Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsOpen Text Inc. › 18892382
Last updated: April 19, 2026
Application No. 18/892,382

Security Privilege Escalation Exploit Detection and Mitigation

Non-Final OA §102§103§112§DP
Filed
Sep 21, 2024
Examiner
MCNALLY, MICHAEL S
Art Unit
2432
Tech Center
2400 — Computer Networks
Assignee
Open Text Inc.
OA Round
1 (Non-Final)
90%
Grant Probability
Favorable
1-2
OA Rounds
2y 8m
To Grant
98%
With Interview

Interview Optional

+8.7% interview lift. This examiner has a relatively high allow rate; a written response may suffice.
Based on 1060 resolved cases, 2023–2026

Examiner Intelligence

MCNALLY, MICHAEL S View full profile →
Grants 90% — above average
90%
Career Allow Rate
950 granted / 1060 resolved
+31.6% vs TC avg
Moderate +9% lift
Without
With
+8.7%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
17 currently pending
Career history
1077
Total Applications
across all art units

Statute-Specific Performance

§101
11.2%
-28.8% vs TC avg
§103
36.8%
-3.2% vs TC avg
§102
22.5%
-17.5% vs TC avg
§112
13.7%
-26.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 1060 resolved cases

Office Action

§102 §103 §112 §DP
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 120 as follows: The independent claims recite the limitations “accessing an access token baseline from a memory, the access token baseline comprising a baseline attribute that corresponds to the current attribute; and evaluating the current attribute against the baseline attribute and determining that the current attribute does not match the baseline attribute; and based on the determination that the current attribute does not match the baseline attribute, performing a corrective action relating to the execution of the process on the device.”. None of the prior-filed applications discloses or mentions a “baseline” but instead refers to an initial or prior state of the token. A “baseline” is a significantly more expansive concept that merely an initial or prior state of the token, and on that basis, the prior-filed applications fail to provide adequate support for the claimed limitation, and as such, the instant application does not receive the benefit of the earlier filing dates of the prior-filled applications. Accordingly, the instant application is considered to have an effective filing date of 16 October 2024. Specification The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required: The specification contains no mention of the word “baseline”, and as such lacks antecedent basis for its use in the claims. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant recites a baseline in the independent claims. The specification is silent as to a baseline, as the word is never used. The baseline as recited in the independent claim is a generic statement of the boundaries of the claim. “Generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad, 598 F.3d at 1349-50, 94 USPQ2d at 1171 ("[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.") (citing Eli Lilly, 119 F.3d at 1568, 43 USPQ2d at 1405-06); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, 1616 (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, 1606 (Fed. Cir. 1993) (rejecting the argument that "only similar language in the specification or original claims is necessary to satisfy the written description requirement" “ (MPEP 2161.01) The claimed “baseline” represents an entire genus of values that could be used, and the language of the claims only serves to support a fraction of the possible species. “The Federal Circuit has explained that a specification cannot always support expansive claim language and satisfy the requirements of 35 U.S.C. 112 "merely by clearly describing one embodiment of the thing claimed." LizardTech v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1346, 76 USPQ2d 1731, 1733 (Fed. Cir. 2005). The issue is whether a person skilled in the art would understand the inventor to have invented, and been in possession of, the invention as broadly claimed.” (MPEP 2161.01). Accordingly, Claims 1 and 11 are rejected under 35 U.S.C. 112(a) for failing to comply with the written description requirement. Claims 2-10 and 12-20 are rejected as depending fron a rejected claim and failing to correct the deficiencies thereof. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1, 4-7, 9-11, 14-17 and 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by U.S. Patent No. 11,314,859 to Singh et al. As to claims 1 and 11, Singh discloses a computer-implemented method/medium of exploit protection comprising: registering with an operating system of a device to receive selected types of notifications (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; creation of monitored process); receiving, based on the registering, a notification associated with a process executing on the device (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; detection of suspicious activity for a monitored process); identifying a current access token that is associated with the process (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; current token state for process identified); evaluating a current state of the current access token, the current state of the current access token comprising a current attribute associated with the current access token (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; current token state for process identified), wherein evaluating the current state of the current access token comprises: accessing an access token baseline from a memory, the access token baseline comprising a baseline attribute that corresponds to the current attribute (Singh: Col 3, Line 56 – Col 4, Line 14; obtain baseline token for comparison) and evaluating the current attribute against the baseline attribute and determining that the current attribute does not match the baseline attribute (Singh: Col 3, Line 56 – Col 4, Line 14; baseline token state