Prosecution Insights
Last updated: July 17, 2026
Application No. 18/794,606

METHOD AND SYSTEM FOR GENERATING APPLICATION-LAYER SIGNATURES CHARACTERIZING ADVANCED APPLICATION-LAYER ATTACKS

Final Rejection §103§112
Filed
Aug 05, 2024
Priority
Dec 28, 2022 — provisional 63/477,522 +1 more
Examiner
ALI, AFAQ
Art Unit
2434
Tech Center
2400 — Computer Networks
Assignee
Radware Ltd.
OA Round
2 (Final)
90%
Grant Probability
Favorable
3-4
OA Rounds
6m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
123 granted / 137 resolved
+31.8% vs TC avg
Moderate +13% lift
Without
With
+13.3%
Interview Lift
resolved cases with interview
Typical timeline
2y 5m
Avg Prosecution
18 currently pending
Career history
168
Total Applications
across all art units

Statute-Specific Performance

§101
2.2%
-37.8% vs TC avg
§103
90.8%
+50.8% vs TC avg
§102
0.6%
-39.4% vs TC avg
§112
2.5%
-37.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 137 resolved cases

Office Action

§103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action Claims 1, 3, 6, 7, 9-11, 13, 18-23, 25, 28, 29, 31-33, 35, and 40-42 are amended Claims 1-42 are pending Priority This application is a continuation in part of US Patent Application No. 18/176,667, filed on March 1, 2023. The 18/176,667 Application claims the benefit of US Provisional Application No. 63/477,522 filed on December 28, 2022. Therefore, the effective filing date of this application is 12/28/2022. Information Disclosure Statement The information disclosure statements (IDS) submitted on 12/22/2025 and 05/12/2026. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements have been considered by the examiner. Response to Arguments Applicant’s arguments filed on 02/17/2026 have been fully considered. With respect to the claim objections. All claim objections listed in the non-final office action mailed on 11/14/2025 have been overcome except for claim 26. Applicant has not amended claim 26 to overcome the objection. Therefore, the objection to claim 26 is maintained. With respect to USC 112(b) rejection for claims 1-42. All rejections have been overcome except for claim 21. Claim 21 recites of “attack time past samples” and “the past samples”. There is insufficient antecedent basis for “the past samples”. Examiner suggests amending this to “the attack time past samples”. With respect to USC 101 rejection for claims 1-17, 19-39, 41, and 42. The rejection has been overcome due to applicant’s amendments With respect to the double patenting rejection. The rejection is being maintained due to no approved terminal disclaimer being filed. With respect to the arguments for USC 103 Applicant has argued that the teaching of RADINSKY-MEDVEDOVSKY fail to teach the limitations of claim 1. In particular the limitation of “application-layer signatures”. Examiner respectfully disagrees. Applicant has argued that the “application layer” is the layer-7 of the OSI model. However, this is not recited in the claims. The claims broadly recite of application layer signatures. Which under broadest reasonable interpretation relate to any signature of an application. RADINSKY teaches of generating signatures for applications as seen in the following citation. ([RADINSKY, para. 0061] “the applications for which signatures may be generated may be identified. The application may be a desirable or undesirable application. An undesirable application may be a malicious application, such as a virus, worm, Trojan horse, spyware, scareware, crimeware, rootkits, or other type of application”). RADINSKY further teaches of the OSI model as seen in para. 0024 ([RADINSKY, para. 0024] “The applications signatures may use a parameter vector that includes many protocol or communication attributes. A parameter vector may include parameters relating to the transport or lower level layers in the Open Systems Interconnection model (OSI model) definitions. ”). Furthermore, RADINSKY teaches of applicative attribute included in the signatures as seen in the following citations ([RADINSKY, para. 0024] “The applications signatures may use a parameter vector that includes many protocol or communication attributes.”) The parameter vector included in the application signature is being interpreted as an applicative attribute. Therefore, RADINSKY-MEDVEDOVSKY teaches all limitations of claim 1. Examiner suggests that Applicant amends the claims by clarifying the limitations to specifically recite application layer is the layer-7 of the OSI model. Claim Objections Claim 26 is objected to because of the following informalities: Claims 26 recites “wherein, are derived from computed”. It is unclear what is derived. Examiner believes there is a typo and the claim should be amended similar to parallel claim 4 and recite “wherein, Pjattack[n] are derived from computed attack paraphrase distributions, Pjbaseline are derived from baseline paraphrase distributions, and AF is an attack factor.”. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claim 21 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 21 recites the limitation " the past samples". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this limitation as “the attack time past samples”. Appropriate correction is required. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1, 5, 19, 22, 23, 27, and 41 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 4, 14, and 18 of copending Application No. 18/398,985 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented. Current application 18/794,606 copending Application No. 18/398,985 1. A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. 1.) A method for learning attack-safe baselines, comprising: receiving application-layer transactions directed to a protected entity; measuring values of a rate-based attribute and a rate-invariant attribute from the received application-layer transactions; determining, based on the measured rate-based attribute, if the received application-layer transactions represent a normal behavior; computing at least one baseline using application-layer transactions determined to represent the normal behavior; validating the at least one computed baseline using the measured rate-invariant attribute and rate-based attribute; and building a set of baselines based on the at least one validated baseline, wherein the set of baselines are utilized for characterization of DDoS attacks. 