Office Action Predictor
Last updated: April 16, 2026
Application No. 18/795,717

VISUALIZATION TOOL FOR REAL-TIME NETWORK RISK ASSESSMENT

Non-Final OA §101§103
Filed
Aug 06, 2024
Examiner
ABYANEH, ALI S
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Sonicwall INC.
OA Round
1 (Non-Final)
78%
Grant Probability
Favorable
1-2
OA Rounds
3y 3m
To Grant
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allow Rate
485 granted / 623 resolved
+19.8% vs TC avg
Strong +28% interview lift
Without
With
+27.8%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
23 currently pending
Career history
646
Total Applications
across all art units

Statute-Specific Performance

§101
17.2%
-22.8% vs TC avg
§103
49.1%
+9.1% vs TC avg
§102
9.5%
-30.5% vs TC avg
§112
13.9%
-26.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 623 resolved cases

Office Action

§101 §103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 2-20 are pending. Claim 1 has been canceled. Information Disclosure Statement PTO-1449 The Information Disclosure Statement submitted by applicant on 06-09-2025 and 10-21-2024 have been considered. Please see attached PTO-1449. Claim Rejections - 35 USC § 101 835 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 2-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to abstract idea. Claim 1 for example, recites a method and, therefore, is a process. The claim recites the limitation of “…receiving information regarding at least one type of malware threat targeting a computer network…performing a first set of malware tests associated with a first protection layer of the plurality of malware protection layers and a second set of malware tests associated with a second protection layer…generating a visualization that illustrates a movement of the at least one type of malware threat at the first protection layer and at the second protection layer based on results of the first set of malware tests and of the second set of malware tests… presenting the visualization within a user interface that includes one or more options for enabling or disabling one or more of the different malware protection layers…”. These limitations, under broadest reasonable interpretation are directed performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply receiving information on a piece of paper regarding a malware threat and performing a first and second set of malware test by comparing the received information to a first list, such as white list and a second list, such as black list, generating visualization by drawing on a piece of paper the movement of the malware, and presenting the drawing with options for enabling or disabling malware protection layers. Thus, the claim recites a mental process when analyzed under step 2A prong 1. Claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitation appears to be generic computer functions which does not constitute meaningful limitation that would amount to significantly more than the abstract idea. The combination of these additional element is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitation on practicing the abstract idea. Claim is additionally analyzed under Step 2B to evaluates whether the claim as a whole amount to significantly more than the recited exception, whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When claims evaluated under step 2B, it is no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication anything other than a generic computer component. The mere receiving information… performing a first set of malware tests… and a second set of malware tests…generating a visualization… presenting the visualization…”is a well-understood, routing and conventional function when it is claimed in a merely generic manner as it is here. Independent claims 11 and 20 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to abstract idea for the same reasons discussed above with respect to claim 1. Claims 3 and 12 further narrow the visualization of the claim 2 to dynamically illustrate the at least one type of malware threat moving relative to the first protection layer. Dynamically displaying data or spread of malware is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea. Claims 4 and 13 recite at least one type of malware threat is illustrated in the dynamic illustration as moving toward, through, or stopping at one or more of the different malware protection layers. Dynamic illustration or displaying spread, stop or any other behavior of malware data is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea Claims 5 and 14 are directed to generating one or more deep packet inspection (DPI) signature for new malware type. Generation of new malware signature is a step that could be performed in human mined or by human simply using a pen and paper. Therefore, the additional element of generating new malware signature does not amount to significantly more than the judicial exception. Claims 6 and 15 recite the DPI signature is provided to an external computer for storage which is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea. Claims 7 and 16 narrow the first set of malware test to include one or more of content filtering using universal resource locators (URL), botnet filtering, firewall/gateway virus inspection scanning, or intrusion prevention. However, these additional elements could be performed in human mind or by human simply using a pen and paper. Therefore, the additional elements for testing do not improve the functioning of the computer, nor add an inventive concept. Claims 8 and 17 recite the visualization includes one or more arrowed lines that represent the at least one type of a malware threat, which is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea. Claims 9 and 18 recite the visualization includes one or more different colors for the different protection layers and the at least one type of malware threat, which is considered extra significant activity. This activity is well-understood, routine, and conventional. Insignificant extra-solution activity does not amount to an inventive concept, particularly when the activity is well-understood or conventional. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing the abstract idea. Claim 10 and 19 recite the visualization is generated in real-time or in near- real-time with receipt of test data from the first set of malware tests. However, generating visualization in real-time or near real-time could be performed by human. For example, a human simply using a pen and paper could draw a visualization at the time or near the time of receipt of test data. Therefore, the additional element does not improve the functioning of the computer, nor add an inventive concept. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 2-4, 7, 8, 10-13, 16, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia (US Patent No. 10,805,340 ), hereinafter Goradia, in view of Moore et al. (US Patent No. 10,333,898), hereinafter Moore, further in view of Sun (US Publication No. 2017/0171170), hereinafter Sun. As per claim 2, 11 and 20, Goradia discloses a method for visualizing the spread of malware, the method comprising: receiving information targeting a computer network that is protected by a plurality of different malware protection layers corresponding to different types of malware threats (column 5, lines 22-32, “the network interface 136…configured to receive data propagating to/from one or more endpoint devices 130…and provide at least some of this data to the first TDS 1101 or a duplicated copy of the data. This data includes metadata”); performing a first set of malware tests associated with a first protection layer of the plurality of malware protection layers (column 6, lines 47-55, “the static analysis logic 143 includes one or more software modules that, when executed by one or more controllers 141, analyzes characteristics for one or more objects within an incoming flow”, column 7, lines 25-32, “Upon detecting a match during the signature matching analysis (e.g., an object under analysis has characteristics that suggest the object is an exploit), the static analysis engine 140 determines that the object is ‘suspicious,’ namely has characteristics that suggest the object is am exploit”) and a second set of malware tests associated with a second protection layer of the plurality of malware protection layers in response to the at least one type of malware threat (column 8, lines 23-28, “After analysis of objects within the flow, the static analysis engine 140 may route one or more ‘suspect’ objects…to the dynamic analysis engine 