Prosecution Insights
Last updated: July 17, 2026
Application No. 19/096,605

System and Method for Cybersecurity Threat Detection and Prevention with Discrete Event Simulation

Non-Final OA §101
Filed
Mar 31, 2025
Priority
Oct 28, 2015 — CIP of 14/925,974 +13 more
Examiner
WRIGHT, BRYAN F
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Qomplx LLC
OA Round
1 (Non-Final)
78%
Grant Probability
Favorable
1-2
OA Rounds
1y 10m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
638 granted / 815 resolved
+20.3% vs TC avg
Strong +24% interview lift
Without
With
+24.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
20 currently pending
Career history
839
Total Applications
across all art units

Statute-Specific Performance

§101
3.7%
-36.3% vs TC avg
§103
83.1%
+43.1% vs TC avg
§102
6.8%
-33.2% vs TC avg
§112
2.6%
-37.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 815 resolved cases

Office Action

§101
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. DETAILED ACTION This action is in response to applicant’s original claim submittal made on 03/31/2025. Claims 1-12 are pending. Examiner’s Note – The examiner notes for the record that applicant’s claims 1-12 submitted in this application are exactly identical to claims 1-12 in applicant’s patent no. 12,267,347. Specification (Title) The title of the invention is not descriptive. A new title is required that is clearly indicative of the invention to which the claims are directed. Double Patenting A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957). A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101. Claims 1-12 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-12 of prior U.S. Patent No. Patent No. 12,267,347 and 347’. This is a statutory double patenting rejection. (19/096605) Claim 1. A system for comprehensive data loss prevention and compliance management, comprising: a computing system comprising a processor and a memory; an observation and state estimation subsystem comprising a first plurality of programming instructions stored in the memory and operating on the processor, wherein the first plurality of programming instructions, when operating on the processor, cause the computing system to: produce a cyber-physical graph representing a plurality of connected resources on a network, wherein: the connected resources comprise one or more of people, devices, systems, and organizations within the network; the cyber-physical graph comprises nodes representing the connected resources, with each node having one or more properties associated with the connected resource represented by that node; the cyber-physical graph comprises edges representing logical or physical relationships between pairs of the connected resources; and the cyber-physical graph includes information about sensitive data stored on one or more of the connected resources; and an activity monitoring subsystem comprising a second plurality of programming instructions stored in the memory and operating on the processor, wherein the second plurality of programming instructions, when operating on the processor, cause the computing system to: collect data from a plurality of sources within the network, wherein the plurality of sources includes one or more of: system endpoints, infrastructure servers, perimeter security devices, and network security monitoring tools; analyze the collected data to identify sensitive data stored on one or more of the connected resources; update the cyber-physical graph to include information about the identified sensitive data and its location; and generate expected behavior data of at least some of the plurality of connected resources on the network by applying a behavioral model to nodes of the cyber-physical graph; generate actual behavior data of at least some of the plurality of connected resources on the network from time-series data comprising a record of network events and the respective times at which each network event occurred; detect a deviation between the actual behavior data and the expected behavior data for a first node by comparing properties of the expected behavior data of the first node with properties of the actual behavior data of the first node; when a deviation is detected, transmit data relevant to the deviation to a risk analysis and scoring subsystem; and the risk analysis and scoring subsystem comprising a third plurality of programming instructions stored in the memory and operating on the processor, wherein the third plurality of programming instructions, when operating on the processor, cause the computing system to: receive data relevant to the deviation; analyze severity of a threat posed by the deviation using at least one analysis algorithm; and generate a risk score based on a plurality of factors that indicate the severity of the threat. Claim 2. The system of claim 1, wherein the risk analysis and scoring subsystem further generates an impact assessment score for each affected connected resource by determining an impact on the network using the cyber-physical graph. Claim 3. The system of claim 2, wherein the impact assessment score further comprises the calculation of the overall impact of a cyberattack, wherein the calculation is based at least in part on the impact assessment score for each connected resource affected by the cyberattack. Claim 4. The system of claim 1, wherein the detection of deviations is based in part on a comparison of relationships between the connected resources against known security vulnerabilities. Claim 5. The system of claim 4, wherein the risk score is based at least in part on the results of the comparison against known security vulnerabilities. Claim 6. The system of claim 1, wherein the observation and state estimation subsystem is further configured to produce a visualization based at least in part on at least a portion of the time-series data, wherein the visualization illustrates changes to the time-series data over time. Claim 7. A method for comprehensive data loss prevention and compliance management, comprising