Prosecution Insights
Last updated: July 17, 2026
Application No. 19/221,193

GENERATION AND APPLICATION OF SYNTHETIC THREAT DATA

Non-Final OA §101§102§103
Filed
May 28, 2025
Priority
May 31, 2024 — provisional 63/654,590
Examiner
WYSZYNSKI, AUBREY H
Art Unit
Tech Center
Assignee
Royal Bank of Canada
OA Round
1 (Non-Final)
90%
Grant Probability
Favorable
1-2
OA Rounds
1y 6m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 90% — above average
90%
Career Allowance Rate
639 granted / 714 resolved
+29.5% vs TC avg
Moderate +12% lift
Without
With
+12.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
20 currently pending
Career history
745
Total Applications
across all art units

Statute-Specific Performance

§101
3.3%
-36.7% vs TC avg
§103
59.0%
+19.0% vs TC avg
§102
23.6%
-16.4% vs TC avg
§112
1.2%
-38.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 714 resolved cases

Office Action

§101 §102 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-16 are pending. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-2 and 8-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. To evaluate each claim under 35 U.S.C. § 101, we must apply the USPTO’s two-part Alice/Mayo framework. Step 1: Statutory Category: Does the claim fall into one of the four statutory categories (process, machine, manufacture, or composition of matter)? Step 2A, Prong 1: Is the claim directed to a judicial exception (an abstract idea, such as a mental process, mathematical concept, or certain methods of organizing human activity)? Step 2A, Prong 2: If it is an abstract idea, does the claim integrate that exception into a practical application (e.g., an improvement to the functioning of a computer or technology)? Step 2B: If not integrated, does the claim contain an inventive concept—elements that are "significantly more" than well-understood, routine, and conventional activities? Claims 1, 9, and 10 Claim 1: A computer-implemented method for detecting computer vulnerabilities... Claim 9: A data processing system... (corresponds to Claim 1). Claim 10: A tangible, non-transitory computer-readable medium... (corresponds to Claim 1). Step 1: Statutory Categories Passes Step 1. Claim 1 is a method (process). Claim 9 is a data processing system (machine). Claim 10 is a tangible, non-transitory computer-readable medium (manufacture). The explicit use of "non-transitory" in Claim 10 properly avoids the exception for signals per se. Step 2A, Prong One: Recitation of a Judicial Exception Fails Prong One. Claim 1 recites the steps of "generating synthetic threat data," "injecting" data, "observing a protective model," and "flagging the failure." These steps represent collecting information, analyzing it, and presenting the results. Under USPTO guidelines, this constitutes an abstract idea, specifically falling under the groupings of a mental process (observing and flagging based on a set of rules) or a method of organizing human activity (testing and validating a system's performance). Step 2A, Prong Two: Integration into a Practical Application Fails Prong Two. Claim 1 is drafted at a high level of functional abstraction. It recites what is being done (generating, injecting, observing, flagging) rather than how it is being done technologically. It does not recite a specific technical improvement to computer functionality or network security at this broad level; it merely uses generic computer components ("composite data stream," "protective model") as a tool to execute the abstract idea of testing a model. Therefore, the claim is "directed to" the abstract idea. Step 2B: Significantly More Fails Step 2B. Looking at the claim elements individually and as an ordered combination, there is no "inventive concept" that transforms the abstract idea into eligible subject matter. The elements (automatically generating, injecting, observing, flagging) are recited at a high level of generality and amount to no more than applying the abstract idea on a generic computer. Claim 2 (Malicious activity is C2 activity): Merely narrows the type of data being analyzed. Fails to provide a practical application or significantly more. Claim 3 (Infecting virtual machines; collecting simulated network traffic): Passes Step 2A, Prong Two / Step 2B. This claim introduces specific, technical network architecture limitations: "infecting a plurality of virtual machines with pseudo-malicious agents" and connecting them to a "simulated network." This represents a specific technological solution to a technical problem (the inability to safely test behavioral models against true malicious activity on a live network, as noted in the specification). Claims 4-7: Because these depend on Claim 3 and add further specific technical implementations (e.g., deriving agents from configuration files in Claim 4; using an EDR tool to inject agents in Claim 6, they will also pass for the same reasons as Claim 3. Claim 8 (Synthetic data is entirely synthetic): Depends on Claim 1. Merely describing the data as "entirely synthetic" without reciting the technical means of generating it does not overcome the abstract nature of Claim 1. Claims 11, 15, and 16: Claim 11: A computer-implemented method for generating simulated network traffic containing simulated command and control data... Claim 15: A data processing system... (corresponds to Claim 11). Claim 16: A tangible, non-transitory computer-readable medium... (corresponds to Claim 11). Step 1: Statutory Categories Passes Step 1. (Process, Machine, Manufacture). Step 2A, Prong One: Recitation of a Judicial Exception Claim 11 recites "collecting simulated network traffic," which can be construed as the abstract idea of collecting information. Step 2A, Prong Two: Integration into a Practical Application Passes Prong Two. Unlike Claim 1, Claim 11 does not merely recite functional data generation. It specifically recites the technological mechanism: "automatically infecting a plurality of virtual machines with pseudo-malicious agents, wherein each of the virtual machines are connected to a simulated network." This is a specific, computer-centric technique designed to emulate adversarial network activity safely. It is not a process that can be performed in the human mind, nor is it a generic method of organizing human activity. It improves the technological process of computer security testing by generating true-positive telemetry. Therefore, it integrates the abstract idea into a practical application. Because independent Claim 11 integrates the concept into a practical application and survives the § 101 analysis, these dependent claims—which add further technical specificity regarding tasking sets, configuration files (Claim 12), traffic manipulation (Claim 13), and EDR tool injection (Claim 14)—are also patent-eligible under § 101. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1, 2, 9, 10 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by US 10,044,746 to Vallone et al. Regarding claims 1, 9 and 10, Vallone teaches a computer-implemented method for detecting computer vulnerabilities (abstract: assessing network vulnerabilities), comprising: automatically generating synthetic threat data representative of malicious activity (abstract: assessing a target network's vulnerability to a real cyberthreat based on determining policy-based synthetic tests configured to model the behavior of the cyberthreat); injecting the synthetic threat data into genuine data to create a composite data stream (Fig. 3 and deploying synthetic instructions directly into a live production target networks to test operational sensors); observing a protective model that monitors the composite data stream to determine a failure by the protective model to detect the synthetic threat data (receiving “real time feedback” from the target network to identify whether security devices (protective models such as IDS or firewalls) successfully caught the test or if they failed to initiate an alert); and responsive to determining the failure, flagging the failure as a vulnerability (using the feedback to test for unknown vulnerabilities and identifying specific gaps where the network’s defenses failed to respond to the synthetic threat). Regarding claim 2, Vallone teaches the method of claim 1, wherein the malicious activity is command and control activity and the synthetic threat data is command and control data (simulating network based malware behaviors including creating a network communication on a specific port or to a specific destination). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 3-8 and 11-16, are rejected under 35 U.S.C. 103 as being unpatentable over Vallone as applied to claim 1 above, and further in view of US 2021/0037040 to Aleks et al. Regarding claims 3, Vallone lacks or does not expressly disclose automatically generating the synthetic threat data. However, Aleks teaches wherein automatically generating the synthetic threat data comprises: automatically infecting a plurality of virtual machines with pseudo-malicious agents, wherein each of the virtual machines are connected to a simulated network; and automatically collecting simulated network traffic from the infected virtual machines, wherein the simulated network traffic contains communications from the pseudo-malicious agents; wherein the synthetic threat data comprises the simulated network traffic (0045-0050: the architectural implementation of automated simulations). