Prosecution Insights
Last updated: July 17, 2026
Application No. 19/082,851

System and method for detecting and countering malicious code

Non-Final OA §103§112
Filed
Mar 18, 2025
Priority
Jan 03, 2023 — continuation of 12/335,303
Examiner
ALI, AFAQ
Art Unit
Tech Center
Assignee
Bank of America Corporation
OA Round
1 (Non-Final)
90%
Grant Probability
Favorable
1-2
OA Rounds
1y 1m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
123 granted / 137 resolved
+29.8% vs TC avg
Moderate +13% lift
Without
With
+13.3%
Interview Lift
resolved cases with interview
Typical timeline
2y 5m
Avg Prosecution
18 currently pending
Career history
168
Total Applications
across all art units

Statute-Specific Performance

§101
2.2%
-37.8% vs TC avg
§103
90.8%
+50.8% vs TC avg
§102
0.6%
-39.4% vs TC avg
§112
2.5%
-37.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 137 resolved cases

Office Action

§103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action Claims 1-20 are pending Priority The application is a continuation of U.S. patent application Ser. No. 18/149,193, filed Jan. 3, 2023. Therefore, the effective filing date of this application is 01/03/2023. Drawings Applicants’ drawings filed on 03/18/2025 has been inspected and it is in compliance with MPEP 608.02. Specification The specification filed on 03/18/2025 is acceptable for examination proceedings. Information Disclosure Statement The information disclosure statements (IDS) submitted on 03/18/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements have been considered by the examiner. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claims 1-7 and 15-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites the limitation “a memory configured to store a set of historical configuration parameter values associated with a web application”. The claim previously recites “detecting and countering malicious code executed on a web application”. It is unclear if the detecting and countering malicious code on a web application is the same web application for which a memory stores historical configuration parameter values. For the purpose of examination Examiner is interpreting this limitation as “a memory configured to store a set of historical configuration parameter values associated with the web application”. Appropriate correction is required. Claims 2-7 depend on claim 1. Therefore, they also inherit the rejection. Claim 15 recites the limitation " parameter values associated with the web application". There is insufficient antecedent basis for “web application” in the claim. For the purpose of examination Examiner is interpreting this limitation as “parameter values associated with a web application”. Appropriate correction is required. Claims 16-20 depend on claim 15. Therefore, they also inherit the rejection. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-7 of U.S. Patent No. US 12335303 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the corresponding claims further recite similar/same limitations of the same subject matter. Current Application 19/082,851 US 12335303 B2 1) A system for detecting and countering malicious code executed on a web application comprising: a memory configured to store a set of historical configuration parameter values associated with a web application, wherein the set of historical configuration parameter values provides information about historical events that occurred on the web application; a processor operably coupled to the memory, and configured to: detect a set of configuration parameter values associated with the web application, the set of configuration parameter values provides information about events occurring on the web application; for at least a first configuration parameter value from among the set of configuration parameter values: determine the first configuration parameter value over a particular period; compare the first configuration parameter value with a counterpart configuration parameter value from among the set of historical configuration parameter values; in response to the comparison between the first configuration parameter value and the counterpart configuration parameter value, determine that a malicious code is being executed on the web application; determine a function associated with the malicious code; determine, based at least in part upon the function associated with the malicious code, one or more actions to counter the malicious code; and execute at least one of the one or more actions. 1. A system for detecting and countering malicious code executed on a web application comprising: a memory configured to store a set of historical configuration parameter values associated with a web application, wherein the set of historical configuration parameter values provides information about historical events that occurred on the web application; a processor operably coupled to the memory, and configured to: detect a set of configuration parameter values associated with the web application, the set of configuration parameter values provides information about events occurring on the web application; for at least a first configuration parameter value from among the set of configuration parameter values: determine the first configuration parameter value over a particular period; compare the first configuration parameter value with a counterpart configuration parameter value from among the set of historical configuration parameter values; determine a difference between the first configuration parameter value and the counterpart configuration parameter value; determine that the difference between the first configuration parameter value and the counterpart configuration parameter value exceeds a threshold rate; in response to determining that the difference between the first configuration parameter value and the counterpart configuration parameter value exceeds the threshold rate: determine that a malicious code is executed on the web application; determine a function associated with the malicious code, wherein the function associated with the malicious code is one or more of gaining unauthorized access to non-public information associated with the web application, causing performance degradation at the web application, or causing network traffic congestion at the web application; determine, based at least in part upon the function associated with the malicious code, one or more actions to counter the malicious code; and execute at least one of the one or more actions. 