Prosecution Insights
Last updated: July 05, 2026
Application No. 18/791,262

SYSTEMS AND METHODS FOR DETERMINING AND UPDATING KNOWLEDGE GRAPHS OF INFORMATION TECHNOLOGY EVENT DATA AND CONFIGURATION ITEMS

Non-Final OA §103
Filed
Jul 31, 2024
Examiner
ALMANI, MOHSEN
Art Unit
2159
Tech Center
2100 — Computer Architecture & Software
Assignee
Fidelity Information Services LLC
OA Round
2 (Non-Final)
50%
Grant Probability
Moderate
2-3
OA Rounds
2y 2m
Est. Remaining
72%
With Interview

Examiner Intelligence

Grants 50% of resolved cases
50%
Career Allowance Rate
190 granted / 378 resolved
-4.7% vs TC avg
Strong +22% interview lift
Without
With
+21.7%
Interview Lift
resolved cases with interview
Typical timeline
4y 1m
Avg Prosecution
20 currently pending
Career history
406
Total Applications
across all art units

Statute-Specific Performance

§101
1.3%
-38.7% vs TC avg
§103
82.2%
+42.2% vs TC avg
§102
12.8%
-27.2% vs TC avg
§112
2.1%
-37.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 378 resolved cases

Office Action

§103
Detailed Action Applicant amended claims 1-3, 6-8, 10-12, 15-17, 19, and 20 and presented claims 1-20 for reconsideration on 01/27/2026. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over PURDY et al., Pub. No.: US 2023/0065398 A1 (Purdy), in view of Markley et al., Patent No.: US 11,531,651 B1 (Markley). Claim 1. Purdy teaches: A computer-implemented method for managing information technology event data in a graph database, the method comprising: obtaining a graph database, the graph database including a set of nodes and set of edges that connect the set of nodes; (¶¶ 8-9, 61, incoming data stream is ingested into a graph database) receiving a first data object and a second data object from a data source, the first data object and second data object representing information technology data; (¶¶ 8-9, objects in data stream represent information technology data, “the plurality of data streams comprise a network infrastructure data stream, a network information flow data stream, a network vulnerability scan data stream, a network intrusion detection alert data stream, a network mission dependencies data stream, an arbitrary data stream, or any combination thereof is ingested into a graph database”) processing the first data object and the second data object, wherein processing the first data object includes assigning a first identification field to the first data object and identifying additional fields of the first data object, wherein processing the second data object includes assigning a second identification field to the second data object and identifying additional fields of the second data object; (¶ 8-9, UID is assigned to each object: “the common data format for the node comprises a unique identifier (UID), a category description, a display name description, one or more key-value property fields, and an aggregation field…an edge comprises information about a relationship between a starting node and a destination node…the common format for an edge comprises a unique identifier (UID), a category description, a display name description, a starting node UID, a destination node UID, one or more key-value property fields, and an aggregation field”) determining the first data object is a configuration relationship object, wherein the configuration relationship object defines a relationship between a first configuration item and a second configuration item, wherein the additional fields of the configuration relationship object includes a confidence of association between the first configuration item and the second configuration item; (¶¶ 48-49, 53-54, wherein “information relating to network components, network topology, network vulnerabilities, client/server configurations, firewall rules, network events, and mission dependencies input” suggests that input data is a configuration relationship object and ¶¶ 36, 48-49, 53-54, 60-61, 65, 99, wherein “A node may comprise information about…entities or tasks… a network device, a network computer, a network machine, a network cyberspace asset, a network domain, a network rule, a network mission objective, a network mission asset, a network mission task, a network alert, a network vulnerability state, a network vulnerability score, a cyberattack classification, an organization, a user, a geographical area, or any combination thereof. An edge may comprise information about…a relationship between a starting node and a destination node” suggests that each data object can have any required information, e.g. a first configuration item name identification field, a second configuration item name identification field, and association identification variable, a confidence of association, and an updated date that the association occurred to be represented in graph format) determining the first data object does not exist as a node in the graph database; (¶¶ 9, 11, 39, 51, 65, 92, graph is updated by adding a new node and relation to the graph) creating a first node for the first data object and assigning the first identification field to the first node; (¶¶ 9, 11, 39, 51, 65, 92, graph is updated by adding a new node and relation to the graph: ¶ 11, “updating the graph model comprises an action selected from the group consisting of adding the node or edge of the converted data, deleting a node or edge of the plurality of nodes and edges stored within the graph model that corresponds to the node or edge of the converted data, or modifying a property associated with a node or edge of the plurality of nodes and edges stored within the graph model according to that of the node or edge of the converted data”, ¶ 39, “the graph database server updates the graph model(s) within the graph database with the new node and/or edge information contained in the data ingest message”, ¶ 65, “as each node and each edge is ingested by the Queue-to-Event module 125 it is compared (e.g., on