Prosecution Insights
Last updated: July 17, 2026
Application No. 19/043,222

DYNAMIC EVALUATION OF INFORMATION SECURITY RISK FOR VENDOR AND SUBVENDOR COMPUTING SYSTEMS

Non-Final OA §103
Filed
Jan 31, 2025
Priority
Sep 29, 2017 — continuation of 11/055,415 +2 more
Examiner
ANDERSON, MICHAEL D
Art Unit
Tech Center
Assignee
Valente Sherman Inc.
OA Round
1 (Non-Final)
80%
Grant Probability
Favorable
1-2
OA Rounds
1y 10m
Est. Remaining
95%
With Interview

Examiner Intelligence

Grants 80% — above average
80%
Career Allowance Rate
568 granted / 711 resolved
+19.9% vs TC avg
Strong +16% interview lift
Without
With
+15.5%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
23 currently pending
Career history
735
Total Applications
across all art units

Statute-Specific Performance

§101
0.7%
-39.3% vs TC avg
§103
82.2%
+42.2% vs TC avg
§102
15.4%
-24.6% vs TC avg
§112
1.0%
-39.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 711 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 2. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 8,141,157 B2 to Farley et al(hereafter referenced as Farley) in view of Patent No.: US 7,463,590 B2 to Mualem et al(hereafter referenced as Mualem). Regarding claim 1, Farley discloses “a system for providing an integrated security management framework for an enterprise having a plurality of endpoint devices (security management system 20 [Col.9/lines 29-33]) , each endpoint device comprising a deployed endpoint agent (event collector [Fig.7/item 775]) configured to continuously monitor and record activity (data source 28 can comprise a host detector which monitors network traffic in the form of data packets.[Col.9/lines 55-57]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of (classifier 615 can be responsible for forwarding raw event information to the CoBRA processor 625 and one or more correlation rules 620.[Col.13/lines 44-46]). Farley does not explicitly disclose “and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: a server configured to communicate and exchange data with the one or more of the endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.” However Mualem in an analogous art discloses “and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: a server configured to communicate and exchange data with the one or more of the endpoint devices over a network(intrusion detection system Mualem[Fig.5/item 100]), the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface (network management system Mualem[Fig.5/item 200]) with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices(threat management system Mualem[Fig.4/item 200]) ; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.”(threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Farley’s system for managing computer security information with Mualem’s threat management and detection system in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Farley discloses a system for managing computer security information , Mualem teaches a threat management system, and both are from the same field of endeavor. Regarding claim 2 in view of claim 1, the references combined disclose “wherein the system further comprises the plurality of endpoint devices” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]) also see interceptors Mualem [Fig.10]). Regarding claim 3 in view of claim 2, the references combined disclose “wherein each response logic rule has an associated action to be performed by an endpoint device in response to an event matching the response logic rule”(threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]), “and wherein: each endpoint device has a learning mode in which the endpoint device sends, to the server over the network, a message comprising a copy of an event that matched the response logic rule” (threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]), metadata describing said response logic rule, and a flag indicating that the endpoint device did not execute the action associated with the response logic rule in response to the event matching the response logic rule” (threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]). Regarding claim 4 in view of claim 1, the references combined disclose “wherein the server is configured to receive, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]) also see interceptors Mualem [Fig.10]). Regarding claim 5 in view of claim 1, the references combined disclose “wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language, wherein the custom, declarative programming language is compiled(threat management system Mualem[Fig.4/item 200]), via a compiler module, into byte code, wherein the compiler module is configured to output a compiled rule set.” (threat management system Mualem[Fig.4/item 200]) Regarding claim 6 in view of claim 5, the references combined disclose “wherein the customized set of detection and response logic rules outputted from the server comprises a compiled rule set embedded into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules(classifier 615 can be responsible for forwarding raw event information to the CoBRA processor 625 and one or more correlation rules 620 Farley[Col.13/lines 44-46]). Regarding claim 7 in view of claim 1, the references combined disclose “wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency”(permission detection module can optionally associate a user With a physical host. This allows the system administrator to restrict the access privileges of the specified user-host combination Within the network Mualem[Col.13/lines 45-49]). Regarding claim 8, Farley discloses “a non-transitory computer-readable medium having computer-executable code thereon to provide an integrated security management framework for an enterprise having a plurality of endpoint devices(security management system 20 [Col.9/lines 29-33]), the computer-executable code, when executed by the server, causing a server to: communicate and exchange data with the one or more of one or more of the endpoint devices over a network, each endpoint device comprising a deployed endpoint agent(event collector [Fig.7/item 775]) configured to continuously monitor and record activity (data source 28 can comprise a host detector which monitors network traffic in the form of data packets.[Col.9/lines 55-57]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of(classifier 615 can be responsible for forwarding raw event information to the CoBRA processor 625 and one or more correlation rules 620.[Col.13/lines 44-46]). Farley does not explicitly disclose “and response to, activity associated with the respective endpoint device that poses a potential security threat to the enterprise; provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on- the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.” However, Mualem in an analogous art discloses “and response to, activity associated with the respective endpoint device that poses a potential security threat to the enterprise; provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity(intrusion detection system Mualem[Fig.5/item 100]), and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices(network management system Mualem[Fig.5/item 200]); provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Farley’s system for managing computer security information with Mualem’s threat management and detection system in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Farley discloses a system for managing computer security information , Mualem teaches a threat management system, and both are from the same field of endeavor. Regarding claim 9 in view of claim 8, the references combined disclose “wherein the computer- executable code further comprises code that, when executed by the server, configures