Prosecution Insights
Last updated: July 17, 2026
Application No. 19/029,940

SECURITY-RELATED EVENT ANOMALY DETECTION

Non-Final OA §112
Filed
Jan 17, 2025
Priority
Jun 06, 2016 — provisional 62/346,382 +4 more
Examiner
LEUNG, ROBERT B
Art Unit
Tech Center
Assignee
NetSkope Inc.
OA Round
1 (Non-Final)
84%
Grant Probability
Favorable
1-2
OA Rounds
1y 0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 84% — above average
84%
Career Allowance Rate
527 granted / 624 resolved
+24.5% vs TC avg
Strong +17% interview lift
Without
With
+17.3%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
20 currently pending
Career history
638
Total Applications
across all art units

Statute-Specific Performance

§101
4.7%
-35.3% vs TC avg
§103
72.2%
+32.2% vs TC avg
§102
4.5%
-35.5% vs TC avg
§112
12.5%
-27.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 624 resolved cases

Office Action

§112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Continuation This application is a continuation application of US 18/347,498 (filed on Jul. 5, 2023 – now US Patent No. 12,244,617), which is a continuation application of US 17/332,879 (filed on May 27, 2021 – now US Patent No. 11,743,275), which is a continuation application of US 16/389,861 (filed on Apr. 19, 2019 – now US Patent No. 11,025,653), which is a continuation application of US 15/256,483 (filed on Sept. 2, 2016 – now US Patent No. 10,270,788). The prosecution history and references cited in the above applications have been fully reviewed and considered. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 4-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 4 recites: “initializing an anomaly detector” and is dependent on claims 1 and 3. Claim 1 also recites “initializing an anomaly detector”. It is unclear if these detectors are the same or distinct. Claims 5-9 are dependent on claim 4 and similarly rejected. Claim 8 recites: “a production space ID” and is dependent on claims 4, 3, and 1. Claim 8 subsequently recites “the space ID”. It is unclear if the subsequent space IDs are referring to the production space ID, or “a space ID” initially established in parent claim 1. Claims 9 and 10 are dependent on claim 8 and similarly rejected. Claim 8 recites: “determining a standard candle value” and is dependent on claims 4, 3, and 1. It is unclear if “a standard candle value” determined in claim 8 is the same or different from “a standard candle value” in claim 1. Claims 9 and 10 are dependent on claim 8 and similarly rejected. Claim 9 recites: “initializing and analyzing a space ID during the applying the hash function” and “maturing the standard candle value of the space ID” and is dependent on claims 8, 4, 3, and 1. It is unclear if the first “[a] space ID” is referring to the same space ID initially presented in claim 1. Furthermore, it is unclear which space ID the second (and subsequent) recited “[the] space ID[s]” are being referenced. Claim 10 is dependent on claim 9 and similarly rejected. Claim 10 recites the term “near-zero”, which is a relative term and renders the claim indefinite. The term “near-zero” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. It is unclear what numerical range and/or degree when a value is considered “near-zero”. Claim Interpretation The phrase “majority” (e.g., as in claim 2) is understood by one having ordinary skill in the art to be more than half of a whole. For example, in [0055] of the originally filed specifications describes a majority, for example, as “55 percent, 60 percent, 70 percent, or 90 percent”. Allowable Subject Matter Claims 1-3 and 11-20 are allowable. Claims 4-10 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: The claimed invention is directed to initializing an anomaly detector for analyzing event streams of security-related events of one or more organizations. Independent claim 1 presents a series of tasks of how an enhanced anomaly detector is established. The current invention is an improvement over prior detectors as disclosed in [0024]-[0030] & [0035]-[0036] of the originally filed specifications. In particular, the claimed invention “transforms an unsupervised learning problem into a supervised learning problem by fixing a target label” in anomaly detection. The claimed invention mirrors the facts of Ex Parte Desjardins, wherein the claimed invention exhibits improvement in machine learning based anomaly detection. Thus, the claimed invention is integrated into a practical application. The currently cited prior arts are generally directed to implementing machine learning algorithms to train models describing normal/expected user behavior, or activity patterns, for detecting anomalous network events. For example, US 9,338,187 discloses creating a model on collected user activities in a network and using that model to detect abnormal patterns over a period of time. The model contains temporal patterns of activity within a network and assigns a risk score to alerts of inconsistent activities. In another example, US 2012/0137367 discloses continuous anomaly detection by collecting data, processing and categorizing a plurality of events, continuously clustering the events, and continuously build the model. A set of cluster IDs can represent the events. In