4. The method of claim 1, further comprising: generating, using at least one computed baseline, an application-layer signature designating applicative attributes utilized for characterization of DDoS attacks. 5. The method of claim 4, further comprising: sampling transactions received during a time window; for each time window, building a set of window paraphrase buffers (WPBFs); and building a set of baseline paraphrase buffers (BPBFs) from transactions directed to the protected entity during peacetime, wherein the BPBFs represent a paraphrase distribution of normal behavior. 3.) The method of claim 2, further comprises: computing paraphrase values mean occurrences for the BPBFs for a current time window based on an average of occurrences for paraphrase values in the BPBFs computed for a previous time window, a total of occurrences for paraphrase values in the WPBFs for a current time window, and using an Alpha filter. 19. The method of claim 1, wherein the ongoing application-layer attack is a DDoS attack realized as an HTTP flood application-layer attack. 18. The method of claim 1, wherein the attack-safe baselines are utilized for the characterization and mitigation of application layer flood denial-of-service (DDoS) attacks carried by attackers utilizing advanced application layer flood attack tools. Claims 22, 23, 27, and 41 are parallel claims and are rejected in a similar manner. Claims 1, 5-10, 12, and 19, 22, 23, 27-32, 34, and 41 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 4-9, 20 of copending Application No. 18/176667 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented. copending Application No. 18/176667 Current application 18/794,606 1. A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: determining applicative baseline distributions of attributes included in transactions directed to a protected entity during peacetime; determining attack distributions of applicative attributes included in transactions directed to a protected entity during an on-going application-layer attack; determining, based on the applicative baseline distributions and the attack distributions of applicative attributes, a probability of an attacker executing the on-going application-layer attack to generate an attack using at least one attribute; and generating an application-layer signature designating applicative attributes determined to be eligible based on their respective probabilities, wherein the application- layer signature characterizes behavior of the attacker executing the on-going application-layer attack. 1.(Original) A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application- layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. 4.) The method of claim 2, further comprising: sampling transactions received during a time window; for each time window, building a set of window paraphrase buffers (WPBFs); building a set of baseline paraphrase buffers (BPBFs) from transactions directed to the protected entity during peacetime, wherein the BPBFs represent a paraphrase normal behavior. 5.(Original) The method of claim 4, further comprising: sampling transactions received during a time window; for each time window, building a set of window paraphrase buffers (WPBFs); and building a set of baseline paraphrase buffers (BPBFs) from transactions directed to the protected entity during peacetime, wherein the BPBFs represent a paraphrase distribution of normal behavior. 5. The method of claim 4, further comprising: sampling transactions received during a time window; for each time window, building a set of window paraphrase buffers (WPBFs); building, for each time window, a set of attack paraphrase buffers (APBFs) from transactions received during the on-going application-layer attack, wherein the APBFs represent a paraphrase attack time behavior for a duration of the on-going application-layer attack. 6.(Original) The method of claim 5, further comprising: sampling transactions received during a time window; for each time window, building a set of per-second paraphrase buffers; and building, from each per-second paraphrase buffers, attack paraphrase distributions from transactions received during an on-going application-layer attack, wherein the attack paraphrase distributions represent paraphrases distributions for a duration of the on-going application-layer attack. 6.) The method of claim 5, wherein building the set of WPBFs further comprises: vectoring a set of paraphrases derived from the received transactions during a time window; and buffering the paraphrase vectors to provide the WPBFs. 7.(Original) The method of claim 6, wherein building the set of WPBFs and per-second paraphrase buffers further comprises: vectoring a set of paraphrases derived from the received transactions during a time window; and buffering the paraphrase vectors to provide the WPBFs and per-second paraphrase buffers. 7. The method of claim 4, wherein building the set of BPBFs further comprises: updating values from the WPBFs into the BPBFs. 8. (Original) The method of claim 7, wherein building the set of BPBFs further comprises: updating values from the WPBFs into the BPBFs. 8. The method of claim 7, further comprises: computing paraphrase values mean occurrences for the BPBFs for a current time window based on an average of occurrences for paraphrase values in the BPBFs computed for a previous time window, a total of occurrences for paraphrase values in the WPBFs for a current time window, and an Alpha filter. 9. (Original) The method of claim 8, further comprising: computing paraphrase values mean occurrences for the BPBFs for a current time window based on an average of distributions for paraphrase values in the BPBFs computed for a previous time window, a total of distributions for paraphrase values in the WPBFs for a current time window, and an R filter. 9. The method of claim 4, wherein building the APBFs further comprises: updating the values from the WPBFs into the APBFs; and updating paraphrase value occurrences based on transactions directed to the protected entity during the on-going application-layer attack. 10. (Original) The method of claim 9, wherein building the attack paraphrase distributions further comprises: updating the distributions from the per-second paraphrase buffer into the attack paraphrase mean histogram; and updating paraphrase value distributions based on transactions directed to the protected entity during an ongoing application-layer attack. 