the steps of: monitoring a plurality of connected resources on a network; producing a cyber-physical graph representing the plurality of connected resources, wherein: the connected resources comprise one or more of people, devices, systems, and organizations within the network; the cyber-physical graph comprises nodes representing the connected resources, with each node having one or more properties associated with the connected resource represented by that node; the cyber-physical graph comprises edges representing logical or physical relationships between pairs of the connected resources on the network; and the cyber-physical graph includes information about sensitive data stored on one or more of the connected resources; collecting data from a plurality of sources within the network, wherein the plurality of sources includes one or more of: system endpoints, infrastructure servers, perimeter security devices, and network security monitoring tools; analyzing the collected data to identify sensitive data stored on one or more of the connected resources; updating the cyber-physical graph to include information about the identified sensitive data and its location; generating expected behavior data of at least some of the plurality of connected resources on the network by applying a behavioral model to nodes of the cyber-physical graph; generating actual behavior data of at least some of the plurality of connected resources on the network from time-series data comprising a record of network events and the respective times at which each network event occurred; detecting a deviation between the actual behavior data of a first node and the expected behavior data of the first node; and when the deviation is detected: analyzing severity of a threat posed by the deviation using at least one analysis algorithm; generating a risk score based on a plurality of factors that indicate the severity of the threat; and displaying the risk score in text and graphical form. Claim 8. The method of claim 7, further comprising the step of generating an impact assessment score for each affected connected resource by determining an impact on the network using the cyber-physical graph. Claim 9. The method of claim 8, wherein the impact assessment score further comprises the calculation of the overall impact of a cyberattack, wherein the calculation is based at least in part on the impact assessment score for each connected resource affected by the cyberattack. Claim 10. The method of claim 7, wherein the detection of deviations is based in part on a comparison of relationships between the connected resources against known security vulnerabilities. Claim 11. The method of claim 10, wherein the risk score is based at least in part on the results of the comparison against known security vulnerabilities. Claim 12. The method of claim 7, further comprising the step of producing a visualization based at least in part on at least a portion of the time-series data, wherein the visualization illustrates changes to the time-series data over time. MAPS to (764’) Claim 1. A system for comprehensive data loss prevention and compliance management, comprising: a computing system comprising a processor and a memory; an observation and state estimation subsystem comprising a first plurality of programming instructions stored in the memory and operating on the processor, wherein the first plurality of programming instructions, when operating on the processor, cause the computing system to: produce a cyber-physical graph representing a plurality of connected resources on a network, wherein: the connected resources comprise one or more of people, devices, systems, and organizations within the network; the cyber-physical graph comprises nodes representing the connected resources, with each node having one or more properties associated with the connected resource represented by that node; the cyber-physical graph comprises edges representing logical or physical relationships between pairs of the connected resources; and the cyber-physical graph includes information about sensitive data stored on one or more of the connected resources; and an activity monitoring subsystem comprising a second plurality of programming instructions stored in the memory and operating on the processor, wherein the second plurality of programming instructions, when operating on the processor, cause the computing system to: collect data from a plurality of sources within the network, wherein the plurality of sources includes one or more of: system endpoints, infrastructure servers, perimeter security devices, and network security monitoring tools; analyze the collected data to identify sensitive data stored on one or more of the connected resources; update the cyber-physical graph to include information about the identified sensitive data and its location; and generate expected behavior data of at least some of the plurality of connected resources on the network by applying a behavioral model to nodes of the cyber-physical graph; generate actual behavior data of at least some of the plurality of connected resources on the network from time-series data comprising a record of network events and the respective times at which each network event occurred; detect a deviation between the actual behavior data and the expected behavior data for a first node by comparing properties of the expected behavior data of the first node with properties of the actual behavior data of the first node; when a deviation is detected, transmit data relevant to the deviation to a risk analysis and scoring subsystem; and the risk analysis and scoring subsystem comprising a third plurality of programming instructions stored in the memory and operating on the processor, wherein the third plurality of programming instructions, when operating on the processor, cause the computing system to: receive data relevant to the deviation; analyze severity of a threat posed by the deviation using at least one analysis algorithm; and generate a risk score