Prosecution Insights
Last updated: July 17, 2026
Application No. 18/792,214

ARRANGEMENT AND METHOD OF THREAT DETECTION IN A COMPUTER OR COMPUTER NETWORK

Non-Final OA §102§103
Filed
Aug 01, 2024
Priority
Aug 04, 2023 — GB 2311959.7
Examiner
LI, MENG
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Withsecure Corporation
OA Round
2 (Non-Final)
87%
Grant Probability
Favorable
2-3
OA Rounds
3m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 87% — above average
87%
Career Allowance Rate
498 granted / 575 resolved
+28.6% vs TC avg
Strong +20% interview lift
Without
With
+19.9%
Interview Lift
resolved cases with interview
Typical timeline
2y 3m
Avg Prosecution
24 currently pending
Career history
594
Total Applications
across all art units

Statute-Specific Performance

§101
2.7%
-37.3% vs TC avg
§103
85.5%
+45.5% vs TC avg
§102
2.0%
-38.0% vs TC avg
§112
5.6%
-34.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 575 resolved cases

Office Action

§102 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Priority/Benefit Acknowledgment is made of applicant’s claim for priority under 35 U.S.C. 119 (a)-(d). The certified copy of United Kingdom Application GB2311959.7 filed on Aug. 04, 2023 has been received on 09/16/2024. Response to Amendment The Amendment filed on 03/23/2026 has been entered. The objections of claims 4 and 18 are withdrawn in view of the amendment. The rejection of claims 12 and 13 under 35 U.S.C 101 is withdrawn in view of the amendment. Claim 12 is amended. Claim 13 is cancelled. Claim 18 is new. Claims 1-11 are pending of which claims 1 and 10 are independent claims. Response to Arguments The applicant's arguments filed on 03/23/2026 regarding claims 1-18 have been fully considered but they are not persuasive. Applicant argues (see page 9-15) regarding claims 1 and 10 of limitation “monitoring the application for a predetermined duration after a start of the application is determined, the monitoring the application comprises monitoring the application for accessing a predefined storage area of the computer” that “Rivera does not disclose specifically monitoring access to certain security sensitive areas. Rivera lists in para. [0046] that the client can monitor "unauthorized system directory access or modifications, unauthorized writing to an operating system, termination of security applications such as anti-virus applications, and malicious network activity, but Rivera does not disclose taking any specific actions related to the monitoring. Rivera only generally discloses reference to restrictions of resources of the computer in paras. [0049] and [0050]", Examiner acknowledged Applicant’s perspective but respectfully disagrees for the following reasons: Firstly, in response to argument that “Rivera does not disclose specifically monitoring access to certain security sensitive areas”, claimed language doesn’t specifically recite “access to certain security sensitive areas”, instead, it claims “accessing a predefined storage area of the computer”. As disclosed in the prior office action, Rivera in para. [0066] discloses “the system may be monitored for unauthorized system directory access”. The “access system directory” in Rivera is mapped to “access a predefined storage area of the computer”. Further, “unauthorized access” is mapped to “malicious activity”. Secondly, in response to argument that “Rivera does not disclose taking any specific actions related to the monitoring. Rivera only generally discloses reference to restrictions of resources of the computer in paras. [0049] and [0050]", Rivera in para. [0070] and Fig. 5 discloses that a new application reputation is received (in block 512) based on monitoring (in block 506). If the new reputation indicates that the application is malicious then the application may be completely blocked or may be restricted to running. Because the claimed language doesn’t specifically recites how the access is denied or action is taken, Rivera teaches taking specific actions (denying access) related to the monitoring. Applicant argues further (see page 12-8) regarding claims 1 and 10 of limitation “one or more of: (i) denying access to the predefined storage area of the computer for the monitored application and (ii) denying or throttling network access of the monitored application, when access to the predetermined storage area of the computer is determined during the monitoring” without additional details beyond previous arguments. As discussed above, Rivera teaches denying access related to the monitoring. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-2, 6-7 and 10-14, 16 is rejected under 35 U.S.C. 102 (a) (1) as being anticipated by RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA). Regarding claim 1: RIVERA teaches: A method of threat detection in a computer or computer network, the method comprising: determining that an application is starting at the computer; monitoring the application for a predetermined duration after a start of the application is determined in order to recognize malicious activity by the application (RIVERA - [0067]: The monitoring of the system behavior may be performed concurrently with the execution of the application from block 504. Additionally, the monitoring may be performed for a predetermined time period at regular intervals or continuously), the monitoring the application comprises monitoring the application for accessing a predefined storage area of the computer (RIVERA - [0066]: the system may be monitored for unauthorized system directory access or modifications, unauthorized writing to an operating system); and one or more of: (i) denying access to the predefined storage area of the computer for the monitored application and (ii) denying or throttling network access of the monitored application, when access to the predetermined storage area of the computer is determined during the monitoring (RIVERA - [0070] and Fig. 5 discloses that a new application reputation is received (in block 512) based on monitoring (in block 506). If the new reputation indicates that the application is malicious then the application may be completely blocked or may be restricted to running). Regarding claim 2: RIVERA