the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules” (threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]), Regarding claim 10 in view of claim 8, the references combined disclose “wherein the computer- executable code further comprises code that, when executed by the server, configures the server to compile a rule set of detection and response logic rules into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules” (threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]). Regarding claim 11 in view of claim 8, the references combined disclose “wherein the computer- executable code further comprises code that, when executed by the server, configures the server to: compile(threat management system Mualem[Fig.4/item 200]), into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent. (threat management system Mualem[Fig.4/item 200]). Regarding claim 12 in view of claim 8, the references combined disclose “wherein one or more of the sets the set of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]) also see interceptors Mualem [Fig.10]). Regarding claim 13 in view of claim 12, the references combined disclose “wherein said one or more sets the set of detection and response logic rules are configured to cause an endpoint agent to: compare event data with the match criteria; and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]) also see interceptors Mualem [Fig.10]). Regarding claim 14 in view of claim 12, the references combined disclose “wherein the associated action is selected from the group consisting of a suppress action, an alert action, a forward action, a block action, a killprocess action, an isolate action, and a set action.” (permission detection module can optionally associate a user With a physical host. This allows the system administrator to restrict the access privileges of the specified user-host combination Within the network Mualem[Col.13/lines 45-49]). Regarding claim 15, Farley discloses “a system for providing an integrated security management framework for an enterprise having a plurality of endpoint devices(security management system 20 [Col.9/lines 29-33]), each endpoint device comprising a deployed endpoint agent (event collector [Fig.7/item 775]) configured to continuously monitor and record activity (data source 28 can comprise a host detector which monitors network traffic in the form of data packets.[Col.9/lines 55-57]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of(classifier 615 can be responsible for forwarding raw event information to the CoBRA processor 625 and one or more correlation rules 620.[Col.13/lines 44-46]). Farley does not explicitly disclose “and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: means for communicating with the one or more of the endpoint devices over a network; means for providing a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; means for providing an integrated development environment (IDE) operably coupled to the interface; means for receiving, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and means for outputting, to the endpoint agent, a customized set of detection and response logic rules. However, Mualem in an analogous art discloses “and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: means for communicating with the one or more of the endpoint devices over a network; (intrusion detection system Mualem[Fig.5/item 100]), means for providing a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; means for providing an integrated development environment (IDE) operably coupled to the interface(network management system Mualem[Fig.5/item 200]); means for receiving, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and means for outputting, to the endpoint agent, a customized set of detection and response logic rules” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Farley’s system for managing computer security information with Mualem’s threat management and detection system in order to provide additional security. One of ordinary skill in the art would have been motivated to combine because Farley discloses a system for managing computer security information , Mualem teaches a threat management system, and both are from the same field of endeavor. Regarding claim 16 in view of claim 15, the references combined disclose “wherein the system further comprises the plurality of endpoint devices” (security management system 20 [Col.9/lines 29-33]). Regarding claim 17 in view of claim 16, the references combined disclose “wherein each response logic rule has an associated action to be performed by an endpoint device in response to an event matching the response logic rule(threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]),, and wherein: each endpoint device has a learning mode in which the endpoint device sends, to a server the server over the network, a message comprising a copy of an event that matched the response logic rule, metadata describing said response logic rule(threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]), and a flag indicating that the endpoint device did not execute the action associated with the response logic rule in response to the event matching the response logic rule” (threat signature detection module in step S45 provides a library of rules Which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, Worms, reconnaissance activity, backdoor usage, and buffer overflows Mualem[Col.6./lines 56-60]). Regarding claim 18 in view of claim 15, the references combined disclose “further comprising means for receiving, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules” (threat management system may include a plurality of Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Fig.10]). Regarding claim 19 in view of claim 15, the references combined disclose “wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language (threat management system Mualem[Fig.4/item 200]), wherein the custom, declarative programming language is compiled, by a means for compiling, into byte code, wherein the means for compiling compiler module is configured to output a compiled rule set” (threat management system Mualem[Fig.4/item 200]) Regarding claim 20 in view of claim 15, the references combined disclose “wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency” (permission detection module can optionally associate a user With a physical host. This allows the system administrator to restrict the access privileges of the specified user-host combination Within the network Mualem[Col.13/lines 45-49]). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL D ANDERSON/Examiner, Art Unit 2433 /JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433
Read full office action

Prosecution Timeline

Jan 31, 2025
Application Filed
Jun 26, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12671692
NETWORK SYSTEM AND CONTROL METHOD THEREOF
3y 1m to grant Granted Jun 30, 2026
Patent 12659745
METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR INDICATING CONSUMER NETWORK FUNCTION (NF) TYPE FOR ACCESS TOKEN REQUESTS FORWARDED BETWEEN NF REPOSITORY FUNCTIONS (NRFs)
2y 3m to grant Granted Jun 16, 2026
Patent 12640907
MODULATION-AGNOSTIC TRANSFORMATIONS USING UNITARY BRAID DIVISIONAL MULTIPLEXING (UBDM)
3y 2m to grant Granted May 26, 2026
Patent 12627469
ELECTRONIC DEVICE FOR STORING SECURE DATA AND METHOD FOR OPERATING THE SAME
2y 5m to grant Granted May 12, 2026
Patent 12603865
SYSTEMS AND METHODS FOR REMOTE ACCESS LATENCY REDUCTION
2y 12m to grant Granted Apr 14, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
80%
Grant Probability
95%
With Interview (+15.5%)
3y 3m (~1y 10m remaining)
Median Time to Grant
Low
PTA Risk
Based on 711 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month