Prosecution Insights
Last updated: July 17, 2026
Application No. 18/886,147

AGGREGATING SECURITY EVENTS

Final Rejection §103§DOUBLEPATENT
Filed
Sep 16, 2024
Priority
Mar 21, 2022 — continuation of 12/095,731
Examiner
MCNALLY, MICHAEL S
Art Unit
2432
Tech Center
2400 — Computer Networks
Assignee
SOPHOS Limited
OA Round
2 (Final)
90%
Grant Probability
Favorable
3-4
OA Rounds
9m
Est. Remaining
98%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
962 granted / 1072 resolved
+31.7% vs TC avg
Moderate +9% lift
Without
With
+8.7%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
16 currently pending
Career history
1093
Total Applications
across all art units

Statute-Specific Performance

§101
4.2%
-35.8% vs TC avg
§103
59.2%
+19.2% vs TC avg
§102
13.4%
-26.6% vs TC avg
§112
5.9%
-34.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 1072 resolved cases

Office Action

§103 §DOUBLEPATENT
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Information Disclosure Statement The information disclosure statement (IDS) submitted on 28 May 2025 has been considered by the examiner. Response to Arguments Applicant’s arguments with respect to claims 24, 38 and 39 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 24-28, 30-40 and 42-43 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication No. 2021/0400071 by Ray et al. in view of U.S. Patent No. 11,086,709 to Ratkovic et al. As to claims 24, 38 and 39, Ray discloses a computer program product/method/system for aggregating security events, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices of a threat management facility, perform the steps of: receiving a stream of events from an operating system at a local security agent executing on an endpoint, each event in the stream of events including an event type (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; stream of changes/events including type of change); detecting an event of a first event type in the stream of events, the first event type including one or more of writing data to memory, reading data in memory, and allocating memory (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; filtering of event stream to isolate specific type of change (memory read/write)); generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type, the aggregate event including a first event of the aggregate event, a most recent event of the aggregate event, and one or more summary fields characterizing occurrences of the first event type in the stream (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; events sharing a common type aggregated); determining an end to the aggregate event at a predetermined time period from the most recent event of the aggregate event, wherein the predetermined time period is adjusted based on processing resources available to the local security agent (Ray: Page 20, Sec 169-171 and Page 23, Sec 193; filtered event stream determines end of aggregation based on time or other factors, timing of transmission based on processing ability among other factors); and transmitting the aggregate event to a security resource after the predetermined time period (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; aggregated events sent to threat management facility). With respect to claim 39 only, Ray further discloses a plurality of local security agents executing on a plurality of endpoints, each of the plurality of local security agents configured by non-transitory computer executable code stored in a memory to perform the steps (Ray: Page 23, Sec 194: “while shown as a single transformer 1406, it will be understood that the platform 1400 may use any number of transformers, operating in sequence or in parallel, or some combination of these, suitable for timely processing events and maintaining the stream service 1404 in a state suitable for, e.g., real time threat detection, remediation, and/or other security-related functions”). Ray does not expressly disclose wherein the predetermined time period provides an upper time limit for processing. Ratkovic discloses wherein the predetermined time period provides an upper time limit for processing (Ratkovic: Col 45, Line 39 – Col 46, Line 3; “ At 2012, an aggregate property of the set of network elements is calculated. In various embodiments, a standard deviation, minimum, maximum, average, or any appropriate statistic or property is calculated. For example, a recent history time series for the traffic on each link may be created and run through a watermark aggregator to determine the number of links running over 80% utilization for more than 30 seconds. At 2014, conditional logic is applied to the result to detect an anomaly. In some embodiments, pre-defined conditional logic comprises a threshold value (e.g. maximum or minimum) for the aggregate property and an anomaly is detected in the event the calculated aggregate property is abnormal based on the threshold value. For example, an anomaly is generated in the event more than five percent of links in the set of links are running over 80% utilization for more than 30 seconds.”). Ray and Ratkovic are analogous art because they are from the common area of anomaly detection. