Prosecution Insights
Last updated: April 19, 2026
Application No. 19/300,565

Methods for Internet Communication Security

Final Rejection §103 §DP
Filed: Aug 14, 2025
Examiner: GOODCHILD, WILLIAM J
Art Unit: 2433
Tech Center: 2400 — Computer Networks
Assignee: Stealthpath Inc.
OA Round: 2 (Final)

Grant Probability: 83% (Favorable)
OA Rounds: 3-4
To Grant: 3y 4m
With Interview: 97%

Examiner Intelligence

Career Allow Rate: 83% (above average); 612 granted / 739 resolved; +24.8% vs TC avg
Interview Lift: +14.1% (moderate), with vs. without interview, over resolved cases with interview
Avg Prosecution: 3y 4m (typical timeline); 18 currently pending
Total Applications: 757 across all art units (career history)

Statute-Specific Performance

§101: 10.1% (-29.9% vs TC avg)
§103: 51.0% (+11.0% vs TC avg)
§102: 18.4% (-21.6% vs TC avg)
§112: 11.4% (-28.6% vs TC avg)

Tech Center average is an estimate. Based on career data from 739 resolved cases.

Office Action

§103 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed 02/28/2026 have been fully considered but they are not persuasive.

A – Applicant argues: In addition, Applicant notes that Hidle does not teach verifying source port authorization; Hidle teaches device-level authentication at Layer 2, not port-level authorization based on port-number associations. The Examiner relies on Hidle paragraphs 21-25 and 44-45 to teach limitation (ii), which requires "verifying that the source port is authorized to communicate with a port having the associated destination port number." Hidle discusses a system for Layer 2 encryption between endpoint devices in embedded industrial networks. Hidle's system is designed for environments such as "Honeywell's Experion PKS control system." At best, this would relate to endpoint device authentication where two endpoint devices are authorized to communicate via an encrypted link. This is fundamentally different from port-level authorization.

A – The Examiner respectfully disagrees: Hidle teaches encrypted communications between node ports; successful decryption shows authorized communication with source and destination ports. Therefore the rejection is maintained.

B – Applicant argues: Further, Applicant notes that Hidle does not teach a network tunnel with one-to-one correspondence to destination port numbers. Similarly, Applicant notes that Hidle does not teach a network tunnel with one-to-one correspondence with the associated destination port number; Hidle teaches a single encrypted link for all traffic to/from a device, without any correspondence between the tunnel and specific destination port numbers. The Examiner relies on Hidle paragraphs 17-25 and 44-45 to teach limitation (iv), which requires "requesting transmission of the network packet through a network tunnel having a one-to-one correspondence with the associated destination port number." Hidle discusses a single encrypted link for all traffic to/from the device, which is not the same as the claimed architecture where a destination port has its own one-to-one correspondence network tunnel. The claimed invention enables security benefits that Hidle does not and cannot provide, such as isolation between different port-level communications and the ability to apply different security policies to different ports.

B – The Examiner respectfully disagrees: When two endpoints are communicating, in some embodiments, they exchange a sequence of handshake packets to establish authenticity …. Therefore the rejection is maintained.

C – Applicant argues: The combination of Hidle and Teh does not cure these deficiencies; Teh teaches application identifiers and data type descriptors for message routing, but neither Hidle nor Teh alone or in combination teaches port-level authorization or port-specific tunnels. The combination lacks adequate motivation; the Examiner's rationale is conclusory and does not explain why a person of ordinary skill would combine an industrial network encryption system with a wireless consumer messaging protocol.

C – The Examiner respectfully disagrees: Hidle teaches communications between different nodes via ports. Teh teaches higher than OSI layer three, and the combination of the arts teaches the claimed invention. Further, the combination is motivated by both arts being related to secure communication between devices. Therefore the rejection is maintained.
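The distinction argued under A and B (authorizing a specific source/destination port pair and routing through a tunnel bound to exactly one destination port, as opposed to one device-level encrypted link carrying all traffic) can be shown in code. The following Python is an added illustration written for this page; it is not Stealthpath's implementation and not drawn from Hidle or Teh, and the port table, user-application identifiers, Tunnel object and sample packets are all constructed assumptions. It models the authorization and tunnel-mapping logic of claim 1 only; no real encryption or sockets are involved.

```python
"""Illustration of the four communication management operations recited in
claim 1 of 19/300,565, run over a constructed port table:
  (i)   receive a data packet from a source port,
  (ii)  verify the source port is authorized for the destination port number,
  (iii) assemble a network packet carrying the payload, a user-application
        identifier and a payload data type descriptor,
  (iv)  hand the packet to the tunnel that corresponds one-to-one with the
        destination port number.
Every name, port number and payload below is constructed for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataPacket:
    """What the local source port hands to the gateway (operation i)."""
    source_port: int
    destination_port: int
    data_type: str   # descriptor of the application-layer payload, e.g. "modbus-read"
    payload: bytes   # the higher-than-OSI-layer-3 (application) portion


@dataclass(frozen=True)
class NetworkPacket:
    """What is assembled for transmission (operation iii)."""
    payload: bytes
    user_app_id: str       # user-application identifier bound to the source port
    data_type: str         # payload data type descriptor
    destination_port: int


@dataclass
class Tunnel:
    """A tunnel bound to exactly one destination port (operation iv)."""
    destination_port: int
    sent: list = field(default_factory=list)

    def send(self, pkt: NetworkPacket) -> None:
        # The one-to-one binding is enforced at the tunnel as well, so a
        # routing bug elsewhere cannot mix traffic for different ports.
        if pkt.destination_port != self.destination_port:
            raise ValueError("packet does not belong to this tunnel")
        self.sent.append(pkt)


class PortLevelGateway:
    """Port-level policy: each (source, destination) pair and each port's
    payload type is authorized explicitly, and each destination port gets its
    own tunnel. A device-level scheme would instead accept any port pair once
    the peer device had been authenticated, with one link for all ports."""

    def __init__(self, authorized_pairs, app_by_source_port, type_by_dest_port):
        self.authorized_pairs = set(authorized_pairs)       # {(src_port, dst_port)}
        self.app_by_source_port = dict(app_by_source_port)  # src_port -> user-app id
        self.type_by_dest_port = dict(type_by_dest_port)    # dst_port -> allowed type
        self.tunnels: dict[int, Tunnel] = {}

    def tunnel_for(self, destination_port: int) -> Tunnel:
        # One tunnel per destination port, created on first use, never shared.
        return self.tunnels.setdefault(destination_port, Tunnel(destination_port))

    def handle(self, pkt: DataPacket) -> str:
        """Run operations ii-iv on one packet; return a status string for logging."""
        if (pkt.source_port, pkt.destination_port) not in self.authorized_pairs:
            return "denied: port pair not authorized"           # operation ii
        if self.type_by_dest_port.get(pkt.destination_port) != pkt.data_type:
            return "denied: payload type not allowed on port"   # per-port policy
        app_id = self.app_by_source_port.get(pkt.source_port)
        if app_id is None:
            return "denied: no user-application bound to source port"
        net = NetworkPacket(pkt.payload, app_id, pkt.data_type, pkt.destination_port)
        self.tunnel_for(pkt.destination_port).send(net)        # operation iv
        return "forwarded"


def build_sample_gateway() -> PortLevelGateway:
    """Constructed policy: two local applications, two remote ports, explicit pairs."""
    return PortLevelGateway(
        authorized_pairs={(40001, 502), (40002, 8443)},
        app_by_source_port={40001: "hmi-client", 40002: "log-shipper"},
        type_by_dest_port={502: "modbus-read", 8443: "syslog-json"},
    )


def run_sample() -> dict:
    """Drive the gateway with constructed packets; returns statuses and tunnel state."""
    gw = build_sample_gateway()
    statuses = {
        "good_modbus": gw.handle(DataPacket(40001, 502, "modbus-read", b"\x01\x03\x00\x00\x00\x02")),
        "good_syslog": gw.handle(DataPacket(40002, 8443, "syslog-json", b'{"msg":"boot"}')),
        "wrong_pair": gw.handle(DataPacket(40002, 502, "modbus-read", b"\x01\x03")),
        "wrong_type": gw.handle(DataPacket(40001, 502, "modbus-write", b"\x01\x10")),
    }
    return {
        "statuses": statuses,
        "tunnel_ports": sorted(gw.tunnels),                       # one tunnel per port
        "modbus_tunnel_apps": [p.user_app_id for p in gw.tunnels[502].sent],
    }


if __name__ == "__main__":
    print(run_sample())
```

The two denied packets show what the applicant's argument turns on: the log-shipper port is an authorized peer for 8443 but not for 502, and a Modbus write on a port provisioned for reads is refused even though the pair itself is allowed.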
Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to a final Office action, see 37 CFR 1.113(c). A request for reconsideration, while not provided for in 37 CFR 1.113(c), may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1-30 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent Nos. 10,361,859, 10,367,811, 10,375,019, 10,374,803, 11,245,529, 10,397,186, 10,630,642. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims relate to the same concept of networked computing devices performing communication management operations.

Claim comparison: 19/300565 | 11,245,529 | 10,374,803

19/300565, claim 1: A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a processor to perform communication management operations, the communication management operations comprising: i) receiving a data packet from a source port, the data packet comprising a payload with a higher-than-OSI layer three portion and associated destination port number; ii) verifying that the source port is authorized to communicate with a port having the associated destination port number; iii) assembling a network packet comprising the payload, an associated user-application identifier, and a payload data type descriptor; and iv) requesting transmission of the network packet through a network tunnel having a one-to-one correspondence with the associated destination port number.

11,245,529, claim 1: A method for network packet payload authorization, comprising: i) receiving a network packet at a hypervisor via a port-to-port communication pathway, the network packet comprising at least one packet parameter; ii) obtaining at least one higher-than-OSI layer three connection status parameter for the port-to-port communication pathway from a virtual machine; iii) authorizing the network packet in the hypervisor, comprising: comparing the at least one packet parameter with the at least one higher-than-OSI layer three connection status parameter; and iv) passing the authorized network packet to a virtual machine.

10,374,803, claim 1: A product for authorizing network communications in a hypervisor, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable in a hypervisor to perform communication management operations, the communication management operations comprising: i) intercepting a first network packet in the hypervisor, the first network packet comprising a first higher-than-OSI layer three portion; ii) decrypting, with a single-use cryptographic key, at least a portion of the first higher-than-OSI layer three portion to obtain one or more first packet parameters; iii) authorizing the first network packet in the hypervisor, comprising: comparing the one or more first packet parameters with one or more first expected values; and iv) passing the authorized first network packet to a virtual device.

Claim comparison: 19/300565 | 10,361,859 | 10,367,811

19/300565, claim 1: (identical to the claim quoted in the first comparison above)

10,361,859, claim 1: A product for authenticating and authorizing provenance of information for one or more information management processes, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable on a processor to perform communication management operations, the communication management operations comprising: i) authorizing communication with a computing device on a network, comprising: a) sending a nonpublic first identification code via a communication pathway, the communication pathway pre-established on the network; b) receiving, after sending the nonpublic first identification code, a nonpublic computing device identification code via the pre-established communication pathway; and c) comparing the computing device identification code with a preconfigured value for the computing device, to confirm that the computing device is an authorized computing device on the network; ii) receiving a network packet via the communication pathway, the network packet comprising: (a) information; and (b) an encrypted parameter in an application space portion of the network packet; iii) verifying that the received information is an authorized communication from a process operating on the authorized computing device, comprising: comparing, in a processor-accessible kernel space, a decrypted form of the parameter with a preconfigured identifier for the process to confirm that the process is an authorized process; and iv) passing the information from the processor-accessible kernel space to one or more information management processes.

10,367,811, claim 1: A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device of the plurality of network computing devices to perform communication management operations, the communication management operations comprising: i) forming a configured communication pathway by configuring a pre-established communication pathway to exclusively communicate application data between a first user-application on the first computing device and a second user-application on a second computing device of the plurality of network computing devices, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising: a) sending a first configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet; b) receiving a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet; c) confirming, in a kernel space of the first computing device, that the second computing device is authorized to communicate with the first user-application, comprising: matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device; d) further sending a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is exclusive to the first user-application and the second user-application; e) further receiving a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and f) further confirming, in the kernel space of the first computing device, that the second user-application is authorized to receive the application data from the first user-application, comprising: further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is exclusive to the second user-application and the first user-application; and ii) preventing any transport layer ports used by the configured communication pathway from being used by any other communication pathway.

Claim comparison: 19/300565 | 10,375,019 | 10,397,186 | 10,630,642

19/300565, claim 1: (identical to the claim quoted in the first comparison above)

10,375,019, claim 1: A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device to perform communication management operations, the communication management operations comprising: i) consuming a first network packet to obtain an application layer first payload and a first port number, the first port number assigned to a transport layer first port for an end-user application program on a second computing device; ii) decrypting an encrypted read-only first file and identifying a data record in the first file that contains the first port number in a first port number field of the identified data record in the first file, the first file stored locally on the first computing device; iii) confirming the application layer first payload conforms to one or more formatting requirements named in the identified data record in the first file; iv) negotiating an encrypted TCP connection with a network security software running on the second computing device, the encrypted TCP connection dedicated exclusively to routing communications that are a) directed to and/or originating from the transport layer first port, and b) formatted according to the named formatting requirements; v) forming a second network packet, comprising: inserting into an application layer portion of the second network packet: a) at least a portion of the application layer first payload, b) a nonpublic identifier that is unique to the program code executable by the first computing device, c) a nonpublic user-identifier for a process owner running the program code executable by the first computing device, and d) an identifier for the one or more formatting requirements; and vi) sending the second network packet to the network security software via the encrypted TCP connection.

10,397,186, claim 1: A product for securing communication between at least two networked computing devices, the product comprising at least one non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code when executed on the at least two networked computing devices performs communication management operations on the at least two networked computing devices, the communication management operations comprising: i) forming a configured communication pathway by configuring a pre-established communication pathway to be limited to dedicated communication of application data between a networked first user-application on a first computing device and a second user-application on a networked second computing device via a series of transport layer ports that are dedicated to communication of the application data, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising: a) executing application space commands by the first user-application on the first computing device, comprising: I) causing a network stack of the first computing device to send a first configuration packet from the first user-application to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet; II) receiving, after the network stack sends the first configuration packet, a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet; III) confirming that the second computing device is authorized to communicate with the first user-application, comprising: matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device; IV) further causing the network stack to send a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is unique to the first user-application, the first user, one or more content requirements for the application data, and a series of port numbers assigned to the series of dedicated transport layer ports; V) further receiving, after the network stack sends the third configuration packet, a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and VI) further confirming that the second user-application is authorized to receive the application data from the first user-application, comprising: further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is unique to the second user-application, the second user, the one or more content requirements for the application data, and the series of port numbers; and b) further executing kernel space commands on the second computing device to verify that the second user-application is authorized to receive the application data from the first user-application, comprising: obtaining the nonpublic first user-application identifier from the application layer portion of the third configuration packet and matching the obtained nonpublic first user-application identifier to a preconfigured nonpublic first user-application code; and ii) transmitting the application data via the configured communication pathway from the first user-application to the second user-application.

10,630,642, claim 1: A product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a first computing device of the plurality of networked computing devices to perform communication management operations, the communication management operations comprising: i) forming a configured communication pathway by configuring a pre-established communication pathway to exclusively communicate application data between a first user-application on the first computing device and a second user-application on a second computing device of the plurality of networked computing devices, the first user-application operated by a first user and the second user-application operated by a second user, the configuring comprising: a) sending a first configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the first configuration packet containing a nonpublic first device identifier for the first computing device in an application layer portion of the first configuration packet; b) receiving a second configuration packet from the second computing device, the second configuration packet containing a nonpublic second device identifier for the second computing device in an application layer portion of the second configuration packet; c) confirming, in a kernel space of the first computing device, that the second computing device is authorized to communicate with the first user-application, comprising: matching the nonpublic second device identifier to a preconfigured nonpublic second device code for the second computing device; d) further sending a third configuration packet from the first computing device to the second computing device via the pre-established communication pathway, the third configuration packet containing a nonpublic first user-application identifier in an application layer portion of the third configuration packet, wherein the nonpublic first user-application identifier is exclusive to the first user-application and the second user-application; e) further receiving a fourth configuration packet from the second computing device, the fourth configuration packet containing a nonpublic second user-application identifier in an application layer portion of the fourth configuration packet; and f) further confirming, in the kernel space of the first computing device, that the second user-application is authorized to receive outgoing application data from the first user-application via the configured communication pathway, comprising: further matching the nonpublic second user-application identifier to a preconfigured nonpublic second user-application code, wherein the preconfigured nonpublic second user-application code is exclusive to the second user-application and the first user-application; ii) preventing any transport layer ports used by the configured communication pathway from being used by any other communication pathway; iii) verifying that incoming application data received via the configured communication pathway conforms to a plurality of content requirements, the plurality of content requirements comprising: a) a data type; b) a data range; and c) a command type authorized to be present in the incoming application data; and iv) passing the verified incoming application data to the first user-application; wherein the nonpublic first user-application identifier is unique to the first user-application, the first user, and the plurality of content requirements; wherein the preconfigured nonpublic second user-application code is unique to the second user-application, the second user, and the plurality content requirements; and wherein files containing values for the nonpublic first device identifier, the preconfigured nonpublic second device code, the nonpublic first user-application identifier, and the preconfigured nonpublic second user-application code are sent to the first computing device and to the second computing device from a provisioning server prior to performing the communication management operations.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-6, 8-22, 24, 29-30 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hidle (US Publication No. 2009/0113202, hereinafter “Hidle”), and further in view of Teh (US Publication No. 2004/0122964, hereinafter “Teh”).
Regarding claim 1, Hidle discloses a product for securing communications of a plurality of networked computing devices, the product comprising a non-transitory computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code executable by a processor to perform communication management operations [Hidle, paragraphs 17, 21-22, figure 2], the communication management operations comprising: i) receiving a data packet from a source port [Hidle, paragraphs 21-22, 44-45, figure 2, the two end point devices verify encryption keys by exchanging and testing (decrypting and verifying) an encrypted message], Hidle, paragraphs 21-22, 44-45, figure 2, a plurality of embedded node ports configured to be connected to and communicate with embedded nodes]; ii) verifying that the source port is authorized to communicate with a port having the associated destination port number [Hidle, paragraphs 21-25, 44-45, figure 2]; iii) assembling a network packet comprising the payload [Hidle, paragraphs 21-30, 44-45, figures 2-3], iv) requesting transmission of the network packet through a network tunnel having a one-to-one correspondence with the associated destination port number [Hidle, paragraphs 17-25, 44-45, figure 2]. Hidle does not specifically disclose, however Teh teaches the data packet comprising a payload with a higher-than-OSI layer three portion [Teh, paragraph 15, figures 2, 4]; an associated user-application identifier, and a payload data type descriptor [Teh, paragraph 15, figures 2, 4]. It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include an application with the app identifier and the data type within the message for allowing the user to access the message. It would have been obvious to combine Teh with Hidle as both arts are related to a similar concept. 
Regarding claim 2, Hidle-Teh further discloses wherein the performing communication processing functions further comprise requesting transmission of network packets through encrypted communication pathways, wherein the network packets comprise a port number of one of the port numbers and one of the assembled packet segments, wherein the encrypted communication pathways having a one-to-one correspondence with one of the port numbers [Hidle, paragraphs 21-25, 44-45, figure 2]. Regarding claim 3, Hidle-Teh further discloses wherein the network tunnel is an encrypted communication pathway [Hidle, paragraphs 17-25, 44-45, figure 2]. Regarding claim 4, Hidle-Teh further discloses wherein the communication management operations further comprises performing communication processing functions on all or substantially all data packets [Hidle, paragraphs 17-25, 44-45, figure 2]. Regarding claim 5, Hidle-Teh further discloses wherein the communication management operations are transparent to a user-application process [Hidle, paragraphs 17-25, 44-45, figure 2]. Regarding claim 6, Hidle-Teh further discloses wherein the communication management operations are executed in a kernel space accessed by the processor [Hidle, paragraphs 17-25, 44-45, figure 2]. Regarding claim 8, Hidle-Teh further discloses wherein the communication management operations further comprise performing communication processing functions on at least a portion of port-to-network communications or on all port-to-network communications [Hidle, paragraphs 17-25, 44-45, figure 2]. Regarding claim 9, Hidle-Teh further discloses wherein a parameter in at least the higher-than-OSI-layer three portion of the first payload is evaluated to confirm the payload is authorized to communicate [Teh, paragraph 14-16] with the port having the associated destination port number [Hidle, paragraphs 17-25, 44-45, figure 2]. 
Regarding claim 10, Hidle-Teh further discloses wherein a parameter in at least the higher-than-OSI-layer-three portion of the first payload is evaluated to confirm the payload is authorized to communicate [Teh, paragraphs 14-16] with the port having the associated destination port number [Hidle, paragraphs 17-25, 44-45, figure 2].

Regarding claim 11, Hidle-Teh further discloses wherein a parameter in at least the higher-than-OSI-layer-three portion of the first payload is evaluated to confirm the payload is authorized to communicate [Teh, paragraphs 14-16] with the port having the associated destination port number [Hidle, paragraphs 17-25, 44-45, figure 2].

Regarding claim 12, Hidle-Teh further discloses wherein the parameter is a payload data type descriptor [Teh, paragraphs 14-16].

Regarding claim 13, Hidle-Teh further discloses wherein the parameter is a payload data type descriptor [Teh, paragraphs 14-16].

Regarding claim 14, Hidle-Teh further discloses wherein the parameter is a payload data type descriptor [Teh, paragraphs 14-16].

Regarding claim 15, Hidle-Teh further discloses wherein the communication management operations further comprise assembling a network packet, wherein the network packet further comprises an associated user-application process identifier, and a payload data type descriptor [Hidle, paragraphs 17-25, 44-45, figure 2].

Regarding claim 16, Hidle-Teh further discloses wherein the communication management operations further comprise access control policies [Hidle, paragraphs 25-28, 44-47, figure 2].

Regarding claim 17, Hidle-Teh further discloses wherein the access control policies comprise identifying applications based on application identifiers or identifying applications based on application identifiers at layer 7 [Teh, paragraphs 14-16].

Regarding claim 18, Hidle-Teh further discloses wherein the privilege access policies employ least-privileged access [Hidle, paragraphs 25-28, 44-47, figure 2].
Regarding claim 19, Hidle-Teh further discloses wherein the communication management operations based in part on the privilege access policies continuously verify trust [Hidle, paragraphs 25-28, 44-47, figure 2].

Regarding claim 20, Hidle-Teh further discloses wherein the communication management operations based in part on the access control policies revoke access based on changes in user behavior or app behavior [Hidle, paragraphs 17-28, 44-47, figure 2].

Regarding claim 21, Hidle-Teh further discloses wherein the communication management operations based in part on the access control policies verify the user or confirm the security level of the user device [Hidle, paragraphs 17-28, 44-47, figure 2].

Regarding claim 22, Hidle-Teh further discloses wherein the communication management operations based in part on the access control policies provide application access control for users, including remote users [Hidle, paragraphs 17-28, 44-47, 52, figure 2].

Regarding claim 24, Hidle-Teh further discloses wherein the communication management operations based in part on the access control policies conduct user and device checks for every application session for users, including remote users [Hidle, paragraphs 17-28, 44-47, 52, figure 2].

Regarding claim 29, Hidle-Teh further discloses wherein the communication management operations support multiple identity provider configurations [Hidle, paragraphs 17-28, 44-47, 52, figure 2].

Regarding claim 30, Hidle-Teh further discloses wherein the communication management operations identify port-based rules [Hidle, paragraphs 17-28, 44-47, 52, figure 2].

Claim(s) 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hidle-Teh as applied to claim 1 above, and further in view of Chang, (US Publication No. 2002/0120758), hereinafter "Chang".
Regarding claim 7, Hidle-Teh further discloses wherein the communication management operations further comprise receiving data packets from a user-application process [Hidle, paragraphs 17-28, 44-47, 52, figure 2]; Hidle-Teh does not specifically disclose, however Chang teaches, via a loopback interface [Chang, paragraphs 51, 53, 55]. It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include a loopback process for the packets in order to maintain a priority of the packets while maintaining flow and security for the system. It would have been obvious to combine Chang with Hidle-Teh as all arts are related to similar concepts.

Claim(s) 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hidle-Teh as applied to claim 16 above, and further in view of Lear et al., (US Publication No. 2007/0204333), hereinafter "Lear".

Regarding claim 23, Hidle-Teh does not specifically disclose, however Lear teaches wherein the access control includes role-based access control [Lear, paragraph 26]. It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include role-based (groups) access control in order to provide access for similar users based on roles while providing security for the system. It would have been obvious to combine Lear with Hidle-Teh as each art relates to network communication.

Claim(s) 25, 27 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hidle-Teh as applied to claims 1, 16 above, and further in view of Kashyap, (US Publication No. 2012/0317611), hereinafter "Kashyap".

Regarding claim 25, Hidle-Teh does not specifically disclose, however Kashyap teaches wherein the communication management operations based in part on the access control policies conduct user and device checks for applications in a data center [Kashyap, paragraph 3].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include access control rules at a data center for packets in order to provide and maintain security for the system. It would have been obvious to combine Kashyap with Hidle-Teh as all references are related to network communications.

Regarding claim 27, Hidle-Teh-Kashyap further discloses wherein the communication management operations conduct user and device checks for applications [Hidle, paragraphs 17-28, 44-47, 52, figure 2, verification] in a data center [Kashyap, paragraph 3].

Claim(s) 26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hidle-Teh as applied to claim 1 above, and further in view of Hope et al., (US Publication No. 2018/0302409), hereinafter "Hope".

Regarding claim 26, Hidle-Teh does not specifically disclose, however Hope teaches wherein the communication management operations check whether the device has an endpoint security agent [Hope, Abstract, paragraph 61]. It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include security agents installed on the endpoint devices in order to maintain security of the system. It would have been obvious to combine Hope with Hidle-Teh as each art is related to network communications.

Claim(s) 28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hidle-Teh as applied to claim 1 above, and further in view of Bandhole et al., (US Publication No. 2008/0051066), hereinafter "Bandhole".

Regarding claim 28, Hidle-Teh does not specifically disclose, however Bandhole teaches wherein the communication management operations enable customizable automated incident response [Bandhole, Abstract, paragraph 7].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include customizable responses in order to provide a proper response to proper personnel to allow the users to protect the system. It would have been obvious to combine Bandhole with Hidle-Teh as each art is related to network communications.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu can be reached at 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /William J. Goodchild/Primary Examiner, Art Unit 2433
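The operations the examiner maps onto claim 1, rendered as runnable code so the point contested at arguments A and B is concrete: authorization is keyed on the (source port, destination port) pair rather than on the device, and each destination port is bound to exactly one tunnel. This is an added illustration written for this page; it is not code from the application, from Hidle, Teh, or any other cited reference, and the framing format, port numbers (502 is the well-known Modbus/TCP port, used here only as a constructed example) and identifier strings are assumptions of the example.

```python
# Added illustration (not the applicant's or the cited references' code):
# a communication manager that (i) receives a data packet from a source port,
# (ii) checks a port-pair authorization table, (iii) assembles a network packet
# carrying the payload plus the application identifier and data type descriptor,
# and (iv) hands it to the tunnel bound one-to-one to the destination port.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DataPacket:
    source_port: int
    dest_port: int
    app_id: str        # user-application identifier (above OSI layer 3)
    data_type: str     # payload data type descriptor
    payload: bytes


@dataclass
class Tunnel:
    """Stand-in for an encrypted pathway; it records frames instead of encrypting them."""
    dest_port: int
    sent: List[bytes] = field(default_factory=list)

    def transmit(self, frame: bytes) -> None:
        self.sent.append(frame)


class CommunicationManager:
    def __init__(self) -> None:
        self._allowed: Set[Tuple[int, int]] = set()     # (source_port, dest_port) pairs
        self._tunnels: Dict[int, Tunnel] = {}            # dest_port -> exactly one tunnel
        self.dropped: List[Tuple[DataPacket, str]] = []  # audit trail of refusals

    def authorize(self, source_port: int, dest_port: int) -> None:
        """Policy is per port pair, not per device: other ports on the same host stay denied."""
        self._allowed.add((source_port, dest_port))

    def open_tunnel(self, dest_port: int) -> Tunnel:
        """One tunnel per destination port; binding a second one to the same port is an error."""
        if dest_port in self._tunnels:
            raise ValueError(f"tunnel already bound to destination port {dest_port}")
        tunnel = Tunnel(dest_port)
        self._tunnels[dest_port] = tunnel
        return tunnel

    def is_authorized(self, source_port: int, dest_port: int) -> bool:
        return (source_port, dest_port) in self._allowed

    @staticmethod
    def assemble(pkt: DataPacket) -> bytes:
        # Minimal framing (an assumption of this example): header fields separated by '|',
        # terminated by a newline, followed by the opaque payload bytes.
        header = f"{pkt.dest_port}|{pkt.app_id}|{pkt.data_type}|{len(pkt.payload)}\n"
        return header.encode() + pkt.payload

    def handle(self, pkt: DataPacket) -> Optional[Tunnel]:
        """Returns the tunnel the packet went out on, or None when it was refused."""
        if not self.is_authorized(pkt.source_port, pkt.dest_port):
            self.dropped.append((pkt, "unauthorized port pair"))
            return None
        tunnel = self._tunnels.get(pkt.dest_port)
        if tunnel is None:
            self.dropped.append((pkt, "no tunnel for destination port"))
            return None
        tunnel.transmit(self.assemble(pkt))
        return tunnel


def demo() -> Tuple[CommunicationManager, Optional[Tunnel], Optional[Tunnel], Optional[Tunnel]]:
    mgr = CommunicationManager()
    mgr.open_tunnel(502)        # constructed example: the single tunnel for port 502
    mgr.authorize(40000, 502)   # only source port 40000 may reach 502
    mgr.authorize(40000, 9999)  # permitted by policy, but no tunnel is bound to 9999

    delivered = mgr.handle(DataPacket(40000, 502, "hmi-client", "modbus/read", b"\x00\x01"))
    # Same host, different source port: device-level trust would pass this; port policy does not.
    denied = mgr.handle(DataPacket(40001, 502, "hmi-client", "modbus/read", b"\x00\x01"))
    unrouted = mgr.handle(DataPacket(40000, 9999, "hmi-client", "telemetry", b"xyz"))
    return mgr, delivered, denied, unrouted


if __name__ == "__main__":
    m, ok, _, _ = demo()
    print("delivered via tunnel for port", ok.dest_port if ok else None)
    for pkt, reason in m.dropped:
        print(f"dropped {pkt.source_port}->{pkt.dest_port}: {reason}")
```

The second `handle` call is the case the applicant's argument A turns on: a packet from the same, already-authenticated device but a different source port is refused, which a scheme that only checks whether decryption succeeded between two endpoints would not do. The `open_tunnel` guard is the one-to-one correspondence of argument B: a destination port can never have two tunnels, and a port without a tunnel is not reachable even when policy permits it.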

Prosecution Timeline

Aug 14, 2025
Application Filed
Nov 19, 2025
Non-Final Rejection — §103, §DP
Feb 28, 2026
Response Filed
Mar 16, 2026
Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591666
DETECTING MODEL INVERSION ATTACKS IN FEDERATED LEARNING
2y 5m to grant Granted Mar 31, 2026
Patent 12587551
TECHNIQUES FOR MONITORING PRIVILEGED USERS AND DETECTING ANOMALOUS ACTIVITIES IN A COMPUTING ENVIRONMENT
2y 5m to grant Granted Mar 24, 2026
Patent 12580925
DETERMINING SECURITY RISKS ASSOCIATED WITH AN ACCESS DESIGN BASED ON ACCESS HEALTH SCORES
2y 5m to grant Granted Mar 17, 2026
Patent 12574355
Zero Trust Network Access and Virtual Private Network Client Offloading
2y 5m to grant Granted Mar 10, 2026
Patent 12574248
METHOD FOR VERIFYING DIGITAL SIGNATURES, VEHICLE COMPUTING UNIT AND VEHICLE
2y 5m to grant Granted Mar 10, 2026
Based on the 5 most recent grants.

Prosecution Projections

3-4
Expected OA Rounds
83%
Grant Probability
97%
With Interview (+14.1%)
3y 4m
Median Time to Grant
Moderate
PTA Risk
Based on 739 resolved cases by this examiner. Grant probability derived from career allow rate.