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Vallone with Aleks to include automatically generating synthetic threat in order to execute an automated test to prevent attackers, as taught by Aleks. Regarding claims 4, Vallone lacks or does not expressly disclose specifying tasks. However, Aleks teaches the pseudo-malicious agents are generated by: automatically specifying taskings for a plurality of tasking sets; automatically generating, from the specified taskings in the tasking sets, respective configuration files for each of the tasking sets; automatically using the configuration files to derive the respective pseudo-malicious agents (0048: orchestrating simulations using configurable tests that can be executed within a playbook). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Vallone with Aleks to specifying tasks in order to execute an automated test to prevent attackers, as taught by Aleks. Regarding claims 5, Vallone, as modified above further teaches the method of claim 3, further comprising manipulating the simulated network traffic to mimic genuine network traffic while retaining characteristics of the communications from the pseudo-malicious agents (mapping specific threat characteristics to the simulation. Manipulating packet headers, payload sizes, or timing to mimic normal baseline traffic and evade detection.). Regarding claims 6, Vallone, as modified above further teaches the method of claim 3, wherein infecting the plurality of virtual machines with the pseudo-malicious agents comprises using at least one endpoint detection and response (EDR) tool to inject the pseudo-malicious agents into the virtual machines (deploying executables or scripts to endpoints via standard enterprise administration tools or EDR “live response” is well known. See Fig. 1B). Regarding claims 7, Vallone, as modified above further teaches the method of claim 3, wherein: the genuine data comprises genuine network traffic; and injecting the synthetic threat data into the genuine data to create the composite data stream comprises injecting the simulated network traffic into the genuine network traffic (executing tests on a live target network alongside regular user operations, it injects simulated traffic into genuine traffic). Regarding claims 8, Vallone, as modified above further teaches the method of claim 1, wherein the synthetic threat data is entirely synthetic (generation of synthetic tests modeled after threats rather than requiring the use of actual malware). Regarding claims 11, 15 and 16, Vallone teaches a computer-implemented method for generating simulated network traffic containing simulated command and control data representative of malware activity (abstract), the method comprising: Vallone lacks or does not expressly disclose automation. However Aleks teaches automatically infecting a plurality of virtual machines with pseudo-malicious agents, wherein each of the virtual machines are connected to a simulated network; and automatically collecting simulated network traffic from the infected virtual machines (0045-0050: the architectural implementation of automated simulations). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Vallone with Aleks to include automatically generating synthetic threat in order to execute an automated test to prevent attackers, as taught by Aleks. Vallone, as modified above, further teaches wherein the simulated network traffic contains communications from the pseudo-malicious agents (synthetic tests) As per claim 12-14, this is a method version of the claimed method discussed above in claims 4-6 wherein all claimed limitations have also been addressed and/or cited as set forth above. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /AUBREY H WYSZYNSKI/Primary Examiner, Art Unit 2434
Read full office action

Prosecution Timeline

May 28, 2025
Application Filed
Jul 01, 2026
Non-Final Rejection mailed — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676891
ENDPOINT SECURITY GROUPS IN PRIVATE MULTI-ACCESS EDGE COMPUTE NETWORKS
2y 6m to grant Granted Jul 07, 2026
Patent 12659351
SECURE NETWORK COMMUNICATION SYSTEM AND METHOD
2y 4m to grant Granted Jun 16, 2026
Patent 12652310
SELECTING ACTIONS RESPONSIVE TO COMPUTING ENVIRONMENT INCIDENTS BASED ON SEVERITY RATING
2y 10m to grant Granted Jun 09, 2026
Patent 12647406
CROSS APPLICATION AUTHORIZATION FOR ENTERPRISE SYSTEMS
2y 8m to grant Granted Jun 02, 2026
Patent 12641125
AUTOMATED EDGE DRIVEN COLLABORATIVE DATA PROTECTION POLICY MANAGEMENT IN LARGE SCALE EDGE ENVIRONMENTS
3y 3m to grant Granted May 26, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
90%
Grant Probability
99%
With Interview (+12.5%)
2y 8m (~1y 6m remaining)
Median Time to Grant
Low
PTA Risk
Based on 714 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month