compared to current token state); and based on the determination that the current attribute does not match the baseline attribute, performing a corrective action relating to the execution of the process on the device (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; malicious access token reported). As to claims 4 and 14, Singh further discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a privilege specified by the access token baseline (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; detection of privilege escalation by child process). As to claims 5 and 15, Singh further discloses wherein the access token baseline is a previous access token state of an access token previously associated with the process (Singh: Col 3, Line 56 – Col 4, Line 14; stored token state for process). As to claims 6 and 16, Singh further discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that a current address of the current access token does not match a previous access token address (Singh: Col 10, Lines 3-19; address pointer in token information). As to claims 7 and 17, Singh further discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier (Singh: Col 3, Line 56 – Col 4, Line 14; user identifier one of points of comparison). As to claims 9 and 19, Singh further discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a previous privilege level for the process (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; detection of privilege escalation by child process). As to claims 10 and 20, Singh further discloses wherein the corrective action comprises at least one of: displaying warnings indicating privilege information has been modified (Singh: Fig 5; Col 14, Line 64 – Col 15, Line 41; warning provided), deleting privilege information, replacing privilege information with a previous version of the privilege information, or terminating the process. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 3, 8, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 11,314,859 to Singh et al. in view of U.S. Patent Application Publication No. 2013/0191880 by Conlan et al. As to claims 3, 8, 13 and 18, Singh discloses all recited elements of claims 1, 5, 11 and 15 from which claims 3, 8, 13 and 18 depend. Singh does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match an integrity level specified by the access token baseline. Conlan discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match an integrity level specified by the access token baseline (Conlan: Page 3,Sec 37: “The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs authorization before granting access to objects”. Singh and Conlan are analogous art because they are from the common area of access monitoring. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the integrity level check of Conlan in the system of Singh. The rationale would have been to protect the security of the processes (Conlan: Page 3,Sec 37). Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1, 4-5, 9-11, 14-15 and 19-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,728,034. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application represent an obvious variation and rearrangement of the claims of the ‘034 Patent As to claim 1, the ‘034 Patent discloses a computer-implemented method of exploit protection comprising (Claim 10: A method comprising): registering with an operating system of a device to receive selected types of notifications (Claim 11: The method of claim 10, further comprising registering to receive the notification from an operating system of a computing device); receiving, based on the registering, a notification associated with a process executing on the device (Claim 10: receiving a notification associated with a process) ; identifying a current access token that is associated with the process (Claim 10: identifying a security token associated with the process); evaluating a current state of the current access token (Claim 10: wherein the identifying comprises determining an initial state of the security token), the current state of the current access token comprising a current attribute associated with the current access token (Claim 10: wherein determining that the current state of the security token has been modified comprises identifying a privilege escalation exploit), wherein evaluating the current state of the current access token comprises: accessing an access token baseline from a memory, the access token baseline comprising a baseline attribute that corresponds to the current attribute (Claim 16: The method of claim 15, wherein the security context for the process is associated with a low privilege for the initial state of the security token and a high privilege for the current state of the security token); and evaluating the current attribute against the baseline attribute and determining that the current attribute does not match the baseline attribute (Claim 10: and determining that the current state of the security token has been modified, wherein determining that the current state of the security token has been modified comprises identifying a privilege escalation exploit); and based on the determination that the current attribute does not match the baseline attribute, performing a corrective action relating to the execution of the process on the device (Claim 10: and based on determining that the current state of the security token has been modified, performing one or more actions related to the process). As to claim 4, the ‘034 Patent discloses the computer-implemented method of Claim 1, wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a privilege specified by the access token baseline (Claim 10: and determining that the current state of the security token has been modified, wherein determining that the current state of the security token has been modified comprises identifying a privilege escalation exploit). As to claim 5, the ‘034 Patent discloses