160, which is configured to provide more in-depth analysis by analyzing the behavior of the suspect object 148 in a VM-based operating environment”); generating a visualization that illustrates a movement of the at least one type of malware threat at the first protection layer and at the second protection layer based on results of the first set of malware tests and of the second set of malware tests (column 13, lines 25, “ The visual representation may be comprised of, among other things, a static picture of a map providing a visual illustration of the one or more hops from its point of origin to the point at which it was detected. Metadata associated with hops outside an enterprise network…may be retrieved from servers external to the enterprise network while metadata associated with the hops within the enterprise network may be accessible from a selected TDS”); and presenting the visualization within a user interface that includes one or more options associated with the computer network (column 16, lines 23, a viewer could use the selection buttons 806-808 on display screen to view different parameters of a network device). Goradia does not explicitly discloses, receiving information regarding at least one type of malware threat; and presenting the visualization within a user interface that includes one or more options for enabling or disabling one or more of the different malware protection layers. However, in an analogous art, Moore discloses, receiving information regarding at least one type of malware threat (column 24, lines 23-35, “receiving, by at least one threat analysis device, the first portion of the plurality of packets, the threat metadata associated with the first portion of the plurality of packets”, column 6, lines 55-56, metadata includes for example, the threat type and name). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Goradia with Moore. This would have been obvious because one of ordinary skill in the art would have been motivated to provide efficient and performant operation of threat analysis to improve the effectiveness of network protection system. Goradia in view of Moore does not explicitly disclose, but in an analogous art, Sun discloses, presenting the visualization within a user interface that includes one or more options for enabling or disabling one or more of the different malware protection layers (paragraph [0050], “Through management console & dashboards module 310, an admin user could activate or deactivate each of the proxy detection modules”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Goradia with Moore. This would have been obvious because one of ordinary skill in the art would have been motivated to enable administrator user to configure various protection modules to prevent attacker from harming the system. Goradia furthermore disclose a communication interface, a processor that executes instruction stored in memory and a non-transitory computer readable storage medium, as claimed in claim 11 and 20 (figure 1, column 5, lines 59-66). As per claim 3 and 12, Goradia furthermore discloses, wherein the visualization dynamically illustrates the at least one type of malware threat moving relative to the first protection layer (figure 7, column 15, lines 5-17, the malware may travel to TDS 711 via hop path). As per claim 4 and 13, Goradia furthermore discloses, wherein the at least one type of malware threat is illustrated in the dynamic illustration as moving toward, through, or stopping at one or more of the different malware protection layers (figure 7, column 15, lines 1-5, “the malware may also spread [moving] laterally through peer-to-peer communication within the enterprise network”). As per claim 7 and 16, Goradia furthermore discloses, wherein the first set of malware tests includes one or more of content filtering using universal resource locators (URL), botnet filtering, firewall/gateway virus inspection scanning, or intrusion prevention (column 16, lines 54-56, “…the detection network device is a firewall, router, switch” corresponding to firewall/gateway virus inspection scanning). As per claim 8 and 17, Goradia furthermore discloses, wherein the visualization includes one or more arrowed lines that represent the at least one type of a malware threat (figure 7, column 14, lines 40-67, The detected malware may spread laterally throughout the enterprise network. In FIG. 7, the malware travels via hop path 2 750 to TDS (web-based traffic) 710…”). As per claim 10 and 19, Goradia furthermore discloses, wherein the visualization is generated in real-time or in near- real-time with receipt of test data from the first set of malware tests (column 11, lines 29-31, “the virtualization logic 194 may be activated by a real-time clock”). Claims 5, 6, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia, in view of Moore and Sun, further in view of Carney et al. (US Publication No. 2015/0058976), hereinafter Carney. As per claim 5 and 14, Goradia as modified does not explicitly disclose, but in an analogous art, Carney discloses, wherein the at least one type of malware threat is a new malware type, and further comprising generating one or more deep packet inspection (DPI) signatures that are characteristic of the new malware type (paragraph [0062], “the malicious traffic may be inspected according to various deep packet inspection tools s to discover discernible properties for future prevention of an attack before it overloads a customer network device. Once discovered, such properties may be used to create attack signature files”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Goradia with Carney. This would have been obvious because one of ordinary skill in the art would have been motivated to protect network devices from newly generated malware. As per claim 6 and 15, Carney furthermore discloses providing the DPI signatures to an external computer for storage (paragraph [0062], “attack signature files that can be installed at the mitigation servers 111 and/or various ingress points of the service provider network 101”). The motivation is similar to the motivation provided in claim 5 Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia, in view of Moore and Sun, further in view of Muddu et al. (US Publication No. 2017/0063912), hereinafter Muddu. As per claim 9 and 18, Goradia as modified does not explicitly disclose, but in an analogous art, Muddu discloses, wherein the visualization includes one or more different colors for the different protection layers and the at least one type of malware threat (paragraph [0475], “Devices Location map 4009 also includes color-coded lines that connect the devices. For example, line 4093 connects the devices represented by circle 4091 to the device represented by circle 4092. The lines correspond to the one or more anomalies for which the connected devices are participants. As shown in FIG. 40H, by hovering over line 4093, the GUI generates a bubble 4095 that identifies each anomaly represented by that line and a color-code…”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Goradia with Muddu. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of enabling security analysts in the organization to quickly and easily identify detected anomalies between connected devices of an organization. References Cited, Not Used The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Brown et al. (US Patent No. 11,588,832) discloses, techniques to provide visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event. Kaloroumakis et al. (US Publication No. 2016/0149943) discloses, a system and method for network data characterization and/or classification. The method includes receiving network events, including content, converting the received content into data messages, routing the data messages to a plurality of analyzers, each of one or more analyzers that received the routed data messages analyzing the content within the data messages, in which the one or more analyzers include at least one machine-learning analyzer that classifies the content with a confidence percentage that indicates the probability that the content is malign or the confidence that a prediction that the content is malign is correct, outputting the characterization results of the one or more analyzers, and comparing the output characterization results against a plurality of criteria to determine subsequent action to take based on the characterization results. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). /ALI S ABYANEH/Primary Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