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the threshold of Ratkovic in the system of Ray. The rationale would have been to have a trigger for the analysis (Ratkovic: Col 45, Line 39 – Col 46, Line 3). As to claim 25, the modified Ray/Ratkovic reference further discloses wherein the one or more summary fields includes one or more of a first target process identifier, a last target process identifier, a first address, a most recent address, a first size, a last size, a total size, a time of first occurrence, a time of most recent occurrence, an event type identifier, and a last update time (Ray: Fig 11). As to claim 26, the modified Ray/Ratkovic reference further discloses wherein the security resource includes at least one of the local security agent on the endpoint and a threat management facility for an enterprise network associated with the endpoint (Ray: Fig 11; Pager 16, Sec 145; agents on endpoints and threat management facility).. As to claim 27, the modified Ray/Ratkovic reference further discloses a method comprising: receiving a stream of events at a local security agent executing on an endpoint, each event in the stream of events including an event type (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; stream of changes/events including type of change); detecting an event of a first event type in the stream of events (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; filtering of event stream to isolate specific type of change (memory read/write)); generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; filtering of event stream to isolate specific type of change (memory read/write)); determining an end to the aggregate event at a predetermined time period from the most recent event of the aggregate event, wherein the predetermined time period is adjusted based on a processing utilization of the local security agent (Ray: Page 20, Sec 169-171 and Page 23, Sec 193; filtered event stream determines end of aggregation based on time or other factors, timing of transmission based on processing ability among other factors); detecting malware on the endpoint based on the aggregate event (Ray: Fig 12: Page 20-21, Sec 177; malware detected based on stream data); and remediating the malware on the endpoint (Ray: Fig 12: Page 20-21, Sec 177; remedial action taken based on detection of malware). As to claim 28, the modified Ray/Ratkovic reference further discloses further comprising transmitting the aggregate event to a security resource when a predetermined time period has elapsed from a most recent event of the aggregate event (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; aggregated events sent to threat management facility). As to claim 30, the modified Ray/Ratkovic reference further discloses further comprising transmitting the aggregate event to a security resource (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; aggregated events sent to threat management facility). As to claim 31, the modified Ray/Ratkovic reference further discloses further comprising transmitting the aggregate event to a security resource in response to detecting a second event of a second type in the stream of events (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171). As to claim 32, the modified Ray/Ratkovic reference further discloses further comprising transmitting the aggregate event to a local security agent on the endpoint for use in detecting the malware (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171). As to claim 33, the modified Ray/Ratkovic reference further discloses wherein the aggregate event includes one or more summary fields characterizing occurrences of the first event type in the stream (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171). As to claim 34, the modified Ray/Ratkovic reference further discloses wherein the one or more summary fields includes one or more of a first target process identifier, a last target process identifier, a first address, a most recent address, a first size, a last size, a total size, a time of first occurrence, a time of most recent occurrence, an event type identifier, and a last update time (Ray: Page 2-3, Sec 19; address, identifier; Page 23, Sec 193; timestamps, file sizes). As to claim 35, the modified Ray/Ratkovic reference further discloses wherein the first event type includes one or more of writing data to memory, reading data in memory, and allocating memory (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; filtering of event stream to isolate specific type of change (memory read/write)). As to claim 36, the modified Ray/Ratkovic reference further discloses wherein the stream of events includes one or more security events received from one or more of an operating system, a security service native to an operating system, and a third-party security service (Ray: Page 6, Sec 64 and Page 9, Sec 81; monitoring OS calls for events). As to claim 37, the modified Ray/Ratkovic reference further discloses further comprising performing an initial malware detection on the endpoint based on detecting the event of the first type in the stream of events (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171). As to claim 40, the modified Ray/Ratkovic reference further discloses wherein each of the plurality of local security agents are further configured by computer executable code to perform the step of delivering the one of the aggregate events to the threat management facility when a predetermined time period has elapsed from a most recent event of the one of the aggregate events (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171; aggregated events sent to threat management facility). As to claim 42, the modified Ray/Ratkovic reference further discloses further comprising code that performs the step of delivering the one of the aggregate events to the threat management facility in response to detecting a second event of a second type in the stream of events from one of the plurality of endpoints (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171). As to claim 43, the modified Ray/Ratkovic reference further discloses wherein the one of the aggregate events includes one or more summary fields characterizing occurrences of the first event type (Ray: Fig 12: Page 19, Sec 162 – Page 20, Sec 171). Claims 29 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication No. 2021/0400071 by Ray et al. in view of U.S. Patent No. 11,086,709 to Ratkovic et al. further in view of U.S. Patent Application Publication No. 2022/0197879 by Jha et al. As to claims 29 and 41, the modified Ray/Ratkovic reference discloses all recited elements of claims 27 and 39 from which claims 29 and 41 respectively depend. The modified reference does not expressly disclose wherein the predetermined time period is one second or less. Jha discloses wherein the predetermined time period is one second or less (Jha: Page 5, Sec 56; events collected in one second intervals). The modified reference and Jha are analogous art because they are from the common area of event logging. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant invention, to use the one second period of Jha in the system of Ray. The rationale would have been to group aggregated records (Jha: Page 5, Sec 56). Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 24-43 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 12,095,731. Although the claims at issue are not identical, they are not patentably distinct from each other because thew claims of the instant application represent a slight broadening and rearrangement of the claims of the ‘731 Patent and on that basis, the claims of the ‘731 Patent anticipate the claims of the instant application. As to claim 24, the ‘731 Patent discloses a computer program product for aggregating security events, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices, performs the steps of (Claim 1: A computer program product for aggregating security events, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on one or more computing devices of a threat management facility, perform the steps of): receiving a stream of events from an operating system at a local security agent executing on an endpoint, each event in the stream of events including an event type (Claim 1: receiving a stream of events from an operating system at a local security agent executing on an endpoint, each event in the stream of events including an event type); detecting an event of a first event type in the stream of events, the first event type including one or more of writing data to memory, reading data in memory, and allocating memory (Claim 1: detecting an event of a first event type in the stream of events, the first event type including one or more of writing data to memory, reading data in memory, and allocating memory); generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type, the aggregate event including a first event of the aggregate event, a most recent event of the aggregate event, and one or more summary fields characterizing occurrences of the first event type in the stream (Claim 1: generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type, the aggregate event including a first event of the aggregate event, a most recent event of the aggregate event, and one or more summary fields characterizing occurrences of the first event type in the stream); determining an end to the aggregate event at a predetermined time period from the most recent event of the aggregate event (Claim 1: determining an end to the aggregate event by detecting an earlier of a predetermined time period from the most recent event and an occurrence of a second event of a second event type in the stream of events), wherein the predetermined time period provides an upper time limit for processing (Claim 6: The method of claim 5, wherein the predetermined time period is one second or less. One second as claimed is a specific upper time limit), and wherein the predetermined time period is adjusted based on processing resources available to the local security agent; (Claim 3: The computer program product of claim 1, further comprising code that performs the step of adjusting the predetermined time period based on a processing utilization of the local security agent); and transmitting the aggregate event to a security resource after the predetermined time period (Claim 1: and transmitting the aggregate event to a security resource.). As to claim 25, the ‘731 Patent discloses the computer program product of claim 24, wherein the one or more summary fields includes one or more of a first target process identifier, a last target process identifier, a first address, a most recent address, a first size, a last size, a total size, a time of first occurrence, a time of most recent occurrence, an event type identifier, and a last update time (Claim 2: The computer program product of claim 1, wherein the one or more summary fields includes one or more of a first target process identifier, a last target process identifier, a first address, a most recent address, a first size, a last size, a total size, a time of first occurrence, a time of most recent occurrence, an event type identifier, and a last update time). As to claim 26, the ‘731 Patent discloses the computer program product of claim 24, wherein the security resource includes at least one of the local security agent on the endpoint (Claim 16: a plurality of local security agents executing on a plurality of endpoints) and a threat management facility for an enterprise network associated with the endpoint (Claim 16: and a threat management facility configured to receive one of the aggregate events from one of the plurality of local security agents). As to claim 27, the ‘731 Patent discloses a method comprising (Clam 4: A method comprising): receiving a stream of events at a local security agent executing on an endpoint, each event in the stream of events including an event type (Claim 4: receiving a stream of events at a local security agent executing on an endpoint, each event in the stream of events including an event type); detecting an event of a first event type in the stream of events (Claim 4: detecting an event of a first event type in the stream of events); generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type (Claim 4: generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type); determining an end to the aggregate event after a predetermined time period from a most recent event of the aggregate event (Claim 4: determining an end to the