Prosecution Insights
Last updated: July 17, 2026
Application No. 18/843,750

COMMUNICATION CONTROL DEVICE, COMMUNICATION DEVICE, COMMUNICATION CONTROL SYSTEM, COMMUNICATION CONTROL METHOD, AND PROGRAM

Non-Final OA §102§103
Filed
Sep 04, 2024
Priority
Mar 15, 2022 — nonprovisional of PCTJP2022011516
Examiner
KIM, JUNG W
Art Unit
2494
Tech Center
2400 — Computer Networks
Assignee
NEC Corporation
OA Round
2 (Non-Final)
48%
Grant Probability
Moderate
2-3
OA Rounds
2y 6m
Est. Remaining
63%
With Interview

Examiner Intelligence

Grants 48% of resolved cases
48%
Career Allowance Rate
73 granted / 153 resolved
-10.3% vs TC avg
Strong +15% interview lift
Without
With
+15.1%
Interview Lift
resolved cases with interview
Typical timeline
4y 4m
Avg Prosecution
7 currently pending
Career history
162
Total Applications
across all art units

Statute-Specific Performance

§101
4.4%
-35.6% vs TC avg
§103
68.7%
+28.7% vs TC avg
§102
17.4%
-22.6% vs TC avg
§112
5.7%
-34.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 153 resolved cases