the computer-implemented method of Claim 1, wherein the access token baseline is a previous access token state of an access token previously associated with the process (Claim 15: The method of claim 10, wherein the security token is associated with a security context describing a set of credentials for the process; and claim 16: The method of claim 15, wherein the security context for the process is associated with a low privilege for the initial state of the security token and a high privilege for the current state of the security token.). As to claim 9, the ‘034 Patent discloses the computer-implemented method of Claim 5, wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a previous privilege level for the process (Claim 15: The method of claim 10, wherein the security token is associated with a security context describing a set of credentials for the process; and claim 16: The method of claim 15, wherein the security context for the process is associated with a low privilege for the initial state of the security token and a high privilege for the current state of the security token.). As to claim 10, the ‘034 Patent discloses the computer-implemented method of Claim 5, wherein the corrective action comprises at least one of: displaying warnings indicating privilege information has been modified, deleting privilege information, replacing privilege information with a previous version of the privilege information, or terminating the process (Claim 17: The method of claim 10, wherein the one or more actions comprise at least one of: displaying warnings indicating the current state of the security token has been modified, deleting the security token, replacing the security token with a previous version of the security token, or terminating the process). Claims 11, 14-15 and 19-20 recited a computer medium commensurate in scope to the method of claims 1, 4-5 and 9-10 and are thus rejected under a substantially similar rationale. Claims 3, 8, 13 and 18 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,728,034. in view of U.S. Patent Application Publication No. 2013/0191880 by Conlan et al. As to claims 3, 8, 13 and 18, the ‘034 Patent discloses all recited elements of claims 1, 5, 11 and 15 from which claims 3, 8, 13 and 18 depend. The ‘034 Patent does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match an integrity level specified by the access token baseline. Conlan discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match an integrity level specified by the access token baseline (Conlan: Page 3,Sec 37: “The integrity level in the access token is compared against the integrity level in the security descriptor when the security reference monitor performs authorization before granting access to objects”. The ‘034 Patent and Conlan are analogous art because they are from the common area of access monitoring. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the integrity level check of Conlan in the system of the ‘034 Patent. The rationale would have been to protect the security of the processes (Conlan: Page 3,Sec 37). Claims 6-7 and 16-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,728,034 in view of U.S. Patent No. 11,314,859 to Singh et al. As to claims 6 and 16 the ‘034 Patent discloses all recited elements of claims 5 and 15 from which claims 6 and 16 depend. The ‘034 Patent does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that a current address of the current access token does not match a previous access token address. Singh discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that a current address of the current access token does not match a previous access token address. (Singh: Col 10, Lines 3-19; address pointer in token information). The ‘034 Patent and Singh are analogous art because they are from the common area of access monitoring. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the address of Singh in the system of the ‘034 Patent. The rationale would have been to verify the token had not been modified (Singh: Col 10, Lines 3-19). As to claims 7 and 17 the ‘034 Patent discloses all recited elements of claims 5 and 15 from which claims 7 and 17 depend. The ‘034 Patent does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier. Singh discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier (Singh: Col 3, Line 56 – Col 4, Line 14; user identifier one of points of comparison). It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the identifier of Singh in the system of the ‘034 Patent. The rationale would have been to verify the token had not been modified (Singh: Col 3, Line 56 – Col 4, Line 14). Claims 1, 3-5, 8-11, 13-15 and 18-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,438,159. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application represent an obvious variation and rearrangement of the claims of the ‘159 Patent As to claim 1, the ‘159 Patent discloses a computer-implemented method of exploit protection comprising (Claim 11: A method comprising): registering with an operating system of a device to receive selected types of notifications (Claim 12: The method of claim 11, further comprising registering to receive the notification from an operating system of the device); receiving, based on the registering, a notification associated with a process executing on the device (Claim 11: receiving a notification associated with an execution of a process on a device); identifying a current access token that is associated with the process (Claim 11: identifying privilege information associated with the process and Claim 14: The method of claim 11, wherein identifying the privilege information comprises at least one of: parsing the notification, accessing a security token data store, and accessing a token issuing authority); evaluating a current state of the current access token (Claim 1: periodically evaluating one or more attributes of the privilege