Prosecution Insights
Last updated: July 17, 2026
Application No. 19/020,021

Efficient Management of Complex Attack Surfaces

Non-Final OA §102
Filed
Jan 14, 2025
Priority
Apr 22, 2022 — provisional 63/333,792 +1 more
Examiner
JHAVERI, JAYESH M
Art Unit
2433
Tech Center
2400 — Computer Networks
Assignee
Anomali Incorporated
OA Round
1 (Non-Final)
83%
Grant Probability
Favorable
1-2
OA Rounds
11m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 83% — above average
83%
Career Allowance Rate
458 granted / 552 resolved
+25.0% vs TC avg
Strong +31% interview lift
Without
With
+30.8%
Interview Lift
resolved cases with interview
Typical timeline
2y 5m
Avg Prosecution
9 currently pending
Career history
561
Total Applications
across all art units

Statute-Specific Performance

§101
0.9%
-39.1% vs TC avg
§103
83.1%
+43.1% vs TC avg
§102
10.5%
-29.5% vs TC avg
§112
2.0%
-38.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 552 resolved cases

Office Action

§102
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. DETAILED ACTION Claims 1-20 are pending in this office action. Priority Priority is claimed to US application# 17/986,821, filed on 04/22/2022. Information Disclosure Statement The information disclosure statements (IDS's) submitted on 5/28/2026 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Omum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) or 1.321 (d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b). Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over various claims of application# 17/986,821, now patent# 12,231,450 B2 (referred to as ‘450 hereinafter). Claims 1-20 of ‘450 patent claim all the limitations set forth in the instant claims 1-20. Although the conflicting claims are not identical, they are not patentably distinct from each other because the instant independent claims are anticipated and covered by similar subject matter as that of generally narrower independent claims 1, 12 and 18 respectively of ‘450, and as that of other dependent claims 2-11, 13-17 and 19-20 respectively of ‘450, as also shown below. Claim Comparison Table Patent# 12,231,450 Instant Application 19/020,021 1. A method comprising: determining an exposed set of host identifiers from among a plurality of host identifiers having inbound traffic from at least one malicious indicator, the exposed set of host identifiers identifying hosts that form an attack surface of a domain; determining host attributes and indicator attributes associated with each host identifier in the exposed set of host identifiers; providing the exposed set of host identifiers and the associated host attributes and indicator attributes as input to a prioritization model; receiving one or more prioritization scores associated with each host identifier in the exposed set of host identifiers as output from the prioritization model; and outputting for display a dashboard organized based at least in part on the prioritization scores. 1. A method comprising: obtaining a plurality of network traffic logs for a domain; correlating the plurality of network traffic logs with a plurality of threat data feeds to identify a plurality of malicious indicators and a plurality of host identifiers communicating with the plurality of malicious indicators, the plurality of host identifiers identifying a plurality of hosts of the domain; mapping a flow of network traffic between the plurality of malicious indicators and the plurality of host identifiers from the plurality of network traffic logs; determining an exposed set of host identifiers from among the plurality of host identifiers having inbound traffic from at least one malicious indicator from the plurality of malicious indicators based on the mapping, the exposed set of host identifiers identifying hosts that form an attack surface of the domain; determining host attributes and indicator attributes associated with each host identifier in the exposed set of host identifiers; providing the exposed set of host identifiers and the associated host attributes and indicator attributes as input to a prioritization model; receiving one or more prioritization scores associated with each host identifier in the exposed set of host identifiers as output from the prioritization model; and generating a prioritized attack surface data structure based on the one or more prioritization scores associated with each host identifier, wherein an interface is configured to modify a display based at least in part on the prioritized attack surface data structure. 2. The method of claim 1, further comprising mapping a flow of network traffic between a plurality of malicious indicators and the plurality of host identifiers from a plurality of network traffic logs by: generating a directed graph comprising a plurality of nodes connected by a plurality of directed edges, wherein generating the directed graph comprises: generating host nodes in the directed graph for each host identifier in the plurality of host identifiers from the plurality of network traffic logs; generating indicator nodes for each malicious indicator in the plurality of malicious indicators from the plurality of network traffic logs; and generating directed edges between the host nodes and the indicator nodes, each directed edge mapping a direction of flow of network traffic between a host identifier corresponding to the host node and a malicious indicator corresponding to the indicator node. 2. The method of claim 1, wherein mapping the flow of network traffic between the plurality of malicious indicators and the plurality of host identifiers from the plurality of network traffic logs comprises: generating a directed graph comprising a plurality of nodes connected by a plurality of directed edges, wherein generating the directed graph comprises: generating host nodes in the directed graph for each host identifier in the plurality of host identifiers from the plurality