Prosecution Insights
Last updated: July 05, 2026
Application No. 18/917,992

SYSTEMS AND METHODS FOR SOURCE-BASED MISUSE DETECTION

Non-Final OA §103
Filed
Oct 16, 2024
Examiner
DOAN, TRANG T
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Netscout Systems Inc.
OA Round
2 (Non-Final)
83%
Grant Probability
Favorable
2-3
OA Rounds
1y 7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 83% — above average
83%
Career Allowance Rate
518 granted / 624 resolved
+25.0% vs TC avg
Strong +17% interview lift
Without
With
+17.4%
Interview Lift
resolved cases with interview
Typical timeline
3y 4m
Avg Prosecution
23 currently pending
Career history
654
Total Applications
across all art units

Statute-Specific Performance

§101
5.0%
-35.0% vs TC avg
§103
63.2%
+23.2% vs TC avg
§102
16.4%
-23.6% vs TC avg
§112
10.4%
-29.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 624 resolved cases

Office Action

§103
DETAILED ACTION In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This Office Action is in response to the amendment filed on 2/9/2026. Claims 1, 11 and 19-20 have been amended. Claims 1-20 are pending for consideration. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Specification The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification. Response to Arguments The claim objections of claim 20 has been withdrawn as the claim has been amended to correct the informalities. Applicant's arguments filed on 2/9/2026 have been fully considered but they are not persuasive. Applicant argues on page 11 of the Remarks that Raleigh does not teach the following limitation, generating a tag in the first managed object for each source IP address... indicating misuse of the communications network by the source IP address, wherein the tag is indexed to the source IP address within the first managed object. Examiner respectfully disagrees. An indicator or flag recited in Raleigh reference is assigned to a specific end-user device associated with possible fraudulent activity is broadly interpreted as generating a tag in the first managed object for each source IP address (Raleigh: paragraphs 1430-1433, “based on its analysis of the UDRs and carrier-based data records, which may include FDR data, service controller 125 sets an indicator or flag to indicate potential fraudulent activity. The indicator or flag is specific to end-user device 105 and, in some embodiments in which the carrier-based usage reports specify a time period, the time period specified by the carrier-based usage report”). Raleigh further discloses a set of credentials storing or embedding into the end-user device, such as, one or more IP addresses, one or more MAC addresses, any other network address identifier, embedded device descriptive information block… (Raleigh: paragraphs 0528-0529, “the credentials can include one or more of the following: phone number, device identification number, MEID or similar mobile device identifier, hardware security device ID, security signature or other security credentials, device serial number, device identification and/or credential information via security hardware such as a SIM, one or more IP addresses, one or more MAC addresses, any other network address identifier, embedded device descriptive information block”). The indicator or flag associated to potential fraudulent activity is specific to the end-user device. Since the device has a source IP address (the device's IP is specific to the device), the indicator/flag is associated with it which is mapped to indicating misuse of the communications network by the source IP address. Raleigh further teaches wherein the tag is indexed to the source IP address within the first managed object (Raleigh: paragraphs 1430-1434, “after service controller 125 has completed the anomaly detection procedure, if the potential fraud indicator or flag is not set, service controller 125 generates charging data records with detailed charging codes for the data usage by end-user device 105. … if the potential fraud indicator or flag is set, service controller 125 waits for the network to send an FDR report via FDR report interface 2040-2 for end-user device 105. When service controller 125 receives the FDR report, service controller 125 performs validation of the carrier-based usage report based on the FDR report. ”). Based on the reasons above, Raleigh does teach the disputed limitations. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., the claims require a specific data structure where tags are indexed to source IP addresses within managed objects to enable searchability and processing) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Applicant’s arguments (i.e., “wherein the first misuse type corresponds to a distributed denial of service (DDoS) attack type”) with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 9-11 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Raleigh et al. (US 20130132854) (hereinafter Raleigh) in view of Feder et al. (US 20250373654) (hereinafter Feder). Regarding claim 1, Raleigh discloses a method comprising: storing, by one or more processors, a plurality of managed objects in memory, each of the plurality of managed objects corresponding to one or more computing devices configured to communicate over a communications network (Raleigh: paragraphs 0053-0057 and 0459, “systems, and apparatuses to allow subscribers to monitor or manage the mobile wireless communication devices in a device group from one or more master devices in the device group. Managing includes adding, deleting, or modifying devices or properties of devices”… “one or more device credentials, … is published to a specified device group”), and each of the plurality of managed objects having a configuration comprising one or more thresholds corresponding to one or more network parameters for detecting an attack on the communications network (Raleigh: paragraphs 0385, 0492-0494 and 0529, “the access control integrity server 1654 collects device information on service policy, service usage, agent configuration and/or agent behavior. For example, the access control integrity server 1654 can cross check this information to identify integrity breaches in the service policy implementation and control system.”