2. The method of claim 1, further comprising: maintaining attributes of transactions, directed to a protected entity, in a paraphrase, wherein each paraphrase includes at least one paraphrase value, wherein a paraphrase value represents an applicative attribute in a transaction. 12. (Original) The method of claim 3, further comprising: maintaining applicative attributes of transactions, directed to the protected entity, in a paraphrase, wherein each paraphrase includes at least one paraphrase value, wherein a paraphrase value represents an applicative attribute in a transaction. 20. The method of claim 21, wherein the on-going application-layer attack is a DDoS attack realized as a HTTP flood application-layer attack. 19. (Original) The method of claim 1, wherein the ongoing application-layer attack is a DDoS attack realized as an HTTP flood application-layer attack. Claims 22, 23, 27-32, 34, and 41 are parallel claims and therefore, are rejected in a similar manner. Claims 1, 5, 19, 22, 23, 29, and 41 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, 13 of U.S. Patent No. US 11582259 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. Current application 18/794,606 U.S. Patent No. US 11582259 B1 1. A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. 1.) A method for characterizing application layer flood denial-of-service (DDoS) attacks, comprising: receiving an indication on an on-going DDoS attack directed to a protected entity; generating a dynamic applicative signature by analyzing requests received during the on-going DDoS attack, wherein generating the dynamic applicative signature includes, at an end of a characterization window, determining a top of buffer values of each paraphrase in an array of paraphrase buffers, wherein the dynamic applicative signature is the top of buffer across all paraphrases in the array, wherein the dynamic applicative signature characterizes requests generated by an attack tool executing the on-going DDoS attack; characterizing each incoming request based on the generated dynamic applicative signature, wherein the characterization provides an indication for each incoming request whether a request is generated by the attack tool; and generating a multi-paraphrase signature characterizing the attack tool by clustering at least one value of a plurality of different attributes of the received requests. 7. The method of claim 6, wherein building the set of WPBFs and per-second paraphrase buffers further comprises: vectoring a set of paraphrases derived from the received transactions during a time window; and buffering the paraphrase vectors to provide the WPBFs and per-second paraphrase buffers. 2. The method of claim 1, wherein generating the dynamic applicative signature further comprises: for each request received during the characterization window: updating a paraphrase vector with paraphrases and values of the paraphrases representing attributes in the request; updating a paraphrase buffer with values of paraphrases in the designated paraphrase vector, wherein the paraphrase buffer is part of an array of paraphrase buffers; and at the end of the characterization window, determining a top of buffer values of each paraphrase across all the paraphrase buffers in the array, wherein the dynamic applicative signature is the top of buffer across all paraphrases in the array. 19. The method of claim 1, wherein the ongoing application-layer attack is a DDoS attack realized as an HTTP flood application-layer attack. 13. The method of claim 1, wherein the DDoS attack is an HTTP Flood attack, and the attacker carries the attack using an HTTP Flood attack tool, wherein the HTTP Flood attack tool generates HTTP requests having legitimate structure and content. Claims 22, 23, 29, and 41 are parallel claims and therefore, are rejected in a similar manner. Claims 1, 19, 22, 23, and 41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 of U.S. Patent No. US 11888893 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. Current application 18/794,606 U.S. Patent No. US 11888893 B2 1.) A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. 19. The method of claim 1, wherein the ongoing application-layer attack is a DDoS attack realized as an HTTP flood application-layer attack. 1.) A method for characterizing application layer denial-of-service (DDoS) attacks, comprising: generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDoS attack, wherein a dynamic applicative signature characterizes each received application layer request based on frequent applicative application layer attributes appearing in the received application layer requests; characterizing each of the received application layer requests based on one of the generated dynamic applicative signatures, wherein the characterization provides an indication for each received application layer request whether a received application layer request is generated by an attack tool executing the on-going DDoS attributes; and causing a mitigation action on the received application layer request generated by the attack tool based on the generated dynamic applicative signature. Claims 22, 23, and 41 are parallel claims and therefore, are rejected in a similar manner. Claims 1, 5, 19, 22, 23, 27, 41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. US 12184690 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. Current application 18/794,606 U.S. Patent No. US 12184690 B2 1.) A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. 19. The method of claim 1, wherein the ongoing application-layer attack is a DDoS attack realized as an HTTP flood application-layer attack. 5. The method of claim 4, further comprising: sampling transactions received during a time window; for each time window, building a set of window paraphrase buffers (WPBFs); and building a set of baseline paraphrase buffers (BPBFs) from transactions directed to the protected entity during peacetime, wherein the BPBFs represent a paraphrase distribution of normal behavior. 