of network traffic logs; generating indicator nodes for each malicious indicator in the plurality of malicious indicators from the plurality of network traffic logs; and generating directed edges between the host nodes and the indicator nodes, each directed edge mapping a direction of flow of network traffic between a host identifier corresponding to the host node and a malicious indicator corresponding to the indicator node. Likewise, instant independent claim 1 is also anticipated by limitations of claims 12 and 18 of ‘450; instant claims 2-11 are anticipated by limitations of claims 2-11 resp. of ‘450. Other claims 13-17 and 19-20 are parallel to other dependent claims and are anticipated that way. Further, a system claim or a computer readable medium may carry out method steps in a computing environment of the system with elements such as processor and memory. Therefore, it would be obvious to be able to carry out steps of a method, using a device or a system and executed by a processor of the system. This is a non-provisional obviousness type double patenting rejection because the conflicting claims have been patented. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1, 12 and 18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Dunn et al. (US 2023/0336581 A1, Dunn hereinafter). For claim 1, Dunn teaches a method comprising: determining an exposed set of host identifiers from among a plurality of host identifiers having inbound traffic from at least one malicious indicator (Abstract; para 0005, 0033-0034, 0051, 0083, 0159-0161 - maliciously exposed hosts or devices and their configurations are determined for further actions, implying that hosts are identified or tracked using identifying attributes), the exposed set of host identifiers identifying hosts that form an attack surface of a domain (Fig. 5; para 0050-0051, 0054-0056, 0081, 0091, 0123 - identified hosts that are exposed or compromised, and forming attack surface); determining host attributes and indicator attributes associated with each host identifier in the exposed set of host identifiers (para 0006, 0019, 0070, 0125 - node attributes associated with vulnerabilities or exposure factors); providing the exposed set of host identifiers and the associated host attributes and indicator attributes as input to a prioritization model (para 0006, 0019, 0060, 0071-0072, 0083 - identified nodes, with attributes and indicators therein that are associated with vulnerabilities or exposure factors provided to prioritization mechanism); receiving one or more prioritization scores associated with each host identifier in the exposed set of host identifiers as output from the prioritization model (para 0006, 0016, 0019, 0031, 0056, 0060, 0071 - prioritization scores associated with exposed hosts obtained); and outputting for display a dashboard organized based at least in part on the prioritization scores (para 0006, 0070, 0084-0085 - report associated with scores is displayed on the screen). As to claim 12, the claim limitations are similar to those of claim 1, except claim 12 is drawn to a non-transitory computer-readable storage medium storing instructions that when executed by one or more processors (Fig. 2-3; para 0128, 0211-0213) cause the one or more processors to perform the method of claim 1. Therefore claim 12 is rejected according to claim 1 above. As to claim 18, the claim limitations are similar to those of claim 1, except claim 18 is drawn to a system comprising: one or more processors; and a non-transitory computer-readable medium storing instructions that when executed by the one or more processors (Fig. 2-3; para 0128, 0211-0213) cause the one or more processors to perform the method of claim 1. Therefore claim 18 is rejected according to claim 1 above. Allowable Subject Matter Claims 2-11, 13-17 and 19-20 are objected to as being dependent upon rejected base claims, but would be allowable if incorporated in their respective base claims 1, 12 or 18 including all of the limitations of the base claims and any intervening claims, in addition to overcoming the above-mentioned rejections associated with their parent claims. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (1) Rao - US 20230306121 A1 (Determining application attack surface for network applications); (2) Iyer - US 11677773 B2 (Prioritized remediation of information security vulnerabilities based on service model aware multi-dimensional security risk scoring); (3) Ibatullin - US 20150264061 A1 (Detecting network intrusions using layered host scoring); (4) Saha - US 8813236 B1 (Detecting malicious endpoints using network connectivity and flow information); (5) Kraning - US 20210288993 A1 (Correlation-driven threat assessment and remediation) - are cited to show methods, computer program products and systems pertinent to malware-exposed hosts or compromised hosts in a domain/network. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JAYESH M JHAVERI/Primary Examiner, Art Unit 2433
Read full office action

Prosecution Timeline

Jan 14, 2025
Application Filed
Jun 03, 2026
Non-Final Rejection mailed — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682088
POLICY CONSISTENCY VERIFICATION APPARATUS, POLICY CONSISTENCY VERIFICATION METHOD, AND POLICY CONSISTENCY VERIFICATION PROGRAM
2y 6m to grant Granted Jul 14, 2026
Patent 12670255
GENERATION DEVICE, GENERATION METHOD, AND GENERATION PROGRAM
2y 1m to grant Granted Jun 30, 2026
Patent 12652282
EVENT BASED AUTHENTICATION
1y 7m to grant Granted Jun 09, 2026
Patent 12627653
SECURED DIRECT ACCESS FOR CUSTOMER SERVICE
2y 4m to grant Granted May 12, 2026
Patent 12619786
SYSTEM AND METHODS FOR SMART REGISTER APPLICATIONS
3y 4m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
83%
Grant Probability
99%
With Interview (+30.8%)
2y 5m (~11m remaining)
Median Time to Grant
Low
PTA Risk
Based on 552 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month