… “service activity is used to refer to any service usage or traffic usage that can be associated with, for example, an application; a network communication end point, such as an address, uniform resource locator (URL) or other identifier with which the device is communicating”… “device identification and/or credential information via security hardware such as a SIM, one or more IP addresses, one or more MAC addresses, any other network address identifier”); monitoring, by the one or more processors, network traffic from the one or more computing devices of each of the plurality of managed objects over the communications network (Raleigh: paragraphs 0385, 0417, 0431-0432 and 0492-0494 , “collects device information on service policy, service usage, agent configuration and/or agent behavior. For example, the access control integrity server 1654 can cross check this information to identify integrity breaches); detecting, by the one or more processors, a first network parameter of managed object network traffic of a first set of computing devices of a first managed object of the plurality of managed objects exceeds a threshold of a first misuse type of a set of misuse types of the configuration of the first managed object (Raleigh: paragraphs 0439, 0493-0495, 0529, 0922 and 1431-1433, “the access control integrity server 1654 (and/or some other agent of service controller 125) verifies device service policy, and the verification error conditions that can indicate a mismatch in service measure and service policy include one or more of the following: … unauthorized network address; …; and/or any other mismatch in service measure and service policy.”… “notifications are triggered when certain policy events (managed by Policy Management) or certain usage thresholds (managed by Usage Accounting) occur.”); responsive to detecting the first network parameter of the managed object network traffic exceeds the threshold of the first misuse type, identifying, by the one or more processors, a source internet protocol (IP) address for each computing device of the first set of computing devices (Raleigh: paragraphs 0494-0496 and 1430-1434, “the verification error conditions that can indicate a mismatch in service measure and service policy include one or more of the following: …unauthorized network address;”… “detects possible fraudulent activity by end-user device”); and generating, by the one or more processors, a tag in the first managed object for each source IP address for each computing device of the first set of computing devices indicating misuse of the communications network by the source IP address (Raleigh: paragraphs 0446, 0529 and 1431-1434, “sets an indicator or flag to indicate potential fraudulent activity. The indicator or flag is specific to end-user device”… “device identification and/or credential information via security hardware such as a SIM, one or more IP addresses, one or more MAC addresses, any other network address identifier”), wherein the tag is indexed to the source IP address within the first managed object (Raleigh: paragraphs 0529 and 1430-1434, “after service controller 125 has completed the anomaly detection procedure, if the potential fraud indicator or flag is not set, service controller 125 generates charging data records with detailed charging codes for the data usage by end-user device 105. … if the potential fraud indicator or flag is set, service controller 125 waits for the network to send an FDR report via FDR report interface 2040-2 for end-user device 105. When service controller 125 receives the FDR report, service controller 125 performs validation of the carrier-based usage report based on the FDR report.”). Raleigh does not explicitly disclose the following limitation which is disclosed by Feder, wherein the first misuse type corresponds to a distributed denial of service (DDoS) attack type (Feder: paragraphs 0012, 0020 and 0082, “monitor ongoing energy consumption levels to detect possible anomalies, and then take actions at the UE device level, session level, flow level, and/or slice level to mitigate or prevent DoS and/or DDoS attacks”…“ Additionally, or alternatively, the EC DDoS monitoring system may collect statistics to establish a normal and abnormal energy consumption levels of individual UE devices 110, groups of UE devices 110, Protocol Data Unit (PDU) sessions, and/or IP flows to assist in detecting potential DoS or DDoS attacks.”). Raleigh and Feder are analogous art because they are from the same field of endeavor, network protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Raleigh and Feder before him or her, to modify the system of Raleigh to include a first misuse type corresponds to a distributed denial of service (DDoS) attack type of Feder. The suggestion/motivation for doing so would have been to mitigate or prevent DoS and/or DDoS attacks. (Feder: paragraph 0012). Regarding claim 11, claim 11 discloses a system claim that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 11 and rejected for the same reasons. Regarding claim 19, claim 19 discloses a medium claim that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 19 and rejected for the same reasons. Regarding claim 9, Raleigh as modified discloses wherein the set of misuse types comprises one or more of a total traffic type, a character generator amplification type, a connectionless lightweight directory access protocol (CLDAP) amplification type, a domain name system (DNS) type, a DNS amplification type, an internet control message protocol (ICMP) type, an IP fragment type, an IP private type, an IP version four (IPv4) protocol type, a layer two tunneling protocol (L2TP) type, a multicast DNS (mDNS) type, a memcached amplification type, a structured query language (SQL) reporting service (RS) amplification type, a network basic input/output (NetBIOS) type, a network time protocol (NTP) amplification type, a routing information protocol version one (RIPv1) type, a rpcbind type, a simple network management protocol (SNMP) amplification type, a simple service discovery protocol (SSDP) amplification type, a transmission control protocol (TCP) acknowledgment (ACK) type, a TCP null type, a TCP reset (TCP RST) type, a TCP synchronize (TCP SYN) type, a TCP SYN/ACK amplification type, or a user datagram protocol (UDP) type, or a user defined type defined according to criteria comprising one or more of the group consisting of a source port, a destination port, a protocol, and a number of bytes per-packet (Raleigh: paragraphs 0385, 0495-0496 and 1430-1433, “the access control integrity server 1654 (and/or some other agent of service controller 125) verifies device service policy based at least in part on, for example, various error conditions that indicate a mismatch in service measure and service policy. For example, various verification error conditions that can indicate a mismatch in service measure and service policy include one or more of the following: mismatch in one service measure and another service measure; agent failure to report in; agent failure to respond to queries (e.g., challenge-response sequence and/or expected periodic agent reporting); agent failure to respond correctly to challenge/response sequence; agent improperly configured; agent failure in self checks; agent failure in cross-checks; unauthorized agent communication or attempted unauthorized communication; failure in service policy implementation test; failure in service usage reporting test; failure in service usage billing test; failure in transaction billing test; failure in download sequence; environment compromise event, such as unauthorized software load or execution (or attempt), unauthorized memory access (or attempt), unauthorized agent access (or attempt), known harmful software, and/or known harmful communications signature; and/or failure to respond to various messages, such as send message and suspend and/or send message and quarantine.”