Prosecution Insights
Last updated: July 17, 2026
Application No. 18/999,728

Efficient Threat Context-Aware Packet Filtering for Network Protection

Non-Final OA §103
Filed
Dec 23, 2024
Priority
Apr 20, 2021 — continuation of 11/159,546 +5 more
Examiner
CHOY, KA SHAN
Art Unit
Tech Center
Assignee
Centripetal Networks LLC
OA Round
1 (Non-Final)
94%
Grant Probability
Favorable
1-2
OA Rounds
7m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 94% — above average
94%
Career Allowance Rate
253 granted / 270 resolved
+33.7% vs TC avg
Moderate +10% lift
Without
With
+9.9%
Interview Lift
resolved cases with interview
Fast prosecutor
2y 1m
Avg Prosecution
14 currently pending
Career history
283
Total Applications
across all art units

Statute-Specific Performance

§101
4.5%
-35.5% vs TC avg
§103
69.6%
+29.6% vs TC avg
§102
4.5%
-35.5% vs TC avg
§112
14.0%
-26.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 270 resolved cases

Office Action

§103
DETAILED ACTION This office action is in response to the correspondence filed on 12/23/2024. Claim 1 is pending and are examined. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Information Disclosure Statement The information disclosure statement (IDS) was submitted on 08/07/2025 x2 and 03/02/2026. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. US 11159546 B1 (US Application No. 17235544) , claim 1 of U.S. Patent No. US 11349854 B1 (US Application No. 17508614), claim 1 of U.S. Patent No. US 11316876 B1 (US Application No. 17508596), claim 1 of U.S. Patent No. US 11438351 B1 (US Application No. 17713827), claim 1 of U.S. Patent No. US 11444963 B1 (US Application No. 17695047), claim 1 of U.S. Patent No. US 11552970 B2 (US Application No. 17866208), claim 1 of U.S. Patent No. US 11824875 B2 (US Application No. 18084366), and over claim 1 of U.S. Patent No. US 12218959 B2 (US Application No. 18380016). Although the claims at issue are not identical, they are not patentably distinct from each other because the claim in the instant application is anticipated by the ones in the various issued patents. The instant application has the basic elements of a packet-filtering appliance including receiving multiple cyber threat intelligence reports and performing some actions based on threat context information while the various issued patents are narrower in scope in which they have the same basic elements plus additional details about more specific threat context information, matching criteria, second in-transit packet, etc. Please see the example below in claim 1 of the instant application and claim 1 of the various issued patents. Instant Application U.S. Patent No. 11159546 B1 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A method comprising: receiving, by a packet-filtering appliance, a plurality of packet-filtering rules, wherein the packet-filtering rules were determined based on a plurality of threat indicators that were determined based on cyber intelligence reports from a plurality of cyber threat intelligence providers; receiving, from a first network, an in-transit packet destined to a second network; based on determining that the in-transit packet matches a first packet-filtering rule of the plurality of packet-filtering rules, determining an observation time of the in-transit packet; determining, based on the observation time, a disposition; and applying the disposition to the in-transit packet. Instant Application U.S. Patent No. 11349854 B1 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A method comprising: receiving, by a packet-filtering appliance configured to process a plurality of in-transit packets traversing a boundary from a first network to a second network, a plurality of packet-filtering rules each indicating a criterion and an action to be performed, wherein: the packet-filtering appliance is configured to process each in-transit packet of the plurality of in-transit packets before processing an immediately subsequent in-transit packet of the plurality of in-transit packets, the packet-filtering rules were determined based on a plurality of threat indicators that were determined based on cyber threat intelligence reports of a plurality of cyber threat intelligence providers, and a first packet-filtering rule of the plurality of packet-filtering rules indicates a first criterion and that an action is to be determined after an in-transit packet matching the first packet-filtering rule is received; Instant Application U.S. Patent No. 11316876 B1 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A method comprising: receiving, by a packet-filtering appliance configured to process packets in-transit traversing a boundary between a first network and a second network, a plurality of packet-filtering rules each indicating a criterion and an action to be performed, wherein: the packet-filtering rules were determined based on a plurality of threat indicators that were determined based on cyber threat intelligence reports of a plurality of cyber threat intelligence providers, and a first packet-filtering rule of the plurality of packet-filtering rules indicates a first criterion and that an action is to be determined after an in-transit packet matching the first packet-filtering rule is received; receiving, by the packet-filtering appliance from the first network and at a first time, a first in-transit packet destined to the second network; based on determining that the first in-transit packet matches the first criterion of the first packet-filtering rule, the packet-filtering appliance: determining first threat context information associated with the receiving the first in-transit packet; determining, based on the first threat context information, a first action; and