Prosecution Insights
Last updated: July 17, 2026
Application No. 19/018,538

IDENTIFYING MALICIOUS NETWORK TRAFFIC BEHAVIOR USING FLOW-BASED PACKET PAYLOAD LENGTH AGGREGATION

Non-Final OA §103§112
Filed
Jan 13, 2025
Priority
Sep 27, 2024 — provisional 63/700,426
Examiner
TAYLOR, SAKINAH W
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
SOPHOS Limited
OA Round
1 (Non-Final)
87%
Grant Probability
Favorable
1-2
OA Rounds
1y 0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 87% — above average
87%
Career Allowance Rate
332 granted / 383 resolved
+28.7% vs TC avg
Strong +23% interview lift
Without
With
+23.2%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
13 currently pending
Career history
396
Total Applications
across all art units

Statute-Specific Performance

§101
0.3%
-39.7% vs TC avg
§103
94.9%
+54.9% vs TC avg
§102
2.2%
-37.8% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 383 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-20 have been examined and are pending. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1 and 15 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 6, 10, 13, and 18 of U.S. Patent No.11159560 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because both inventions use generated images from payload data are used to train and normalize data points for identifying malicious applications. Claim 1, 11, and 15 provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1, 12, and 20 of copending Application No. 18/809841. Although the claims at issue are not identical, they are not patentably distinct from each other because both inventions use generated images from payload data are used to place in a matrix which are converted data points into pixels of the target image. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented. Furthermore, Claims 1, 11, and 15 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 12, and 20 of copending Application No. 18/809841 in view of US Patent No. 11159560 B1. As to claims 1, 12, and 20, Copending Application No. 18/809841 does not discloses the method according to claim 1, 11, and 15, capturing, by network detection and response (NDR) software executing on one or more computing devices, packets of a target packet flow traveling over a network between a target client application and a target server application, the packets of the target packet flow having respective packet payload lengths; aggregating, by the NDR software, the packet payload length of one or more packets of the target packet flow that are part of same segments to produce a plurality of segment payload lengths; generating a target image from the segment payload lengths by organizing datapoints based on the segment payload lengths into a matrix and converting the data points in the matrix into pixels of the target image; applying the target image to a trained machine learning (ML) model configured to determine a likelihood network traffic behavior between the target client application and the target server application is malicious network traffic behavior; and performing, by the NDR software, a remedial action in response to the likelihood. However, Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020, in view of, Shah et al, hereinafter (“Shah”) US PG Publication 20240396913 A1 discloses the method according to claims 1, 11, and 15, capturing target data from a target flow of network packets; generating a target image from the target data by generating a set of data points based on the target data, placing the set of data points in a matrix, and converting the matrix into the target image by converting each data point in the matrix into a pixel of the target image. It would have been obvious to one of ordinary skill in the art at the time of invention to combine the teaching of Shah with the teaching of Copending Application No. 18/809841 by including the feature of generating an image from converted data points from matrix. Information Disclosure Statement The information disclosure statement (IDS) submitted on 01/13/2025 and 02/25/2026 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 6 recites the limitation "…wherein the packets of a target packet flow…" in line 1 due to claim 1 line 3. There is insufficient antecedent basis for this limitation in the claim. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 1, 5-6, 9-10, 15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020, in view of, Shah et al, hereinafter (“Shah”) US PG Publication 20240396913 A1. Regarding claims 1, 15 and 18-19, Orans teaches a method for identifying malicious network traffic behavior, comprising; and a non-transitory computing device readable medium having instructions stored thereon, the instructions when executed by one or more computing devices operable to: [Orans p. 1, ¶Introduction: market guide for network detection and response with added automated and manuals response feature solutions] capturing, by network detection and response (NDR) software executing on one or more computing devices, packets of a target packet flow traveling over a network between a target client application and a target server application, the packets of the target packet flow having respective packet payload lengths [Orans et al, “Market Guide for Network Detection and Response” p. 2, ¶1 “NDR tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior... In addition to monitoring north/south traffic that crosses the enterprise perimeter, NDR solutions can also monitor east/west communications by analyzing traffic from strategically placed network sensors.” P. 3 ¶Market Direction “…ability to detect suspicious traffic without decrypting the TLS traffic and inspecting the payload…techniques such as analyzing the length of individual packets…”]; aggregating, by the NDR software, the packet payload length of one or more packets of the target packet flow that are part of same segments to produce a plurality of segment payload lengths [Orans p. 12, Vendor Profiles/Vectra ¶1 vendor uses supervised machine learning to detect global threats using JA3 fingerprinting and other techniques for monitoring and investigating; where event aggregation and automated response]; and performing, by the NDR software, a remedial action in response to the likelihood [Orans p. 11, Vendor Profiles/Lastline ¶¶2-3 anomaly detection to JA3 hashes have automated responses from sensors deployed in-inline which suspicious traffic can be blocked.]