information), the current state of the current access token comprising a current attribute associated with the current access token (Claim 8: The system of claim 1, wherein evaluating one or more attributes of the privilege information comprises comparing a current state of the one or more attributes to the previous state of the one or more attributes), wherein evaluating the current state of the current access token comprises: accessing an access token baseline from a memory, the access token baseline comprising a baseline attribute that corresponds to the current attribute (Claim 6: The system of claim 1, wherein identifying the privilege information comprises identifying an initial state of a security token associated with the privilege information); and evaluating the current attribute against the baseline attribute and determining that the current attribute does not match the baseline attribute (Claim 11: determining that the one or more attributes of the privilege information has been modified from a previous state of the one or more attributes); and based on the determination that the current attribute does not match the baseline attribute, performing a corrective action relating to the execution of the process on the device (Claim 11: and upon determining that the one or more attributes of the privilege information has been modified from the previous state of the one or more attributes, performing one or more corrective actions relating to the execution of the process on the device). As to claim 3, the ‘159 Patent discloses the computer-implemented method of Claim 1, wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match an integrity level specified by the access token baseline (Claim 7: The system of claim 6, wherein identifying the initial state of the security token comprises at least one of: determining an address of the security token, determining a privilege level of the security token, determining an integrity level of the security token, and determining a current execution environment executing the process). As to claim 4, the ‘159 Patent discloses the computer-implemented method of Claim 1, wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a privilege specified by the access token baseline (Claim 7: The system of claim 6, wherein identifying the initial state of the security token comprises at least one of: determining an address of the security token, determining a privilege level of the security token, determining an integrity level of the security token, and determining a current execution environment executing the process). As to claim 5, the ‘159 Patent discloses the computer-implemented method of Claim 1, wherein the access token baseline is a previous access token state of an access token previously associated with the process (Claim 15: The method of claim 11, wherein the privilege information is associated with a security context describing a set of credentials for the process. And Claim 16: The method of claim 15, wherein the security context for the process is associated with a low privilege for an initial state of the privilege information and a high privilege for a current state of the privilege information). As to claim 8, the ‘159 Patent discloses the computer-implemented method of Claim 5, wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match a previous integrity level (Claim 7: The system of claim 6, wherein identifying the initial state of the security token comprises at least one of: determining an address of the security token, determining a privilege level of the security token, determining an integrity level of the security token, and determining a current execution environment executing the process). As to claim 9, the ‘159 Patent discloses the computer-implemented method of Claim 5, wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a previous privilege level for the process (Claim 11: determining that the one or more attributes of the privilege information has been modified from a previous state of the one or more attributes). As to claim 10, the ‘159 Patent discloses the computer-implemented method of Claim 5, wherein the corrective action comprises at least one of: displaying warnings indicating privilege information has been modified, deleting privilege information, replacing privilege information with a previous version of the privilege information, or terminating the process (Claim 17: The method of claim 11, wherein the one or more corrective actions comprise at least one of: displaying warnings indicating a current state of the privilege information has been modified, deleting the privilege information, replacing the privilege information with a previous version of the privilege information, and terminating the process). Claims 11, 13-15 and 18-20 recited a computer medium commensurate in scope to the method of claims 1, 3-5 and 8-10 and are thus rejected under a substantially similar rationale. Claims 6-7 and 16-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,438,159 in view of U.S. Patent No. 11,314,859 to Singh et al. As to claims 6 and 16 the ‘159 Patent discloses all recited elements of claims 5 and 15 from which claims 6 and 16 depend. The ‘159 Patent does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that a current address of the current access token does not match a previous access token address. Singh discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that a current address of the current access token does not match a previous access token address. (Singh: Col 10, Lines 3-19; address pointer in token information). The ‘159 Patent and Singh are analogous art because they are from the common area of access monitoring. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the address of Singh in the system of the ‘034 Patent. The rationale would have been to verify the token had not been modified (Singh: Col 10, Lines 3-19). As to claims 7 and 17 the ‘159 Patent discloses all recited elements of claims 5 and 15 from which claims 7 and 17 depend. The ‘159 Patent does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier. Singh discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier (Singh: Col 3, Line 56 – Col 4, Line 14; user identifier one of points of comparison). It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the identifier of Singh in the system of the ‘159 Patent. The rationale would have been to verify the token had not been modified (Singh: Col 3, Line 56 – Col 4, Line 14). Claims 1-6, 8-16 and 18-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-25 of U.S. Patent No. 12,149,623. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application represent an obvious variation and rearrangement of the claims of the ‘623 Patent As to claim 1, the ‘623 Patent discloses a computer-implemented method of exploit protection comprising (Claim 8: A method comprising): registering with an operating system of a device to receive selected types of notifications (Claim 15: The non-transitory, computer-readable media of claim 14, wherein the method further comprises registering to receive the notification from an operating system of the device); receiving, based on the registering, a notification associated with a process executing on the device (Claim 8: receiving a notification associated with an execution of a process on a device); identifying a current access token that is associated with the process (Claim 8: identifying privilege information associated with the process, including identifying a first security token for the process); evaluating a current state of the current access token, the current state of the current access token comprising a current attribute associated with the current access token (Claim 8: periodically evaluating an attribute of the privilege information, including periodically comparing a current security token associated with the process with the first security token), wherein evaluating the current state of the current access token comprises: accessing an access token baseline from a memory, the access token baseline comprising a baseline attribute that corresponds to the current attribute (Claim 10: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises determining that a security token attribute of the current security token has been modified compared to the first security token); and evaluating the current attribute against the baseline attribute and determining that the current attribute does not match the baseline attribute (Claim 10: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises determining that a security token attribute of the current security token has been modified compared to the first security token); and based on the determination that the current attribute does not match the baseline attribute, performing a corrective action relating to the execution of the process on the device (Claim 8: and upon determining that the attribute of the privilege information has been modified from the previous state of the attribute, performing a corrective action relating to the execution of the process on the device). As to claim 2, the ‘623 Patent discloses the computer-implemented method of Claim 1, further comprising: accessing a checkpoint list from the memory; and comparing the notification against the checkpoint list to determine that the notification matches a checkpoint, wherein the current access token is identified and the current state is evaluated based on the notification matching the checkpoint (Claim 24: The method of claim 8, wherein an evaluation of the attribute of the privilege information is performed at a time corresponding to at least one of: a process creation, a creation of a thread, a DLL loading event, or a system registry activity). As to claim 3, the ‘623 Patent discloses the computer-implemented method of Claim 1, wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match an integrity level specified by the access token baseline (Claim 11: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises at least one of: determining that an address of the current security token has been modified from the first security token, determining that an integrity level of the current security token has been modified from the first security token, determining that a privilege level granted by the current security token has been modified from the first security token). As to claim 4, the ‘623 Patent discloses the computer-implemented method of Claim 1, wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a privilege specified by the access token baseline (Claim 11: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises at least one of: determining that an address of the current security token has been modified from the first security token, determining that an integrity level of the current security token has been modified from the first security token, determining that a privilege level granted by the current security token has been modified from the first security token). As to claim 5, the ‘623 Patent discloses the computer-implemented method of Claim 1, wherein the access token baseline is a previous access token state of an access token previously associated with the process (Claim 10: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises determining that a security token attribute of the current security token has been modified compared to the first security token). As to claim 6, the ‘623 Patent discloses the computer-implemented method of Claim 5, wherein determining that the current attribute does not match the baseline attribute comprises determining that a current address of the current access token does not match a previous access token address (Claim 11: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises at least one of: determining that an address of the current security token has been modified from