… “The data elements that may be passed over fraud alert interface 2090-2 include any or all of: IMSI, MSID, MDN, MEID, fraud alert start time, fraud alert end time, affected service plan, affected charging code, fraud reason code (e.g., no device report, count mismatch, etc.). As would be appreciated by a person having ordinary skill in the art, other protocols, data formats, and data elements are possible.”). Regarding claims 10 and 18, Raleigh as modified discloses further comprising: responsive to detecting the first network parameter of the managed object network traffic exceeds the threshold of the first misuse type, executing, by the one or more processors, a mitigation protocol to block network traffic from the first set of computing devices associated with the source IP addresses on the communications network (Raleigh: paragraphs 0439, 0493-0495, 0529 and 0922, “the access control integrity server 1654 (and/or some other agent of service controller 125) verifies device service policy, and the verification error conditions that can indicate a mismatch in service measure and service policy include one or more of the following: … unauthorized network address; …; and/or any other mismatch in service measure and service policy.”… “notifications are triggered when certain policy events (managed by Policy Management) or certain usage thresholds (managed by Usage Accounting) occur.”). Claim(s) 2-5, 12-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Raleigh in view of Feder, and further in view of PANDRANGI (WO 2012040609) (hereinafter PANDRANGI). Regarding claims 2, 12 and 20, Raleigh in view of Feder does not explicitly disclose the following limitation which is disclosed by PANDRANGI, wherein the plurality of managed objects having the configuration further comprises a plurality of IP address thresholds (PANDRANGI: paragraphs 005-007, “embodiments utilize an IP prioritization technique that allows for thresholds to be applied at different confidence levels”), the plurality of IP address thresholds at least comprising: a first threshold, a second threshold greater than the first threshold, and a third threshold greater than the second threshold (PANDRANGI: paragraphs 006, 012-013 and 031-034, “Some embodiments utilize an IP prioritization technique that allows for thresholds to be applied at different confidence levels as described below”… “The level of network traffic is determined and adjusted by limiting the network traffic of a second subset of client IP addresses based on a confidence score less than a second threshold, where the second threshold is greater than the first threshold.”). Raleigh in view of Feder and PANDRANGI are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Raleigh in view of Feder and PANDRANGI before him or her, to modify the system of Raleigh in view of Feder to include a plurality of managed objects having a configuration further comprises a plurality of IP address thresholds of PANDRANGI. The suggestion/motivation for doing so would have been to detect and mitigate DDoS attacks are needed (PANDRANGI: paragraph 002). Regarding claims 3 and 13, Raleigh as modified discloses further comprising: responsive to identifying, by the one or more processors, the source IP address for each computing device of the first set of computing devices, detecting, by the one or more processors, an amount of source IP addresses of the first set of computing devices (PANDRANGI: paragraphs 006, 012-013 and 031-034, “Some embodiments utilize an IP prioritization technique that allows for thresholds to be applied at different confidence levels as described below”… “The level of network traffic is determined and adjusted by limiting the network traffic of a second subset of client IP addresses based on a confidence score less than a second threshold, where the second threshold is greater than the first threshold.”); and identifying, by the one or more processors, the amount of source IP addresses exceeds a first IP address threshold of the plurality of IP address thresholds (PANDRANGI: paragraphs 006, 012-013 and 031-034, “Some embodiments utilize an IP prioritization technique that allows for thresholds to be applied at different confidence levels as described below”… “The level of network traffic is determined and adjusted by limiting the network traffic of a second subset of client IP addresses based on a confidence score less than a second threshold, where the second threshold is greater than the first threshold.”). The same motivation to modify Raleigh in view of Feder and PANDRANGI, as applied in claim 2 above, applies here. Regarding claims 4 and 14, Raleigh as modified further comprising: responsive to identifying, by the one or more processors, the amount of source IP addresses exceeds the first IP address threshold, generating, by the one or more processors, a severity alert corresponding to the first IP address threshold, wherein the first IP address threshold corresponds to the first threshold, and the severity alert is an alert of low severity (PANDRANGI: paragraphs 033-034, “During an attack, the thresholds for the various actions (e.g., drop, inspect, rate limit, queue, accept, and the like) are shifted such that the actions are applied at higher confidence levels”… “As the attack lessens, the thresholds can be shifted to lower confidence levels, effectively accepting more packets and allowing more traffic at lower confidence levels to be passed through the network”); or wherein the first IP address threshold corresponds to the second threshold, and the severity alert is an alert of medium severity; generating, by the one or more processors, a set of notifications corresponding to the alert of medium severity and event tracking data corresponding to the first set of computing devices; or wherein the first IP address threshold