aggregate event by detecting an earlier of a predetermined time period from a most recent event of the aggregate event and an occurrence of a second event of a second event type in the stream of events), wherein the predetermined time period is adjusted based on a processing utilization of the local security agent (Claim 3: The computer program product of claim 1, further comprising code that performs the step of adjusting the predetermined time period based on a processing utilization of the local security agent); detecting malware on the endpoint based on the aggregate event (Claim 4: detecting malware on the endpoint based on the aggregate event); and remediating the malware on the endpoint (Claim 4: and remediating the malware on the endpoint). As to claim 28, the ‘731 Patent discloses the method of claim 27, further comprising transmitting the aggregate event to a security resource when the predetermined time period has elapsed from the most recent event of the aggregate event (Claim 5: The method of claim 4, further comprising transmitting the aggregate event to a security resource when the predetermined time period has elapsed from the most recent event of the aggregate event.). As to claim 29, the ‘731 Patent discloses the method of claim 28, wherein the predetermined time period is one second or less (Claim 6: The method of claim 5, wherein the predetermined time period is one second or less.). As to claim 30, the ‘731 Patent discloses the method of claim 27, further comprising transmitting the aggregate event to a security resource (Claim 8: The method of claim 4, further comprising transmitting the aggregate event to a security resource in response to detecting the second event of the second type in the stream of events). As to claim 31, the ‘731 Patent discloses the method of claim 27, further comprising transmitting the aggregate event to a security resource in response to detecting a second event of a second type in the stream of events (Claim 8: The method of claim 4, further comprising transmitting the aggregate event to a security resource in response to detecting the second event of the second type in the stream of events). As to claim 32, the ‘731 Patent discloses the method of claim 27, further comprising transmitting the aggregate event to a local security agent on the endpoint for use in detecting the malware (Claim 9: The method of claim 4 further comprising transmitting the aggregate event to a local security agent on the endpoint for use in detecting the malware). As to claim 33, the ‘731 Patent discloses the method of claim 27, wherein the aggregate event includes one or more summary fields characterizing occurrences of the first event type in the stream (Claim 10: The method of claim 4, wherein the aggregate event includes one or more summary fields characterizing occurrences of the first event type in the stream”). As to claim 34, the ‘731 Patent discloses the method of claim 33, wherein the one or more summary fields includes one or more of a first target process identifier, a last target process identifier, a first address, a most recent address, a first size, a last size, a total size, a time of first occurrence, a time of most recent occurrence, an event type identifier, and a last update time (Claim 11: The method of claim 10, wherein the one or more summary fields includes one or more of a first target process identifier, a last target process identifier, a first address, a most recent address, a first size, a last size, a total size, a time of first occurrence, a time of most recent occurrence, an event type identifier, and a last update time.). As to claim 35, the ‘731 Patent discloses the method of claim 27, wherein the first event type includes one or more of writing data to memory, reading data in memory, and allocating memory (Clam 12: The method of claim 4, wherein the first event type includes one or more of writing data to memory, reading data in memory, and allocating memory). As to claim 36, the ‘731 Patent discloses the method of claim 27, wherein the stream of events includes one or more security events received from one or more of an operating system, a security service native to an operating system, and a third-party security service (Claim 13: The method of claim 4, wherein the stream of events includes one or more security events received from one or more of an operating system, a security service native to an operating system, and a third-party security service). As to claim 37, the ‘731 Patent discloses the method of claim 27, further comprising performing an initial malware detection on the endpoint based on detecting the event of the first event type in the stream of events (Claim 14: The method of claim 4, further comprising performing an initial malware detection on the endpoint based on detecting the event of the first type in the stream of events). As to claim 38, the ‘731 Patent discloses a method comprising (Claim 15: A method comprising): receiving a stream of events at a local security agent executing on an endpoint, each event in the stream of events including an event type (Claim 15: receiving a stream of events at a local security agent executing on an endpoint, each event in the stream of events including an event type); detecting an event of a first event type in the stream of events (Claim 15: detecting an event of a first event type in the stream of events); generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type (Claim 15: generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type); determining an end to the aggregate event after a predetermined time period from a most recent event of the aggregate event (Claim 15: determining an end to the aggregate event by detecting an earlier of a predetermined time period from a most recent event of the aggregate event and an occurrence of a second event of a second event type in the stream of