Prosecution Insights
Last updated: July 17, 2026
Application No. 19/049,348

ENDPOINT SECURITY ARCHITECTURE WITH PROGRAMMABLE LOGIC ENGINE

Non-Final OA §103
Filed
Feb 10, 2025
Priority
Jan 22, 2018 — provisional 62/620,110 +2 more
Examiner
ANDERSON, MICHAEL D
Art Unit
Tech Center
Assignee
Nuix Limited
OA Round
1 (Non-Final)
80%
Grant Probability
Favorable
1-2
OA Rounds
1y 10m
Est. Remaining
95%
With Interview

Examiner Intelligence

Grants 80% — above average
80%
Career Allowance Rate
568 granted / 711 resolved
+19.9% vs TC avg
Strong +16% interview lift
Without
With
+15.5%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
23 currently pending
Career history
735
Total Applications
across all art units

Statute-Specific Performance

§101
0.7%
-39.3% vs TC avg
§103
82.2%
+42.2% vs TC avg
§102
15.4%
-24.6% vs TC avg
§112
1.0%
-39.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 711 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No.12250234. Although the claims at issue are not identical, they are not patentably distinct from each other (see below table) Patent No. 12250234 Ap# 19/049348 1. (Original) A system for providing an integrated security management framework for an enterprise having a plurality of endpoint devices, each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: a server configured to communicate and exchange data with the one or more of the endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. A method for providing an integrated security management framework for a plurality of endpoint devices, each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the endpoint device, the method comprising: configuring a server to communicate and exchange data with the one or more of the endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. 2. (Original) The system of claim 1, wherein the system further comprises the plurality of endpoint devices. 2. The method of claim 1, wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent. 3. (Original) The system of claim 2, wherein each response logic rule has an associated action to be performed by an endpoint device in response to an event matching the response logic rule, and wherein: each endpoint device has a learning mode in which the endpoint device sends, to the server over the network, a message comprising a copy of an event that matched the response logic rule, metadata describing said response logic rule, and a flag indicating that the endpoint device did not execute the action associated with the response logic rule in response to the event matching the response logic rule. 3. The method of claim 1, further comprising configuring the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules. 4. (Original) The system of claim 1, wherein the server is configured to receive, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules. 4. The method of claim 1, wherein the plurality of endpoint devices belong to an enterprise, and the authorized user is an individual or group tasked with managing the enterprise's security posture. 5. (Original) The system of claim 1, wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language, wherein the custom, declarative programming language is compiled, via a compiler module, into byte code, wherein the compiler module is configured to output a compiled rule set. 5. The method of claim 1, wherein the plurality of endpoint devices belong to an enterprise, and the enterprise comprises at least one of a business entity, company, organization, and government agency. 6. (Original) The system of claim 5, wherein the customized set of detection and response logic rules outputted from the server comprises a compiled rule set embedded into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules. 6. The method of claim 1, further comprising configuring the server to: compile, into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent. 7. (Original) The system of claim 1, wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency. 7. The method of claim 1, further comprising configuring the server to: compile the set of customized detection and response logic rules into an installer executable by the endpoint agent and to transmit said installer to an endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules. 8. (Currently Amended) A non-transitory computer-readable medium having computer- executable code thereon to provide an integrated security management framework for an enterprise having a plurality of endpoint devices, the computer-executable code, when executed by the server, causing a server to: communicate and exchange data with the one or more of one or more of the endpoint devices over a network, each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, activity associated with the respective endpoint device that poses a potential security threat to the enterprise; provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. 8. The method of claim 1, wherein the customized sets of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action. 9. (Original) The non-transitory computer-readable medium of claim 8, wherein the computer- executable code further comprises code that, when executed by the server, configures the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules. 9. The method of claim 8, wherein the customized sets of detection and response logic rules are configured to cause an endpoint agent to: compare event data with the match criteria; and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria. 10. (Original) The non-transitory computer-readable medium of claim 8, wherein the computer- executable code further comprises code that, when executed by the server, configures the server to compile a rule set of detection and response logic rules into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules. 10. The method of claim 8, wherein the associated action comprises a suppress action. 11. (Original) The non-transitory computer-readable medium of claim 8, wherein the computer-executable code further comprises code that, when executed by the server, configures the server to: compile, into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent. 11. The method of claim 8, wherein the associated action comprises an alert action. 12. (Currently Amended) The non-transitory computer-readable medium of claim 8, wherein one or more of the sets the set of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action. 12. The method of claim 8, wherein the associated action comprises a forward action. 13. (Currently Amended) The non-transitory computer-readable medium of claim 12, wherein said one or more sets the set of detection and response logic rules are configured to cause an endpoint agent to: compare event data with the match criteria; and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria. 13. The method of claim 8, wherein the associated action comprises a block action. 14. (Original) The non-transitory computer-readable medium of claim 12, wherein the associated action is selected from the group consisting of a suppress action, an alert action, a forward action, a block action, a killprocess action, an isolate action, and a set action. 14. The method of claim 8, wherein the associated action comprises a killprocess action. 15. (Original) A system for providing an integrated security management framework for an enterprise having a plurality of endpoint devices, each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: means for communicating with the one or more of the endpoint devices over a network; means for providing a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; means for providing an integrated development environment (IDE) operably coupled to the interface; means for receiving, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and means for outputting, to the endpoint agent, a customized set of detection and response logic rules. 15. The method of claim 8, wherein the associated action comprises an isolate action. 16. (Original) The system of claim 15, wherein the system further comprises the plurality of endpoint devices. 16. The method of claim 8, wherein the associated action comprises a set action. 17. (Currently Amended) The system of claim 16, wherein each response logic rule has an associated action to be performed by an endpoint device in response to an event matching the response logic rule, and wherein: each endpoint device has a learning mode in which the endpoint device sends, to a server the server over the network, a message comprising a copy of an event that matched the response logic rule, metadata describing said response logic rule, and a flag indicating that the endpoint device did not execute the action associated with the response logic rule in response to the event matching the response logic rule. 17. A method for providing an integrated security management framework for a plurality of endpoint devices, each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the endpoint device, the method comprising: providing a server to communicate and exchange data with the one or more of the endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. 18. (Original) The system of claim 15, further comprising means for receiving, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules. 18. The method of claim 17, wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent. 19. (Currently Amended) The system of claim 15, wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language, wherein the custom, declarative programming language is compiled, by a means for compiling, into byte code, wherein the means for compiling compiler module is configured to output a compiled rule set. 19. The method of claim 17, wherein the instructions executable by the processor further comprise instructions to cause the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules. 20. (Original) The system of claim 15, wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency. 20. The method of claim 17, wherein the instructions executable by the processor further comprise instructions to cause the server to compile the set of customized detection and response logic rules into an installer executable by the endpoint agent and to transmit said installer to an endpoint agent to configure the endpoint agent to execute the customized set of detection and response logic rules. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 4. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,092,616 B2 to Kumar et al (hereafter referenced as Kumar), in view of in view of Patent No.: US 8,032,940 B1 to Dhanani, in further view of Patent No.: US 7,463,590 B2 to Mualem et al (hereafter referenced as Mualem). Regarding claim 1, Kumar discloses “a method for providing an integrated security management framework for a plurality of endpoint devices(Tokenization of identities by Security Token Services (STS) intended to facilitate in Identity Federation and Single Sign. On (SSO) for web and Enterprise applications [Col.3/lines 21-23]), each endpoint device (inputs from network and endpoint sensors to correlate network activity, system configuration, resource utilization and application integrity [Col.4/lines 65- Col.5/lines 3]) comprising a deployed endpoint agent (endpoint trust agent [Fig.5/item 510]) configured to continuously monitor and record activity (continuous monitoring [Fig.1/item 110]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of(Event & Behavior correlation engine [Fig.1/item 130]), and response to, any activity associated with the respective endpoint device that poses a potential security threat to the endpoint device, the method comprising: configuring a server(VM is a software implementation of a machine Such as a server,[Col.8/lines 48-50]) to communicate and exchange data with the one or more of the endpoint devices over a network(remediation engine exchanges data [Fig.1/item 170]), Kumar does not explicitly disclose “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; However, Mualem in an analogous art discloses “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, with Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core in order to provide additional security and data integrity. One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, and both from the same field of endeavor. Neither Kumar nor Mualem explicitly disclose “provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.” However, Dhanani in an analogous art discloses provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface(secure IDE Dhanani [Fig.4/item 200] within server 414) , input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. (keystore interface security extension 206 of the IDE platform 202 is used to enable the IDE to communicate with (e.g., read and write from) with other keystore objects or components Dhanani [Col.5/lines 2-4]) Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, and Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, with Dhanani’s secured integrated development environment in order to provide additional security and data integrity. One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, Dhanani discloses a process to provide a secure Integrated development environment, and all are from the same field of endeavor. Regarding claim 2 in view of claim 1 the references combined disclose “wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent” (multiple endpoint devices Dhanani [Fig.1]). Regarding claim 3 in view of claim 1 the references combined disclose “further comprising configuring the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules” (threat signature detection module in step S45 provides a library of rules Mualem[Col.6/lines 55-57]) Regarding claim 4 in view of claim 1 the references combined disclose “wherein the plurality of endpoint devices belong to an enterprise, and the authorized user is an individual or group tasked with managing the enterprise's security posture” (FIG. 9 can be used to consolidate and correlate a plurality of identity, inventory and log management systems in order to determine a reputation of a subject e.g., a user, device, transaction, service, or organization/company Mualem[Col.20/ line 64-67]). Regarding claim 5 in view of claim 1 the references combined disclose “wherein the plurality of endpoint devices belong to an enterprise, and the enterprise comprises at least one of a business entity, company, organization, and government agency.” (FIG. 9 can be used to consolidate and correlate a plurality of identity, inventory and log management systems in order to determine a reputation of a subject e.g., a user, device, transaction, service, or organization/company Mualem[Col.20/ line 64-67]). Regarding claim 6 in view of claim 1 the references combined disclose “further comprising configuring the server to: compile, into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent” (threat detection module Mualem [Fig.3]). Regarding claim 7 in view of claim 1 the references combined disclose “further comprising configuring the server to: compile the set of customized detection and response logic rules into an installer executable by the endpoint agent and to transmit said installer to an endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules” (threat detection module Mualem [Fig.3]). Regarding claim 8 in view of claim 1 the references combined disclose “ wherein the customized sets of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action” (analyzer portion Mualem [Fig.4/irwm 244]). Regarding claim 9 in view of claim 8 the references combined disclose “ wherein the customized sets of detection and response logic rules are configured to cause an endpoint agent to: compare event data with the match criteria; and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria.” (threat signatures used by the threat signature detection module may utilize a generic form. For example, each signature may include: a) A set of actions to take upon a match of the signature Mualem [Col.7/lines 8-15]). Regarding claim 10 in view of claim 8 the references combined disclose “wherein the associated action comprises a suppress action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 11 in view of claim 8 the references combined disclose “wherein the associated action comprises an alert action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 12 in view of claim 8 the references combined disclose “wherein the associated action comprises a forward action. (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 13 in view of claim 8 the references combined disclose “wherein the associated action comprises a block action. (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 14 in view of claim 8 the references combined disclose “wherein the associated action comprises a killprocess action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 15 in view of claim 8 the references combined disclose “wherein the associated action comprises an isolate action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 16 in view of claim 8 the references combined disclose “wherein the associated action comprises a set action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]). Regarding claim 17, Kumar discloses “a method for providing an integrated security management framework for a plurality of endpoint devices(Tokenization of identities by Security Token Services (STS) intended to facilitate in Identity Federation and Single Sign. On (SSO) for web and Enterprise applications [Col.3/lines 21-23]), each endpoint device(inputs from network and endpoint sensors to correlate network activity, system configuration, resource utilization and application integrity [Col.4/lines 65- Col.5/lines 3]) comprising a deployed endpoint agent (endpoint trust agent [Fig.5/item 510]) configured to continuously monitor and record activity(continuous monitoring [Fig.1/item 110]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of(Event & Behavior correlation engine [Fig.1/item 130]),, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the endpoint device, the method comprising: providing a server (VM is a software implementation of a machine Such as a server,[Col.8/lines 48-50]) to communicate and exchange data with the one or more of the endpoint devices over a network(remediation engine exchanges data [Fig.1/item 170]). Kumar does not explicitly disclose “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices” However, Mualem in an analogous art discloses “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, with Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core in order to provide additional security and data integrity. One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, and both from the same field of endeavor. Neither Kumar nor Mualem explicitly disclose “provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.” However, Dhanani in an analogous art discloses provide an integrated development environment (IDE) operably coupled to the interface (secure IDE Dhanani [Fig.4/item 200] within server 414) receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. (keystore interface security extension 206 of the IDE platform 202 is used to enable the IDE to communicate with (e.g., read and write from) with other keystore objects or components Dhanani [Col.5/lines 2-4]) Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, and Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, with Dhanani’s secured integrated development environment in order to provide additional security and data integrity. One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, Dhanani discloses a process to provide a secure Integrated development environment, and all are from the same field of endeavor. Regarding claim 18 in view of claim 17, the references combined disclose “wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]). Regarding claim 19 in view of claim 17, the references combined disclose “wherein the instructions executable by the processor further comprise instructions to cause the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules” ( The threat signature detection module in step S45 provides a library of rules Which evaluate every packet Mualem[Col.6/lines 56-57]). Regarding claim 20 in view of claim 17, the references combined disclose “wherein the instructions executable by the processor further comprise instructions to cause the server to compile the set of customized detection and response logic rules into an installer executable by the endpoint agent and to transmit said installer to an endpoint agent to configure the endpoint agent to execute the customized set of detection and response logic rules” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL D ANDERSON/ Examiner, Art Unit 2433 /JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433
Read full office action