teaches: wherein, when no malicious activity is recognized to be carried out by the monitored application during the predefined duration, one or more of: (i) stopping monitoring and allowing access to the predefined storage area (ii) allowing network access of the monitored application, and (iii) stopping the throttling of the network access (RIVERA - [0065]: Based on the reputation, the client may execute the application by permitting the application access to all available resources when the reputation is good or safe). Regarding claim 6: RIVERA teaches: wherein the application is monitored by tracking events created by the application, such as created or changed files, accesses to registry, changes done to registry, created processes, created child processes, injection of processes in other processes, and/or by analyzing captured events to be malicious, e.g. by recognizing known patterns of file encryption, preventing malware detection by the application (RIVERA - [0046]: system and application monitoring module 320 may monitor a client for unauthorized system directory access or modifications, unauthorized writing to an operating system, termination of security applications such as anti-virus applications, and malicious network activity). Regarding claim 7: RIVERA teaches: wherein, when malicious activity by the application is determined when the application is running and/or if the application is accessing the predefined storage area, stopping the application, removing the application and/or reverting changes made to the computer based on the backup of the computer, the backup being prepared when the application was starting (RIVERA - [0067]: the client may terminate an application if a particular known malicious behavior is detected). Regarding claim 10: this claim defines an arrangement for threat detection in a computer or computer network claim that corresponds to method 1 and does not define beyond limitations of claim 1. Therefore, claim 10 is rejected with the same rational as in the rejection of claim 1. Regarding claim 11: this claim does not define beyond limitations of claims 1 and 2. Therefore, claim 11 is rejected with the same rational as in the rejection of claims 1 and 2. Regarding claim 12: this claim defines a computer program and does not define beyond limitations of claim 1. Therefore, claim 12 is rejected with the same rational as in the rejection of claim 1. Regarding claim 14: RIVERA teaches: wherein the predefined storage area of the computer is a security sensitive area of the computer (RIVERA - [0046]: system and application monitoring module 320 may monitor a client for unauthorized system directory access or modifications, unauthorized writing to an operating system). Regarding claim 16: RIVERA teaches: wherein the tracked events created by the application include created or changed files, accesses to registry, changes done to registry, created processes, created child processes, and an injection of processes in other processes (RIVERA - [0046]: system and application monitoring module 320 may monitor a client for unauthorized system directory access or modifications). Regarding claim 16: RIVERA teaches: wherein the application is monitored to determine whether the application is accessing the predefined storage area of the computer (RIVERA - [0046]: The system and application monitoring module 320 may monitor various types of behavior of the client. For example, system and application monitoring module 320 may monitor a client for unauthorized system directory access or modifications, unauthorized writing to an operating system). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA) in view of Chen et al. (Patent No.: US 8,413,235, hereinafter Chen). Regarding claim 3: RIVERA teaches: wherein, based on the determined starting of the application, intercepting the application start, identifying the application, checking a reputation rating of the application (RIVERA - [0065]: The initial reputation may indicate whether the application is trusted and safe, potentially suspicious, suspicious, malicious, or any other classification … Based on the reputation, the client may execute the application). However, RIVERA doesn’t explicitly teach, but Chen discloses when the reputation rating of the application is unrated or unknown, allowing the application to start and starting monitoring of the application (Chen - [Col. 3, Line 18-24]: The security module 112 can monitor for creations of only certain types of files. In one embodiment, the security module 112 specifically monitors for creations of executable files, such as files in the portable executable (PE) format having the ".EXE" file extension. [Col. 3, Line 47-50]: the file categorization module 132 observes typical behaviors of files and categorizes the files based on their behaviors. For example, the security server 130 can categorize a previously unknown file as an "expected executable file creator" or as an "executable file creator of interest"). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of RIVERA with Chen so that typical behavior files such as previous unknown files are observed or monitored. The modification would have allowed the system to improve security. Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA) in view of Gu et al. (US 11216559, hereinafter Gu). Regarding claim 4: RIVERA teaches: wherein, based on the determined starting of the application, intercepting the application start, identifying the application, checking reputation rating of the application (RIVERA - [0065]: The initial reputation may indicate whether the application is trusted and safe, potentially suspicious, suspicious, malicious, or any other classification … Based on the reputation, the client may execute the application). However, RIVERA doesn’t explicitly teach, but Gu discloses when the reputation rating of the application is unrated or unknown, creating a backup of the computer (Gu - [Col. 6, Line 50-54]: FIG. 3, at step 306, one or more of the systems described herein may save, in response to determining that the reputation of the process is unknown, a backup copy of the file targeted by the process on a remote storage device prior to allowing the process to modify). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of RIVERA with Gu so that a backup copy of files are saved if the reputation rating is unknown. The modification would have allowed the system to be protected. Regarding claim 5: RIVERA teaches: wherein checking the reputation rating of the application comprises receiving application reputation information from a database based on one or more of: (i) identification and (ii) signatures of the application (RIVERA - [0045]: the reputation module 310 may assign a reputation to each application or process being executed on each client within the network based on a plurality of factors. For example, the reputation module 310 may assign a reputation to an application based on the developer of the application, a reputation of a previous version of the application, characteristics or behavior of the application upon installation or at a later time, a whitelist, or any other factor). Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA) in view of Campbell et al. (Pub. No.: US 2010/0205421, hereinafter Campbell). Regarding claim 8: RIVERA doesn’t explicitly teach, but Campbell discloses wherein the backup comprises at least one of the following: current system settings, application settings, security settings, DNS-settings, scheduled tasks, and settings related to backups or shadow copy of the computer (Campbell - [0024]: a computer system might be configured to operate on a company or group intranet and a snapshot can contain a configuration setting for use of and access to the company or group system. A snapshot with these settings can be placed in a password protected group so that unauthorized personnel cannot boot and use these settings). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of RIVERA with Campbell so that a backup can contain a configuration setting for use of and access to the company or group system. The modification would have allowed the system to be more secure. Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA) in view of Bruso et al. (US 2018/0373877, hereinafter Bruso). Regarding claim 9: RIVERA doesn’t explicitly teach, but Bruso discloses wherein the predefined storage area comprises at least one of the following: documents and data of a user of the computer, password data, key storage data, a memory state of the application, a memory state of a password manager, a memory state of an encryption services, computer registry data, windows registry data, and registry data containing one or more of: (i) password information and (ii) token information (Bruso - [0017]: server 110 includes logic, modules or processes to monitor access to user data and data integrity). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of RIVERA with Bruso so that access to storage area with user data is monitored. The modification would have allowed the system to be monitor user data access event. Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA) in view of Satish et al. (Patent No.: US 8,499,063, hereinafter Satish). Regarding claim 15: RIVERA doesn’t explicitly teach, but Satish discloses wherein the database is a backend system reputation database (Satish - [Col 9, Line 21-23]: The reputation score database 401 stores reputation scores in association with a unique identifier for the software application (e.g. a hash of the software application)). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of RIVERA with Satish so that database is a reputation database. The modification would have allowed the system to be evaluated based on the reputation of an application. Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over RIVERA et al. (Pub. No.: US 2015/0007315, hereinafter RIVERA) in view of Merchan et al. (US 2024/0330459, hereinafter Merchan). Regarding claim 17: RIVERA teaches: wherein the analyzing the captured events to be malicious comprises … preventing malware detection by the application (RIVERA - [0046]: system and application monitoring module 320 may monitor a client for … termination of security applications such as anti-virus applications). However, RIVERA doesn’t explicitly teach, but Merchan discloses wherein the analyzing the captured events to be malicious comprises recognizing known patterns of file encryption (Merchan - [0022]: The malware detection system may monitor the system during normal operations of the system and may detect signatures of the encryption of known files). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of RIVERA with Merchan so that signature of encryption of known files are monitored. The modification would have allowed the system to improve security. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kim et al. US 20190114079 - Apparatus for managing disaggregated memory and method thereof Turbin et al. US 20220327207 - Arrangement and method of threat detection in a computer or computer network Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached M-F 8:30-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MENG LI/ Primary Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

Aug 01, 2024
Application Filed
Dec 23, 2025
Non-Final Rejection mailed — §102, §103
Mar 23, 2026
Response Filed
Apr 14, 2026
Final Rejection mailed — §102, §103
Jun 15, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682050
PROCESSOR SUPPORT FOR SOFTWARE-LEVEL CONTAINMENT OF ROW HAMMER ATTACKS
4y 6m to grant Granted Jul 14, 2026
Patent 12664286
Predicting and Quantifying Weaponization of Software Weaknesses
2y 11m to grant Granted Jun 23, 2026
Patent 12665740
METHODS AND APPARATUSES FOR JOINTLY PROCESSING DATA BY TWO PARTIES FOR DATA PRIVACY PROTECTION
2y 5m to grant Granted Jun 23, 2026
Patent 12664288
GENERATING REMEDIATION STRATEGIES FOR RESPONDING TO SECURITY DEFICIENCIES USING GENERATIVE MACHINE LEARNING MODELS
2y 3m to grant Granted Jun 23, 2026
Patent 12645804
Managing Implementation Of Application-Code Scanning Processes
2y 1m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

2-3
Expected OA Rounds
87%
Grant Probability
99%
With Interview (+19.9%)
2y 3m (~3m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 575 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month