Office Action

§102 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s argument that Hannel ‘366 does not disclose the new claim elements of the independent claims (see Remarks, page 10), in particular, the limitation “when the risk score is equal to or less than a first threshold, the at least one processor is configured to set the encryption range to data and a first header from a plurality of headers of a packet which is transmitted in the target flow according to the risk score,” have been fully considered but are not persuasive. The new claim limitation as written does not specify which header or which data of the packet is encrypted, nor does it specify whether more than one header is encrypted, or even if there are different degrees of encryption beyond a) no encryption and b) encryption of a portion of the packet. As understood in the art, a packet is a formatted data for transmission over a network that typically encapsulates multiple nested layers (communication protocols). In Hannel ‘366, the payload of a SKIP message is encrypted, which encrypts the IP header and the corresponding IP payload. The SKIP header and outer IP header are not encrypted. See fig. 22. It is further recognized that the IP layer is a middle layer of the Internet Protocol suite. Hence, the encryption of the IP header and payload would necessarily encrypt the headers of the layers encapsulated by the IP layer, while leaving the headers in the layers below the IP layer unencrypted. Moreover, Applicant’s specification supports this interpretation of the claims. Applicant’s figure 8 (1) illustrates setting an encryption range of the packet to the TCP/UDP header and data when the risk score >= first threshold. This is equivalent to setting an encryption range to the IP payload of the packet. For this reason, the amended independent claims remain rejected as being anticipated by Hannel et al. US 20080172366. Applicant’s argument that Molsberry et al. US 20090327695 does not teach the new claim elements of the independent claims (see Remarks, page 11) have been fully considered and are persuasive. These rejections have been withdrawn. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1 and 14 are rejected under 35 USC 102(a)(1) as being anticipated by Hannel et al. US 20080172366 (hereinafter Hannel ‘366). As per claim 1, Hannel ‘366 discloses a communication control apparatus comprising: at least one processor, the at least one processor being configured to execute a process of acquiring communication path information; a process of instructing at least one of encryption and decryption of a target flow with use of an encryption range which is defined according to the communication path information acquired and which is of the target flow (fig. 2, access filters 203; para 0198, “For segment (b), if the weakest trust level of any network component in the path is greater than or equal to the data sensitivity of the resource, then the traffic is sent without encryption. This corresponds to the case where the network is inherently secure enough to transmit the data. In the example table above, information resources with a Public data sensitivity level may be transmitted on any network, as shown by row 609(4). However, the access filters 203 will use SKIP to authenticate the session, allowing subsequent access filters to pass the session through without incurring the larger overheads of decryption, access checking, and reencryption. If the weakest trust level for the path is less than the data sensitivity of the resource, then the SEND table is consulted for the minimum encryption algorithm required for the sensitivity level and the session is encrypted using that algorithm. The encryption upgrades the security of the link, making it suitable to carry data of that given sensitivity and permitting access by the user to the resource.”; fig. 6 (i.e., SEND table) and related text; para 0201, “FIG. 7 provides an example of how the sensitivity level of an information resource, the trust level of the user identification, and the trust level associated with the path between the client and the server affect access by the user to the information resource … Segment 709(2) is Internet 121, so its trust level is "public", which is the minimum in segment 709. Then access filter 203(1) uses access control data base 301 to check the trust level of segment 711. It is "secret". Thus, only segment (b) 709 has a trust level that is too low for the path of a session that is accessing a "secret" information resource 703. To deal with this problem, access filter 103(1) must encrypt the session to bring it up to the necessary trust level. First access filter 203(1) consults SEND table 601 to determine what kind of encryption is required, and row 609(2) indicates that DES encryption is sufficient. First access filter 203(1) accordingly encrypts the session using that algorithm and sends it to access filter 203(5).”; examiner’s note: Hannel ‘366 discloses an encryption range of no encryption [i.e., information resources with a public data sensitivity level] and either 3DES, DES or RC4-40 encryption depending on the sensitivity level of the information resource and the trust level of the collective segments of a communication link; SKIP encryption is on the Network layer); and a process of deciding the encryption range of the target flow by referring to the communication path information on each communication path in the target flow (para 0183, “SEND table 601 has three columns: one, 603 for the trust/sensitivity levels, one, 605, for minimum encryption methods, and one, 607, for minimum identification methods. … Each row 609 of the table associates a trust/sensitivity level with a minimum encryption level for the path connecting the access filter, client, and server and a minimum identification level for the user. Thus, row 609(1) associates the "top secret" trust/sensitivity level with the 3DES encryption algorithm and a user certificate obtained via SKIP. A user who wishes to gain access to a resource with the sensitivity level "top secret" must consequently have an identification that is certified by SKIP and if the path does not have a "top secret" trust level, the session must be encrypted with the 3DES algorithm. On the other hand, as shown by row 609(4), a user who wishes to gain access to a resource with the sensitivity level "public" may be identified by any method and there is no requirement that the session be encrypted.”; para 0201, “Segment 709 has subsegments 709(1), 709(2), 709(3), 709(4), and 709(5), and first access filter 203(1) checks the trust level of each of these subsegments in database 301. Segment 709(2) is Internet 121, so its trust level is "public", which is the minimum in segment 709. Then access filter 203(1) uses access control data base 301 to check the trust level of segment 711. It is "secret". Thus, only segment (b) 709 has a trust level that is too low for the path of a session that is accessing a "secret" information resource 703. To deal with this problem, access filter 103(1) must encrypt the session to bring it up to the necessary trust level. First access filter 203(1) consults SEND table 601 to determine what kind of encryption is required, and row 609(2) indicates that DES encryption is sufficient. First access filter 203(1) accordingly encrypts the session using that algorithm and sends it to access filter 203(5).”); wherein the communication path information is obtained by quantifying, into a trust score, a degree of reliability of each communication path in the target flow; wherein in the process of deciding the encryption range of the target flow, the at least one processor is configured to: calculate a risk score of the target flow from the trust score of each communication path in the target flow, and decide the encryption range of the target flow according to the risk score (para 0109-0113, “The sensitivity level of a resource is