2. The system of claim 1, wherein the one or more actions comprise: blocking network communications originated from an Internet Protocol (IP) address associated with the malicious code; rerouting the network communications originated from the IP address associated with the malicious code; or adding the IP address associated with the malicious code to a firewall configuration as a malicious IP address. 2. The system of claim 1, wherein the one or more actions comprise: blocking network communications originated from an Internet Protocol (IP) address associated with the malicious code; rerouting the network communications originated from the IP address associated with the malicious code; or adding the IP address associated with the malicious code to a firewall configuration as a malicious IP address. 3. The system of claim 1, wherein the processor is further configured to: display the one or more actions on a screen; receive user input indicating that the at least one of the one or more actions is confirmed; and use the user input as feedback for further events where the malicious code is detected on web applications, such that when the malicious code is detected on a second web application, the at least one of the one or more actions is executed. 3. The system of claim 1, wherein the processor is further configured to: display the one or more actions on a screen; receive user input indicating that the at least one of the one or more actions is confirmed; and use the user input as feedback for further events where the malicious code is detected to have been executed on web applications, such that when the malicious code is detected to have been executed on a second web application, the at least one of the one or more actions is executed. 4. The system of claim 1, wherein the processor is further configured to: detect a user interaction session at the web application, wherein the user interaction session involves a user attempting to access a user profile on the web application; and in response to determining that the malicious code is executed on the web application, terminate the user interaction session. 4. The system of claim 1, wherein the processor is further configured to: detect a user interaction session at the web application, wherein the user interaction session involves a user attempting to access a user profile on the web application; and in response to determining that the malicious code is executed on the web application, terminate the user interaction session. 5. The system of claim 1, wherein the set of configuration parameter values comprises at least one of: a number of visits to the web application; a location from which the web application is visited; a number of times a database associated with the web application is accessed; a number of failed login attempts at the web application; a number of failures to load one or more web pages associated with the web application; a number of Application Programming Interface (API) calls made to the web application; or a number of API responses made by the web application. 5. The system of claim 1, wherein the set of configuration parameter values comprises at least one of: a number of visits to the web application; a location from which the web application is visited; a number of times a database associated with the web application is accessed; a number of failed login attempts at the web application; a number of failures to load one or more web pages associated with the web application; a number of Application Programming Interface (API) calls made to the web application; or a number of API responses made by the web application. 6. The system of claim 1, wherein determining that the malicious code is executed on the web application is in response to determining that more than a threshold number of set of configuration parameter values are deviating from counterpart historical configuration parameter values. 6. The system of claim 1, wherein determining that the malicious code is executed on the web application is in response to determining that more than a threshold number of set of configuration parameter values are deviating from counterpart historical configuration parameter values by more than the threshold rate. 7. The system of claim 1, wherein, determining, based at least in part upon the function associated with the malicious code, the one or more actions to counter the malicious code comprises: in response to determining that the malicious code is executed to gain unauthorized access to non-public information associated with the web application, the at least one of the one or more actions comprises blocking network communications originated from an Internet Protocol (IP) address associated with the malicious code or adding the IP address associated with the malicious code to a firewall configuration as a malicious IP address; in response to determining that the malicious code is executed to cause performance degradation at the web application, the at least one of the one or more actions comprises rerouting the network communications coming from the IP address associated with the malicious code to another application; or in response to determining that the malicious code is executed to cause network traffic congestion at the web application, the at least one of the one or more actions comprises rerouting the network communications coming from the IP address associated with the malicious code to another application. 