the basis of unique identifier (UID), type, and/or properties) to the dataset within the graph database. For example, the unique identifier is used to determine if a corresponding node and/or edge already exists. If not, the new node and/or edge is added to the dataset”, ¶ 92, “Graph model extensions are simply the creation of additional nodes, relationships, and properties in the property graph model”) determining the second data object does exist as a second node in the graph database; and (¶ 69, “Node and/or edge properties may also be compared and modified according to the relative importance assigned in a precedence table. The properties of the existing and incoming nodes and/or edges are compared and any properties that are different (i.e., if they don't exist in both) may be merged. For example, if an incoming node has property A and an existing node has property B, the modified node will have property A and property B”) updating the second node to include the additional fields of the second data object. (¶¶ 65, 69, “Node and/or edge properties may also be compared and modified according to the relative importance assigned in a precedence table. The properties of the existing and incoming nodes and/or edges are compared and any properties that are different (i.e., if they don't exist in both) may be merged. For example, if an incoming node has property A and an existing node has property B, the modified node will have property A and property B”, ¶ 90, “Assume that the existing graph is G=(N, E), and the transform T extracts information about two nodes, n1 and n2, and an edge e between them. The new graph is G′=(N∪{n1, n2}, E∪{e}), where the properties of n1, n2, and e are defined by the transform T. If n1 or n2 was already in N then their properties are simply updated according to any extra information contained in record r”) Purdy did not specifically teach but Markley teaches creating a first edge connecting the first data object to a first related node from the set of nodes of the graph database. (Markley, 16: 8-23, wherein a child node is added to a graph structure with an edge connecting the child node to a parent node) Purdy and Markley utilize a graph model comprising nodes/edges for representing data elements and relationships among the data elements. They also provide for updating the graph model by adding/modifying/deleting nodes/edges. It would have been obvious before the effective filling date of the claimed invention to a person having ordinary skill in the art to combine the applied references for disclosing creating a first edge connecting the first data object to a first related node from the set of nodes of the graph database because doing so would provide for an explicit disclosure of connecting a newly added node to a node in the graph database for achieving the same predictable result of updating and visualizing a status of a computer network. Claims 10 and 19 are rejected under the same rationale as above. Claim 2. The method of claim 1, wherein determining the first data object does not exist as a node in the graph database, further includes: performing a search function to traverse all possible edges of the graph database to determine that the first identification field of the first data object does not exist as an identification field for any of the set of nodes in the graph database. (Purdy, ¶ 65, “the unique identifier is used to determine if a corresponding node and/or edge already exists. If not, the new node and/or edge is added to the dataset” suggests traversing the graph for identifying existence of a node) Claims 11 and 20 are rejected under the same rationale. Claim 3. The method of claim 1, wherein creating the first node further includes: creating a third edge connection to a first time node, the first time node identifying a time that the first data object occurred, the time being identified from a first time stamp associated with the first data object, wherein the first edge connection is attributed the additional fields of the first data object and indicates an association between the first node and additional data in the graph database. (Purdy, ¶¶ 62, 88, 97, 122, each node or edge is assigned key/value properties including additional fields: “The property key-value pairs can include any property that can be associated with nodes or edges (relationships) in a graph database”) Claim 12 is rejected under the same rationale. Claim 4. The method of claim 1, wherein the graph database includes attributes for the set of nodes and attributes for the set of edges, wherein the attributes provide additional data related to define the set of nodes and the set of edges. (Purdy, ¶¶ 62, 88, 122, “A property graph is a graph in which the nodes and edges have associated attributes, that is, arbitrary key/value pairs describing properties of the component nodes or edges. For example, nodes have attributes that include a unique identifier and a type…Edges also have an attribute describing their type as well as additional attributes identifying their source and destination nodes…Additional attributes may include such things as location information, mission criticality, or traffic packet counts”) Claim 13 is rejected under the same rationale. Claim 5. The method of claim 1, wherein each of the first data object and second data object comprises item data, configuration item relationship data, incidents data, alert data, changes data, or problem data. (Purdy, ¶¶ 8-9, “the plurality of data streams comprise a network infrastructure data stream, a network information flow data stream, a network vulnerability scan data stream, a network intrusion detection alert data stream, a network mission dependencies data stream, an arbitrary data stream, or any combination thereof is ingested into a graph database”) Claim 14 is rejected under the same rationale. Claim 6. The method of claim 1, further