corresponds to the third threshold, and the severity alert is an alert of high severity (PANDRANGI: paragraphs 033-034, “During an attack, the thresholds for the various actions (e.g., drop, inspect, rate limit, queue, accept, and the like) are shifted such that the actions are applied at higher confidence levels”); and executing, by the one or more processors, one or more mitigation actions corresponding to an auto-mitigation configuration of the first managed object (PANDRANGI: paragraphs 043-044, “if a whitelist has not included an IP address, and a new client begins communication during a DDoS attack, the network traffic can be analyzed to determine that the client is malicious and the client can be blocked”). The same motivation to modify Raleigh in view of Feder and PANDRANGI, as applied in claim 2 above, applies here. Regarding claims 5 and 15, Raleigh as modified discloses further comprising: detecting, by the one or more processors, a second network parameter of the managed object network traffic of the first set of computing devices exceeds a second threshold of a second misuse type of the set of misuse types of the configuration of the first managed object (PANDRANGI: paragraphs 006, 012-013 and 031-034); responsive to detecting, by the one or more processors, the second network parameter of the managed object network traffic exceeds the threshold of the second misuse type, identifying, by the one or more processors, the source IP address for each computing device of the first set of computing devices (PANDRANGI: paragraphs 006, 012-013 and 031-034); and identifying, by the one or more processors, the source IP addresses of the first set of computing devices are associated with the tag in the first managed object (PANDRANGI: paragraphs 006, 012-013 and 031-034, “Some embodiments utilize an IP prioritization technique that allows for thresholds to be applied at different confidence levels as described below”… “The level of network traffic is determined and adjusted by limiting the network traffic of a second subset of client IP addresses based on a confidence score less than a second threshold, where the second threshold is greater than the first threshold.”). The same motivation to modify Raleigh in view of Feder and PANDRANGI, as applied in claim 2 above, applies here. Claim(s) 6-8 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Raleigh in view of Feder, and further in view of Visbal (US 9100428) (hereinafter Visbal). Regarding claims 6 and 16, Raleigh in view of Feder does not explicitly disclose the following limitation which is disclosed by Visbal, further comprising: generating a visualization for a computing device (Visbal: paragraphs 37 and 90-93, “the reporting module 158 may generate a user interface, a heat map, web site, or some other kinds of representation of the scores generated by the threat reputation score module 152 and/or the usage score module 154.”), the visualization comprising a plurality of graphical depictions that are representative of at least a portion of the plurality of managed objects, each graphical depiction of the plurality of graphical depictions representative of one or more source IP addresses corresponding to one or more computing devices of the portion of the plurality of managed objects, wherein a first graphical depiction of the plurality of graphical depictions is representative of the source IP addresses of the first set of computing devices, the first graphical depiction indicating misuse of the communications network by the source IP addresses (Visbal: paragraphs 90-93, “a two-dimensional example heat map illustrating several IP addresses within a threat reputation scores and usage scores matrix. The heat map 800 includes two dimensions, the horizontal dimension representing threat score 870 and the vertical dimension representing usage score 860. The heat map may display the scores associated with a plurality of IP addresses.”… “An IP address 852 with a low threat reputation score appears on the left part of the heat map 800. An IP address 853 associated with a high usage score usually appears on the upper part of the heat map”). Raleigh in view of Feder and Visbal are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Raleigh in view of Feder and Visbal before him or her, to modify the system of Raleigh in view of Feder to include a visualization comprising a plurality of graphical depictions that are representative of at least a portion of a plurality of managed objects, each graphical depiction of the plurality of graphical depictions representative of one or more source IP addresses corresponding to one or more computing devices of a portion of the plurality of managed objects of Visbal. The suggestion/motivation for doing so would have been for recognizing noteworthy IP addresses for further analysis and also for displaying trends of possible network threats (Visbal: paragraph 93). Regarding claims 7 and 17, Raleigh as modified discloses wherein the visualization comprises a heat map comprising the plurality of graphical depictions, a timeline, and a plurality of electronic representations of the portion of the plurality of managed objects, wherein the graphical depictions are visualized on the timeline that is representative of a period of time input by an operator of the computing device (Visbal: paragraphs 90-93, “each IP address may be represented by the reporting module 158 in the heat map 800 using its threat reputation score and usage score. As can be seen from the heat map 800, an IP address 851 with a high threat reputation score appears on the right part of the heat map 800. An IP address 852 with a low threat reputation score appears on the left part of the heat map”). The same motivation to modify Raleigh in view of Feder and Visbal, as applied in claim 6 above, applies here. Regarding claim 8, Raleigh as modified discloses wherein the visualization comprises a line graph comprising the plurality of graphical depictions and a timeline, wherein the graphical depictions are visualized on the timeline that is representative of a period of time input by an operator of the computing device (Visbal: paragraphs 51-52, “Depending on the embodiment, other graphical indicators may be provided (e.g., rather than the bombs shown in example table 430), and various algorithms may be used in interpreting threat usage and/or usage scores in order to determine graphical representations.”). The same motivation to modify Raleigh in view of Feder and Visbal, as applied in claim 6 above, applies here. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TRANG T DOAN/Primary Examiner, Art Unit 2431
Read full office action