applying the first action to the first in-transit packet; receiving, by the packet-filtering appliance from the first network and at a second time, a second in-transit packet destined to the second network; and based on determining that the second in-transit packet matches the first criterion of the first packet-filtering rule, the packet-filtering appliance: determining second threat context information associated with the receiving the second in-transit packet, wherein the second threat context information has at least one value different from the first threat context information; determining, based on the second threat context information and independently from the determining the first action, a second action; and applying the second action to the second in-transit packet. Instant Application U.S. Patent No. 11438351 B1 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A method comprising: receiving, by a packet-filtering appliance configured to process a plurality of in-transit packets traversing a boundary between a first network and a second network, a plurality of packet-filtering rules each indicating one or more criteria and one or more actions to be performed, wherein: the packet-filtering appliance is configured to process each in-transit packet of the plurality of in-transit packets before processing an immediately subsequent in-transit packet of the plurality of in-transit packets, the packet-filtering rules were automatically generated based on a plurality of threat indicators that were determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of threat indicators comprises a plurality of network addresses associated with one or more network threats identified by the one or more cyber threat intelligence providers, and a first packet-filtering rule of the plurality of packet-filtering rules indicates at least one criterion and a disposition indication, wherein the disposition indication corresponds to a disposition that is to be determined after an in-transit packet matching the first packet-filtering rule is received; receiving, by the packet-filtering appliance from the first network and at a first time, a first in-transit packet of the plurality of in-transit packets; based on determining that the first in-transit packet matches the at least one criterion of the first packet-filtering rule, the packet-filtering appliance processing the first in-transit packet by: determining first threat context information associated with the receiving the first in-transit packet; determining, based on the first threat context information, a first disposition; determining, based on the first disposition, a first directive; and applying the first disposition and the first directive to the first in-transit packet; receiving, by the packet-filtering appliance from the first network and at a second time, a second in-transit packet of the plurality of in-transit packets; and based on determining that the second in-transit packet matches the at least one criterion of the first packet-filtering rule, the packet-filtering appliance processing, after the processing the first in-transit packet, the second in-transit packet by: determining second threat context information associated with the receiving the second in-transit packet, wherein the second threat context information has at least one value different from the first threat context information; determining, based on the second threat context information, a second disposition; determining, based on the second disposition, a second directive; and applying the second disposition and the second directive to the second in-transit packet. Instant Application U.S. Patent No. 11444963 B1 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A method comprising: receiving, by a packet-filtering appliance configured to process packets in-transit traversing a boundary between a first network and a second network, a plurality of packet-filtering rules each indicating one or more criteria and one or more actions to be performed, wherein: the packet-filtering rules were automatically generated based on a plurality of threat indicators that were determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of threat indicators comprises a plurality of network addresses associated with one or more network threats identified by the one or more cyber threat intelligence providers, and a first packet-filtering rule of the plurality of packet-filtering rules indicates at least one criterion and comprises a disposition indication, wherein the disposition indication corresponds to a disposition that is to be determined after an in-transit packet matching the first packet-filtering rule is received; receiving, by the packet-filtering appliance from the first network and at a first time, a first in-transit packet destined to the second network; based on determining that the first in-transit packet matches the at least one criterion of the first packet-filtering rule, the packet-filtering appliance performing: determining first threat context information associated with the receiving the first in-transit packet; determining, based on the first threat context information, a first disposition; determining, based on the first disposition, a first directive; and applying the first disposition and the first directive to the first in-transit packet; receiving, by the packet-filtering appliance from the first network and at a second time, a second in-transit packet destined to the second network; and based on determining that the second in-transit packet matches the at least one criterion of the first packet-filtering rule, the packet-filtering appliance performing: determining second threat context information