1.) A method for characterizing application layer denial-of-service (DDoS) attacks, comprising: generating a plurality of dynamic applicative signatures by analyzing at the application layer application layer requests received during an on-going DDOS attack, wherein a dynamic applicative signature characterizes each received application layer request based on frequent application layer attributes appearing in the received application layer requests, wherein the application layer requests are represented as a set of paraphrases, wherein each paraphrase represents a specific aspect of an application layer request's structure, and wherein the frequent application layer attributes are determined based on frequency of paraphrases in the set of paraphrases; characterizing each of the received application layer requests based on one of the generated dynamic applicative signatures, wherein the characterization provides an indication for each received application layer request whether a received application layer request is generated by an attack tool executing the on-going DDOS attack; and causing a mitigation action on the received application layer request generated by the attack tool based on the generated dynamic applicative signature. Claims 22, 23, 27, and 41 are parallel claims and therefore, are rejected in a similar manner. Claims 1, 5, 19, 22, 23, 27, 41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 15 of U.S. Patent No. US 11552989 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. Current application 18/794,606 U.S. Patent No. US 11552989 B1 1.) A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. 19. The method of claim 1, wherein the ongoing application-layer attack is a DDoS attack realized as an HTTP flood application-layer attack. 5. The method of claim 4, further comprising: sampling transactions received during a time window; for each time window, building a set of window paraphrase buffers (WPBFs); and building a set of baseline paraphrase buffers (BPBFs) from transactions directed to the protected entity during peacetime, wherein the BPBFs represent a paraphrase distribution of normal behavior. 1.) A method for characterizing application layer flood denial-of-service (DDoS) attacks carried by advanced application layer flood attack tools, comprising: receiving an indication on an on-going DDoS attack directed toward a protected entity; analyzing requests received during the on-going DDoS attack to determine a plurality of different attributes of the received requests; generating a dynamic applicative multi-paraphrase signature by clustering at least one value of the plurality of different attributes, wherein the multi-paraphrase signature characterizes requests with different attributes as generated by an advanced application layer flood attack tool executing the on-going DDoS attack; generating the multi-paraphrase signature based on eligible top of buffer (ToB) values generated across all paraphrase buffers, wherein the eligible ToB values are determined based on paraphrase values in the ToB and rest of buffer (RoB) and a minimum attack factor (MAF); and characterizing each incoming request based on the multi-paraphrase signature, wherein the characterization provides an indication for each incoming request whether a request is generated by the attack tool. Claims 22, 23, 27, and 41 are parallel claims and therefore, are rejected in a similar manner. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 3, 12-16, 18, 19, 22, 23, 25, 34-38, and 41 are rejected under 35 U.S.C. 103 as being unpatentable over RADINSKY (US-20120317306-A1) in view of MEDVEDOVSKY (US-20210194903-A1), hereinafter RADINSKY-MEDVEDOVSKY. Regarding claim 1, RADINSKY teaches “ A method for generating application-layer signatures characterizing advanced application-layer attacks, comprising: ([RADINSKY, abstract] “A set of signatures may be created by training a machine learning system using network traffic with and without a specific application. The machine learning system may generate a signature for the specific application, and the signature may be analyzed using a monitoring system to identify the presence of the application's traffic on the network.”) ([RADINSKY, para. 0061] “the applications for which signatures may be generated may be identified. The application may be a desirable or undesirable application. An undesirable application may be a malicious application, such as a virus, worm, Trojan horse, spyware, scareware, crimeware, rootkits, or other type of application”) … including in an application-layer signature eligible applicative attributes having an attacker probability higher than the dynamic attacker probability threshold, wherein the application-layer signature includes an inclusive section and an exclusive section, and wherein the application-layer signature is indicative of an ongoing attack based on one of the exclusive section and the inclusive section. ([RADINSKY, para. 0059] “The signatures may be a decision tree with conditional probabilities. Such signatures may be able to detect a specific application and give a probability of a match for that application.”) ([RADINSKY, para. 0080] “If the probability of a match between the parameter vector and the currently analyzed signature does not exceed a predefined threshold in block 314, the process may return to block 308 to process another signature. If the probability of a match does exceed the predefined threshold in block 314, the signature may be determined as a match”) ([RADINSKY, para. 0038] “embodiment may have a mechanism for determining a signature for a given application, and a separate monitoring application that may capture and analyze network traffic in real time. The mechanism for determining a signature for a given application may cause an application to execute, then monitor the network communications performed by the application. The data collected may be analyzed using a machine learning algorithm or other mechanism to create a signature. The signature may then be transmitted to the monitoring applications to identify the given application.”) ([RADINSKY, para. 0061] “the applications for which signatures may be generated may be identified. The application may be a desirable or undesirable application. An undesirable application may be a malicious application”) ([RADINSKY, para. 0024] “The applications signatures may use a parameter vector that includes many protocol or communication attributes. A parameter vector may include parameters relating to the transport or lower level layers in the Open Systems Interconnection model (OSI model) definitions. Such parameters may include protocol types, such as UDP or TCP.”) ([RADINSKY, para. 0030] “various statistics regarding packet transmission may be collected and used as part of the signature of an application. The statistics may include the minimum, mean, average, maximum, standard deviation, or other descriptive characteristics”) However, RADINSKY does