Prosecution Insights
Last updated: May 28, 2026
Application No. 18/794,620

METHOD AND SYSTEM FOR METHOD FOR FINETUNING APPLICATION-LAYER SIGNATURES

Non-Final OA §101§103§112
Filed
Aug 05, 2024
Priority
Dec 28, 2022 — provisional 63/477,522 +1 more
Examiner
ALI, AFAQ
Art Unit
2434
Tech Center
2400 — Computer Networks
Assignee
Radware Ltd.
OA Round
1 (Non-Final)
90%
Grant Probability
Favorable
1-2
OA Rounds
7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
120 granted / 133 resolved
+32.2% vs TC avg
Moderate +12% lift
Without
With
+12.0%
Interview Lift
resolved cases with interview
Typical timeline
2y 5m
Avg Prosecution
22 currently pending
Career history
161
Total Applications
across all art units

Statute-Specific Performance

§101
1.1%
-38.9% vs TC avg
§103
91.2%
+51.2% vs TC avg
§102
0.7%
-39.3% vs TC avg
§112
2.6%
-37.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 133 resolved cases

Office Action

§101 §103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action Claims 1-25 are pending Priority This application is a continuation in part of U.S. patent application Ser. No. 18/176,667, filed on Mar. 1, 2023. The 18/176,667 Application claims the benefit of U.S. Provisional Application No. 63/477,522 filed on Dec. 28, 2022. Therefore, the effective filing date of this application is 12/28/2022. Drawings Applicants’ drawings filed on 08/05/2024 has been inspected and it is in compliance with MPEP 608.02. Specification The specification filed on 08/05/2024 is acceptable for examination proceedings. Information Disclosure Statement The information disclosure statements (IDS) submitted on 08/05/2024, 09/03/2024, 11/05/2024, 03/04/2025, and 12/04/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements have been considered by the examiner. Claim Objections Claims 3, 4, 16, and 17 are objected to because of the following informalities: Claims 3, 4, 16, and 17 recite of the acronym RPS without spelling it out on the first instance. For the purpose of examination examiner is interpreting this limitation as request-per-second (RPS). Appropriate correction is required. Claim 24 is objected to because of the following informalities: Claim 24 repeats the limitation “aggregate the identified non-binary paraphrase values and binary paraphrase values to set the final signature Sig2[n]” twice. Examiner suggests removing the last limitation. Appropriate correction is required. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claims 1-25 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1, 13, and 14 recites the limitation "the finetune feedback process". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “wherein finetuning application-layer signatures is performed”. Appropriate correction is required. Claims 2-12, and 15-25 depend on claims 1 and 14. Therefore, they also inherit the rejection. Claims 2 and 15 recites the limitation "the past samples". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “the past transactions”. Appropriate correction is required. Claims 3-6 and 15-19 depend on claims 2 and 15. Therefore, they also inherit the rejection. Claims 4 and 17 recites the limitation " the past time windows". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “past time windows”. Appropriate correction is required. Claims 7 and 20 recites the limitation " the past samples". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “past samples”. Appropriate correction is required. Claims 8-10 and 21-23 depend on claims 7 and 20. Therefore, they also inherit the rejection. Claims 7 and 20 recites the limitation " the blocking". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “blocking”. Appropriate correction is required. Claims 8-10 and 21-23 depend on claims 7 and 20. Therefore, they also inherit the rejection. Claims 8 and 21 recites the limitation " the desired threshold". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “a desired threshold”. Appropriate correction is required. Claims 9, 10, 22, and 23 recites the limitation " the Sig1[n]". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “a first finetuned signature Sig1[n]”. Appropriate correction is required. Claims 10 and 23 recite the limitation “an optimal set of paraphrase values”. The term “optimal” is a relative terminology. For the purpose of examination examiner is interpreting this limitation as “identifying a set of paraphrase value”. Appropriate correction is required. Claims 10 and 23 recites the limitation " the Sig2[n]". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “ a second finetuned signature Sig2[n]”. Appropriate correction is required. Claims 11 and 24 recites the limitation " the final signature Sig2[n]". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “ a final signature Sig2[n]”. Appropriate correction is required. Claims 12 and 25 depend on claims 11 and 24. Therefore, they also inherit the rejection. Claims 12 and 25 recites the limitation “the list of legitimate transactions". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination examiner is interpreting this as “a list of legitimate transactions”. Appropriate correction is required. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1, 2, 13, 14, and 15 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 20 and 21 of copending Application No. 18/794,606 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitation of the same subject matter. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented. Current application 18/794,620 copending Application No. 18/794,606 1.) A method for finetuning application-layer signatures, comprising: operating a false negative (FN) feedback process to finetune application-layer signature; and operating a false positive (FP) feedback process on the application-layer signature finetuned by the FN feedback process to generate a finetuned application-layer signature to reduce a false negative rate, wherein the finetune feedback process is performed while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold. 20.) The method of claim 1, further comprising: finetuning application-layer signatures to reduce a false negative rate, while reducing an estimated egress traffic below a RPS attack threshold and an imposed FP rate below a pre-defined FP rate threshold. 21.) The method of claim 20, wherein finetuning the application-layer signatures further comprises: retrieving a predefined number of attack time samples of past transactions (samples[n]); generating an initial signature (Sig0[n]) from the past samples; operating a false negative (FN) feedback process to finetune the Sig0[n] to generate a first finetuned signature Sig1 [n]; operating a false positive (FP) feedback process to finetune the Sig1 [n] to generate a second finetuned signature Sig2[n]; and iteratively updating the initial signature to values of the Sig2[n] to generate a finetuned application-layer signature used for attack mitigation. 2.) The method of claim 1, further comprising: retrieving a predefined number of attack time samples of past transactions (samples[n]); generating an initial signature (Sig0[n]) from the past samples; operating a false negative (FN) feedback process to finetune the Sig0[n] to generate a first finetuned signature Sig1[n]; operating a false positive (FP) feedback process to finetune the Sig1[n] to generate a second finetuned signature Sig2[n]; and iteratively updating the initial signature to values of the Sig2[n] to generate a finetuned application-layer signature used for attack mitigation. 21.) The method of claim 20, wherein finetuning the application-layer signatures further comprises: retrieving a predefined number of attack time samples of past transactions (samples[n]); generating an initial signature (Sig0[n]) from the past samples; operating a false negative (FN) feedback process to finetune the Sig0[n] to generate a first finetuned signature Sig1 [n]; operating a false positive (FP) feedback process to finetune the Sig1 [n] to generate a second finetuned signature Sig2[n]; and iteratively updating the initial signature to values of the Sig2[n] to generate a finetuned application-layer signature used for attack mitigation. Claims 13-15 are parallel claims to claims 1 and 2. Therefore, they are rejected in a similar manner. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-25 are rejected under 35 U.S.C. 101 because they are directed to an abstract idea. Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites of method for finetuning application-layer signatures, comprising: operating a false negative (FN) feedback process to finetune application-layer signature; and operating a false positive (FP) feedback process on the application-layer signature finetuned by the FN feedback process to generate a finetuned application-layer signature to reduce a false negative rate, wherein the finetune feedback process is performed while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold. The limitation of operating a false negative (FN) feedback process to finetune application-layer signature, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually operate FN feedback to finetune signatures. The limitation of operating a false positive (FP) feedback process on the application-layer signature finetuned by the FN feedback process to generate a finetuned application-layer signature to reduce a false negative rate, wherein the finetune feedback process is performed while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can be performed in the mind. A user can manually operate FP feedback on signatures while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible. Claim 2 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of retrieving a predefined number of attack time samples of past transactions (samples[n]); generating an initial signature (Sig0[n]) from the past samples; operating a false negative (FN) feedback process to finetune the Sig0[n] to generate a first finetuned signature Sig1[n]; operating a false positive (FP) feedback process to finetune the Sig1[n] to generate a second finetuned signature Sig2[n]; and iteratively updating the initial signature to values of the Sig2[n] to generate a finetuned application-layer signature used for attack mitigation. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually retrieve a predefine number of attack samples, generate an initial signature, operate false negative feedback, operate false positive feedback and iteratively update the initial signature. Claim 3 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of augmenting the initial signature with at least one paraphrase value to generate the Sig1[n] by, so that an estimated egress traffic is reduced below a RPS attack threshold and an imposed FP rate below a pre-defined FP rate threshold. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually augment the initial signature with at least one paraphrase value to generate the Sig1[n]. Claim 4 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of computing the estimated egress traffic as a ratio between a number of samples not blocked by a current signature to a total number of past samples multiplied by an actual real RPS measured over the past time windows, wherein the current signature is a state of a signature being tuned at a current iteration. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually compute the estimated egress traffic. Claim 5 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of computing the imposed FP rate as a ratio between a number of legitimate transactions blocked by a current signature and a total number of the legitimate transactions, wherein the current signature is a state of a signature being tuned at a current iteration. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually compute the imposed FP rate. Claim 6 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of saving the legitimate transactions during peacetime for each predefined period of time. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually save the legitimate transactions during peacetime. Claim 7 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of iteratively applying a current signature on the past samples, wherein the current signature is a state of a signature being tuned at a current iteration; generating a list of paraphrase vectors representing past samples that have not been blocked by the current signature; generating a list of missed paraphrase values, wherein missed paraphrase values eliminate the blocking of the past samples by the current signature; from the list of missed paraphrase values, iteratively augmenting a current signature with paraphrase values that reduce estimated egress traffic to a value lower than a pre-defined egress threshold and keep an imposed FP rate at a value lower than an FP pre-defined threshold, wherein the false negative feedback process terminates upon meeting a termination condition. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually iteratively apply a current signature on the past samples, generate a list of paraphrase vectors representing past samples, generate a list of missed paraphrase values, from the list of missed paraphrase values, iteratively augmenting a current signature with paraphrase values that reduce estimated egress traffic. Claim 8 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the termination condition includes at least when the estimated egress traffic decreases below the desired threshold and an imposed FP rate decreases below a pre-defined FP rate threshold. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually determine a termination condition. Claim 9 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the Sig1[n] is set to the current signature when the false negative feedback process is terminated. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually set Sig1[n] as a current signature when the false negative feedback is terminated. Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of identifying an optimal set of paraphrase values from the Sig1[n] to be included in the Sig2[n], while keeping the imposed FP rate below a pre-defined FP rate threshold. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually identify an optimal set of paraphrase values from the Sig1[n] to be included in the Sig2[n]. Claim 11 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of generating a set of legitimate groups from a predetermined set of legitimate transactions; identifying a maximum number of non-binary paraphrase values that causes a minimal blocking of legitimate transactions from the set of legitimate groups; identifying a minimum number of binary paraphrase values that causes a minimal blocking of legitimate transactions from the set of legitimate groups; and aggregating the identified non-binary paraphrase values and binary paraphrase values to set the final signature Sig2[n]. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually generate a set of legitimate groups, identify a maximum number of non-binary paraphrase values, identify a minimum number of binary paraphrases, and aggregate the identified non-binary paraphrase values and binary paraphrase values. Claim 12 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. This claim recites of wherein the legitimate groups include a set of paraphrase vectors generated from the list of legitimate transactions. Therefore, the limitations of this claim, as drafted, is a process that, under its broadest reasonable interpretation, covers steps that can also be performed in the mind. A user can manually determine a legitimate group include a set of paraphrase vectors generated from the list of legitimate transactions. Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Furthermore, this claim recites of features similar to those of claim 1. Therefore, claim 13 is rejected in a similar manner as in the rejection of claim 1. Furthermore, if a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic statement such as “non-transitory computer-readable medium storing a set of instructions” and “one or more processors”, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element of one or more processors. The “one or more processors” recited at a high-level of generality (i.e., as a generic processor performing the method) such that it amounts no more than mere instructions to apply the exception using a generic computer. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible. Claim 14 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Furthermore, this claim recites of features similar to those of claim 1. Therefore, claim 14 is rejected in a similar manner as in the rejection of claim 1. Furthermore, if a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic statement such as “device” and “one or more processors”, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element of one or more processors. The “one or more processors” recited at a high-level of generality (i.e., as a generic processor performing the method) such that it amounts no more than mere instructions to apply the exception using a generic computer. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible. Claims 15-25 recite of features similar to those of claims 2-12. Therefore, claims 15-25 are rejected in a similar manner. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 7-14, and 20-25 are rejected under 35 U.S.C. 103 as being unpatentable over ZAVESKY (US-20190354629-A1) in view of CHESLA (US-20040250124-A1), hereinafter ZAVESKY-CHESLA. Regarding claim 1, ZAVESKY teaches “A method for finetuning … signatures, comprising: ([ZAVESKY, para. 0037] “As just one example, the operations described above with respect to event detection station 150 may alternatively or additionally be performed by a device … a second device may correlate the anomalies to events identified in one or more external data feeds, a third device may create and update anomaly signatures based upon feedback”) operating a false negative (FN) feedback process to finetune … signature; and ([ZAVESKY, para. 0016] “For instance, the features of the second anomaly may be used as a positive training example for the anomaly signature when the feedback is a positive feedback. Conversely, the features of the second anomaly may be used as a negative training example for the anomaly signature when the feedback is a negative feedback.”) operating a false positive (FP) feedback process on the … signature finetuned by the FN feedback process to generate a finetuned … signature …, ([ZAVESKY, para. 0057] “For example, the features of the second anomaly may comprise a positive training example for the first anomaly signature when the feedback is a positive feedback, and may comprise a negative training example for the first anomaly signature when the feedback is a negative feedback.”) However, ZAVESKY does not teach of “… application-layer signature to reduce a false negative wherein the finetune feedback process is performed while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold.”. In analogous teaching CHESLA teaches “ …. application-layer signature to reduce a false negative ([CHESLA, para. 0133] “determine as many signatures, i.e., characteristic parameters, of the anomalous traffic, as is possible. The trapping module uses a number of different signature types”) ([CHESLA, para. 0195] “signatures in a logical OR relationship: “source port OR source IP address.”) ([CHESLA, para. 0173] “For example, if the narrower combination of signature types A and 1 results in an increase in the degree of attack (D3) above the threshold value, the controller cancels signature type 1 and instead tries the combination of signature types A and 2 (TTL).”) wherein the finetune feedback process is performed while reducing estimated egress traffic below a predefined threshold and an imposed FP rate below a pre-defined FP rate threshold. ([CHESLA, para. 0196] “As a result of the stable positive feedback, at a refine filter step 262, the controller transitions to sub-hierarchy state 166, in which the controller directs filtering module 70 to apply a signature”) ([CHESLA, para. 0197] “The controller remains in sub-hierarchy state 166, and again determines whether the new filter is successful. In this example, the filter is successful, and the system again achieves stable positive feedback, at a positive feedback step 263. The controller therefore attempts to further refine the signature”) ([CHESLA, para. 0172] “At a second level 364 of tree 360, the controller checks whether a degree of attack D2, calculated by FIS module 62 based on the filtered traffic, is less than a threshold value, e.g., 8. A value of D2 less than the threshold value indicates that application of signature A is successfully filtering the attack.”) ([CHESLA, para. 0173] “Alternatively, if the degree of attack remains below the threshold value despite the narrower combination A+1, the controller tries the still narrower combination of signature types A, 1 and 2. This process continues until the narrowest combination of signature type A with types 1, 2 and 3 is found that still gives a satisfactory degree of attack.”). Thus, given the teaching of