associated with the receiving the second in-transit packet, wherein the second threat context information has at least one value different from the first threat context information; determining, based on the second threat context information and independently from the determining the first disposition, a second disposition; determining, based on the second disposition, a second directive; and applying the second disposition and the second directive to the second in-transit packet. Instant Application U.S. Patent No. 11552970 B2 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A packet-filtering appliance comprising: one or more processors; and one or more non-transitory computer-readable media storing instructions that, when executed by the one or more processors, configure the packet-filtering appliance to: receive a first in-transit packet that is in transit from a first network toward a second network, wherein: the packet-filtering appliance is configured to process, based on a plurality of packet-filtering rules, packets in-transit traversing a boundary between the first network and the second network, the plurality of packet-filtering rules each indicates one or more criteria and one or more actions to be performed, and the packet-filtering rules were automatically generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of threat indicators comprises a plurality of network addresses associated with one or more network threats identified by the one or more cyber threat intelligence providers; based on a determination that the first in-transit packet matches at least one criterion indicated by a first packet-filtering rule of the plurality of packet-filtering rules: determine, based on at least one action indicated by the first packet-filtering rule, first threat context information associated with the first in-transit packet; and based on the first threat context information, allow the first in-transit packet to proceed toward a destination of the first in-transit packet; receive, subsequent to the packet-filtering appliance receiving the first in-transit packet, a second in-transit packet that is in transit from the first network toward the second network; and based on a determination that the second in-transit packet matches the at least one criterion indicated by the first packet-filtering rule: determine, based on the at least one action indicated by the first packet-filtering rule, second threat context information associated with the second in-transit packet, wherein the second threat context information is determined based on the first in-transit packet and the second in-transit packet; determine, based on the second threat context information, that the second in-transit packet is part of an active attack; and based on determining that the second in-transit packet is part of the active attack, drop the second in-transit packet to prevent the second in-transit packet from proceeding toward a destination of the second in-transit packet. Instant Application U.S. Patent No. 11824875 B2 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to perform: receiving a plurality of packet-filtering rules each indicating one or more packet-matching criteria and an action to be performed, wherein: the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses, and a first packet-filtering rule, of the plurality of packet-filtering rules, associated with an action that is to be determined after an in-transit packet matching first one or more packet-matching criteria of the first packet-filtering rule is received; receiving threat context information indicating an attack on a third network and comprising one or more network addresses associated with the attack on the third network; receiving, from a first network, a first in-transit packet destined to at least one location in a second network; and based on determining that the first in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule, filtering the first in-transit packet by: determining, based on the threat context information, a first action; and applying the first action to the first in-transit packet. Instant Application U.S. Patent No. 12218959 B2 1. (New) A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria and one or more actions to be performed, wherein the packet- filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet- filtering rules: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. 1. A packet-filtering appliance comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: receive a plurality of packet-filtering rules each indicating one or more packet-matching criteria and one or more actions to be performed, wherein: the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators, and wherein the plurality of threat indicators comprises a plurality of network addresses, and a first packet-filtering rule, of the plurality of packet-filtering rules, indicates a first directive and is associated with a disposition that is to be determined after an in-transit packet matching first one or more packet-matching criteria of the first packet-filtering rule is received; receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; based on determining that the first in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule: determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; determine, based on the first threat context information, a first disposition; selectively apply, based on the first disposition and to the first in-transit packet, the first directive of the first packet-filtering rule; and apply the first disposition to the first in-transit packet; receive, from the first network and at a second time, a second in-transit packet destined to at least one location in the second network; and based on determining that the second in-transit packet matches the first one or more packet-matching criteria of the first packet-filtering rule: determine second threat context information associated with receipt of the second in-transit packet by the packet-filtering appliance, wherein the second threat context information has at least one value different from the first threat context information; determine, based on the second threat context information and independently from the determining the first disposition, a second disposition different from the first disposition; and selectively apply, based on the second disposition and to the second in-transit packet, the first directive of the first packet-filtering rule; and apply the second disposition to the second in-transit packet. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin et al. (US Pub No. 2022/0159036 A1, referred to as Tsirkin), in view of Cai et al. (US Pub No. 2012/0215862 A1, referred to as Cai). Regarding claim 1, Tsirkin discloses, 1. (New) A packet-filtering appliance comprising: one or more processors; and (Tsirkin: Claim 8) memory storing instructions that, when executed by the one or more processors, cause the packet-filtering appliance to: (Tsirkin: Claim 8) …and one or more actions to be performed, (Tsirkin: [0030]; the filtering rule may specify an action to take, such as block the malicious packet, discard the malicious packet, or the like.) …receive, from a first network and at a first time, a first in-transit packet destined to at least one location in a second network; and (Tsirkin: Fig. 11A; [00135]; filtering rule applying module 1130A may apply the filtering rule 304A to subsequent packets 1102A addressed to the virtual machine 121A and subsequent packets 1104A addressed to the virtual machine 121B to determine whether any of the subsequent packets 1102A and/or subsequent packets 1104A are to be discarded.) after determining that the first in-transit packet matches a first one or more packet-matching criteria of a first packet-filtering rule of the plurality of packet-filtering rules: (Tsirkin: [0030].) determine first threat context information associated with receipt of the first in-transit packet by the packet-filtering appliance; and (Tsirkin: [0030]; the hypervisor or host OS (e.g., supervisor) may determine that any packet accessed in the filtering queue is malicious… the characteristics may include a source address of the source of the malicious packet, a snippet of data from the malicious packet, or the like.) apply, based on the first threat context information, one or both of a disposition or a directive to the first in-transit packet. (Tsirkin: [0030]; the filtering rule may specify an action to take, such as block the malicious packet, discard the malicious packet, or the like.) Tsirkin does not explicitly disclose, however Cai teaches, …receive a plurality of packet-filtering rules each indicating one or more packet- matching criteria… (Cai: Fig. 4; [0040]; in step 406, spam center 130 distributes (receives) the spam filtering rules to one or more of the entities for filtering spam in subsequent electronic messages.) wherein the packet-filtering rules were generated based on a plurality of threat indicators that were previously determined based on a plurality of cyber threat intelligence reports from one or more cyber threat intelligence providers, and wherein the plurality of cyber threat intelligence reports comprises the plurality of threat indicators; (Cai: [0006]; a centralized spam center receives spam reports from entities (cyber threat intelligence providers) that detect spam in electronic messages that they previously handled. The spam center processes the spam reports (cyber threat intelligence reports for spam threat indicators) to generate spam filtering rules (packet filtering rules), and distributes the spam filtering rules to message centers or other entities within the network. The entities may then use the spam filtering rules to filter spam in subsequently-received electronic messages.) It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Cai into the teachings of Tsirkin with a motivation to improve the robustness and performance of threat filters by collecting knowledge and learning experience from other similar threat detection entities. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. NIMMAGADDA; Srinivas et al. US-PGPUB US 20190007454 A1 Dynamic implementation of a security rule ISHIKAWA; Mark M. US-PGPUB US 20080270601 A1 Method for service attack detection on a network Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571)272-1569. The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KA SHAN CHOY/Primary Examiner, Art Unit 2435
Read full office action

Prosecution Timeline

Dec 23, 2024
Application Filed
Jun 30, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676875
LEVERAGING GLOBAL EXPLANATIONS ON A RESTRICTED EDGE ENVIRONMENT
2y 2m to grant Granted Jul 07, 2026
Patent 12671701
SCRIPTING ATTACK DETECTION AND MITIGATION USING CONTENT SECURITY POLICY VIOLATION REPORTS
2y 2m to grant Granted Jun 30, 2026
Patent 12671715
DETECTING AND MITIGATING FORGED AUTHENTICATION ATTACKS WITHIN A DOMAIN
2y 1m to grant Granted Jun 30, 2026
Patent 12659298
SYSTEM, METHOD, AND DATA DIODE FOR SELECTIVE UNIDIRECTIONAL DATA TRANSFER
2y 1m to grant Granted Jun 16, 2026
Patent 12659334
METHOD AND DEVICE FOR PROCESSING A NETWORK DATA STREAM
2y 3m to grant Granted Jun 16, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
94%
Grant Probability
99%
With Interview (+9.9%)
2y 1m (~7m remaining)
Median Time to Grant
Low
PTA Risk
Based on 270 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month