Prosecution Insights
Last updated: July 17, 2026
Application No. 18/788,700

ACCELERATED DATA MOVEMENT BETWEEN DATA PROCESSING UNIT (DPU) AND GRAPHICS PROCESSING UNIT (GPU) TO ADDRESS REAL-TIME CYBERSECURITY REQUIREMENTS

Non-Final OA §103
Filed
Jul 30, 2024
Priority
Apr 13, 2022 — continuation of 12/095,793
Examiner
NGUYEN, ANH
Art Unit
2458
Tech Center
2400 — Computer Networks
Assignee
Mellanox Technologies Ltd.
OA Round
2 (Non-Final)
78%
Grant Probability
Favorable
2-3
OA Rounds
9m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
288 granted / 367 resolved
+20.5% vs TC avg
Strong +26% interview lift
Without
With
+25.8%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
17 currently pending
Career history
393
Total Applications
across all art units

Statute-Specific Performance

§101
0.9%
-39.1% vs TC avg
§103
95.6%
+55.6% vs TC avg
§102
1.3%
-38.7% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 367 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This communication is in response to the amendment filed on 02/26/2026. Claims 1-20 are rejected. Response to Arguments Applicant's arguments, with respect to the rejection under 35. U.S.C 103, have been fully considered but they are not persuasive. Applicants are arguing in substance the following: Arguments to claims 1, 8, and 16: The prior art does not teach or suggest: “the hardware-accelerated security service is to extract a plurality of features from first data in the network traffic received on the network interface and telemetry data generated and stored by the acceleration hardware engine”. Response to the arguments of claims 1, 8, and 16: Villella teaches that the system may employ agents or system monitors that can operate on the individual root data sources to extract data entries from registers or records of the root data sources. Villella teaches telemetry data is extracted from registers (acceleration hardware engine). This telemetry data is generated and stored by the registers. That is, Villella teaches “the hardware-accelerated security service is to extract telemetry data generated and stored by the acceleration hardware engine”. Hong, in view of Villella teaches that collecting original packet data from data traffic transmitted over a network, (b) writing the collected original packet data in a memory ([see paragraph 0016]). In paragraph [0089], Hong teaches that at the same time, the data access module may extract metadata from the collected original packet data, and may write the metadata in a secured memory region of the memory unit. In these paragraphs and figure. 1, Hong teaches that the data access module 110 is to extract data from data traffic transmitted over a network. That is, Hong teaches the limitation “the hardware-accelerated security service is to extract a plurality of features from first data in the network traffic received on the network interface”. The combination of Villella and Hong teaches the entire limitation “the hardware-accelerated security service is to extract a plurality of features from first data in the network traffic received on the network interface and telemetry data generated and stored by the acceleration hardware engine.” As noted above, the combination of Villella and Hong teaches the applicant’s arguments. Villella [0013] further teaches that a machine-learning is used to execute on system data thereby substantially improving event detection and analysis. Villella teaches the machine learning uses to determine the malicious network attack (see [0019-0021]). Hong supplies further hardware elements, including a CPU and hardware-accelerated packet processing components that perform real-time data access and metadata extraction. Applicant also argues that Villella does not teach the specific DPU architecture (network interface, host interface, CPU, acceleration hardware engine) or accelerated pipeline hardware coupled to the DPU. However, the argument is not persuasive. Villella in [0051] teaches the system 10 includes computers within the computer network. A computer system, as obviously includes data processing unit and network interface to connect to network. Paragraph [0059-0060], fig. 5 further teaches that the processing pipeline 500 takes in system data (502) and pre-processes (504) the system data. The system data 502 includes a variety of types of data from monitored network software/firmware/hardware platforms as well as other source. Therefore, the DPU architecture as claimed is taught by Villella. The motivation to provide a pattern-based index processing system capable of classifying application, metadata, or user-defined patterns for scenario analysis is proper and supported by the references. It directly addresses the need for enhanced detection in a security context, which is the core purpose of both Villella’s Machine learning-based anomaly detection and Hong’s metadata-driven security architecture. The rejection is maintained. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. Claim 1-4, 6-8, 10-11, 13-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-8 of Patent No. 12/095793. Present Application Patent No. 12/095793 Claims 1, 8, and 16 A computing system comprising: a data processing unit (DPU) comprising a network interface, a host interface, a central processing unit (CPU), and an acceleration hardware engine, the DPU to receive network traffic on the network interface and send the network traffic to a host device on the host interface, and the DPU to host a hardware-accelerated security service to protect the host device from a malicious network attack, wherein the hardware-accelerated security service is to extract a plurality of features from first data in the network traffic received on the network interface and telemetry data generated and stored by the acceleration hardware engine, wherein the telemetry data is associated with operations of the acceleration hardware engine; and accelerated pipeline hardware coupled to the DPU, wherein the accelerated pipeline hardware is to: determine, using a machine learning (ML) detection system, whether the host device is subject to the malicious network attack based on the plurality of features; and send an enforcement rule to the DPU responsive to a determination that the host device is subject to the malicious network attack. Claim 1 A computing system comprising: a graphics processing unit (GPU) comprising a cybersecurity platform with one or more accelerated machine learning pipelines; and a data processing unit (DPU) coupled to the GPU, wherein the DPU comprises: a network interface operatively coupled to a network, the network interface to receive network traffic directed to a host device from a second device over the network; a host interface operatively coupled to the host device, the DPU to send the network traffic to the host device over the host interface; an acceleration hardware engine operatively coupled to the network interface and the GPU, wherein the acceleration hardware engine is to host a hardware-accelerated security service to: extract first feature data from the network traffic; extract second feature data from telemetry data generated and stored by the acceleration hardware engine, wherein the telemetry data is associated with operations of the acceleration hardware engine; send the first feature data and the second feature data to the cybersecurity platform to determine whether the host device is subject to a malicious network attack using the one or more accelerated machine learning pipelines; receive an enforcement rule from the cybersecurity platform responsive to a determination by the cybersecurity platform that the host device is subject to the malicious network attack; and perform an action, associated with the enforcement rule, on subsequent network traffic directed to the host device from the second device. Claims 2 and 19 The computing system of claim 1, wherein the DPU is a programmable data center infrastructure on a chip. Claim 4 The computing system of claim 1, wherein the DPU is a programmable data center infrastructure on a chip. Claim 3 wherein the network interface is to handle network data path processing, wherein the CPU is to control path initialization and exception processing. Claim 5 a central processing unit (CPU) operatively coupled to the acceleration hardware engine and the GPU, wherein the acceleration hardware engine to handle network data path processing, wherein the CPU is to control path initialization and exception processing. Claim 4 wherein the host device resides in a first computing domain, wherein the hardware-accelerated security service resides in a second computing domain different than the first computing domain, and wherein the ML detection system resides in the second computing domain or a third computing domain different than the first computing domain and the second computing domain.. Claim 6 wherein the host device resides in a first computing domain, wherein the hardware-accelerated security service and the cybersecurity platform reside in a second computing domain different than the first computing domain. Claims 6 and 10 wherein the accelerated pipeline hardware comprises feature extraction logic to tokenize the first feature data into tokens and extract numeric features from the second feature data, and wherein the ML detection system comprises a classification model trained to classify the first and second feature data as malicious or benign. Claims 7, 11, and 18 wherein the classification model comprises: an embedding layer to receive the tokens as an input sequence of tokens and generate an input vector based on the input sequence of tokens; a Long Short-Term Memory (LSTM) layer trained to generate an output vector based on the input vector; and a neural network layer trained to classify the first and second feature data as malicious or benign using the output vector from the LSTM layer and the numeric features of the second feature data. Claim 3 wherein the cybersecurity platform comprises feature extraction logic to tokenize the first feature data into tokens and extract numeric features from the second feature data, and wherein the classification model comprises: an embedding layer to receive the tokens as an input sequence of tokens and generate an input vector based on the input sequence of tokens; a Long Short-Term Memory (LSTM) layer trained to generate an output vector based on the input vector; and a neural network layer trained to classify the first and second feature data as malicious or benign using the output vector from the LSTM layer and the numeric features of the second feature data. Claims 13 and 20 wherein Villella further teaches the DPU resides in a second computing domain different than the first computing domain, and wherein the ML detection system resides in a third computing domain different than the first computing domain and the second computing domain Claim 7 wherein the host device resides in a first computing domain, wherein the hardware-accelerated security service resides in a second computing domain different than the first computing domain, and wherein the cybersecurity platform resides in a third computing domain different than the first computing domain and the second computing domain. Claims 14 and 15 wherein the telemetry data is stored in at least one of i) one or more registers of the acceleration hardware engine or ii) a hardware counter of the acceleration hardware engine. Claim 8 wherein the telemetry data is stored in at least of i) one of one or more registers of the acceleration hardware