Prosecution Insights
Last updated: July 17, 2026
Application No. 19/066,742

INTRUSION DETECTION AND PREVENTION SYSTEM RULE AUTOMATION AND OPTIMIZATION

Non-Final OA §103§112
Filed
Feb 28, 2025
Priority
Sep 25, 2020 — continuation of 11/563,777 +1 more
Examiner
WYSZYNSKI, AUBREY H
Art Unit
Tech Center
Assignee
Charles Schwab & Co., Inc.
OA Round
1 (Non-Final)
90%
Grant Probability
Favorable
1-2
OA Rounds
1y 3m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
639 granted / 714 resolved
+29.5% vs TC avg
Moderate +12% lift
Without
With
+12.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
20 currently pending
Career history
745
Total Applications
across all art units

Statute-Specific Performance

§101
3.3%
-36.7% vs TC avg
§103
59.0%
+19.0% vs TC avg
§102
23.6%
-16.4% vs TC avg
§112
1.2%
-38.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 714 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 3 and 13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 3 and 13 recite “removing any none enabled rule” and is unclear. For examination purposes here within, the examiner assumes the claim is meant to recite “removing any non-enabled rule”. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 7,574,740 to Kennis, and further in view of US 2021/0400080 to Kaidi. Regarding claim 1, Kennis teaches a network intrusion system for a protected network, the network intrusion system (FIGS. 2-8: a computer network includes an intrusion detection system 200 and a communications link extending between the Internet 205 and an Intranet 210. Col. 5, lines 7-21) comprising: at least one memory, wherein the memory stores instructions (Col. 11, lines 1-28: Fig. 6, a table for mapping the combination of an intrusion event identifier and scanner vulnerability exploit(s) to a vulnerability analysis action. This table can be maintained in a storage medium, such as memory, for access by the intrusion detection system.); and at least one processor configured to execute the instructions and cause the network intrusion system to perform (scanner 220, sensor 225), receiving a rule describing a set of associated network vulnerabilities (Col. 9, Table I maps signatures to vulnerability assessment methods); determining whether there is a match between any of the set of associated network vulnerabilities and a set of cumulative vulnerabilities present in at least one of a plurality of network devices in the protected network (col. 7, lines 4-22: explicitly maps “intrusion event” to “scanner vulnerability test”; and in response to determining that there is a match between any of the set of associated network vulnerabilities and the set of cumulative vulnerabilities (col. 6, lines 51-59: If this comparison task does not result in a match in step 315, a response to the intrusion event is defined by a predetermined configuration for the intrusion detection system. For example, the detected intrusion event can be tracked by creating a corresponding log entry for future reference. If, on the other hand, the attack signature matches a qualifying signature, the detected intrusion event is processed as a qualifying event in step 325. Col. 5, lines 23-Col. 6, line 2: a sensor request a scan of the target component to determine vulnerability to the specific attack). Kennis teaches the decision to enable a firewall block. However, lacks or does not expressly disclose transmitting a command signal. However, Kaidi discloses transmitting a command signal to a network security processor, wherein the command signal instructs the network security processor to enable the rule (0044: The request classification module 184 may analyze the general log and malicious request logs to determine rules for blocking or otherwise limiting traffic. For example, the request classification module 184 may determine a rule to block traffic from any IP address or device identifier associated with a request in the malicious request log. The request classification module 184 may push the rule (with a block list containing IP address from the requests in the malicious request log) to the proxy provider server 150 (e.g., via the firewall configuration service 154).). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention to modify, Kennis with Kaidi to include transmitting a command signal to enable a rule, in order to achieve an automated, adaptive security posture, as taught by Kaidi, 0044. Regarding claim 2, Kennis, as modified above, further discloses the network intrusion system of claim 1, further comprising the network security processor, wherein the network security processor is configured to cause the network intrusion system to perform inspecting network traffic to the protected network according to a plurality of rules (col. 5, lines 3-22: firewall 215 operating in tandem with the IDS). Regarding claim 3, Kennis, as modified above, further discloses the network intrusion system of claim 2, wherein the network intrusion system is further caused to perform removing any none enabled rule from the plurality of rules (col. 6, lines 3-18 and