not teach “computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; ... and performing mitigation of the ongoing attack based on the application-layer signature”. In analogous teaching MEDVEDOVSKY teaches “… computing, based on applicative peacetime baseline distributions and attack distributions of applicative attributes included in application-layer transactions directed to a protected entity, an attacker probability of an attacker executing an ongoing application-layer attack; ([MEDVEDOVSKY, abstract] “The method includes receiving samples of at least rate-base features, wherein the rate-base features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity; computing a short-term baseline and a long-term baseline based on the received samples”) ([MEDVEDOVSKY, para. 0012] “The method comprising receiving samples of at least rate-base features, wherein the rate-base features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity”) ([MEDVEDOVSKY, para. 0030] “ingress traffic from the client device 120 to the victim server 130 is analyzed to determine a number of HTTPS requests per second”) ([MEDVEDOVSKY, para. 0029] “The inspected traffic is analyzed to determine abnormal activity based on rate-base and rate-invariant features of the inspected traffic. The rate-base traffic features and the rate-invariant traffic features demonstrate behavior of HTTPS traffic directed to the victim server 130.”) ([MEDVEDOVSKY, para. 0080] “a rate-invariant anomaly is detected based on an abnormal distribution of the size of HTTPS requests and responses. In an embodiment, an abnormal distribution is determined based on the probability that a request's size would fit a specific bin. A bin is defined as a single “bucket” in the distribution.”) ([MEDVEDOVSKY, para. 0081] “The distribution of each bin reflects the overall probability of an individual HTTPS request, or response, accordingly, to appear in a specific bin.”) comparing the attacker probability computed for each of the applicative attributes to a dynamic attacker probability threshold; and ([MEDVEDOVSKY, para. 0073] “In an embodiment, a threshold may be determined as follows: U(t)=Y(t)+maxDev(t) where U(t) is an anomaly threshold, Y(t) is the baseline, and maxDev(t) is the maximal deviation of an observed traffic feature during peace-time corresponding to the required value of the false positive detection rate of the observed traffic feature. For the given false probability rate, the maxDev(t) is considered as the maximal “legitimate” deviation from the momentary baselines; it is also updated with each new sample.”) ([MEDVEDOVSKY, para. 0081] “The distribution of each BIN is computed for every sample as the total number of requests in a BIN, divided by the total number of requests in the sample. The distribution of each bin reflects the overall probability of an individual HTTPS request”) ([MEDVEDOVSKY, para. 0072] “States where real time samples of each traffic feature exceed the threshold in amount equal or greater to/from the maximal deviation continuously for some time are considered anomalous.”) and performing mitigation of the ongoing attack based on the application-layer signature. ([MEDVEDOVSKY, para. 0025] “The defense system 110 includes a detector 111 and a mitigation resource 112”) ([MEDVEDOVSKY, para. 0026] “The mitigation resource 112 is configured to perform one or more mitigation actions, triggered by the detector 111, in order to mitigate a detected attack”) ([MEDVEDOVSKY, para. 0027] “The communication with the victim server 130 is over an application-layer cryptographic protocol, such as HTTPS, based on any version of an encryption protocol such as SSL, TLS, and the like”). Thus, given the teaching of MEDVEDOVSKY, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of determining applicative baseline distributions by MEDVEDOVSKY into a method for generating application-layer signatures by RADINSKY. One of ordinary skill in the art would have been motivated to do so because MEDVEDOVSKY recognizes the need to efficiently detect HTTPS flood attacks ([MEDVEDOVSKY, para. 0010] “It would be, therefore, advantageous to provide an efficient security solution for detecting and mitigating HTTPS flood attacks.”). Regarding claim 22, this claim recites of a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process that performs the steps of method claim 1. Therefore, claim 22 is rejected in a similar manner as in the rejection of claim 1. Regarding claim 23, this claim recites of a device which performs the steps of method claim 1. Therefore, claim 23 is rejected in a similar manner as in the rejection of claim 1. Regarding claims 3 and 25, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 23. RADINSKY further teaches “determining, based on attacker probabilities, an eligibility threshold of applicative attributes to be included in the application-layer signature.” ([RADINSKY, para. 0059] “The signatures may be a decision tree with conditional probabilities. Such signatures may be able to detect a specific application and give a probability of a match for that application.”) ([RADINKSY, para. 0080] “If the probability of a match between the parameter vector and the currently analyzed signature does not exceed a predefined threshold in block 314, the process may return to block 308 to process another signature. If the probability of a match does exceed the predefined threshold in block 314, the signature may be determined as a match and the loop may be exited in block 316.”) ([RADINKSY, para. 0024] “The applications signatures may use a parameter vector that includes many protocol or communication attributes.”) ([RADINKSY, para. 0025] “The parameter vector may include parameters regarding the behavior of a session. Such parameters may include the duration of the connection, as well as the volume of information transmitted during a session.”) Regarding claims 12 and 34, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 25. MEDVEDOVSKY further teaches “maintaining applicative attributes of transactions, directed to the protected entity, in a paraphrase, wherein each paraphrase includes at least one paraphrase value, wherein a paraphrase value represents an applicative attribute in a transaction.” ([MEDVEDOVSKY, para. 0060] “each sample, traffic features are estimated. This includes estimating, for example, the total number of HTTPS requests, total volume (bytes) of HTTPS requests, total volume (bytes) of HTTPS