7. The system of claim 1, wherein, determining, based at least in part upon the function associated with the malicious code, the one or more actions to counter the malicious code comprises: in response to determining that the malicious code is executed to gain unauthorized access to the non-public information associated with the web application, the at least one of the one or more actions comprises blocking network communications originated from an Internet Protocol (IP) address associated with the malicious code or adding the IP address associated with the malicious code to a firewall configuration as a malicious IP address; in response to determining that the malicious code is executed to cause performance degradation at the web application, the at least one of the one or more actions comprises rerouting the network communications coming from the IP address associated with the malicious code to another application; or in response to determining that the malicious code is executed to cause network traffic congestion at the web application, the at least one of the one or more actions comprises rerouting the network communications coming from the IP address associated with the malicious code to another application. Claims 8-20 recite of similar features of claims 1-7. Therefore, claims 8-20 are rejected in a similar manner. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 2, 5-9, 12-16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over PENG (US-20190207973-A1) in view of BROWN (US-20100251371-A1), hereinafter PENG-BROWN. Regarding claim 1, PENG teaches “A system for detecting and countering malicious [code] executed on a web application comprising: a memory configured to store a set of historical configuration parameter values associated with a web application, wherein the set of historical configuration parameter values provides information about historical events that occurred on the web application; ([PENG, abstract] “Embodiments of this application disclose a website attack detection and protection method and system performed by a computing device, applied to the field of information processing technologies”) ([PENG, para. 0003] “A Challenge Collapsar (CC) attack means that an attacker generates, by using an agent server or a chicken, an authorized request pointed to an aggrieved host, to implement a distributed denial of service (DDOS) and masquerade.”) ([PENG, para. 0048] “Step 201: Determine that a plurality of historical access requests when the website does not suffer a CC attack as request samples.”) ([PENG, para. 0049] “Step 202: Respectively calculate parameter values of information aggregation degree parameters of all fields included in a header of each of the plurality of historical access requests”) ([PENG, para. 0051] “statistics on baseline values of the information aggregation degree parameter corresponding to the field are collected, an average value of the parameter values that are of the information aggregation degree parameter corresponding to the field and that are included in the plurality of request samples is used as the baseline value”) ([PENG, para. 0080] “The statistics collection module 614 is configured to collect statistics on parameter value ranges that are of the information aggregation degree parameters corresponding to all the fields”) a processor operably coupled to the memory, and configured to: detect a set of configuration parameter values associated with the web application, the set of configuration parameter values provides information about events occurring on the web application; ([PENG, para. 0059] “FIG. 4 is a flowchart of a website attack detection and intercepting method according to an embodiment of this application. As shown in FIG. 4, the method may include the following steps:”) ([PENG, para. 0060] “Step S401: Detect a request for accessing a website, where a header of the request for accessing the website includes a plurality of fields.”) for at least a first configuration parameter value from among the set of configuration parameter values: determine the first configuration parameter value over a particular period; ([PENG, para. 0061] “Step S402: Calculate a parameter value of an information aggregation degree parameter corresponding to each of the plurality of fields, and then perform step S403 or S404”) ([PENG, para. 0111] “the website attack protection apparatus collects statistics on the quantity of access requests sent to the target website within the unit time range”) compare the first configuration parameter value with a counterpart configuration parameter value from among the set of historical configuration parameter values; ([PENG, para. 0062] “Step S403: Determine whether the parameter value of the information aggregation degree parameter of each field exceeds a corresponding preset parameter value range; and if the parameter value of the information aggregation degree parameter of the field exceeds a corresponding first preset range, perform step S405; or if the parameter value of the information aggregation degree parameter of the field does not exceed a corresponding first preset range, determine that the website does not suffer a CC attack”) in response to the comparison between the first configuration parameter value and the counterpart configuration parameter value, determine that a malicious [code] is being executed on the web application; ([PENG, para. 0063] “and if the variation degree of the parameter value of the information aggregation degree parameter of the field exceeds a corresponding second preset range, perform step S405”) ([PENG, para. 0064] “Step S405: Determine that the website suffers a CC attack”) determine a function associated with the malicious [code]; ([PENG, para. 0046] “according to the parameter value or the variation degree of the parameter value of the information aggregation degree parameter of the field, whether the website suffers a CC attack. Because when generating an attack request (that is, a request for accessing the website), to reduce performance consumption, an attacker sets information of some fields in the attack request to fixed values. In this way, in this embodiment of this application, whether the website suffers a CC attack may be detected”) determine, based at least in part upon the function associated with the malicious [code], one or more actions to counter the malicious [code]; and execute at least one of the one or more actions. ([PENG, para. 0044] “if it is determined that the website suffers a CC attack, the website attack detection