including: receiving a third data object from the data source, the third data object representing information technology data; processing the third data object, wherein processing the third data object includes assigning a third identification field to the third data object and identifying additional fields of the third data object; (this step is the same as receiving, a first or a second object as recited in claim 1) determining the third data object is a configuration item object, (Purdy, ¶ 48, “Non-limiting examples of the types of data that can be provided by computer network sensors, network monitoring tools, and/or data brokers as input to the disclosed cyber-security analysis system include…information relating to network components, network topology, network vulnerabilities, client/server configurations, firewall rules, network events, and mission dependencies”) wherein the additional fields of the first data object include a name, asset class, and active status; (Purdy, ¶¶ 48, a data object includes data fields as needed e.g. a name, asset class and active status: ¶ 48, “The reformatted ingest data may include, for example, a "unique identifier" (UID) field, "type" field, "showname" field, a "from" field…, a "to" field…, a "delete" field, a "properties" field, and an "aggregation" field”; ¶ 97, “Alert node 704c can include information gathered in real-time about the state of a network”) determining the third data object does not exist as a node in the graph database; creating a third node for the third data object and assigning the third identification field to the third , wherein creating the third node includes: (this is the same as claim 2 for determining existence of an object) assigning a third label of the third identification field; and (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) assigning a fourth label of the additional fields to the third data object; (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) creating a second edge connecting the third data object to a second related node from the set of nodes of the graph database, wherein creating the second edge includes: identifying a parent relationship and a child relationship; (Markley, 15: 21-38, wherein inserting a node in a hierarchal graph requires identifying parent and child for the node and connecting them by edges) identifying the second related node based upon parent relationship; (Markley, 15: 21-38, wherein inserting a node in a hierarchal graph requires identifying parent and child for the node and connecting them by edges) identifying a third related node based upon the child relationship; and (Markley, 15: 21-38, wherein inserting a node in a hierarchal graph requires identifying parent and child for the node and connecting them by edges) creating a third edge between the third node and second related node extracted from the child relationship. (Markley, 15: 21-38, wherein inserting a node in a hierarchal graph requires identifying parent and child for the node and connecting them by edges) Claim 15 is rejected under the same rationale. Claim 7. The method of claim 1, wherein the additional fields of the first data object include a first configuration item name identification field, a second configuration item name identification field, and association identification variable, and an updated date that the association occurred; (Purdy, ¶¶ 36, 48-49, 53-54, 60-61, 65, 99, wherein “A node may comprise information about…entities or tasks… a network device, a network computer, a network machine, a network cyberspace asset, a network domain, a network rule, a network mission objective, a network mission asset, a network mission task, a network alert, a network vulnerability state, a network vulnerability score, a cyberattack classification, an organization, a user, a geographical area, or any combination thereof. An edge may comprise information about…a relationship between a starting node and a destination node” suggests that each data object can have any required information, e.g. a first configuration item name identification field, a second configuration item name identification field, and association identification variable, and an updated date that the association occurred to be represented in graph format) wherein creating the first node for the first data object, includes: assigning a first label of the first identification field; and (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) assigning a second label of the additional fields to the first data object; (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) wherein the first related node is associated with the first configuration item name identification field, (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) wherein creating the first edge connecting the first data object to the first related node includes: identifying a second related node associated with the second configuration item name identification field; (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) creating a second edge between the first node and the second related node; and (Purdy, 8-9 and Markley, 15: 21-38, inserting a node in a graph requires creating edges representing relationship of the node to other nodes as required) creating a third edge between the first node and a date node associated with the updated date from the additional fields of the first data object. (Purdy, 8-9 and Markley, 15: 21-38, inserting a node in a graph requires creating edges representing relationship of the node to other nodes as required; Purdy, ¶¶ 62, 88, 97, 122, each node or edge is assigned key/value properties including time-value) Claim 16 is rejected under the same rationale. Claim 8. The method of claim 1, further including: receiving a third data object from the data source, the third data object representing information technology data; processing the third data object, wherein processing the