responses, lists of all requests and their sizes and the source IP generating each request”) ([MEDVEDOVSKY, para. 0096] “In an embodiment, each buffer is a dedicated cyclic FIFO buffer for keeping several last samples of input/output. Initially, the buffers are filled with a padding value, which is the average value of several previous samples or the first valid sample.”) The same motivation to combine RADINSKY with MEDVEDOVSKY as in the rejection of claim 1 applies. Regarding claims 13 and 35, RADINSKY-MEDVEDOVSKY teach all limitations of claims 12 and 34. MEDVEDOVSKY further teaches “setting at least one dynamic paraphrase, wherein the dynamic paraphrase includes any one of: a Hypertext Transfer Protocol (HTTP) header key, a cookie key in cookie header, and a query argument key.” ([MEDVEDOVSKY, para. 0060] “each sample, traffic features are estimated. This includes estimating, for example, the total number of HTTPS requests, total volume (bytes) of HTTPS requests, total volume (bytes) of HTTPS responses, lists of all requests and their sizes and the source IP generating each request”) ([MEDVEDOVSKY, para. 0061] “The information carried in a header of a TCP packet can be utilized to estimate the existence of HTTP requests and responses, and the size of the responses and requests. Specifically, the TCP SEQ number and the TCP ACK number designated in the TCP header can be utilized to estimate the size of the request and response, respectively.”) ([MEDVEDOVSKY, para. 0036] “all measurements are analyzed without undertaking any decryption activity and/or extracting headers of HTTPS requests or responses.”). The same motivation to combine RADINSKY with MEDVEDOVSKY as in the rejection of claim 1 applies. Regarding claims 14 and 36, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 23. RADINSKY further teaches “wherein the exclusive section includes a plurality of paraphrase values, wherein the application-layer signature is indicative of an ongoing attack based on all of the plurality of paraphrase values.” ([RADINSKY, para. 0024] “The applications signatures may use a parameter vector that includes many protocol or communication attributes. A parameter vector may include parameters relating to the transport or lower level layers in the Open Systems Interconnection model (OSI model) definitions. Such parameters may include protocol types, such as UDP or TCP.”) ([RADINSKY, para. 0030] “various statistics regarding packet transmission may be collected and used as part of the signature of an application. The statistics may include the minimum, mean, average, maximum, standard deviation, or other descriptive characteristics”) ([RADINSKY, para. 0061] “the applications for which signatures may be generated may be identified. The application may be a desirable or undesirable application. An undesirable application may be a malicious application, such as a virus, worm, Trojan horse, spyware, scareware, crimeware, rootkits, or other type of application.”) Regarding claims 15 and 37, RADINSKY-MEDVEDOVSKY teach all limitations of claims 14 and 36. RADINSKY further teaches “wherein the inclusive section includes a plurality of paraphrase values, wherein the application-layer signature is indicative of an ongoing attack based on at least one of the plurality of paraphrase values.” ([RADINSKY, para. 0024] “The applications signatures may use a parameter vector that includes many protocol or communication attributes. A parameter vector may include parameters relating to the transport or lower level layers in the Open Systems Interconnection model (OSI model) definitions. Such parameters may include protocol types, such as UDP or TCP.”) ([RADINSKY, para. 0030] “various statistics regarding packet transmission may be collected and used as part of the signature of an application. The statistics may include the minimum, mean, average, maximum, standard deviation, or other descriptive characteristics”) ([RADINSKY, para. 0061] “the applications for which signatures may be generated may be identified. The application may be a desirable or undesirable application. An undesirable application may be a malicious application, such as a virus, worm, Trojan horse, spyware, scareware, crimeware, rootkits, or other type of application.”) Regarding claims 16 and 38, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 23. RADINSKY further teaches “determining based, in part, on an attacker probability a set of paraphrase values to be included in the inclusive section.” ([RADINSKY, para. 0059] “Embodiment 200 illustrates one method by which signatures may be created for applications. The signatures may be a decision tree with conditional probabilities. Such signatures may be able to detect a specific application and give a probability of a match for that application.”) ([RADINSKY, para. 0062] “The first application may be started in block 204 and network traffic created by the first application may be captured in block 206.”) ([RADINSKY, para. 0063] “From the collected data, a training set may be identified in block 208. The training set may be a parameter vector that includes values for all of the parameters measured in a signature.”). Regarding claims 18, RADINSKY-MEDVEDOVSKY teach all limitations of claim 1. MEDVEDOVSKY further teaches “wherein performing mitigation of the ongoing attack includes at least blocking the attacker based on at least one applicative attribute included in the exclusive section.” ([MEDVEDOVSKY, para. 0052] “The mitigation action may be, for example, blocking, or rate-limiting, traffic from the client 120 to the server, challenging the client causing any traffic anomaly (e.g., CAPTCHA), redirecting the traffic to a scrubbing center for cleaning malicious traffic, and so on … In an embodiment, a mitigation action can start by challenging each entity (client device and/or attack tool) in the suspect list and end with a rate limit applied on these clients, or a blocking of these source IPs.”). The same motivation to combine RADINSKY with MEDVEDOVSKY as in the rejection of claim 1 applies. Regarding claims 19 and 41, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 23. MEDVEDOVSKY further teaches “wherein the ongoing application-layer attack is a Distributed Denial of Service (DDoS) attack realized as an a Hypertext Transfer Protocol (HTTP) flood application-layer attack.” ([MEDVEDOVSKY, para. 0044] “in order to detect HTTPS flood attacks, the defense system 110 is configured to compare features of inspected traffic to the legitimate traffic patterns (or their normal baselines).”) ([MEDVEDOVSKY, para. 0092] “As noted above, an HTTPS flood DDoS attack is detected responsive to a short-term baseline, a long-term baseline, or both.”) The same motivation to combine RADINSKY with MEDVEDOVSKY as in the rejection of claim 1 applies. Claims 2 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over RADINSKY-MEDVEDOVSKY in view of SINGH (US-11153217-B1). Regarding claim 2 and 24, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 23. However, RADINSKY-MEDVEDOVSKY does not teach “wherein the dynamic attacker probability threshold is dynamically calculated with a reverse ratio to a current attack factor (AF).”