Aug 06, 2024
Application Filed
Feb 06, 2026
Non-Final Rejection — §101, §103
Mar 31, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603868
Endpoint Data Loss Prevention
2y 5m to grant Granted Apr 14, 2026
Patent 12579259
SYSTEMS AND METHODS FOR INTELLIGENT CYBERSECURITY ALERT SIMILARITY DETECTION AND CYBERSECURITY ALERT HANDLING
2y 5m to grant Granted Mar 17, 2026
Patent 12574374
PROVIDING ACCESS CONTROL AND IDENTITY VERIFICATION FOR COMMUNICATIONS WHEN INITIATING A COMMUNICATION TO AN ENTITY TO BE VERIFIED
2y 5m to grant Granted Mar 10, 2026
Patent 12561465
VIRTUAL REPRESENTATION OF INDIVIDUAL IN COMPUTING ENVIRONMENT
2y 5m to grant Granted Feb 24, 2026
Patent 12556553
NETWORK SECURITY AND RELATED APPARATUSES, METHODS, AND SECURITY SYSTEMS
2y 5m to grant Granted Feb 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+27.8%)
3y 3m
Median Time to Grant
Low
PTA Risk
Based on 623 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in for Full Analysis

Enter your email to receive a magic link. No password needed.

Free tier: 3 strategy analyses per month