based on a plurality of factors that indicate the severity of the threat. Claim 2. The system of claim 1, wherein the risk analysis and scoring subsystem further generates an impact assessment score for each affected connected resource by determining an impact on the network using the cyber-physical graph. Claim 3. The system of claim 2, wherein the impact assessment score further comprises the calculation of the overall impact of a cyberattack, wherein the calculation is based at least in part on the impact assessment score for each connected resource affected by the cyberattack. Claim 4. The system of claim 1, wherein the detection of deviations is based in part on a comparison of relationships between the connected resources against known security vulnerabilities. Claim 5. The system of claim 4, wherein the risk score is based at least in part on the results of the comparison against known security vulnerabilities. Claim 6. The system of claim 1, wherein the observation and state estimation subsystem is further configured to produce a visualization based at least in part on at least a portion of the time-series data, wherein the visualization illustrates changes to the time-series data over time. Claim 7. A method for comprehensive data loss prevention and compliance management, comprising the steps of: monitoring a plurality of connected resources on a network; producing a cyber-physical graph representing the plurality of connected resources, wherein: the connected resources comprise one or more of people, devices, systems, and organizations within the network; the cyber-physical graph comprises nodes representing the connected resources, with each node having one or more properties associated with the connected resource represented by that node; the cyber-physical graph comprises edges representing logical or physical relationships between pairs of the connected resources on the network; and the cyber-physical graph includes information about sensitive data stored on one or more of the connected resources; collecting data from a plurality of sources within the network, wherein the plurality of sources includes one or more of: system endpoints, infrastructure servers, perimeter security devices, and network security monitoring tools; analyzing the collected data to identify sensitive data stored on one or more of the connected resources; updating the cyber-physical graph to include information about the identified sensitive data and its location; generating expected behavior data of at least some of the plurality of connected resources on the network by applying a behavioral model to nodes of the cyber-physical graph; generating actual behavior data of at least some of the plurality of connected resources on the network from time-series data comprising a record of network events and the respective times at which each network event occurred; detecting a deviation between the actual behavior data of a first node and the expected behavior data of the first node; and when the deviation is detected: analyzing severity of a threat posed by the deviation using at least one analysis algorithm; generating a risk score based on a plurality of factors that indicate the severity of the threat; and displaying the risk score in text and graphical form. Claim 8. The method of claim 7, further comprising the step of generating an impact assessment score for each affected connected resource by determining an impact on the network using the cyber-physical graph. Claim 9. The method of claim 8, wherein the impact assessment score further comprises the calculation of the overall impact of a cyberattack, wherein the calculation is based at least in part on the impact assessment score for each connected resource affected by the cyberattack. Claim 10. The method of claim 7, wherein the detection of deviations is based in part on a comparison of relationships between the connected resources against known security vulnerabilities. Claim 11. The method of claim 10, wherein the risk score is based at least in part on the results of the comparison against known security vulnerabilities. 12. The method of claim 7, further comprising the step of producing a visualization based at least in part on at least a portion of the time-series data, wherein the visualization illustrates changes to the time-series data over time. Claims 1 and 7 are rejected on the ground of non-statutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,681,074 and 074’ hereinafter. Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to the following: (19/096605) Claim 1. A system for comprehensive data loss prevention and compliance management, comprising: a computing system comprising a processor and a memory; an observation and state estimation subsystem comprising a first plurality of programming instructions stored in the memory and operating on the processor, wherein the first plurality of programming instructions, when operating on the processor, cause the computing system to: produce a cyber-physical graph representing a plurality of connected resources on a network, wherein: the connected resources comprise one or more of people, devices, systems, and organizations within the network; the cyber-physical graph comprises nodes representing the connected resources, with each node having one or more properties associated with the connected resource represented by that node; the cyber-physical graph comprises edges representing logical or physical relationships between pairs of the connected resources; and the cyber-physical graph includes information about sensitive data stored on one or more of the connected resources; and an activity monitoring subsystem comprising a second plurality of programming instructions stored in the memory and operating on the processor, wherein the second plurality of programming instructions, when operating on the processor, cause the computing system to: collect data from a plurality of sources within the network, wherein the plurality of sources includes one or more