system may further enable a limitation policy for the request for accessing the website. For example, an access request in which information of a field is the same as information in a blacklist is limited from accessing a server of the website, or an access request having some features is limited from accessing the server of the website, or a transmission speed of the request for accessing the website is limited”). However, PENG does not explicitly teach of “malicious code executed on a web application”. In analogous teaching BROWN teaches “malicious code executed on a web application” ([BROWN, para. 0049] “Malicious code inhibitor 11 preferably conduct scans for malicious activity in real-time, instead of via a scheduled scanning. Malicious code inhibitor 11 is preferably configured to conduct a scanning operation every time a call or access is made to the protected website. The protected website thereby benefits by continuous scanning performed in real-time”) ([BROWN, para. 0042] “One embodiment of malicious code inhibitor 11 includes an optional real-time monitoring service (“SecurePlus™”) that acts as a live website guardian.”) ([BROWN, para. 0015] “aspect of this disclosure, a computer-implemented method and system are disclosed for real-time removal or blocking of malicious code from a string sent as a request to a server. The system and method comprises splitting the string into a first string portion and a second string portion. A first portion substring is parsed from the first string portion and compared to a list of malicious codes”). Thus, given the teaching of BROWN, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of malicious code executed on websites by BROWN into the teaching of a system for detecting and countering malicious code as taught by PENG. One of ordinary skill in the art would have been motivated to do so because BROWN recognizes the need to prevent vulnerabilities in websites ([BROWN, para. 0049] “Malicious code inhibitor 11 preferably conduct scans for malicious activity in real-time, instead of via a scheduled scanning. Malicious code inhibitor 11 is preferably configured to conduct a scanning operation every time a call or access is made to the protected website. The protected website thereby benefits by continuous scanning performed in real-time”) ([BROWN, para. 0002] “This application relates to information security, and, more particularly, to a system and method for preventing exploitation of vulnerabilities in websites”). Regarding claim 8, this claim recites of method claim which performs the steps of system claim 1. Therefore, claim 8 is rejected in a similar manner as in the rejection of claim 1. Regarding claim 15, this claim recites of non-transitory computer-readable medium that stores instructions, wherein when the instructions are executed by a processor performs the steps of system claim 1. Therefore, claim 15 is rejected in a similar manner as in the rejection of claim 1. Regarding claims 2, 9, and 16, PENG-BROWN teach all limitations of claims 1, 8, and 15. BROWN further teaches “wherein the one or more actions comprise: blocking network communications originated from an Internet Protocol (IP) address associated with the malicious code; rerouting the network communications originated from the IP address associated with the malicious code; or adding the IP address associated with the malicious code to a firewall configuration as a malicious IP address. ([BROWN, para. 0050] “If malicious code inhibitor 11 detects that a recent attack has occurred on computer 10, malicious code inhibitor 11 may, for example, send the information related to that attack to a centralized database that stores information on hacking attempts. The information preferably includes data, which may identify the hacker to other computers (e.g., an IP address). The centralized database preferably then sends this information immediately to other instances of malicious code inhibitor 11 running on computers 20, 30. The other instances of malicious code inhibitor 11 may then block all access by the attacker based on the attacker's identification information (e.g. the IP address)”). The same motivation to modify PENG with BROWN as in the rejection of claim 1 applies. Regarding claims 5, 12, and 19, PENG-BROWN teach all limitations of claims 1, 8, and 15. PENG further teaches “wherein the set of configuration parameter values comprises at least one of: a number of visits to the web application; a location from which the web application is visited; a number of times a database associated with the web application is accessed; a number of failed login attempts at the web application; a number of failures to load one or more web pages associated with the web application; a number of Application Programming Interface (API) calls made to the web application; or a number of API responses made by the web application. ([PENG, para. 0066] “Step S406: Obtain a plurality of first access requests sent to the website within a preset time range, where the first access request carries at least one first attribute feature, and the at least one first attribute feature is one or a combination of several of Accept, Cookie, Referer, and User-Agent”) [Examiner’s note: Examiner is interpreting a plurality of first requests sent to the website as a number of visits to the web application.] Regarding claims 6, 13, and 20, PENG-BROWN teach all limitations of claims 1, 8, and 15. PENG further teaches “wherein determining that the malicious code is executed on the web application is in response to determining that more than a threshold number of set of configuration parameter values are deviating from counterpart historical configuration parameter values. ([PENG, para. 0124] “S1005: Detect whether the quantity of times that the first attribute feature appears is greater than an appearance time quantity threshold.”) ([PENG, para. 0071] “if the parameter value of the information aggregation degree parameter of the field that is calculated by the calculation module 511 exceeds a corresponding first preset range or a variation degree of the parameter value of the information aggregation degree parameter