the first security token, determining that an integrity level of the current security token has been modified from the first security token, determining that a privilege level granted by the current security token has been modified from the first security token). As to claim 8, the ‘623 Patent discloses the computer-implemented method of Claim 5, wherein determining that the current attribute does not match the baseline attribute comprises determining that an integrity level associated with the current access token does not match a previous integrity level (Claim 11: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises at least one of: determining that an address of the current security token has been modified from the first security token, determining that an integrity level of the current security token has been modified from the first security token, determining that a privilege level granted by the current security token has been modified from the first security token). As to claim 9, the ‘623 Patent discloses the computer-implemented method of Claim 5, wherein determining that the current attribute does not match the baseline attribute comprises determining that a privilege level for the process from the current access token does not match a previous privilege level for the process (Claim 11: The method of claim 8, wherein determining that the attribute of the privilege information has been modified from the previous state of the attribute comprises at least one of: determining that an address of the current security token has been modified from the first security token, determining that an integrity level of the current security token has been modified from the first security token, determining that a privilege level granted by the current security token has been modified from the first security token). As to claim 10, the ‘623 Patent discloses the computer-implemented method of Claim 5, wherein the corrective action comprises at least one of: displaying warnings indicating privilege information has been modified, deleting privilege information, replacing privilege information with a previous version of the privilege information, or terminating the process (Claim 13: The method of claim 8, wherein the corrective action comprises at least one of: displaying warnings indicating a current state of the privilege information has been modified, deleting the privilege information, replacing the privilege information with a previous version of the privilege information, or terminating the process). Claims 11-16 and 18-20 recited a computer medium commensurate in scope to the method of claims 1-6 and 8-10 and are thus rejected under a substantially similar rationale. Claims 7 and 17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12,149,623 in view of U.S. Patent No. 11,314,859 to Singh et al. As to claims 7 and 17 the ‘623 Patent discloses all recited elements of claims 5 and 15 from which claims 7 and 17 depend. The ‘623 Patent does not expressly disclose wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier. Singh discloses wherein determining that the current attribute does not match the baseline attribute comprises determining that an access token identifier for the current access token does not match a previous access token identifier (Singh: Col 3, Line 56 – Col 4, Line 14; user identifier one of points of comparison). The ‘623 Patent and Singh are analogous art because they are from the common area of access monitoring. It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the identifier of Singh in the system of the ‘623 Patent. The rationale would have been to verify the token had not been modified (Singh: Col 3, Line 56 – Col 4, Line 14). Prior Art The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. U.S. Patent Application Publication No. 2005/0055579 by Kanda et al. discloses the distribution of security policies in a network U.S. Patent Application Publication No. 2006/0107037 by Lincoln et al. discloses the authentication of transactions U.S. Patent Application Publication No. 2007/0014397 by Ukeda et al. discloses distributing license information U.S. Patent Application Publication No. 2008/0133756 by Taylor discloses data integrity in a client-server environment U.S. Patent Application Publication No. 2012/0210415 by Somani et al. discloses push notifications U.S. Patent No. 8,572,716 to Chander et al. discloses integrated systems U.S. Patent Application Publication No. 2015/0101044 by Martin et al. discloses using an event model to determine system states U.S. Patent No. 9,250,811 to Patiejunas discloses data queueing. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599. The examiner can normally be reached Monday-Friday, 8:30 AM - 5:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. MICHAEL S. MCNALLY Primary Examiner Art Unit 2432 /Michael S McNally/Primary Examiner, Art Unit 2432
Read full office action

Prosecution Timeline

Sep 21, 2024
Application Filed
Jan 21, 2026
Non-Final Rejection — §102, §103, §112
Apr 09, 2026
Applicant Interview (Telephonic)
Apr 09, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

18/602,162
Patent 12597369
CRYPTO RECOVERY SEED PHRASE STORAGE DEVICE
2y 5m to grant Granted Apr 07, 2026
18/446,689
Patent 12579243
PROVIDING DYNAMIC AUTHENTICATION AND AUTHORIZATION AN ON ELECTRONIC DEVICE
2y 5m to grant Granted Mar 17, 2026
18/166,488
Patent 12572676
AUTHENTICATED DOCUMENT STORAGE VAULT
2y 5m to grant Granted Mar 10, 2026
18/410,406
Patent 12561422
SYSTEM FOR AUTHENTICATING DATA
2y 5m to grant Granted Feb 24, 2026
18/578,261
Patent 12563401
Hash Function and Lawful Interception
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
90%
Grant Probability
98%
With Interview (+8.7%)
2y 8m
Median Time to Grant
Low
PTA Risk
Based on 1060 resolved cases by this examiner. Grant probability derived from career allow rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month