Prosecution Timeline

Oct 16, 2024
Application Filed
Feb 03, 2026
Non-Final Rejection mailed — §103
Feb 09, 2026
Response Filed
Feb 09, 2026
Examiner Interview Summary
Feb 09, 2026
Applicant Interview (Telephonic)
Jun 04, 2026
Final Rejection mailed — §103
Jun 08, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12671996
UPGRADING CONTROL PLANE NETWORK FUNCTIONS WITH PROACTIVE ANOMALY DETECTION CAPABILITIES
2y 8m to grant Granted Jun 30, 2026
Patent 12664294
CONTROL OF ACCESS TO RESOURCES OF DATA OBJECTS
3y 9m to grant Granted Jun 23, 2026
Patent 12665738
APPARATUS AND METHOD FOR CRYPTOGRAPHY SECURE AGAINST SIDE-CHANNEL ATTACKS
2y 5m to grant Granted Jun 23, 2026
Patent 12665875
NETWORKING AND SECURITY SPLIT ARCHITECTURE
1y 11m to grant Granted Jun 23, 2026
Patent 12645836
SYSTEMS AND METHODS FOR CONTROLLING DATA EXPOSURE USING ARTIFICIAL- INTELLIGENCE-BASED MODELING
1y 8m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

2-3
Expected OA Rounds
83%
Grant Probability
99%
With Interview (+17.4%)
3y 4m (~1y 7m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 624 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month