engine or ii) a hardware counter of the acceleration hardware engine.. Claim 17 receive the plurality of features from the hardware-accelerated security service; determine whether the host device is subject to the malicious network attack using a classification model of the one or more accelerated machine learning pipelines, the classification model being trained to classify the plurality of features as malicious or benign; and send the enforcement rule to the hardware-accelerated security service responsive to the determination that the host device is subject to the malicious network attack. Claim 2 receive the first feature data and the second feature data from the hardware-accelerated security service; determine whether the host device is subject to the malicious network attack using a classification model of the one or more accelerated machine learning pipelines, the classification model being trained to classify the first and second feature data as malicious or benign; and send the enforcement rule to the hardware-accelerated security service responsive to the determination that the host device is subject to the malicious network attack. Although the claims at issue are not identical, they are not patentably distinct from each other because the claimed subject matter of the present applicant and that of Patent No. 12/095793 are substantially the same and the claimed subject matter of the present application would have been obvious to one of ordinary skill in the art based on the claimed subject matter of Patent No. 12/095793. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-5, 8-9, 12-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Villella et al. (US 20180248904 A1), hereafter Villella in view of Hong et al. (US 20200412634 A1), hereafter Hong. Regarding claim 1, Villella teaches a method comprising: a data processing unit (DPU) comprising a network interface ([0051] administering communications among computers within the computer network), a host interface, an acceleration hardware engine, and the DPU to host a hardware-accelerated security service to protect the host device from a malicious network attack ([0013] advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis; [0025] The machine learning process may be applied to the set of system data so as to identify a subset of features that is statistically optimal for discriminating between the normal data and anomalous data; [0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information), wherein the hardware-accelerated security service is to extract telemetry data generated and stored by the acceleration hardware engine, wherein the telemetry data is associated with operations of the acceleration hardware engine ([0053] The system 10 of the present disclosure provides for the rapid/automated extraction of viable information from the data 18. The system may employ agents or system monitors that can operate on the individual root data sources 14 to extract data entries from registers or records of the root data sources); and accelerated pipeline hardware coupled to the DPU, wherein the accelerated pipeline hardware is to: determine, using a machine learning (ML) detection system, whether the host device is subject to the malicious network attack based on the plurality of features ([0013] advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis; [0025] The machine learning process may be applied to the set of system data so as to identify a subset of features that is statistically optimal for discriminating between the normal data and anomalous data; [0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information); and send an enforcement rule to the DPU responsive to a determination that the host device is subject to the malicious network attack ([0018] A detected anomaly may then be evaluated in a security context, i.e., to determine whether the anomaly represents a security threat; [0058] the system 10 may include one or more machine analytics platforms 50 broadly operable to analyze and process numerous types of data using one or more processing rules to detect what may be complex events/conditions/developments/etc. occurring in relation to the data sources 14). Villella does not explicitly teach a central processing unit (CPU); the hardware-accelerated security service is to extract…a plurality of features from telemetry data generated and stored by the acceleration hardware engine, wherein the telemetry data is associated with operations of the acceleration hardware engine; Hong teaches a central processing unit (CPU) ([0136] data processor); the hardware-accelerated security service is to extract…a plurality of features from telemetry data generated and stored by the acceleration hardware engine, wherein the telemetry data is associated with operations of the acceleration hardware engine ([0087] when the amount of collected packets is the collection setting value or less, the data access module 110 may directly write the original packet data, collected in real time, in a secured memory region of the memory unit 120 (generated and stored by the acceleration hardware engine) [0089], fig. 3, at the same time, the data access module 110 may extract metadata (telemetry data) from the collected original packet data, and may write the metadata in a secured memory region of the memory unit 120. The metadata may include a source IP, a source port, a destination IP, a destination port, a protocol); It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, the metadata is extracted to send to a remote extension node to determine an attack , as taught by Hong. One would be motivated to do so to provide a pattern-based index processing system and pattern-based index processing method capable of classifying applications, metadata or user-defined patterns for scenario analysis. Regarding claims 2 and 19, Villella and Hong teach all limitation of parent claims 1 and 16, wherein Hong further teaches the DPU is a programmable data center infrastructure on a chip ([0141] A process and logical flow described in this specification may be performed by one or more programmable processors that execute one or more computer programs in order to perform a function in such a way as to operate on input data and generate an output). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, a processor to execute computer programs, as taught by Hong. One would be motivated to do so to provide a pattern-based index processing system and pattern-based index processing method capable of classifying applications, metadata or user-defined patterns for scenario analysis. Regarding claim 3, Villella and Hong teach the computing system of claim 1, wherein Hong further teaches the network interface is to handle network data path processing, wherein the CPU is to control path initialization and exception processing ([0141] A process and logical flow described in this specification may be performed by one or more programmable processors that execute one or more computer programs in order to perform a function in such a way as to operate on input data and generate an output). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, a processor to control input/output paths, as taught by Hong. One would be motivated to do so to provide a pattern-based index processing system and pattern-based index processing method capable of classifying applications, metadata or user-defined patterns for scenario analysis. Regarding claim 4, Villella and Hong teach the computing system of claim 1, wherein Villella further teaches the host device resides in a first computing domain, wherein the hardware-accelerated security service resides in a second computing domain different than the first computing domain ([0051] one of the devices 22 may be a computer that is operable within a computer network configuration), and wherein the ML detection system resides in the second computing domain or a third computing domain different than the first computing domain and the second computing domain ([0053] The various structured data managers 30 and event/platform managers 38 may transmit structured data, events, alerts and/or other data or messages to one or more third-party products 42 by way of any appropriate third-party services 46). Regarding claims 5 and 9, Villella and Hong teach all limitation of parent claims 1 and 8, wherein Villella further teaches the hardware-accelerated security service is to: extract first feature data from the first data in the network traffic ([0053] [The system 10 of the present disclosure provides for the rapid/automated extraction of viable information from the data 18); combine the first feature data and the second feature data into the plurality of features ([0110] a feature sub-selection module 552d may compare or combine extracted features (e.g., 552a and/or 552b) to support a modeling module 556a); send the plurality of features to the accelerated pipeline hardware to determine whether the host device is subject to the malicious network attack ([0057] forwarding the structured data or event to (e.g., or otherwise triggering or alerting) an event or platform manager 38 to determine whether one or more alarms should be generated); receive the enforcement rule from the accelerated pipeline hardware responsive to a determination by the accelerated pipeline hardware that the host device is subject to the malicious network attack ([0018] A detected anomaly may then be evaluated in a security context, i.e., to determine whether the anomaly represents a security threat; [0058] the system 10 may include one or more machine analytics platforms 50 broadly operable to analyze and process numerous types of data using one or more processing rules to detect what may be complex events/conditions/developments/etc. occurring in relation to the data sources 14); and perform an action, associated with the enforcement rule, on subsequent network traffic directed to the host device ([0057] Processing rules may also specify one or more additional actions the structured data manager 30 is to take upon data 18 matching or triggering a processing rule such as archiving the data or event in any appropriate archival data store). Villella does not explicitly teach extract second feature data from the telemetry data generated and stored by the acceleration hardware engine; Hong teaches extract second feature data from the telemetry data generated and stored by the acceleration hardware engine ([0089], fig. 3, at the same time, the data access module 110 may extract metadata from the collected original packet data, and may write the metadata in a secured memory region of the memory unit 120. The metadata may include a source IP, a source port, a destination IP, a destination port, a protocol (second feature data)); It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, the metadata is extracted to send to a remote extension node to determine an attack , as taught by Hong. One would be motivated to do so to provide a pattern-based index processing system and pattern-based index processing method capable of classifying applications, metadata or user-defined patterns for scenario analysis. Regarding claim 8, Villella teaches a method comprising: receiving, by a data processing unit (DPU) coupled to a host device, network traffic on a network interface of the DPU ([0051] administering communications among computers within the computer network; [0056] FIG. 4 presents a screenshot of a user interface that provides information regarding data that has been collected and processed according