Prosecution Timeline

Feb 10, 2025
Application Filed
Jun 17, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12671692
NETWORK SYSTEM AND CONTROL METHOD THEREOF
3y 1m to grant Granted Jun 30, 2026
Patent 12659745
METHODS, SYSTEMS, AND COMPUTER READABLE MEDIA FOR INDICATING CONSUMER NETWORK FUNCTION (NF) TYPE FOR ACCESS TOKEN REQUESTS FORWARDED BETWEEN NF REPOSITORY FUNCTIONS (NRFs)
2y 3m to grant Granted Jun 16, 2026
Patent 12640907
MODULATION-AGNOSTIC TRANSFORMATIONS USING UNITARY BRAID DIVISIONAL MULTIPLEXING (UBDM)
3y 2m to grant Granted May 26, 2026
Patent 12627469
ELECTRONIC DEVICE FOR STORING SECURE DATA AND METHOD FOR OPERATING THE SAME
2y 5m to grant Granted May 12, 2026
Patent 12603865
SYSTEMS AND METHODS FOR REMOTE ACCESS LATENCY REDUCTION
2y 12m to grant Granted Apr 14, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
80%
Grant Probability
95%
With Interview (+15.5%)
3y 3m (~1y 10m remaining)
Median Time to Grant
Low
PTA Risk
Based on 711 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month