. In analogous teaching SINGH teaches “wherein the dynamic attacker probability threshold is dynamically calculated with a reverse ratio to a current attack factor (AF).” ([SINGH, col. 11 Lines. 23-52] “Table 804 of FIG. 8 illustrates exemplary threshold rates for packet policers 1 and 2 calculated based on an inversely-proportional-to-packet-rate keep-aside allocation scheme. … In some embodiments, policing module 106 may implement this allocation scheme in the event that a potential DoS attack or similar attack has been detected. For example, policing module 106 may determine that network device 402 is potentially experiencing a DoS attack that involves packets sized between 0 and 750 bytes based on the rate of packets tracked by packet policer 1 exceeding the rate of packets tracked by packet policer 2. Thus, implementing the inversely proportional keep-aside allocation scheme may prevent packets sized between 0 and 750 bytes from overloading network device 402.”). Thus, given the teaching of SINGH, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of dynamic attacker probability threshold is dynamically calculated with a reverse ratio by SINGH into a method for generating application-layer signatures by RADINSKY-MEDVEDOVSKY. One of ordinary skill in the art would have been motivated to do so because SINGH recognizes the need to police network traffic ([SING, col. 1 Lines. 39-41] “The instant disclosure, therefore, identifies and addresses a need for improved systems and methods for policing network traffic rates.”). Claims 17, 39, and 40 are rejected under 35 U.S.C. 103 as being unpatentable over RADINSKY-MEDVEDOVSKY in view of JIAO (US-20230231871-A1) based on its foreign priority to Chinese Patent Application No. 202010948783.1, filed on Sep. 10, 2020. Regarding claim 17 and 39, RADINSKY-MEDVEDOVSKY teach all limitations of claims 16 and 38. However, RADINSKY-MEDVEDOVSKY does not teach “selecting a set of a pre-defined number of paraphrase values with a highest attacker probability and lower than a pre-defined threshold baseline probability to be included in the exclusive section.”. In analogous teaching JIAO teaches “selecting a set of a pre-defined number of paraphrase values with a highest attacker probability and lower than a pre-defined threshold baseline probability to be included in the exclusive section.” ([JIAO, para. 0228] “The probability value indicates a possibility that a second traffic flow is a malicious traffic flow. A larger probability value indicates a higher possibility that the second traffic flow is a malicious traffic flow. Whether the second traffic flow is a malicious traffic flow or a suspicious traffic flow can be indicated based on a quantity relationship between the probability value and a threshold. For example, if the probability value is less than a threshold A, it indicates that the second traffic flow is a normal traffic flow; if the probability value is greater than or equal to the threshold A and less than a threshold B, it indicates that the second traffic flow is a suspicious traffic flow; and if the probability value is greater than the threshold B, it indicates that the second traffic flow is a malicious traffic flow.”) ([JIAO, para. 0113] “An input parameter of the detection model includes metadata of the traffic flow. The metadata of the traffic flow includes at least one of a source IP address, a destination IP address, a source port number, a destination port number, an HTTP uniform resource locator (URL), a user agent (UA) character string, an occurrence time, or a duration of the traffic flow.”). Thus, given the teaching of JIAO, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of a set of a pre-defined number of paraphrase values with a highest attacker probability and lower than a pre-defined threshold baseline probability by JIAO into a method for generating application-layer signatures by RADINSKY-MEDVEDOVSKY. One of ordinary skill in the art would have been motivated to do so because JIAO recognizes the need to improve threat detection ([JIAO, para. 0075] “Therefore, how to generate AI models based on data of all parties and deploy the models in a customer environment to accurately detect more threats while meeting data privacy, security, and supervision requirements is a problem that needs to be considered currently.”) ([JIAO, para. 0005] “Embodiments of this application provide a training method for a detection model, a system, a device, and a storage medium, to improve a model training effect, thereby helping improve performance of the detection model.”) Regarding claims 40, RADINSKY-MEDVEDOVSKY-JIAO teach all limitations of claim 39. MEDVEDOVSKY further teaches “wherein the device is further configured to perform mitigation of the ongoing attack by at least blocking the attacker based on at least one applicative attribute included in the exclusive section.” ([MEDVEDOVSKY, para. 0052] “The mitigation action may be, for example, blocking, or rate-limiting, traffic from the client 120 to the server, challenging the client causing any traffic anomaly (e.g., CAPTCHA), redirecting the traffic to a scrubbing center for cleaning malicious traffic, and so on … In an embodiment, a mitigation action can start by challenging each entity (client device and/or attack tool) in the suspect list and end with a rate limit applied on these clients, or a blocking of these source IPs.”). The same motivation to combine RADINSKY with MEDVEDOVSKY as in the rejection of claim 1 applies. Claims 20 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over RADINSKY-MEDVEDOVSKY in view of JAKOBSSON (US-11757914-B1). Regarding claim 20 and 42, RADINSKY-MEDVEDOVSKY teach all limitations of claims 1 and 23. However, RADINSKY-MEDVEDOVSKY does not teach “finetuning application-layer signatures to reduce a false negative rate, while reducing an estimated egress traffic below a request per second (RPS) attack threshold and an imposed false positive (FP) rate below a pre-defined FP rate threshold.”