CHESLA, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of finetuning and reducing FP and FN based on a threshold by CHESLA into a method for finetuning signatures by ZAVESKY. One of ordinary skill in the art would have been motivated to do so because CHESLA recognizes the need to protect networks from attacks ([CHESLA, para. 0002] “Computer networks often face malicious attacks originating from public networks. Such attacks currently include pre-attack probes, worm propagation, network flooding attacks such as denial of service (DoS) and distributed DoS (DDoS) attacks”) ([CHESLA, para. 0016] “In embodiments of the present invention, a dynamic network security system detects and filters malicious traffic entering a protected network”) Regarding claim 13, this claim recites of a non-transitory computer-readable medium storing a set of instructions which once executed by a processor performs the steps of method claim 1. Therefore, claim 13 is rejected in a similar manner as in the rejection of claim 1. Regarding claim 14, this claim recites of a device comprising a processor which executes the steps of method claim 1. Therefore, claim 14 is rejected in a similar manner as in the rejection of claim 1. Regarding claims 7 and 20, ZAVESKY-CHESLA teach all limitations of claims 1 and 14. CHESLA further teaches “wherein the false negative feedback process further comprises: iteratively applying a current signature on the past samples, wherein the current signature is a state of a signature being tuned at a current iteration; ([CHESLA, para. 0168] “controller checks whether the non-attack counter has reached a predetermined constant, such as 3 seconds, at a feedback check step 164. If the counter equals the constant, indicating that stable positive (non-attack) feedback has been achieved, the controller transitions to a sub-hierarchy state 166, for refining (i.e., narrowing) of the filtering conditions.”) ([CHESLA, 0169] “In sub-hierarchy state 166, the controller directs filtering module 70 to reduce the restrictiveness of the filtering by additionally applying one or more sub-hierarchy signatures. These sub-hierarchy signatures were determined by trapping module”) ([CHESLA, para. 0196] “at a refine filter step 262, the controller transitions to sub-hierarchy state 166, in which the controller directs filtering module 70 to apply a signature from the sub-hierarchy group, which signature was already identified by trapping module 68”) generating a list of paraphrase vectors representing past samples that have not been blocked by the current signature; ([CHESLA, para. 0196] “the new filter additionally includes a sub-signature for the source IP address signature, resulting in the refined filter: “source port OR (source IP address AND packet size).””) generating a list of missed paraphrase values, wherein missed paraphrase values eliminate the blocking of the past samples by the current signature; ([CHESLA, para. 0197] “The controller remains in sub-hierarchy state 166, and again determines whether the new filter is successful. In this example, the filter is successful, and the system again achieves stable positive feedback, at a positive feedback step 263. The controller therefore attempts to further refine the signature (source IP address) already refined with a sub-signature (packet size). At a refine filter step 264, the controller successfully adds a second sub-signature previously determined by trapping module 68, resulting in the further refined filter: “source port OR (source IP address AND packet size AND TTL).””) from the list of missed paraphrase values, iteratively augmenting a current signature with paraphrase values that reduce estimated egress traffic to a value lower than a pre-defined egress threshold and keep an imposed FP rate at a value lower than an FP pre-defined threshold, wherein the false negative feedback process terminates upon meeting a termination condition. ([CHESLA, para. 0197] “At a refine filter step 264, the controller successfully adds a second sub-signature previously determined by trapping module 68, resulting in the further refined filter: “source port OR (source IP address AND packet size AND TTL).””) ([CHESLA, para. 0172] “At a second level 364 of tree 360, the controller checks whether a degree of attack D2, calculated by FIS module 62 based on the filtered traffic, is less than a threshold value, e.g., 8. A value of D2 less than the threshold value indicates that application of signature A is successfully filtering the attack.”) ([CHESLA, para. 0173] “Alternatively, if the degree of attack remains below the threshold value despite the narrower combination A+1, the controller tries the still narrower combination of signature types A, 1 and 2. This process continues until the narrowest combination of signature type A with types 1, 2 and 3 is found that still gives a satisfactory degree of attack.”). The same motivation to modify ZAVESKY with CHESLA as in the rejection of claim 1 applies. Regarding claims 8 and 21, ZAVESKY-CHESLA teach all limitations of claims 7 and 20. CHESLA further teaches “wherein the termination condition includes at least when the estimated egress traffic decreases below the desired threshold and an imposed FP rate decreases below a pre-defined FP rate