events), wherein the predetermined time period is adjusted based on a processing utilization of the local security agent (Claim 3: The computer program product of claim 1, further comprising code that performs the step of adjusting the predetermined time period based on a processing utilization of the local security agent); and transmitting the aggregate event to a security resource (Claim 1: and transmitting the aggregate event to a security resource.). As to claim 39, the ‘731 Patent discloses A system comprising (Claim 16: A system comprising): a plurality of local security agents executing on a plurality of endpoints, each of the plurality of local security agents configured by non-transitory computer executable code stored in a memory to perform the steps of (Claim 16: a plurality of local security agents executing on a plurality of endpoints, each of the plurality of local security agents configured by non-transitory computer executable code stored in a memory to perform the steps of): receiving a stream of events, each event in the stream of events including an event type (Claim 16: receiving a stream of events, each event in the stream of events including an event type), detecting an event of a first event type in the stream of events (Claim 16: detecting an event of a first event type in the stream of events), generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type (Claim 16: generating an aggregate event for the first event type by continuously aggregating subsequent events of the first event type in the stream of events to the event of the first event type), and determining an end to the aggregate event after a predetermined time period from a most recent event of the aggregate event (Claim 16: and determining an end to the aggregate event by detecting an earlier of a predetermined time period from a most recent event of the aggregate event and an occurrence of a second event of a second event type in the stream of events), wherein the predetermined time period is adjusted based on a processing utilization of a local security agent (Claim 3: The computer program product of claim 1, further comprising code that performs the step of adjusting the predetermined time period based on a processing utilization of the local security agent); and a threat management facility configured to receive one of the aggregate events from one of the plurality of local security agents (Claim 16: and a threat management facility configured to receive one of the aggregate events from one of the plurality of local security agents). As to claim 40, the ‘731 Patent discloses the system of claim 39, wherein each of the plurality of local security agents are further configured by computer executable code to perform the step of delivering the one of the aggregate events to the threat management facility when the predetermined time period has elapsed from the most recent event of the one of the aggregate events (Claim 17: The system of claim 16, wherein each of the plurality of local security agents are further configured by computer executable code to perform the step of delivering the one of the aggregate events to the threat management facility when the predetermined time period has elapsed from the most recent event of the one of the aggregate events). As to claim 41, the ‘731 Patent discloses the system of claim 40, wherein the predetermined time period is one second or less (Claim 18: The system of claim 17, wherein the predetermined time period is one second or less). As to claim 42, the ‘731 Patent discloses the system of claim 39, further comprising code that performs the step of delivering the one of the aggregate events to the threat management facility in response to detecting a second event of a second type in the stream of events from one of the plurality of endpoints (Claim 19: The system of claim 16, further comprising code that performs the step of delivering the one of the aggregate events to the threat management facility in response to detecting the second event of the second type in the stream of events from one of the plurality of endpoints). As to claim 43, the ‘731 Patent discloses the system of claim 39, wherein the one of the aggregate events includes one or more summary fields characterizing occurrences of the first event type (Claim 20: The system of claim 16, wherein the one of the aggregate events includes one or more summary fields characterizing occurrences of the first event type) Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599. The examiner can normally be reached Monday-Friday, 8:30 AM - 5:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. MICHAEL S. MCNALLY Primary Examiner Art Unit 2432 /Michael S McNally/Primary Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Sep 16, 2024
Application Filed
Nov 18, 2025
Non-Final Rejection (signed) — §103, §DOUBLEPATENT
Dec 29, 2025
Non-Final Rejection mailed — §103, §DOUBLEPATENT
Mar 18, 2026
Applicant Interview (Telephonic)
Mar 18, 2026
Examiner Interview Summary
Mar 24, 2026
Response Filed
Apr 14, 2026
Final Rejection mailed — §103, §DOUBLEPATENT (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12675563
METHOD FOR UNLOCKING AN ELECTRONIC DEVICE
1y 10m to grant Granted Jul 07, 2026
Patent 12659300
CUSTOMER-MANAGED IDENTIFIER ROTATION AND ANONYMOUS PROCESSING
2y 3m to grant Granted Jun 16, 2026
Patent 12641079
BIOMETRIC DATA-BASED HOLOGRAPHIC AUTHENTICATION
2y 7m to grant Granted May 26, 2026
Patent 12640923
NUMBER-THEORETIC TRANSFORM ARCHITECTURE FOR LATTICE-BASED CRYPTOGRAPHIC ALGORITHMS
2y 1m to grant Granted May 26, 2026
Patent 12632547
INFORMATION PROCESSING APPARATUS AND VIRUS DETECTION DISPLAY METHOD
2y 6m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
90%
Grant Probability
98%
With Interview (+8.7%)
2y 6m (~9m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 1072 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month