of: system endpoints, infrastructure servers, perimeter security devices, and network security monitoring tools; analyze the collected data to identify sensitive data stored on one or more of the connected resources; update the cyber-physical graph to include information about the identified sensitive data and its location; and generate expected behavior data of at least some of the plurality of connected resources on the network by applying a behavioral model to nodes of the cyber-physical graph; generate actual behavior data of at least some of the plurality of connected resources on the network from time-series data comprising a record of network events and the respective times at which each network event occurred; detect a deviation between the actual behavior data and the expected behavior data for a first node by comparing properties of the expected behavior data of the first node with properties of the actual behavior data of the first node; when a deviation is detected, transmit data relevant to the deviation to a risk analysis and scoring subsystem; and the risk analysis and scoring subsystem comprising a third plurality of programming instructions stored in the memory and operating on the processor, wherein the third plurality of programming instructions, when operating on the processor, cause the computing system to: receive data relevant to the deviation; analyze severity of a threat posed by the deviation using at least one analysis algorithm; and generate a risk score based on a plurality of factors that indicate the severity of the threat; maps to (074’) Claim 1. A system for comprehensive data loss prevention and compliance management, comprising: a hardware processor and memory; time series and graph-based data store comprising at least a plurality of programming instructions stored in the memory of, and operating on at least one hardware processor of, a computing device, wherein the plurality of programming instructions, when operating on the hardware processor, cause the computing device to: monitor a plurality of network events; produce time-series data comprising at least a record of a network event and the time at which the event occurred; an observation and state estimation module comprising at least a plurality of programming instructions stored in the memory of, and operating on at least one hardware processor of, a computing device, wherein the plurality of programming instructions, when operating on the hardware processor, cause the computing device to: monitor a plurality of connected resources on a network; produce a cyber-physical graph representing at least a portion of the plurality of connected resources, the cyber-physical graph comprising at least the logical relationships between the portion of the plurality of connected resources on the network and the physical relationships between any connected resources that comprise at least a hardware device; a directed computational graph module comprising at least a plurality of programming instructions stored in the memory of, and operating on at least one hardware processor of, a computing device, wherein the plurality of programming instructions, when operating on the hardware processor, cause the computing device to: perform a plurality of analysis and transformation operations on at least a portion of the time-series data; perform a plurality of analysis and transformation operations on at least a portion of the cyber-physical graph; an activity monitoring engine comprising at least a plurality of programming instructions stored in the memory of, and operating on at least one processor of, a computing device, wherein the plurality of programming instructions, when operating on the hardware processor, cause the computing device to: access models of expected behavior of people, devices, systems, and organizations within a network; gather and store data on actual behaviors of people, devices, systems, and organizations within a network by monitoring a plurality of network events; detect deviations of the actual behaviors of people, devices, systems, and organizations from the expected behaviors of people, devices, systems, and organizations using at least one comparative algorithm; when deviations are detected, send information about the deviation to a risk analysis and scoring engine; and a risk analysis and scoring engine comprising at least a plurality of programming instructions stored in the memory of, and operating on at least one hardware processor of, a computing device, wherein the plurality of programming instructions, when operating on the hardware processor, cause the computing device to: receive deviation information from the activity monitoring engine; analyze the severity of the threat posed by the deviation using at least one analysis algorithm; generate a risk score based on a plurality of factors which indicate the severity of the threat; display the risk score in text and graphical form. Contact Information Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BRYAN F WRIGHT/ Examiner, Art Unit 2497
Read full office action

Prosecution Timeline

Mar 31, 2025
Application Filed
Jul 01, 2026
Non-Final Rejection mailed — §101 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12665918
Predefined signatures for inspecting private application access
4y 0m to grant Granted Jun 23, 2026
Patent 12648451
SECURE CHIPS WITH SERIAL NUMBERS
3y 0m to grant Granted Jun 02, 2026
Patent 12640913
COHERENT KEY MANAGEMENT ACROSS MULTIPLE CHIPLETS
2y 8m to grant Granted May 26, 2026
Patent 12640932
SECURING GROUP MESSAGES OVER HYPERTEXT TRANSFER PROTOCOL WITH KEY MANAGEMENT AND ROTATION FOR MULTI-PARTY GROUPS
10m to grant Granted May 26, 2026
Patent 12627509
Cryptographically Authenticated Database Representing a Multiple-Key-Pair Root Certificate Authority
2y 9m to grant Granted May 12, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+24.0%)
3y 2m (~1y 10m remaining)
Median Time to Grant
Low
PTA Risk
Based on 815 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month