another example, US 2015/0059982 discloses anomaly detection by identifying sparse regions of a feature space from clustering operations over an entire data set. In another example, US 9,548,987 discloses a classifier configured to producing risk scores to security-related events and receiving feedback from users regarding the risk scores to update the classifier. Therefore, generating, or “initializing”, network behavior-based models to detect anomalous activities on a network was a well-known concept in the art. However, none of the prior arts teach, disclose, or reasonably suggest the manner of initialization, as a whole, recited in independent claim 1. Specifically, the series of steps of “transforming” the security-related events to feature-value pairs and “scoring” coded feature-valued pairs to classify the events not explicitly disclose or suggested by the prior arts of record. The following are additional prior arts relevant to various claimed features of the invention: US 7,743,003: Discloses identifying a feature from a plurality of features in a repository and applying a number of hash functions to the feature to generate a corresponding number of different hash values. A group of buckets in memory is identified based on the hash values and updated, thereby generating rules for a model based on the values in the group of buckets. See col. 1, lines 15-23. US 2017/0147930: A model is trained to learn the characteristics of a system from time series data. A histogram of segment lengths of a time series is categorized into several bins. The segments within each category are then clustered using K-means. See Abstract, [0062]-[0063]. US 2016/0203316: Meta events are generated by clustering extracted features. Their individual feature space is calculated and then assigned one or more labels based on the nearest cluster it belongs to. Fast anomaly detection on an unbounded number of events can be achieved to detect suspicious changes in user behavior. See [0035]. US 2014/0040174: A histogram is generated for detecting anomalies in a cloud environment. Cloud metric sample values are collected and normalized to be assigned to a data bin of a series of data bins. See [0038]-[0040]. Kind, M. P. Stoecklin and X. Dimitropoulos, "Histogram-based traffic anomaly detection," in IEEE Transactions on Network and Service Management, vol. 6, no. 2, pp. 110-121, June 2009. (Discloses anomaly detection using histograms of different traffic features. Histograms describing traffic features are built. Each histogram is then embedded into a metric space so that dissimilar/similar histograms are positioned apart/close. See Abstract & I. Introduction on pg. 110.) Davis JJ, Clark AJ. Data preprocessing for anomaly based network intrusion detection: A review. computers & security. 2011 Sep 1;30(6-7):353-75. (During data pre-processing for network intrusion detection systems (NIDS), a dataset is transformed by embedding categorical features into metric space. Normalization of the dataset was also performed by scaling numeric features with respect to their mean and standard deviation. See pg.362.) N. H. Duong and H. Dang Hai, "A semi-supervised model for network traffic anomaly detection," 2015 17th International Conference on Advanced Communication Technology (ICACT), PyeongChang, Korea (South), 2015, pp. 70-75. (A semi-supervised model using a modified Mahanalobis distance based on principal component analysis (PCA) for network traffic anomaly detection is disclosed. K-means clustering is used to reduce the noise of anomalies to group similar data and build a normal traffic profile. See pg. 70, I. Introduction.) D. Tran, W. Ma and D. Sharma, "Automated network feature weighting-based anomaly detection," 2008 IEEE International Conference on Intelligence and Security Informatics, Taipei, Taiwan, 2008, pp. 162-166. (Discloses an automated feature weighting method based on fuzzy subspace approach to assign a weigh (i.e., the claimed “likelihood coefficients”) t to each network feature depending on its degree of importance in anomaly detection. See Abstract.) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /ROBERT B LEUNG/Primary Examiner, Art Unit 2494
Read full office action

Prosecution Timeline

Jan 17, 2025
Application Filed
Jun 22, 2026
Non-Final Rejection mailed — §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682056
TECHNIQUES FOR DETECTING ANOMALIES IN DATA FILES
2y 2m to grant Granted Jul 14, 2026
Patent 12671596
AUTHENTICATION APPARATUS, AUTHENTICATION TARGET APPARATUS, IMAGE FORMING APPARATUS, REPLACEMENT UNIT, AND AUTHENTICATION METHOD
2y 6m to grant Granted Jun 30, 2026
Patent 12657299
Ransomware Detection Training Using Variable Levels Of Encryption
2y 4m to grant Granted Jun 16, 2026
Patent 12657326
AUTHENTICATION SYSTEM, AUTHENTICATION METHOD, AND RECORDING MEDIUM HAVING AUTHENTICATION PROGRAM RECORDED THEREON
1y 11m to grant Granted Jun 16, 2026
Patent 12639457
VISIBILITY FOR PARTICULARIZED DATA SECURITY
2y 2m to grant Granted May 26, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
84%
Grant Probability
99%
With Interview (+17.3%)
2y 6m (~1y 0m remaining)
Median Time to Grant
Low
PTA Risk
Based on 624 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month