to one or more structured data managers 30); send, by the DPU, the network traffic to the host device on a host interface of the DPU ([0013] advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis; [0025] The machine learning process may be applied to the set of system data so as to identify a subset of features that is statistically optimal for discriminating between the normal data and anomalous data; [0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information); extracting, by the DPU, telemetry data generated and stored by an acceleration hardware engine of the DPU, the first data being directed to the host device from a second device, wherein the telemetry data is associated with operations of the acceleration hardware engine ([0053] The system 10 of the present disclosure provides for the rapid/automated extraction of viable information from the data 18. The system may employ agents or system monitors that can operate on the individual root data sources 14 to extract data entries from registers or records of the root data sources); and determining, using a machine learning (ML) detection system, whether the host device is subject to a malicious network attack based on the plurality of features ([0013] advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis; [0025] The machine learning process may be applied to the set of system data so as to identify a subset of features that is statistically optimal for discriminating between the normal data and anomalous data; [0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information); and performing, by the DPU, an action associated with an enforcement rule on subsequent network traffic directed to the host device from the second device, responsive to a determination that the host device is subject to the malicious network attack ([0018] A detected anomaly may then be evaluated in a security context, i.e., to determine whether the anomaly represents a security threat; [0058] the system 10 may include one or more machine analytics platforms 50 broadly operable to analyze and process numerous types of data using one or more processing rules to detect what may be complex events/conditions/developments/etc. occurring in relation to the data sources 14). Villella does not explicitly teach extracting, by the DPU, a plurality of features … a plurality of features from first data in the network traffic received on the network interface of the DPU; Hong teaches a central processing unit (CPU) ([0136] data processor); extracting, by the DPU, a plurality of features … a plurality of features from first data in the network traffic received on the network interface of the DPU ([0087] when the amount of collected packets is the collection setting value or less, the data access module 110 may directly write the original packet data, collected in real time, in a secured memory region of the memory unit 120 (generated and stored by the acceleration hardware engine) [0089], fig. 3, at the same time, the data access module 110 may extract metadata (telemetry data) from the collected original packet data, and may write the metadata in a secured memory region of the memory unit 120. The metadata may include a source IP, a source port, a destination IP, a destination port, a protocol); It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, the metadata is extracted to send to a remote extension node to determine an attack , as taught by Hong. One would be motivated to do so to provide a pattern-based index processing system and pattern-based index processing method capable of classifying applications, metadata or user-defined patterns for scenario analysis. Regarding claim 12, Villella and Hong teach the method of claim 8, wherein Villella further teaches the host device resides in a first computing domain, wherein the DPU and the ML detection system reside in a second computing domain different than the first computing domain ([0051] one of the devices 22 may be a computer that is operable within a computer network configuration). Regarding claim 13, Villella and Hong teach the method of claim 8, the host device resides in a first computing domain, wherein Villella further teaches the DPU resides in a second computing domain different than the first computing domain, and wherein the ML detection system resides in a third computing domain different than the first computing domain and the second computing domain ([0051] one of the devices 22 may be a computer that is operable within a computer network configuration; [0053] The various structured data managers 30 and event/platform managers 38 may transmit structured data, events, alerts and/or other data or messages to one or more third-party products 42 by way of any appropriate third-party services 46). Regarding claims 14 and 15, Villella and Hong teach the all limitations of parent claims 1 and 8, wherein Villella further teaches the telemetry data is stored in at least one of i) one or more registers of the acceleration hardware engine or ii) a hardware counter of the acceleration hardware engine ([0019] distributing and storing, in the plurality of extension nodes, the original packet data and the metadata from the memory when a network speed exceeds a given reference). Regarding claim 16, Villella teaches a computing system comprising: a graphics processing unit (GPU) comprising a cybersecurity platform with one or more accelerated machine learning pipelines ([0058] the system 10 may include one or more machine analytics platforms 50 (cybersecurity platform) broadly operable to analyze and process numerous types of data); and a data processing unit (DPU) coupled to the GPU, wherein the DPU comprises: a host interface; an acceleration hardware engine, the DPU to receive network traffic on the network