall blocks the at least one other connection if the at least one other connection does not meet a reputation threshold as determined by the reputation engine. The at least one other connection includes one or more connections that are not the open web address or the at least one connection to the open web address], and [¶126: The firewall component (901) can be implemented as a kernel driver; and the interface to the display (904) can be a higher-level process or program communicating with the kernel driver], and [¶¶7, 76, 114]. It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Permeh, and Stringer because the teaching of Wood would enable providing a system and method for detecting and blocking data packets to and from browser software applications and/or non-browser software applications operating on a computing device [Wood, ¶2].

Regarding claim 31, OKABE discloses wherein the security state includes at least one of an application name, an application family, an application path, and an application category for one of the number of user-space processes [¶5: An information processing apparatus is not formed by a single program set but is segmented into a plurality of modules that are called processes and execute coordinated operations. The processes communicate with each other in order to execute the coordinated operations. Such a communication between the processes is referred to as an Inter-Process Communication (IPC), and a socket is one type of implementation (API: Application Programming Interface) of the IPC], and [¶18: According to one aspect of the present invention, there is provided a computer-readable storage medium that stores a program which, when executed in a computer, causes the computer to perform a process comprising a communication procedure causing the computer to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording procedure causing the computer to record a log of the inter-process communication within the kernel space], and [see FIGs. 4 and 6 and corresponding text for more detail; FIG. 6: FTP, HHTP, NFS, smb (name of the application)].

Regarding claim 32, OKABE discloses wherein the process activity includes one or more supporting processes for one of the number of user-space processes [¶5: An information processing apparatus is not formed by a single program set but is segmented into a plurality of modules that are called processes and execute coordinated operations. The processes communicate with each other in order to execute the coordinated operations. Such a communication between the processes is referred to as an Inter-Process Communication (IPC), and a socket is one type of implementation (API: Application Programming Interface) of the IPC], and [¶18: According to one aspect of the present invention, there is provided a computer-readable storage medium that stores a program which, when executed in a computer, causes the computer to perform a process comprising a communication procedure causing the computer to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording procedure causing the computer to record a log of the inter-process communication within the kernel space], and [see FIGs. 4 and 6 and corresponding text for more detail; FIG. 6: FTP, HHTP, NFS, smb (name of the application)], and [see FIG. 5, ¶¶35-36].

Regarding claim 33, OKABE discloses wherein the security state includes a process identifier for a process associated with a network communication at the firewall [¶5: An information processing apparatus is not formed by a single program set but is segmented into a plurality of modules that are called processes and execute coordinated operations. The processes communicate with each other in order to execute the coordinated operations. Such a communication between the processes is referred to as an Inter-Process Communication (IPC), and a socket is one type of implementation (API: Application Programming Interface) of the IPC], and [¶18: According to one aspect of the present invention, there is provided a computer-readable storage medium that stores a program which, when executed in a computer, causes the computer to perform a process comprising a communication procedure causing the computer to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording procedure causing the computer to record a log of the inter-process communication within the kernel space], and [see FIGs. 4 and 6 and corresponding text for more detail; FIG. 6: FTP, HHTP, NFS, smb (name of the application)], and [see FIG. 5, ¶¶35-36].

Regarding claim 34, Permeh and Stringer do not explicitly disclose, at the firewall, detecting a network communication between one of the number of user-space processes and a remote resource, and applying the firewall rule to the network communication. The combination of OKABE and Wood discloses this: OKABE discloses [¶¶5, 18; see FIGs. 4-6 and corresponding text; FIG. 6: FTP, HHTP, NFS, smb (name of the application); ¶¶35-36]; Wood discloses [Abstract, ¶¶7-8, 17, 76, 114, 126].

Regarding claim 35, OKABE discloses wherein the process activity includes at least one user for at least one of the number of user-space processes [¶5: An information processing apparatus is not formed by a single program set, but is segmented into a plurality of modules that are called processes and execute coordinated operations. The processes communicate with each other in order to execute the coordinated operations. Such a communication between the processes is referred to as an Inter-Process Communication (IPC), and a socket is one type of implementation (API: Application Programming Interface) of the IPC], and [¶18: According to one aspect of the present invention, there is provided a computer-readable storage medium that stores a program which, when executed in a computer, causes the computer to perform a process comprising a communication procedure causing the computer to perform an inter-process communication via a kernel space among a plurality of processes existing in a user space; and a log recording procedure causing the computer to record a log of the inter-process communication within the kernel space], and [see FIGs. 4 and 6 and corresponding text for more detail; FIG. 6: FTP, HHTP, NFS, smb (name of the application)].

Regarding claim 36, OKABE discloses wherein the process activity includes at least one process privilege for at least one of the number of user-space processes [¶¶5, 18; see FIGs. 4-6 and corresponding text; FIG. 6: FTP, HHTP, NFS, smb (name of the application); ¶¶35-36].