of the field exceeds a corresponding second preset range, determine that the website suffers a CC attack”) ([PENG, para. 0062] “and if the parameter value of the information aggregation degree parameter of the field exceeds a corresponding first preset range, perform step S405”) Regarding claims 7 and 14, PENG-BROWN teach all limitations of claims 1 and 8. BROWN further teaches “wherein, determining, based at least in part upon the function associated with the malicious code, the one or more actions to counter the malicious code comprises: in response to determining that the malicious code is executed to gain unauthorized access to non-public information associated with the web application, the at least one of the one or more actions comprises blocking network communications originated from an Internet Protocol (IP) address associated with the malicious code or adding the IP address associated with the malicious code to a firewall configuration as a malicious IP address; in response to determining that the malicious code is executed to cause performance degradation at the web application, the at least one of the one or more actions comprises rerouting the network communications coming from the IP address associated with the malicious code to another application; or in response to determining that the malicious code is executed to cause network traffic congestion at the web application, the at least one of the one or more actions comprises rerouting the network communications coming from the IP address associated with the malicious code to another application. ([BROWN, para. 0004] “An XSS vulnerability exists when a web-based application fails to correctly validate user input data before returning it to the client system. By causing the victim's browser to execute injected code under the same permissions as the web application domain, the attacker bypasses the traditional security restrictions, which can result in cookie theft, account hijacking, spreading of a web mail worm, etc.”) ([BROWN, para. 0050] “If malicious code inhibitor 11 detects that a recent attack has occurred on computer 10, malicious code inhibitor 11 may, for example, send the information related to that attack to a centralized database that stores information on hacking attempts. The information preferably includes data, which may identify the hacker to other computers (e.g., an IP address). The centralized database preferably then sends this information immediately to other instances of malicious code inhibitor 11 running on computers 20, 30. The other instances of malicious code inhibitor 11 may then block all access by the attacker based on the attacker's identification information (e.g. the IP address)”). The same motivation to modify PENG with BROWN as in the rejection of claim 1 applies. Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over PENG-BROWN in view of OLSON (US-20150244734-A1). Regarding claims 3, 10, and 17, PENG-BROWN teaches all limitations of claims 1, 8, 15. However, PENG-BROWN does not teach “wherein the processor is further configured to: display the one or more actions on a screen; receive user input indicating that the at least one of the one or more actions is confirmed; and use the user input as feedback for further events where the malicious code is detected on web applications, such that when the malicious code is detected on a second web application, the at least one of the one or more actions is executed.”. In analogous teaching OLSON teaches “wherein the processor is further configured to: display the one or more actions on a screen; receive user input indicating that the at least one of the one or more actions is confirmed; and use the user input as feedback for further events where the malicious code is detected on web applications, such that when the malicious code is detected on a second web application, the at least one of the one or more actions is executed.” ([OLSON, para. 0018] “malware refers to any software that is capable of obtaining information from, or producing a function in, computers of others without their knowledge or without their consent. Malware often exploits known vulnerabilities in common software such as, for example, server programs. Malware can be conceptually grouped into malware families of like software … Malware operators may utilize a website, which can be defined according to uniform resource locator (URL) or internet protocol (IP) address”) ([OLSON, para. 0088] “At block 606, the method acts on the countermeasure. This action may take different forms. Some embodiments, for example, present the countermeasure(s) to a user, e.g., by causing them to be displayed on a computer monitor. In such embodiments, the user may be able to select a specific embodiment, e.g., by clicking on it. That is, selecting a specific countermeasure may activate that countermeasure. Other embodiments may proceed to automatically implement the countermeasure(s), e.g., if the attack is within a certain fixed time interval of the current time”) ([OLSON, para. 0142] “the threat mitigation measures may be applied manually, automatically, or some combination of the two, to ease the work load on the system administrator”). Thus, given the teaching of OLSON, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of displaying mitigation actions to a user by OLSON into the teaching of a system for detecting and countering malicious code as taught by PENG-BROWN. One of ordinary skill in the art would have been motivated to do so because OLSON recognizes the need to mitigate threats and ease work load on administrators ([OLSON, para. 0020] “embodiments generate intelligence graphs that, when displayed on a computer monitor, illustrate the interconnected data in a suggestive and informative manner. The intelligence graphs may be used to automatically identify attacks or other events, predict attacks or other events, and provide or suggest countermeasures thereto”) ([OLSON, para. 0142] “threat mitigation measures may be applied manually, automatically, or some combination of the two, to ease the work load on the system administrator”) Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over