interface and send the network traffic to a host device on the host interface, and the DPU to host a hardware-accelerated security service to protect the host device from a malicious network attack ([0051] administering communications among computers within the computer network; [0013] advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis; [0025] The machine learning process may be applied to the set of system data so as to identify a subset of features that is statistically optimal for discriminating between the normal data and anomalous data; [0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information;, wherein: the hardware-accelerated security service is to extract telemetry data generated and stored by the acceleration hardware engine, the telemetry data being associated with operations of the acceleration hardware engine ([0053] The system 10 of the present disclosure provides for the rapid/automated extraction of viable information from the data 18. The system may employ agents or system monitors that can operate on the individual root data sources 14 to extract data entries from registers or records of the root data sources); and the cybersecurity platform is to determine, using the one or more accelerated machine learning pipelines, whether the host device is subject to the malicious network attack based on the plurality of features ([0013] advanced analytics including, for example, a machine-learning process can be executed on system data thereby substantially improving event detection and analysis; [0025] The machine learning process may be applied to the set of system data so as to identify a subset of features that is statistically optimal for discriminating between the normal data and anomalous data; [0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information); and the cybersecurity platform is to send an enforcement rule to the DPU responsive to a determination that the host device is subject to the malicious network attack ([0018] A detected anomaly may then be evaluated in a security context, i.e., to determine whether the anomaly represents a security threat; [0058] the system 10 may include one or more machine analytics platforms 50 broadly operable to analyze and process numerous types of data using one or more processing rules to detect what may be complex events/conditions/developments/etc. occurring in relation to the data sources 14). Villella does not explicitly teach a central processing unit (CPU); the hardware-accelerated security service is to extract… a plurality of features from first data in the network traffic received on the network interface; Hong teaches a central processing unit (CPU) ([0136] data processor); the hardware-accelerated security service is to extract… a plurality of features from first data in the network traffic received on the network interface ([0087] when the amount of collected packets is the collection setting value or less, the data access module 110 may directly write the original packet data, collected in real time, in a secured memory region of the memory unit 120 (generated and stored by the acceleration hardware engine) [0089], fig. 3, at the same time, the data access module 110 may extract metadata (telemetry data) from the collected original packet data, and may write the metadata in a secured memory region of the memory unit 120. The metadata may include a source IP, a source port, a destination IP, a destination port, a protocol); It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, the metadata is extracted to send to a remote extension node to determine an attack , as taught by Hong. One would be motivated to do so to provide a pattern-based index processing system and pattern-based index processing method capable of classifying applications, metadata or user-defined patterns for scenario analysis. Regarding claim 17, Villella and Hong teach the computing system of claim 16, wherein Villella further teaches the cybersecurity platform is to: receive the plurality of features from the hardware-accelerated security service ([0052] the data 18 generated by devices 22 may be in the form of host forensic data such as file integrity information, process information, data transfer information); determine whether the host device is subject to the malicious network attack using a classification model of the one or more accelerated machine learning pipelines, the classification model being trained to classify the plurality of features as malicious or benign ([0011] monitoring systems from static signatures and predefined rules such that the systems can identify and classify emerging threats, adapt to changing information environments and continuously optimize performance. The analytics enable efficient and accurate modeling of baseline behavior as well as anomaly detection and attribution); and send the enforcement rule to the hardware-accelerated security service responsive to the determination that the host device is subject to the malicious network attack ([0057] forwarding the structured data or event to (e.g., or otherwise triggering or alerting) an event or platform manager 38 to determine whether one or more alarms should be generated. Regarding claim 20, Villella and Hong teach the computing system of claim 16, wherein Villella further teaches the host device resides in a first computing domain, wherein the hardware-accelerated security service resides in a second computing domain different than the first computing domain, and wherein the cybersecurity platform resides in the second computing domain or a third computing domain different than the first computing domain and the second computing domain ([0053], fig. 1, structured data managers 30, platform manager 38, and System monitors 34 are in different domain. The