Regarding claim 37, OKABE, Wood, and Stringer do not explicitly disclose, however, Permeh discloses wherein the second one of the number of process caches persists one or more of the number of user-space processes after termination [¶¶31-32: the local data store (e.g. an audit log) can be encrypted such that the harvested data contained therein are protected from alteration and so that the data cannot be readily accessed or otherwise compromised during or after a threat or other event that may require further analysis. A local audit log consistent with implementations of the current subject matter can also be protected against tampering (e.g. deletion of all or part of the data contained therein) by one or more tamper resistant features. Maintaining the audit log as a series or chain of linked data containers, each of which is encrypted and further secured by a cryptographic fingerprint, is one non-limiting example of a tamper resistant feature that can provide these protections….], and [¶56: Data containers (e.g. one or more files within which a local data store and/or audit log is maintained) can also be protected against tampering consistent with implementations of the current subject matter through kernel enforced access control], and [¶34: Other forms of tamper resistant features can also be used for the data containers. For example, each data container can also be compressed and signed with a public key (e.g. using RSA-4096 or some similar approach)], and [see Fig. 2 and corresponding text for more details, Audit log (105), local cache (220), ¶¶39-40], [¶¶10-12, 25-26]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Wood, and Stringer with the teaching of Permeh to generate the audit log and local cache and protect against tampering [Permeh, ¶14, 31].

Regarding claim 38, the claim is interpreted and rejected for the same rationale set forth in claim 21.

Regarding claim 39, OKABE, Permeh, and Stringer do not explicitly disclose, however, Wood discloses, wherein the firewall includes at least one of an endpoint firewall, a gateway firewall, and an enterprise network firewall [Abstract: The system uses a firewall to block data packets to and from web addresses that are not owned by the maker of the application, are not trusted by the consensus trusted computing devices, or are blocked by selection by a user of the computing device], and [¶8: the system also includes a firewall to intercept data packets sent to or from the browser software application. The firewall blocks data packets that are not being sent to or from the open web address or to or from the at least one connection of the open web address], and [¶17: The firewall blocks the at least one other connection if the at least one other connection does not meet a reputation threshold as determined by the reputation engine.
The at least one other connection includes one or more connections that are not the open web address or the at least one connection to the open web address], and , and [¶126, The firewall component (901) can be implemented as a kernel driver; and the interface to the display (904) can be a higher-level process or program communicating with the kernel driver], and [¶¶7, 76,114]. It would have been obvious to a person skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Permeh, and Stringer because the teaching of Wood would enable to provide system and method for detecting and blocking data packets to and from browser software application and/or non-browser software applications operating on a computing device [Wood, ¶2] Regarding claim 40, OKABE, and Permeh do not explicitly disclose, wherein the firewall rule configuration facility executes on a threat management facility for the enterprise network, the threat management facility further comprising a communication interface that transmits the firewall rule to the firewall for use in managing the network traffic. However, the combination of Wood and Stinger discloses: Wood discloses: [Abstract, ¶¶7-8, 17, 76, 114, 126]. Stringer discloses: [ [see FIG. 1 and corresponding text for more detail, a block diagram of a threat management facility providing protection to an enterprise against a plurality of threats], [¶68, The security management facility 122 may be directed at preventing data leakage from an enterprise. The policy management facility 112 may be directed at maintaining and updating policies, rules, or the like and may include a database of such. The network access rules facility 124 may contain rules that are directed at controlling network traffic and network access], and [¶10]. Claims 26-28 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 2011/0010723 issued to OKABE, and in view of US Patent application no. 
2017/0249462 issued to permeh, and further in view of US Patent No.2017/0237749 issued to Wood, and further in view of US Patent No. 2010/0212010 issued to Stringer, and futher in view of Shribman (US2015/0067819). Regarding claim 26, OKABE, Permeh, Wood, and Stringer do not explicitly disclose, however, Shribman discloses wherein the security state is transmitted to the firewall as a secure heartbeat [¶157, Hearbeat. A heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a system. Usually, a heartbeat is sent between machines at a regular interval of an order of seconds. If a heartbeat is not received for a time--usually a few heartbeat intervals--the machine that should have sent the heartbeat is assumed to have failed. As used herein, a heartbeat is a periodic message, such as a `ping`, generated by devices connected to the Internet to indicate being `online` (connected to the Internet) and normal operation, and if a heartbeat is not received for a time, the device is assumed to be `offline` (not connected to the Internet). A heartbeat protocol is generally used to negotiate and monitor the availability of a resource, such as a floating IP address. Typically, when a heartbeat starts on a machine, it will perform an election process with other machines on the network to determine which machine, if any, owns the resource. The IETF RFC 6520 describes Heartbeat operation for the Transport Layer Security (TLS) and is incorporated in its entirety for all purposes as if fully set forth herein]. 
It would have been obvious to a person skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Permeh , Stringer, and Wood because the teaching of Shribman would enable to provide system and method for detecting and blocking data packets to and from browser software application and/or non-browser software applications operating on a computing device [Shribman, ¶2]. Regarding claim 27, OKABE, Permeh, Wood, and Stringer do not explicitly disclose, however, Shribman discloses wherein the secure heartbeat is digitally signed [¶430, In another example, a VPN is formed between the devices, and the tunneling or the VPN establishment is performed as part of the pre-connection phase. The tunnel endpoints are authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication, or any other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates, and permanently stores the key in order to allow a tunnel to establish automatically, without intervention from a user]. It would have been obvious to a person skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Permeh , Stringer, and Wood because the teaching of Shribman would enable to provide system and method for detecting and blocking data packets to and from browser software application and/or non-browser software applications operating on a computing device [Shribman, ¶2]. Regarding claim 28, OKABE, Permeh, Wood, and Stringer do not explicitly disclose, however, Shribman discloses wherein the secure heartbeat is encrypted. [¶430, In another example, a VPN is formed between the devices, and the tunneling or the VPN establishment is performed as part of the pre-connection phase. The tunnel endpoints are authenticated before secure VPN tunnels can be established. 
User-created remote-access VPNs may use passwords, biometrics, two-factor authentication, or any other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates, and permanently stores the key in order to allow a tunnel to establish automatically, without intervention from a user]. It would have been obvious to a person skill in the art before the effective filing date of the claimed invention to combine the teaching of OKABE, Permeh , Stringer, and Wood because the teaching of Shribman would enable to provide system and method for detecting and blocking data packets to and from browser software application and/or non-browser software applications operating on a computing device [Shribman, ¶2]. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See submitted 892 for more relevant references. Brandwine (US2014/ 0208097) discloses [¶14, Systems and methods in accordance with various embodiments of the present disclosure may overcome one or more of the foregoing or other deficiencies experienced in conventional approaches for securing data, such as the results obtained by performing operations in privileged systems (e.g., an operating system kernel, hypervisor etc.). In particular, various embodiments utilize a security scheme, such as asymmetric (or symmetric) cryptography, to secure data by including a key (e.g., public key) into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor can use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted or signed, such that any intermediate parties are not able to read the parameters and other information of the request unless those parties are authorized to view the request and/or have a copy of the key or other mechanism used to decrypt the request or otherwise tamper with the request. 
In accordance with an embodiment, the request is submitted to the kernel/hypervisor using a formalized set of interfaces (e.g., application programming interfaces (APIs)) that enables code to be securely added to and/or modified on the operating system (OS) kernel and/or the hypervisor. These interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime], and [See FIG.3 and corresponding text for more detail, kernel (306), Certificate Authority (310)]. Allen (US9507621) [ see FIGS. 4 and 5 and corresponding text for more detail, kernel data structure protection…. tamper-resistant kernel] PAL(US2015/0237025) [see FIGS.1, 2, 3 and 5 corresponding text for more details, Abstract]. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. 
For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SHAHRIAR ZARRINEH/ Primary Examiner, Art Unit 2496