col. 12, lines 36-48: creating and applying an updated intrusion detection policy base on environment changes and removing obsolete items). Regarding claim 4, Kennis, as modified above, further discloses the network intrusion system of claim 2, wherein the network intrusion system is further caused to perform receiving a definition for each of the plurality of rules from a distribution server external to the protected network (col. 12, lines 36-48: the scanner creating a new policy file and forwarding that policy to network sensors – the distribution of the policy). Regarding claim 5, Kennis, as modified above, further discloses the network intrusion system of claim 2, wherein the network security processor includes at least one of an intrusion detection system (IDS) and an intrusion prevention system (IPS) (col. 5, lines 22-45: the integration of a scanner and IDS sensor with firewall 215 (IPS functionality)). Regarding claim 6, Kennis, as modified above, further discloses the network intrusion system of claim 1, wherein the at least one processor includes the network security processor (col. 5, lines 3-21: describes IDS and firewall as integrated components of the internal computing environment). Regarding claim 7, Kennis, as modified above, further discloses the network intrusion system of claim 1, wherein the network intrusion system is further caused to perform receiving a first alert indicating suspect network traffic, determining a source IP address associated with the suspect network traffic, and in response to the source IP address being within the protected network, transmitting a second alert indicating a potential internal attack (col. 5, line 22-col. 6, line 2: evaluating event severity (priority) based on source address (hacker 240 vs internal traffic)). Regarding claim 8, Kennis, as modified above, further discloses the network intrusion system of claim 1, wherein the network intrusion system is further caused to perform receiving a first alert indicating suspect network traffic, determining a source IP address associated with the suspect network traffic, and in response to the source IP address being external to the protected network, transmitting a second alert indicating a potential external attack (col. 5, line 22-col. 6, line 2: evaluating event severity (priority) based on source address (hacker 240 vs internal traffic)). Regarding claim 9, Kennis, as modified above, further discloses the network intrusion system of claim 1, wherein the command signal is a first command signal and wherein the network intrusion system is further caused to perform, receiving a firewall policy associated with a firewall that is configured to control access to the protected network, determining affected devices from the plurality of network devices, determining a traffic signature of the rule, and in response to the firewall policy blocking traffic matching the traffic signature from reaching the affected devices, transmitting a second command signal to the network security processor, wherein the second command signal instructs the network security processor to disable the rule (col.6, lines 3-18 and col. 12, lines 36-49: monitoring for changes in the computing environment (addition/removal of devices) and updating the policy). Regarding claim 10, Kennis, as modified above, further discloses the network intrusion system of claim 1, wherein the network intrusion system is further caused to perform receiving a severity value for the rule, comparing the severity value to a severity threshold, and in response to determining that the severity value is above the severity threshold, transmitting the command signal to the network security processor (col. 5, line 22-col. 6, line 2 and col. 8, lines 1-27: alert priority (High/Medium/Low) based on the vulnerability assessment results). As per claims 11-18 and 19-20, this is a method and medium version of the claimed system discussed above in claims 1-10 wherein all claimed limitations have also been addressed and/or cited as set forth above. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /AUBREY H WYSZYNSKI/Primary Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

Feb 28, 2025
Application Filed
Jun 30, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676891
ENDPOINT SECURITY GROUPS IN PRIVATE MULTI-ACCESS EDGE COMPUTE NETWORKS
2y 6m to grant Granted Jul 07, 2026
Patent 12659351
SECURE NETWORK COMMUNICATION SYSTEM AND METHOD
2y 4m to grant Granted Jun 16, 2026
Patent 12652310
SELECTING ACTIONS RESPONSIVE TO COMPUTING ENVIRONMENT INCIDENTS BASED ON SEVERITY RATING
2y 10m to grant Granted Jun 09, 2026
Patent 12647406
CROSS APPLICATION AUTHORIZATION FOR ENTERPRISE SYSTEMS
2y 8m to grant Granted Jun 02, 2026
Patent 12641125
AUTOMATED EDGE DRIVEN COLLABORATIVE DATA PROTECTION POLICY MANAGEMENT IN LARGE SCALE EDGE ENVIRONMENTS
3y 3m to grant Granted May 26, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+12.5%)
2y 8m (~1y 3m remaining)
Median Time to Grant
Low
PTA Risk
Based on 714 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month