PENG-BROWN in view of MCKENDALL (US-20210014245-A1). Regarding claims 4, 11, and 18, PENG-BROWN teaches all limitations of claims 1, 8, and 15. However, PENG-BROWN does not teach “wherein the processor is further configured to: detect a user interaction session at the web application, wherein the user interaction session involves a user attempting to access a user profile on the web application; and in response to determining that the malicious code is executed on the web application, terminate the user interaction session.” In analogous teaching MCKENDALL teaches “wherein the processor is further configured to: detect a user interaction session at the web application, wherein the user interaction session involves a user attempting to access a user profile on the web application; and in response to determining that the malicious code is executed on the web application, terminate the user interaction session.” ([MCKENDALL, para. 0083] “FIGS. 11A and 11B illustrate a third embodiment in which the invention detects a Web inject attack occurring on a user computer. FIG. 11A illustrates how a malicious user 21 may steal sensitive information from a user via malicious software”) ([MCKENDALL, para. 0084] “When the user interacts with Web application 60 over Internet link 244 in order to submit account login information (for example), the Web application includes a form 240 that is downloaded as part of a Web page over link 244 to the user computer 30. The malware executing upon the user computer, however, modifies form 240 in order to produce a fake or modified form 242 that appears on the Web page in the user's browser—instead of the original form 240 returned by the origin server. The fake form 242 appears to also require that the user type in their personal identification number (PIN). Once the user does this, the malware captures this information and sends it surreptitiously over link 248 to the C&C software 61 on the malicious user's server computer”) ([MCKENDALL, para. 0092] “all of the calculated pairs match. For example, the fingerprint of form 240 will be compared to the fingerprint of form 242, etc. If any pair does not match, then in step 744 the integrity engine determines that a Web inject attack has taken place and generates an alert, logs the discrepancy, redirects the session to another server, the session may be terminated, a customer-defined action may be taken, or takes other action such as locking the user's account”). Thus, given the teaching of MCKENDALL, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of terminating user session by MCKENDALL into the teaching of a system for detecting and countering malicious code as taught by PENG-BROWN. One of ordinary skill in the art would have been motivated to do so because MCKENDALL recognizes the need to protect sensitive information ([MCKENDALL, para. 0003] “Risks to Web applications, to user host computers, to user private data (including user accounts and credentials), and to online transactions continue to increase due to proliferation of malware and due to its increased sophistication. Unfortunately, traditional approaches only address part of this problem and have had mixed results”) ([MCKENDALL, para. 0010] “Embodiments of the present invention: prevent the theft of sensitive information (from malware that tries to exfiltrate data or interfere with the user performing sensitive transactions); protect the Web application (from direct attacks and robot networks)”). Pertinent Art The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. PAVLYUSHCHIK (US-20170004309-A1): This prior art teaches of system and method for detecting malicious code in address space of a process. An exemplary method comprises: detecting a first process executed on the computer in association with an application; intercepting at least one function call made by the first process to a second process; determining one or more attributes associated with the at least one function call; determining whether to perform malware analysis of code associated with the at least one function call in an address space associated with the second process based on application of one or more rules to the one or more attributes; and upon determining to perform malware analysis of the code, determining whether the code in the address space is malicious. CHOI (US-20160212157-A1): This prior art teaches of system for analyzing large-scale malicious codes includes a malicious code management server dividing suspected malicious traffic collected into a plurality of first suspected malicious executable files and transmitting the plurality of first suspected malicious executable files to at least one or more virtualization analysis servers; and the at least one or more virtualization analysis servers executing the plurality of first suspected malicious executable files through a plurality of virtualization analysis agents load-balanced correspondingly to the plurality of first suspected malicious executable files and extracting first API call information called by malicious codes in user level and in kernel level. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /A.A./ 06/21/2026 /AFAQ ALI/Examiner, Art Unit 2434 /NOURA ZOUBAIR/Primary Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

Mar 18, 2025
Application Filed
Jun 24, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665926
System And Methods Of Defense Against DDoS Attacks For Applications On A Multi-Substrate Multi-Ingress Shared Infrastructure With Multiple Cloud Architectures
1y 9m to grant Granted Jun 23, 2026
Patent 12639404
Authorization of Access Rights Licenses
2y 2m to grant Granted May 26, 2026
Patent 12627679
CYBER SECURITY SYSTEM APPLYING NETWORK SEQUENCE PREDICTION USING TRANSFORMERS
2y 3m to grant Granted May 12, 2026
Patent 12585791
ENCRYPTED COMMUNICATION METHOD AND ELECTRONIC DEVICE
3y 7m to grant Granted Mar 24, 2026
Patent 12572656
CONTROL FLOW INTEGRITY MONITORING BASED INSIGHTS
3y 2m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+13.3%)
2y 5m (~1y 1m remaining)
Median Time to Grant
Low
PTA Risk
Based on 137 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month