simply a value that indicates the trust level required to access the resource. In general, the greater the need to protect the information resource, the higher its sensitivity level. The trust level of a request has a number of components: the trust level of the identification technique used to identify the user; for example, identification of a user by a token has a higher trust level than identification of the user by IP address. The trust level of the path taken by the access request through the network; for example, a path that includes the Internet has a lower trust level than one that includes only internal networks. if the access request is encrypted, the trust level of the encryption technique used; the stronger the encryption technique, the higher the trust level. The trust level of the identification technique and the trust level of the path are each considered separately. The trust level of the path may, however, be affected by the trust level of the encryption technique used to encrypt the access request. If the request is encrypted with an encryption technique whose trust level is higher that the trust level of a portion of the path, the trust level of the portion is increased to the trust level of the encryption technique. Thus, if the trust level of a portion of a path is less than required for the sensitivity level of the resource, the problem can be solved by encrypting the access request with an encryption technique that has the necessary trust level.”; para 0182, “These relationships between trust levels and orderings with regard to security are included in access control database 301. Then a SEND table is constructed which relates trust and sensitivity levels to identification and encryption techniques.”; examiner’s note: the lowest trust level from all portions of the path equate to the risk level of the path). wherein, in the process of deciding the encryption range of the target flow, when the risk score is equal to or less than a first threshold, the at least one processor sets the encryption range to data and a first header of a packet from a plurality of headers of a packet which is transmitted in the target flow (para 0127, “In VPN 201, SKIP is also used by access filters 203 to identify themselves to other access filters 203 in the VPN and to encrypt TCP/IP sessions where that is required.”; fig. 5 (end-to-end encryption example [see further para 0339-362]) and fig. 22, Encrypted Payload 2227: the IP header 2331 is encrypted, but the SKIP header 2205 and Outer IP header 2203 are not; fig. 6; para 00183, “SEND table 601 has three columns: one, 603 for the trust/sensitivity levels, one, 605, for minimum encryption methods, and one, 607, for minimum identification methods. For details on the encryption methods of column 605, see Bruce Schneier, Applied Cryptography, John Wiley & Sons, New York, 1994. Each row 609 of the table associates a trust/sensitivity level with a minimum encryption level for the path connecting the access filter, client, and server and a minimum identification level for the user. Thus, row 609(1) associates the "top secret" trust/sensitivity level with the 3DES encryption algorithm and a user certificate obtained via SKIP. A user who wishes to gain access to a resource with the sensitivity level "top secret" must consequently have an identification that is certified by SKIP and if the path does not have a "top secret" trust level, the session must be encrypted with the 3DES algorithm. On the other hand, as shown by row 609(4), a user who wishes to gain access to a resource with the sensitivity level "public" may be identified by any method and there is no requirement that the session be encrypted.”; para 0261, “As previously explained, the User Group tables 1301 and the Information Sets tables 1401 provide the information needed by access filter 203 to determine whether the access policies of tables 1601 permit the access and also provide information about the sensitivity level of the resource being accessed. Access filters tables 1701 additionally provide the information needed by access filter 203 to determine the minimum trust level of the path in the VPN being taken by the session and the trust levels of the available encryption algorithms. Thus, if access filter 203 determines that a given user wishing to access a given resource belongs to a user group which has the right to access the information set to which the given resource belongs and that the authentication level used for the user's identification is no lower than that required for the resource's sensitivity level, access filter 203 can further determine whether the trust level of the path is sufficiently high, and if it is not, access filter 203 can raise the trust level the necessary amount by selecting an encryption algorithm with the required trust level and encrypting the session”; see further para 0339-362, which describes the end-to-end encryption example of fig. 5 and 22, where the trust level is “secret”). Claim 14 is a method claims that corresponds to claim 1. Hence claim 14 is rejected as being anticipated by Hannel ‘366 for the same reason as claim 1. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 5 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hannel ‘366 in view of Huang et al. US 20230066604 (hereinafter Huang ‘604). As per claim 5, Hannel ‘366 discloses the communication control apparatus according to claim 1 (supra). Hannel ‘366 does not disclose, but Huang ‘604 discloses wherein, in the process of deciding, the at least one processor sets the encryption range to part of the data and part of the first header of the packet which is transmitted in the target flow (para 0035,” In the example encrypted packet 350, a header and a portion of a payload are encrypted. For instance, a IEEE 802.11 header 354 (comprising an Ethernet header 356 and IP header 358) and a first payload portion 362A can be encrypted based on ESP. An ESP trailer 360 can be appended after the first payload portion 362A. Then, an IPSec encrypt part 364 comprising the IEEE 802.11 header 304, first payload portion 362A, and ESP trailer 360 can be encrypted collectively. An ESP header 352, which may not be encrypted, can provide information about the encryption. The example encrypted packet 350 and encryption method thereof can be advantageous when the first payload portion 362A of the packet are not already encrypted or encrypted with lower security encryption. For instance, the payload portions 362A, 362B may have been encrypted with data link layer encryption, such as IEEE 802.11 Temporal Key Integrity Protocol (TKIP) encryption. In some embodiments, the encryption/decryption module 208 of FIG. 2 may provide the determination that the payload portions 362A, 362B are already encrypted with which layer encryption, which encryption algorithm, and/or with which level of security.”; para 0036, “As illustrated in the example encrypted packets 300, 350, the system and methods disclosed herein allow for the protection of sensitive header information without need to encrypt the whole payload. The selective encryption can significantly reduce computing resource and time overheads associated with the conventional double encryption and, thus, provide performance improvement regarding securing network traffic over IPSec tunnels. In order to access whole plain data from encrypted packets, one must decrypt the encrypted part and combine the decrypted part with unencrypted payload. Thus, the example encrypted packets 300, 350 may provide the same level of security as compared to conventional double encryption but with reduced bottleneck and increased throughput.”; fig. 3b, IPsec Encrypt Part 364: portion of the packet header and portion of the payload are encrypted. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hannel ‘366 such that only a portion of the header and data are encrypted. One would have been motivated to do so to increase throughput while maintaining sufficient security. Claim 21 is method claim that corresponds to claim 5. Hence claim 21 is rejected as being unpatentable over Hannel ‘366 in view of Huang ‘604 for the same reasons as claim 5. Claims 6-7 and 22-23 are rejected under 35 USC 103 as being unpatentable over Hannel ‘366 in view of Shi et al. US 20180139191 (hereinafter Shi ‘191). As per claim 6, Hannel ‘366 discloses the communication control apparatus according to claim 1 (supra). Hannel ‘366 does not disclose, but Shi ‘191 discloses wherein, in the process of deciding, when the risk score is equal to or more than the first threshold and equal to or less than a second threshold, which is more than the first threshold, the at least one processor sets the encryption range to the data, the first header, and a second header of the packet which is transmitted in the target flow (para 0116, “Dotted-line parts in FIG. 6a to FIG. 6c are encryption ranges determined by the network device according to the encryption range identifier. The network device encrypts the corresponding part of the VXLAN packet according to the encryption range to generate ciphertext. For example, if the encryption range identifier is 01, the network device determines to encrypt the payload in the VXLAN packet. If the encryption range identifier is 10, the network device determines to encrypt the inner IP header and the payload in the VXLAN packet. If the encryption range identifier is 11, and the network device determines to encrypt the inner Ethernet header, the inner IP header, and the payload in the VXLAN packet. Such a setting facilitates flexible setting of the VXLAN security policy, to provide encrypted ciphertext with different security levels.”; fig. 6b, encrypting VXLAN packet payload would necessarily encrypt higher layer headers and payloads; examiner’s note, encrypting the inner IP header but not the inner Ethernet header has a lower security level than encrypting both the inner IP and Ethernet header). It would have been obvious before the effective filing date of the claimed invention to modify Hannel ‘366 such that additional headers are encrypted depending on the need for higher levels of security. One would have been motivated to do so to vary the level of security of the communication flow to the particular circumstance in order to balance security strength with overhead performance. See Shi ‘191, para 0055. As per claim 7, Hannel ‘336 disclose the communication control apparatus according to claim 6 (supra). Hannel ‘336 does not disclose, but Shi ‘191 discloses wherein, in the process of deciding, when the risk score is equal to or more than the second threshold, the at least one processor sets the encryption range to the data, the first header, the second header, and a third header of the packet which is transmitted in the target flow (para 0116, “Dotted-line parts in FIG. 6a to FIG.6c are encryption ranges determined by the network device according to the encryption range identifier. The network device encrypts the corresponding part of the VXLAN packet according to the encryption range, to generate ciphertext. For example, if the encryption range identifier is 01, the network device determines to encrypt the payload in the VXLAN packet. If the encryption range identifier is 10, the network device determines to encrypt the inner IP header and the payload in the VXLAN packet. If the encryption range identifier is 11, and the network device determines to encrypt the inner Ethernet header, the inner IP header, and the payload in the VXLAN packet. Such a setting facilitates flexible setting of the VXLAN security policy, to provide encrypted ciphertext with different security levels.”; fig. 6c, encrypting VXLAN packet payload would necessarily encrypt higher layer headers and payloads; examiner’s note, encrypting the inner IP header and the inner Ethernet header has a higher security level than encrypting only the inner IP header). Claims 22-23 are method claims that corresponds to claims 6-7. Hence claims 22-23 are rejected as being unpatentable over Hannel ‘366 in view of Shi ‘191 for the same reasons as claims 6-7. Claims 8 and 24 are rejected under 35 USC 103 as being unpatentable over Hannel ‘366 in view of Ben-Shalom et al. US 20150365427 (hereinafter Ben-Shalom ‘427). As per claim 8, Hannel ‘336 disclose the communication control apparatus according to claim 1 (supra). Hannel ‘336 does not disclose, but Ben-Shalom ‘427 discloses wherein the communication path information is information that has been quantified according to a communication medium of each communication path in the target flow (para. 0031, “Alternatively or additionally, in some embodiments, the locations on which such determinations of trust levels may be based may include locations of one or more of the computing devices on the network 999, including and not limited to, the relative level of security of different portions of the network 999. Such relative levels of security may be based on what communications media is employed for a portion (e.g., wired versus wireless), whether encryption or other measures to detect interference with communications are employed in a portion, or whether a portion includes or requires access through an openly accessible public network (e.g., the Internet). As familiar to those skilled in the art, a determination of a level of trust for communications with a computing device may include both the degree to which the computing device itself is secure and the degree to which communications with that computing device is secure.”). It would have been obvious before the effective filing date of the claimed invention to modify Hannel ‘366 such that the communication path information has been quantified according to a communication medium of each communication path in the target flow. One would have been motivated to do so because wired and wireless communication mediums are recognized in the art to have different levels of security. Claim 24 is method claim that corresponds to claim 8. Hence claim 24 is rejected as being unpatentable over Hannel ‘366 in view of Ben-Shalom ‘427 for the same reasons as claim 8. Claims 9 and 25 are rejected under 35 USC 103 as being unpatentable over Hannel ‘366 in view of Brandt et al. US 20040107345 (hereinafter Brandt ‘345). As per claim 9. Hannel ‘336 disclose the communication control apparatus according to claim 1 (supra). Hannel ‘336 does not disclose, but Brandt ‘345 discloses wherein the communication path information is information that has been quantified according to a presence of suspicious traffic on each communication path of the target flow (para. 0029, “It is to be appreciated that the security protocols 42-46 can be dynamically adjusted or altered as conditions change and/or over the course of time (e.g., upon detection of a suspicious communication from an unknown network device, increase security protocols between remote device and automation asset to higher-end security mechanisms).”). It would have been obvious before the effective filing date of the claimed invention to modify Hannel ‘366 such that the communication path information has been quantified according to a presence of suspicious traffic on each communication path of the target flow. One would have been motivated to do so to consider additional security factors when determining the security protocol as conditions change over time. Claim 25 is method claim that corresponds to claim 9. Hence claim 25 is rejected as being unpatentable over Hannel ‘366 in view of Brandt ‘345 for the same reasons as claim 9. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUNG W KIM whose telephone number is (571)272-3804. The examiner can normally be reached Monday-Friday, 10 a.m. - 6 p.m.. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amy Cohen Johnson can be reached at 571-272-2238. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494
Read full office action