threshold. ([CHESLA, para. 0197] “The controller remains in sub-hierarchy state 166, and again determines whether the new filter is successful. In this example, the filter is successful, and the system again achieves stable positive feedback, at a positive feedback step 263. The controller therefore attempts to further refine the signature”) ([CHESLA, para. 0172] “At a second level 364 of tree 360, the controller checks whether a degree of attack D2, calculated by FIS module 62 based on the filtered traffic, is less than a threshold value, e.g., 8. A value of D2 less than the threshold value indicates that application of signature A is successfully filtering the attack.”) ([CHESLA, para. 0173] “Alternatively, if the degree of attack remains below the threshold value despite the narrower combination A+1, the controller tries the still narrower combination of signature types A, 1 and 2. This process continues until the narrowest combination of signature type A with types 1, 2 and 3 is found that still gives a satisfactory degree of attack.”). The same motivation to modify ZAVESKY with CHESLA as in the rejection of claim 1 applies. Regarding claims 9 and 22, ZAVESKY-CHESLA teach all limitations of claims 7 and 20. CHESLA further teaches “wherein the Sig1[n] is set to the current signature when the false negative feedback process is terminated. ([CHESLA, para. 0198] “the controller transitions to convergence state 168, at a convergence transition step 266. In the convergence state, the controller directs filtering module 70 to filter using the most recent successful filter, i.e., “source port OR (source IP address AND packet size),” at a convergence state step 267. The controller continues filtering in the convergence state until stable attack stop feedback is achieved, as indicated by the consistency counter.”) The same motivation to modify ZAVESKY with CHESLA as in the rejection of claim 1 applies. Regarding claims 10 and 23, ZAVESKY-CHESLA teach all limitations of claims 9 and 22. CHESLA further teaches “further comprising: identifying an optimal set of paraphrase values from the Sig1[n] to be included in the Sig2[n], while keeping the imposed FP rate below a pre-defined FP rate threshold. ([CHESLA, para. 0172] “At a second level 364 of tree 360, the controller checks whether a degree of attack D2, calculated by FIS module 62 based on the filtered traffic, is less than a threshold value, e.g., 8. A value of D2 less than the threshold value indicates that application of signature A is successfully filtering the attack.”) ([CHESLA, para. 0173] “Alternatively, if the degree of attack remains below the threshold value despite the narrower combination A+1, the controller tries the still narrower combination of signature types A, 1 and 2. This process continues until the narrowest combination of signature type A with types 1, 2 and 3 is found that still gives a satisfactory degree of attack.”). The same motivation to modify ZAVESKY with CHESLA as in the rejection of claim 1 applies. Regarding claims 11 and 24, ZAVESKY-CHESLA teach all limitations of claims 1 and 14. CHESLA further teaches “wherein the false positive feedback process further comprises: generating a set of legitimate groups from a predetermined set of legitimate transactions; ([CHESLA, para. 0135] “When the counter is at its initial, lowest level, the filtering module uses a relatively narrow set of signatures, in order to minimize the likelihood of blocking legitimate traffic (i.e., false positives). As the counter is incremented, as described hereinbelow with reference to step 116, the intensity of filtering provided by the signatures is gradually increased.”) ([CHESLA, para. 0266] “The more specific a signature type is (i.e., the lower the probability of repetition), the more likely the signature type is to block only packets participating in the attack, thereby avoiding false positives.”) ([CHESLA, para. 0267] “Upon entering trap buffers state 152, controller 60 directs trapping module 68 to attempt to determine as many signature types from the hierarchy group as possible. The hierarchy group typically includes the following signature types in the following order, from most specific to least specific:”) identifying a maximum number of non-binary paraphrase values that causes a minimal blocking of legitimate transactions from the set of legitimate groups; ([CHESLA, para. 0280] “Each of these signature types can be used as a stand-alone criterion for filtering attack packets, i.e., independently of any other signature types in the hierarchy group or any other group. Therefore, as filtering module 70 adds more signature types to the filtering in order to increase the level of filtering”) identifying a minimum number of binary paraphrase values that causes a minimal blocking of legitimate transactions from the set of legitimate groups; and ([CHESLA, para. 0281] “A second group of signatures types is the “dependent group,” which includes conditional signature types. … Signatures of types in the dependent group are filtered only in conjunction with their parent signatures in the hierarchy group, i.e., using an “AND” relationship between the parent signature and the dependent signature.”) aggregating the identified non-binary paraphrase values and binary paraphrase