Prosecution Timeline

Jul 12, 2024
Application Filed
Nov 26, 2025
Non-Final Rejection — §103, §112
Mar 10, 2026
Applicant Interview (Telephonic)
Mar 21, 2026
Examiner Interview Summary
Mar 30, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12587392
SECURE COMMUNICATION METHOD AND APPARATUS IN PASSIVE OPTICAL NETWORK
2y 5m to grant Granted Mar 24, 2026
Patent 12549527
MULTI-FACTOR AUTHENTICATION OF CLOUD-MANAGED SERVICES
2y 5m to grant Granted Feb 10, 2026
Patent 12547755
TECHNIQUES FOR SECURELY EXECUTING ATTESTED CODE IN A COLLABORATIVE ENVIRONMENT
2y 5m to grant Granted Feb 10, 2026
Patent 12543044
SYSTEMS AND METHODS OF AUTOMATIC OUT-OF-BAND (OOB) RESTRICTED CELLULAR CONNECTIVITY FOR SET UP PROVISIONING OF MANAGED CLIENT INFORMATION HANDLING SYSTEMS
2y 5m to grant Granted Feb 03, 2026
Patent 12511435
DEVICE AND METHOD FOR ENFORCING A DATA POLICY
2y 5m to grant Granted Dec 30, 2025


Prosecution Projections

1-2
Expected OA Rounds
79%
Grant Probability
87%
With Interview (+7.8%)
2y 8m
Median Time to Grant
Low
PTA Risk
Based on 433 resolved cases by this examiner. Grant probability derived from career allow rate.