. While Orans teaches a network detection and response (NDR) software that captures and aggregates packets of the target packet flow having respective packet payload lengths and aggregating the packet payload length of one or more packets of the target packet flow that are part of same segments to produce a plurality of segment payload lengths; to determine a likelihood network traffic behavior between the target client application and the target server application is malicious network traffic behavior [Oran Market Description p. 2 ¶Inclusion Criteria; Vendor Profiles/FireEye p. 9 ¶1 FireEye SmartVision is its NDR solution, specialized on server-side traffic. SmartVision physical or virtual sensors are deployed typically to intercept client-to-server traffic.]; however, Orans fails to explicitly teach but Shah teaches generating a target image from the segment payload lengths by organizing datapoints based on the segment payload lengths into a matrix and converting the data points in the matrix into pixels of the target image [Shah Abstract ¶¶0006-0014 and 0039 at step 114 process 114 may take data of received packets and convert data into a data format; amenable to generating an image where the sequential bytes of data of packet may be converted into defined pixels (or similar attributes or portions) of an image. ¶0056 for example, convert decimal values to RGB scale (or other image format)]; and applying the target image to a trained machine learning (ML) model configured to determine a likelihood network traffic behavior between the target client application and the target server application is malicious network traffic behavior [Shah Abstract ¶¶0060 leverages AI techniques for (near-) real-time detection of network attacks]; Orans teaches all the features of claims 1 not generating a target image from the segment payload lengths by organizing datapoints based on the segment payload lengths into a matrix and converting the data points in the matrix into pixels of the target image and applying the target image to a trained machine learning (ML) model configured to determine a likelihood network traffic behavior between the target client application and the target server application is malicious network traffic behavior. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because both Shah and Orans are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the detection process by training a neural network model [Shah ¶¶0006-0014 0039-0040 0046]. Regarding claim 5, the combination of Orans and Shah teach claim 1 as described above. Orans teaches a handshake and aggregating [Orans Vendor Profiles: Blue Hexagon p. 6 TLS handshake, Vectra p.12, para 1 event aggregation ]; however, Orans fails to explicitly teach but Shah teaches wherein the packets of the target packet flow include handshake packets used to conduct a multi-way handshake and non-handshake packets, and the aggregating aggregates packet payload length of the non-handshake packets [Shah ¶0034 TCP three-way handshakes]. Orans teaches all the features of claims 1 not wherein the packets of the target packet flow include handshake packets used to conduct a multi-way handshake and non-handshake packets, and the aggregating aggregates packet payload length of the non-handshake packets. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because both Shah and Orans are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the detection process by training a neural network model [Shah ¶¶0006-0014 0039-0040 0046]. Regarding claim 6, the combination of Orans and Shah teach claim 1 as described above. Orans teaches wherein the packets of a target packet flow include packets having encrypted payloads, and the aggregating produces the plurality of segment payload lengths without decrypting the encrypted payloads [Orans Blue Hexagon, p. 6 para 1 solution uses TLS handshake and tunnel characteristics to detect anomalies on encrypted traffic]. Regarding claim 9, the combination of Orans and Shah teach claim 1 as described above. However, Orans fails to explicitly teach but Shah teaches wherein the trained ML model is a convolutional neural network (CNN) trained upon training images generated from training packet flows exhibiting known malicious network traffic behavior, and the applying further comprises: calculating an extent a pattern in the target image matches a pattern in one or more of the training images to determine the likelihood [Shah ¶0034 forward and backward packet patterns compared to normal traffic¶0043 the neural network may be a CNN or similar type of model useful for processing and classifying images. ]. Orans teaches all the features of claims 1 not wherein the trained ML model is a convolutional neural network (CNN) trained upon training images generated from training packet flows exhibiting known malicious network traffic behavior, and the applying further comprises: calculating an extent a pattern in the target image matches a pattern in one or more of the training images to determine the likelihood. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because both Shah and Orans are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the detection process by training a neural network model [Shah ¶¶0006-0014 0039-0040 0046]. Regarding claim 10, the combination of Orans and Shah teach claim 1 as described above. However, Orans fails to explicitly teach but Shah teaches wherein the remedial action comprises providing an alert that the network traffic behavior is likely malicious network traffic behavior, blocking execution of the target client application and/or the target server application, or blocking one or more other applications from communicating with the target client application and/or the target server application [Shah ¶0044 then process 100 may proceed to take preventative action, mitigate harm, and/or alert a human user or other application at block 122. For example, process 100 may trigger a quarantine of the flow]. Orans teaches all the features of claims 1 not wherein the remedial action comprises providing an alert that the network traffic behavior is likely malicious network traffic behavior, blocking execution of the target client application and/or the target server application, or blocking one or more other applications from communicating with the target client application and/or the target server application. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because both Shah and Orans are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to provide additional remedial actions [Shah ¶0044]. Claim(s) 2-3 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020, in view of, Shah et al, hereinafter (“Shah”) US PG Publication 20240396913 A1, in view of Litichever et al 20200389469 A1. Regarding claims 2 and 16, the combination of Orans and Shah teach claim 1 as described above. However, the combination of Orans and Shah fail to explicitly teach but Litichever teaches wherein the segments are TCP segments, the segment payload lengths are TCP segment payload lengths, and the aggregating comprises: adding together packet payload lengths until an indicator is encountered in a packet of the target packet flow [Litichever et al 20200389469 A1 ¶0151 ¶0152 field indicates which packet queue should be used]. The combination of Orans and Shah teach all the features of claims 1 and 15 not wherein the segments are TCP segments, the segment payload lengths are TCP segment payload lengths, and the aggregating comprises: adding together packet payload lengths until an indicator is encountered in a packet of the target packet flow. Litichever teaches a system for tunnel-based malware detection. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because both Shah Orans and Litichever are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the further combined with analysis to use TCP flags for the detection process as taught by Litichever [Litichever ¶0610]. Regarding claims 3 and 17, the combination of Orans Shah and Litichever teach claim 2 as described above. However, the combination of Orans and Shah fail to explicitly teach but Litichever teaches wherein the indicator is a TCP Finish (FIN) flag, a TCP Reset (RST) flag, or a TCP Push (PSH) flag [Litichever et al 20200389469 A1 ¶0610 analyzer server 81 may could mitigate Denial-of-Service (DoS) attacks by controlling the use of TCP flags such as PSH]. The combination of Orans and Shah teach all the features of claims 1 and 15 not wherein the indicator is a TCP Finish (FIN) flag, a TCP Reset (RST) flag, or a TCP Push (PSH) flag. Litichever teaches a system for tunnel-based malware detection. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because both Shah Orans and Litichever are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the further combined with analysis to use TCP flags for the detection process as taught by Litichever [Litichever ¶0610]. Claim(s) 4 is rejected under 35 U.S.C. 103 as being unpatentable over Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020, in view of, Shah et al, hereinafter (“Shah”) US PG Publication 20240396913 A1, in view of Lim et al, hereinafter (“Lim”), US PG Publication 20220174083 A1. Regarding claim 4, the combination of Orans and Shah teach claim 1 as described above. Shah teaches wherein one or more of the segments include a plurality of packets having payloads split [Shah ¶¶0062 0064 and packet parser include seven auxiliary features and a total of 1486 packet-based features; Table 2 packet parser component for each attack type ]; however, the combination of Orans and Shah fail to explicitly teach but Lim teaches wherein one or more of the segments include a plurality of packets having payloads split due to a maximum transmission unit (MTU) value used in the network [Lim ¶¶0058-0059 communicating party prepares record frame by dividing into several segments as consecutive bits within payload of different packets; where corresponding size may be larger than a maximum transmission unit (MTU) allowed for packet delivery.]. The combination of Orans and Shah teach all the features of claims 1 and 15 not wherein one or more of the segments include a plurality of packets having payloads split due to a maximum transmission unit (MTU) value used in the network. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Lim teaches a method and device for detecting malicious activity over encrypted secure channel. Because Shah Orans and Lim are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the further combined with analysis to use TCP flags for the detection process as taught by Litichever [Litichever ¶0610]. Claim(s) 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020, in view of, Shah et al, hereinafter (“Shah”) US PG Publication 20240396913 A1, in view of Averbuch et al, hereinafter (“Averbuch”), US Patent 9843596 B1. Regarding claim 7, the combination of Orans and Shah teach claim 1 as described above. However, the combination of Orans and Shah fail to explicitly teach but Averbuch teaches wherein the generating further comprises: normalizing the segment payload lengths to produce the data points [Averbuch col 10, lines 65-67 to col 11, lines 1-5 “step 202, each statistical matrix is normalized to obtain a respective Markov matrix. This can be done using normalization procedures known in the art, or using a specific normalization procedure described in steps 406 in FIGS. 4 and 508 and 510 in FIG. 5. The normalization converts each column (feature) in a statistical matrix to a common scale with the other features.”]; and placing the data points into the matrix beginning at a center of the matrix and spiraling outward from the center of the matrix [Averbuch col 11, lines 1-15 further normalization steps; Examiner interprets as new rows/columns can be manipulated]. Orans teaches all the features of claims 1 not wherein the generating further comprises: normalizing the segment payload lengths to produce the data points and placing the data points into the matrix beginning at a center of the matrix and spiraling outward from the center of the matrix. Averbuch teaches detection of abnormalities in multi-dimensional data is performed by processing the multi-dimensional data to obtain a reduced dimension embedding matrix. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because Shah Orans and Averbuch are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the detection process by training a neural network model by incorporating normalizing matrix data [Averbuch col 10, lines 65-67 to col 11, lines 1-5]. Regarding claim 8, the combination of Shah Orans and Averbuch teach claim 7 as described above. However, the combination of Shah and Orans fails to explicitly teach but Averbuch teaches wherein the normalizing further comprises: converting the segment payload lengths to positive integer values [¶]; padding the positive integer values to a given number of digits [¶]; splitting digits of the padded integer values to produce single-digit integers [¶]; and scaling the single-digit integers [Averbuch col 50, lines 26-30 spectral signature different from surrounding pixels with same numeric range scale for normalization]. Orans teaches all the features of claims 1 not wherein the normalizing further comprises: scaling the single-digit integers. Averbuch teaches detection of abnormalities in multi-dimensional data is performed by processing the multi-dimensional data to obtain a reduced dimension embedding matrix. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Shah teaches a method for detecting malicious activity in a network communication system. Because Shah Orans and Averbuch are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the NDR together with the capability to convert data points into an image as taught by Shah to improve the detection process by training a neural network model by incorporating normalizing matrix data [Averbuch col 10, lines 65-67 to col 11, lines 1-5 and col 50, lines 26-30]. Claim(s) 11- 12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Lim et al, hereinafter (“Lim”), US PG Publication 20220174083 A1 in view of, Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020. Regarding claim 11, Lim teaches an apparatus for identifying malicious network traffic behavior, comprising: [Lim et al 20220174083 A1 Abstract and ¶¶0186-0187 present invention is a new malicious traffic detection method for monitoring of each record for unique behavioral characteristics] one or more processors [Lim et al 20220174083 A1 ¶0208 one processor or microprocessor where controller 910 may be referred to as a communication processor (CP)]; and one or more memories coupled to the one or more processors, the one or more memories configured to store network detection and response (NDR) software, wherein the NDR software when executed on the one or more processors is operable to [Lim et al 20220174083 A1 ¶¶0210-0212]: determine segment payload lengths of segments of a target packet flow [Lim ¶¶0058 and 0060 record frame is generally divided into several segments occupying consecutive bits within payloads of different packets; corresponding SSL records into a consecutive SSL byte stream is then split into fixed-length chunks—TCP segments] traveling over a network between a target client application and a target server application, wherein one or more of the segments include a plurality of packets having payloads split due to a maximum transmission unit (MTU) value used in the network, generate a target image from the segment payload lengths [Lim et al 20220174083 A1 ¶¶0058-0059 record frame is generally divided into several segments occupying consecutive bits within payloads of different packets; when record delivers upper-layer data through the SSL protocol, corresponding size may be larger than maximum transmission unit (MTU). ¶¶0063-0064 Fig. 2 shows TCP 3-way handshake of message flow of SSL tunneling between a client terminal 201and server 203. ¶0076 type of data, corresponding elements (e.g., adjacent pixels of an image) may have explicit spatial relationships that the multi-layer perceptron (MLP) does not recognize in an initial learning stage.]; apply the target image to a machine learning (ML) model trained upon training images generated from training packet flows exhibiting known malicious network traffic behavior and determine a likelihood network traffic behavior between the target client application and the target server application is malicious network traffic behavior based on an extent a pattern in the target image matches a pattern in one or more of the training images [Lim ¶¶0075-0076 success or failure of pattern recognition may be determined by a deep learning-based training model selection; images having a grid-structured topology are not easily distinguishable with an existing multi-layer perceptron (MLP). ¶0125 feature extraction operation 311: pattern-matching strategy], However, Lim fails to explicitly teach but Orans teaches perform a remedial action in response to the likelihood [Orans p. 11, Vendor Profiles/Lastline ¶¶2-3 anomaly detection to JA3 hashes have automated responses from sensors deployed in-inline which suspicious traffic can be blocked.]. Lim teaches all the features of claims 1 not perform a remedial action in response to the likelihood. Lim teaches a method and device for detecting malicious activity over encrypted secure channel. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Because both Lim and Orans are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention to improve the detection process by training a neural network model combined with Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. [Orans, Abstract]. Regarding claim 12, the combination of Lim and Orans teach claim 11 as described above. Lim teaches wherein the segments are TCP segments, the segment payload lengths are TCP segment payload lengths, and the NDR software is operable to determine TCP segment payload lengths by aggregating packet payload length of one or more packets that are part of same TCP segments [Lim ¶¶0109 and 0115-0016 a series of received records are spread over TCP segments a]. Regarding claim 14, the combination of Lim and Shah teach claim 11 as described above. Lim teaches wherein the NDR software is operable to generate the target image by organizing data points based on the segment payload lengths into a matrix, and converting the data points in the matrix into pixels of the target image [Lim ¶0076 corresponding elements (e.g., adjacent pixels of an image) may have explicit spatial relationships]. Claim(s) 13 is rejected under 35 U.S.C. 103 as being unpatentable over Lim et al, hereinafter (“Lim”), US PG Publication 20220174083 A1 in view of, Orans et al, hereinafter (“Orans"), “Market Guide for Network Detection and Response” published 11 June 2020, in view of Litichever et al 20200389469 A1. Regarding claim 13, the combination of Lim and Shah teach claim 12 as described above. However, the combination of Lim and Orans fail to explicitly teach but Litichever teaches wherein NDR software is operable to determine same segments based on one or more TCP flags, wherein the one or more TCP flags include a TCP Finish (FIN) flag, a TCP Push (PSH) flag [Litichever et al 20200389469 A1 ¶0610 analyzer server 81 may could mitigate Denial-of-Service (DoS) attacks by controlling the use of TCP flags such as PSH]. Lim teaches all the features of claims 1 not wherein NDR software is operable to determine same segments based on one or more TCP flags, wherein the one or more TCP flags include a TCP Finish (FIN) flag, a TCP Push (PSH) flag. Lim teaches a method and device for detecting malicious activity over encrypted secure channel. Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions. Litichever teaches System and method for tunnel-based malware detection. Because Lim Orans and Litichever are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention to improve the detection process by training a neural network model combined with Orans teaches a market guide for network detection and response with added automated and manuals response feature solutions with the ability to use TCP flags. [Litichever ¶0610]. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Bong et al 7526085 B1 teaches Throughput and latency of inbound and outbound IPsec processing. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH WHITE-TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 10:45a-6:45p. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CATHERINE THIAW can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. SAKINAH WHITE-TAYLOR Primary Examiner Art Unit 2407 /Sakinah White-Taylor/Primary Examiner, Art Unit 2407
Read full office action

Prosecution Timeline

Jan 13, 2025
Application Filed
Jun 03, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12659303
ELECTRONIC CONTROL UNIT, AUTHENTICATION METHOD, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM STORING AUTHENTICATION PROGRAM
2y 2m to grant Granted Jun 16, 2026
Patent 12659177
SYSTEMS AND METHODS USING SEARCH ENGINES TO GENERATE CRYPTOGRAPHIC KEYS FROM ERRATIC PHYSICAL UNCLONABLE FUNCTIONS
1y 8m to grant Granted Jun 16, 2026
Patent 12641102
MONITORING APPARATUS AND MONITORING METHOD
2y 6m to grant Granted May 26, 2026
Patent 12614001
METHODS AND SYSTEMS FOR RUNNING SECURE PIPELINE TASKS AND INSECURE PIPELINE TASKS IN THE SAME HARDWARE ENTITIES
3y 0m to grant Granted Apr 28, 2026
Patent 12614002
Security Isolation Apparatus and Method
2y 10m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
87%
Grant Probability
99%
With Interview (+23.2%)
2y 6m (~1y 0m remaining)
Median Time to Grant
Low
PTA Risk
Based on 383 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month