Prosecution Timeline

Sep 04, 2024
Application Filed
Dec 16, 2025
Non-Final Rejection mailed — §102, §103
Mar 16, 2026
Response Filed
Apr 22, 2026
Final Rejection mailed — §102, §103
Jun 22, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683817
BLOCKCHAIN RECORD CERTIFICATION
2y 7m to grant Granted Jul 14, 2026
Patent 12556366
PRIVACY-PRESERVING COMPUTATION METHOD AND SYSTEM FOR SECURE THREE-PARTY LINEAR REGRESSION
1y 12m to grant Granted Feb 17, 2026
Patent 12413973
MULTISESSION PAP/CHAP SUPPORT FOR WWC
1y 10m to grant Granted Sep 09, 2025
Patent 12361173
METHOD OF MANAGING ACCESS RIGHTS FOR SOFTWARE TASKS EXECUTED BY A MICROCONTROLLER, AND CORRESPONDING INTEGRATED CIRCUIT
3y 0m to grant Granted Jul 15, 2025
Patent 12321425
Identity Verification Method and Apparatus, and Electronic Device
2y 9m to grant Granted Jun 03, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

2-3
Expected OA Rounds
48%
Grant Probability
63%
With Interview (+15.1%)
4y 4m (~2y 6m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 153 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month