system 10 may employ agents or system monitors 34 (e.g., software) that can operate on the individual root data sources 14). Claims 6-7, 10-11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Villella in view of Hong and further in view of Guggilla (US 20200073882 A1). Regarding claims 6 and 10, Villella and Hong teach all limitation of parents claim 5 and 9, wherein Villella further teaches wherein the ML detection system comprises a classification model trained to classify the first and second feature data as malicious or benign ([0011] monitoring systems from static signatures and predefined rules such that the systems can identify and classify emerging threats, adapt to changing information environments and continuously optimize performance. The analytics enable efficient and accurate modeling of baseline behavior as well as anomaly detection and attribution). Villella and Hong do not explicitly teach the accelerated pipeline hardware comprises feature extraction logic to tokenize the first feature data into tokens and extract numeric features from the second feature data. Guggilla teaches the accelerated pipeline hardware comprises feature extraction logic to tokenize the first feature data into tokens and extract numeric features from the second feature data ([0107] given each sequence, tokens in the sequence may be separated into characters using a tokenization process, and on top of these character represented sequences. Character embeddings may refer to numerical vector representations learned from various character contexts). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella and Hong disclosure, the machine learning models such as long short-term memories, as taught by Guggilla. One would be motivated to do so to implement annotation of all of the entities that are available in a set of entities, and to reduce the time needed to prepare training samples needed for building entity and relation detection models. Regarding claims 7, 11, and 18, Villella, Hong, and Guggilla teach all limitations of parent claims 6, 10, and 17, Villella does not explicitly teach wherein the classification model comprises: an embedding layer to receive the tokens as an input sequence of tokens and generate an input vector based on the input sequence of tokens; a Long Short-Term Memory (LSTM) layer trained to generate an output vector based on the input vector; and a neural network layer trained to classify the first and second feature data as malicious or benign using the output vector from the LSTM layer and the numeric features of the second feature data. Guggilla teaches an embedding layer to receive the tokens as an input sequence of tokens and generate an input vector based on the input sequence of tokens ([0040] vocabulary in these sequences may be transformed into semantic vectors of varying dimensions [e.g., 50, 100, 200, 300] including numerical values denoting syntactic and semantic weights which may be further used as input vectors for LSTM-based deep neural networks); a Long Short-Term Memory (LSTM) layer trained to generate an output vector based on the input vector ([0040] The sequences may function as learning representation units for deep learning and/or machine learning models such as long short-term memories (LSTMs); [0109] The corpus generator and enricher 112 may transform each segment into character represented vector embeddings, where entities and tokens present in each segment may be converted into character vector representations); and a neural network layer trained to classify the first and second feature data as malicious or benign using the output vector from the LSTM layer and the numeric features of the second feature data ([0098] he document categorizer 110 may process these documents and classify them into a category of a specified number of categories using fine-grained pre-entity marked and/or annotated documents; [0109] an output to the sub-process-4 performed by the corpus generator and enricher 112 may include ‘n’ training samples with tagged entities). It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Villella disclosure, the machine learning models such as long short-term memories, as taught by Guggilla. One would be motivated to do so to implement annotation of all of the entities that are available in a set of entities, and to reduce the time needed to prepare training samples needed for building entity and relation detection models. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached at 5712703037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /ANH NGUYEN/Primary Examiner, Art Unit 2458
Read full office action

Prosecution Timeline

Jul 30, 2024
Application Filed
Jan 14, 2026
Non-Final Rejection mailed — §103
Feb 26, 2026
Response Filed
Apr 30, 2026
Final Rejection mailed — §103
Jun 15, 2026
Response after Non-Final Action
Jul 01, 2026
Examiner Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665920
COORDINATED MONITORING OF HETEROGENEOUS DOMAINS IN EXTENDED DETECTION AND RESPONSE (XDR) SYSTEMS
2y 10m to grant Granted Jun 23, 2026
Patent 12664311
INTEGRATED LOGGING LIBRARY FOR OBFUSCATING SENSITIVE INFORMATION
2y 2m to grant Granted Jun 23, 2026
Patent 12659255
DETECTING NETWORK EVENTS HAVING ADVERSE USER IMPACT
2y 1m to grant Granted Jun 16, 2026
Patent 12652294
CONTROLLER AREA NETWORK INTRUSION DETECTION SYSTEM AND OPERATING METHOD THEREOF
2y 7m to grant Granted Jun 09, 2026
Patent 12634325
SYSTEMS, APPARATUSES, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR CYBERSECURITY THREAT ASSESSMENT
2y 7m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

2-3
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+25.8%)
2y 9m (~9m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 367 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month