values to set the final signature Sig2[n]. ([CHESLA, para. 0290] “A third group of signatures types is the “sub-hierarchy group,” which includes signature types that are used in conjunction with signatures of the hierarchy group, in an “AND” relationship.”) ([CHESLA, para. 0197] “The controller remains in sub-hierarchy state 166, and again determines whether the new filter is successful. In this example, the filter is successful, and the system again achieves stable positive feedback, at a positive feedback step 263. The controller therefore attempts to further refine the signature (source IP address) already refined with a sub-signature (packet size). At a refine filter step 264, the controller successfully adds a second sub-signature previously determined by trapping module 68, resulting in the further refined filter “source port OR (source IP address AND packet size AND TTL).””) The same motivation to modify ZAVESKY with CHESLA as in the rejection of claim 1 applies. Regarding claims 12 and 25, ZAVESKY-CHESLA teach all limitations of claims 11 and 24. CHESLA further teaches “wherein the legitimate groups include a set of paraphrase vectors generated from the list of legitimate transactions. ([CHESLA, para. 0135] “The controller directs the filtering module to select the number of signature types to use based on the value of the hierarchy counter. When the counter is at its initial, lowest level, the filtering module uses a relatively narrow set of signatures, in order to minimize the likelihood of blocking legitimate traffic (i.e., false positives). As the counter is incremented, as described hereinbelow with reference to”) ([CHESLA, para. 0199] “Ignoring certain signatures may be desirable, for example, for signature values that are common values for legitimate traffic.”) ([CHESLA, para. 0200] “Packet size. Network flood module 50 is configurable to exclude signatures of the packet size signature type having certain common values. For example, common TCP packet sizes typically include 60 bytes (SYN), 62 bytes (ACK), 66 bytes (SACK), and 74 bytes (SACK).”). The same motivation to modify ZAVESKY with CHESLA as in the rejection of claim 1 applies. Allowable Subject Matter Claims 2-6 and 15-19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if they overcome any other rejection and objection. Pertinent Art The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. NAIDOO (US-20230156034-A1): This prior art teaches of system and method for real-time threat detection for encrypted communications are provided. A method includes monitoring a data stream in a network, such as an M2M network, including encrypted message data and non-encrypted metadata associated with the encrypted message data being transmitted between endpoints on the network. The method includes extracting data stream metadata from the data stream including data points extracted from the non-encrypted metadata. The method includes enriching the data stream metadata with contextual data relating to one or more of threat, vulnerability and reputation data points and being obtained from one or more signal sources to output enriched data. The enriched data is analyzed and a risk probability score associated therewith is calculated. An action is initiated in accordance with the risk probability score so as to mitigate a threat present on the network. AHN (US-20240106861-A1): This prior art teaches of identity-based DNS-traffic routing and monitoring. A computing platform may establish, using an encrypted DNS process, a secure DNS session by executing an encrypted session handshake with a client device, which may include receiving a security certificate for the encrypted DNS process that identifies a user of the client device. The computing platform may receive an encrypted DNS query request comprising a request for an IP address for a specified domain name. The computing platform may determine, based on the security certificate, an identity of the user. The computing platform may determine, based on the identity of the user, a security policy indicating domain matching criteria and corresponding actions to take on matching domain names. The computing platform may determine a first action corresponding to the domain name, and may send, based on the first action, an encrypted DNS query response. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.A./ 12/18/2025 /AFAQ ALI/Examiner, Art Unit 2434 /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

Aug 05, 2024
Application Filed
Dec 23, 2025
Non-Final Rejection mailed — §101, §103, §112
Apr 23, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639404
Authorization of Access Rights Licenses
2y 2m to grant Granted May 26, 2026
Patent 12627679
CYBER SECURITY SYSTEM APPLYING NETWORK SEQUENCE PREDICTION USING TRANSFORMERS
2y 3m to grant Granted May 12, 2026
Patent 12585791
ENCRYPTED COMMUNICATION METHOD AND ELECTRONIC DEVICE
3y 7m to grant Granted Mar 24, 2026
Patent 12572656
CONTROL FLOW INTEGRITY MONITORING BASED INSIGHTS
3y 2m to grant Granted Mar 10, 2026
Patent 12563050
TECHNIQUES FOR DETECTING CYBER-ATTACK SCANNERS
4y 1m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+12.0%)
2y 5m (~7m remaining)
Median Time to Grant
Low
PTA Risk
Based on 133 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month