third data object includes assigning a third identification field to the third data object and identifying additional fields of the third data object; (this step is the same as receiving, a first or a second object as recited in claim 1) determining the third data object is an event object; (Purdy, 8-9, 65, a message includes an event) creating a third node for the third data object and assigning the third identification field to the third node, wherein creating the third node includes: assigning a third label of the first identification field; and (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) assigning a fourth label of the additional fields to the third data object; (Purdy, ¶¶ 62, 72, each node is labeled, e.g., a showname, Markley, 12: 65-13:6, 17: 5-12, each data filed is labeled) wherein a related data object is identified based on the additional fields of the third data object. (Purdy, 8-9, 65, nodes/edges are created/identified based on the information included in the event message) Claim 17 is rejected under the same rationale. Claim 9. The method of claim 1, wherein the graph database includes a time tree node structure, the time tree node structure including: (Purdy, ¶¶ 11, 71-72, 119-120, 122, a date/timestamp property is a representation of year, month and day nodes because a simple timeline query for each year, month, day or any combination of them generates results by linking events to requested year, month and day nodes) a year node; (Purdy, ¶¶ 11, 71-72, 119-120, 122, a date includes a year node, a simple search for a specific year shows all event related to the year) twelve month nodes; (Purdy, ¶¶ 11, 71-72, 122, a date includes a month node) edges between the year node and each of the twelve month nodes; (Purdy, ¶¶ 11, 71-72, a date include an edge between a year and a month) nodes for each day of each of the twelve month nodes; and (Purdy, ¶¶ 11, 71-72, 122, a date includes a day of a month) edges between each day and the respective month nodes; (Purdy, ¶¶ 11, 71-72, 122, a date includes a day of a month) wherein, creating a second edge, linking the first node to a temporal node, (Purdy, ¶¶ 11, 65, 71-72, 122, “at one time” is a temporal node in which an event happened) wherein the temporal node represents a day that the first data object occurred or was opened on. (Purdy, ¶¶ 11, 65, 71-72, 122, “at one time” is a temporal node in which an event happened) Claim 18 is rejected under the same rationale. Response to Amendment and Arguments Applicant’s arguments with respect to rejected claims have been considered but are not persuasive for the following reason. Applicant argues “the Office Action does not identify any portion of Purdy that discloses either that the first data object is a configuration relationship object, or a confidence of association. Instead, the Office Action states that certain portions of Purdy "suggest[] that input data is a configuration relationship object," and "suggest[] that each data object can have any required information, e.g.[,] ... a confidence of association." In response, claim 1 simply associates a node with a type of data without any impact on the implementation of the claim. For example, “a confidence associated between the first configuration item and the second configuration item” is never used. As noted above, Purdy ¶¶ 48-49, 53-54, discloses “information relating to network components, network topology, network vulnerabilities, client/server configurations, firewall rules, network events, and mission dependencies input” which suggests that input data is a configuration relationship object and Purdy, ¶¶ 36, 48-49, 53-54, 60-61, 65, 99, discloses “A node may comprise information about…entities or tasks… a network device, a network computer, a network machine, a network cyberspace asset, a network domain, a network rule, a network mission objective, a network mission asset, a network mission task, a network alert, a network vulnerability state, a network vulnerability score, a cyberattack classification, an organization, a user, a geographical area, or any combination thereof. An edge may comprise information about…a relationship between a starting node and a destination node” which suggests that each data object can have any required information, e.g. a first configuration item name identification field, a second configuration item name identification field, and association identification variable, a confidence of association, and an updated date that the association occurred to be represented in graph format. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mohsen Almani whose telephone number is (571)270-7722. The examiner can normally be reached on M-F, 9 AM-5 PM, ET. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann J. Lo can be reached on 571-272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MOHSEN ALMANI/Primary Examiner, Art Unit 2159
Read full office action

Prosecution Timeline

Jul 31, 2024
Application Filed
Oct 28, 2025
Non-Final Rejection mailed — §103
Jan 27, 2026
Response Filed
Apr 08, 2026
Final Rejection mailed — §103
Jun 03, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12657216
SCALABLE INDEXING ARCHITECTURE
6y 9m to grant Granted Jun 16, 2026
Patent 12651023
VIDEO EDITING TEMPLATE SEARCH METHOD AND APPARATUS, ELECTRONIC DEVICE AND STORAGE MEDIUM
2y 5m to grant Granted Jun 09, 2026
Patent 12625882
INTELLIGENT DATASET SLICING DURING MICROSERVICE HANDSHAKING
4y 8m to grant Granted May 12, 2026
Patent 12625881
CACHING SYSTEMS AND METHODS
2y 2m to grant Granted May 12, 2026
Patent 12625891
DATA STORAGE METHOD AND APPARATUSE, AND DATA READING METHOD AND APPARATUSE
1y 8m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

2-3
Expected OA Rounds
50%
Grant Probability
72%
With Interview (+21.7%)
4y 1m (~2y 2m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 378 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month