. In analogous teaching JAKOBSSON teaches “finetuning application-layer signatures to reduce a false negative rate, while reducing an estimated egress traffic below a request per second (RPS) attack threshold and an imposed false positive (FP) rate below a pre-defined FP rate threshold.” ([JAKOBSSON, col. 116 Lines 21-57] “FIG. 18 is a flowchart illustrating an embodiment of a process for generating a signature. … at least one signature is generated, and tested in 1806 with respect to at least a corpora, one for benevolent messages and one for malicious messages. It is determined what the false positive rate is by determining how many benevolent messages are detected by the generated signature, and it is determined what the recall rate the signature corresponds to by determining how many malicious messages are detected by it. In 1807, the determined false positive rate is compared to a threshold, and if the false positive rate exceeds the threshold, then the process continues to 1808, where the signature is discarded. Otherwise, the computation proceeds to step 1811 where the recall rate is compared with a second threshold, and if this is below the second threshold, then the process continues to 1808, otherwise to 1812 where a signature is generated and its scores set according to the computed false positives and the recall rates, or using another scoring system as described previously. In 1809, it is determined whether to time out based on the number of attempts to create a signature. For example, if ten signatures have failed to be created for the email, then the system may conclude that it should time out and proceed to 1810 where the generation process is ended; otherwise, the process continues by going to 1805 and generating another signature. Other criteria for timing out can also be used, and these may depend on the estimated danger of the threat posed by the email, where a high threat corresponds to many attempts to create a signature. Moreover, the thresholds associated with steps 1807 and 1811 may also preferably depend on the assessed threat, where a high threat corresponds to a greater willingness to accept false positives and low recall rates.”). Thus, given the teaching of JAKOBSSON, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of finetuning application-layer signatures to reduce a false negative rate by JAKOBSSON into a method for generating application-layer signatures by RADINSKY-MEDVEDOVSKY. One of ordinary skill in the art would have been motivated to do so because JAKOBSSON recognizes the need to improve security ([JAKOBSSON, col. 12 Lines 43-47] “There is great need for organizations to identify the level of risk they are exposed to, and to determine changes over time. It is also important for organizations to determine what users—internal and external, associated with the organization or not—pose a risk”) ([JAKOBSSON, col. 12 Lines 36-40] “In some embodiments, the disclosed technology has benefits beyond enabling blocking of risk. Whereas one of the primary benefits is associated with identifying risk associated with an email, and use that identified risk to limit access to web resources and other actionable material”) Allowable Subject Matter Claims 4-11, 21, and 26-33 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if they overcome any other rejection listed above. Pertinent Art The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. MAJKOWSKI (US-10038715-B1): This prior art teaches of a server receives a SYN packet and generates a SYN packet signature from the SYN packet. The server generates multiple aggregate signatures for the SYN packet signature that each include a generalized value for at least one element, where each aggregate signature has a different level of specificity and corresponds with a different fingerprint table. The server sequentially iterates through the fingerprint tables starting with the most specific aggregate signature and the most specific fingerprint table until a match exceeding a counter threshold is found, if any. If an aggregate signature does not match a fingerprint in a fingerprint table, the aggregate signature is added to that fingerprint table and an initial value for the counter is set. A bytecode using an attack fingerprint as input is generated in a form understandable by a network filter, and installed in a network filter. CHESLA (US-8566936-B2): This prior art teaches of method and system for protecting a protected entity using a multi-dimensional protection surface are provided. According to various embodiments, the multi-dimensional protection surface is generated by correlating multiple inputs related to the at least one detected attack. The inputs include at least one input identifying the detected attack and another input identifying each attack tool that performs the detected attack. The generated protection multi-dimensional surface includes protection points, where each such point defines at least one attack mitigation action to mitigate the detected attack. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.A./ 05/26/2026 /AFAQ ALI/Examiner, Art Unit 2434 /NOURA ZOUBAIR/Primary Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

Aug 05, 2024
Application Filed
Nov 14, 2025
Non-Final Rejection mailed — §103, §112
Feb 17, 2026
Response Filed
Jun 01, 2026
Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665926
System And Methods Of Defense Against DDoS Attacks For Applications On A Multi-Substrate Multi-Ingress Shared Infrastructure With Multiple Cloud Architectures
1y 9m to grant Granted Jun 23, 2026
Patent 12639404
Authorization of Access Rights Licenses
2y 2m to grant Granted May 26, 2026
Patent 12627679
CYBER SECURITY SYSTEM APPLYING NETWORK SEQUENCE PREDICTION USING TRANSFORMERS
2y 3m to grant Granted May 12, 2026
Patent 12585791
ENCRYPTED COMMUNICATION METHOD AND ELECTRONIC DEVICE
3y 7m to grant Granted Mar 24, 2026
Patent 12572656
CONTROL FLOW INTEGRITY MONITORING BASED INSIGHTS
3y 2m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+13.3%)
2y 5m (~6m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 137 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month