DETAILED ACTION
Claims 1-21 are allowed.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Michael Fainberg (Reg. No. 50441) on March 29, 2021.
The application has been amended as follows: 

1.	(Currently Amended) A method for determining threat risk of user devices to a banking service, the method comprising:
detecting an interaction between a user device and the banking service;
acquiring characteristics of the user device including at least a geographic location of the user device
acquiring data related to a threat risk state of the user device;
associating the user device with one or more clusters of user devices based on the geographic location and the threat risk state of the user device, wherein the user device is associated with at least one cluster of user devices located in the same geographic region as the user device; 
computing a threat degree of the one or more clusters based on threat risk states of the user devices associated with said cluster; and
determining that the user device is a threat risk to the banking service when the threat degree of the one or more clusters is greater than a predetermined threshold. 

2.	(Original) The method of claim 1, wherein the threat risk state of the user device is based on: a frequency of infection of user devices for a predetermined region, a frequency of infection of user devices for a plurality of different regions, or a combination of frequencies of infections of user devices for the predetermined region and the plurality of different regions. 
3.	(Original) The method of claim 1, wherein the threat risk state of the user device is based on whether or not  a root access is present on the user device. 
4.	(Original) The method of claim 1, wherein the threat risk state of the user device is determined from a security network. 
5.	(Original) The method of claim 1, wherein the acquiring of the characteristics of the user device is performed by executing a script stored on a server of the banking service, wherein the script is executed when the user device starts interacting with the server. 
6.	(Original) The method of claim 1, wherein the acquiring of the characteristics of the user device is performed by using a security application. 
7.	(Original) The method of claim 1, wherein the characteristics of the user device further include one or more of: an indication as to whether the user device is running in a virtual machine or emulator, an identification of a browser version being used for the interaction with the banking service, an identification of a plug-in installed in a browser of the user device, and identifications of vulnerable applications installed on the user device. 
8.	(Currently Amended) A system for determining threat risk of user devices to a banking service, the system comprising:

a hardware processor configured to:
detect an interaction between a user device and the banking service;
acquire and store in the database characteristics of the user device including at least a geographic location of the user device
acquire and store in the database data related to a threat risk state of the user device; and
associate the user device with one or more clusters of user devices based on the geographic location and the threat risk state of the user device, wherein the user device is associated with at least one cluster of user devices located in the same geographic region as the user device; 
compute a threat degree of the one or more clusters based on threat risk states of the user devices associated with said cluster; and
determine that the user device is a threat risk to the banking service when the threat degree of the one or more clusters is greater than a predetermined threshold. 

9.	(Original) The system of claim 8, wherein the threat risk state of the user device is based on: a frequency of infection of user devices for a predetermined region, a frequency of infection of user devices for a plurality of different regions, or a combination of frequencies of infections of user devices for the predetermined region and the plurality of different regions. 
10.	(Original) The system of claim 8, wherein the threat risk state of the user device is based on whether or not  a root access is present on the user device. 
11.	(Original) The system of claim 8, wherein the threat risk state of the user device is determined from a security network. 

13.	(Original) The system of claim 8, wherein the acquiring of the characteristics of the user device is performed by using a security application. 
14.	(Original) The system of claim 8, wherein the characteristics of the user device further include one or more of: an indication as to whether the user device is running in a virtual machine or emulator, an identification of a browser version being used for the interaction with the banking service, an identification of a plug-in installed in a browser of the user device, and identifications of vulnerable applications installed on the user device. 
15.	(Currently Amended) A non-transitory computer readable medium comprising computer executable instructions for determining threat risk of user devices to a banking service, including instructions for: 
detecting an interaction between a user device and the banking service;
acquiring characteristics of the user device including at least a geographic location of the user device
acquiring data related to a threat risk state of the user device;
associating the user device with one or more clusters of user devices based on the geographic location and the threat risk state of the user device, wherein the user device is associated with at least one cluster of user devices located in the same geographic region as the user device; 
computing a threat degree of the one or more clusters based on threat risk states of the user devices associated with said cluster; and
determining that the user device is a threat risk to the banking service when the threat degree of the one or more clusters is greater than a predetermined threshold. 


17.	(Original) The non-transitory computer readable medium of claim 15, wherein the threat risk state of the user device is based on whether or not  a root access is present on the user device.
18.	(Original) The non-transitory computer readable medium of claim 15, wherein the threat risk state of the user device is determined from a security network. 
19.	(Original) The non-transitory computer readable medium of claim 15, wherein the acquiring of the characteristics of the user device is performed by executing a script stored on a server of the banking service, wherein the script is executed when the user device starts interacting with the server. 
20.	(Original) The non-transitory computer readable medium of claim 15, wherein the acquiring of the characteristics of the user device is performed by using a security application. 
21.	(Original) The non-transitory computer readable medium of claim 15, wherein the characteristics of the user device further include one or more of: an indication as to whether the user device is running in a virtual machine or emulator, an identification of a browser version being used for the interaction with the banking service, an identification of a plug-in installed in a browser of the user device, and identifications of vulnerable applications installed on the user device. 

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “detecting an interaction between a user device and the banking service; acquiring characteristics of the user device including at least a geographic location of the user 
The following is considered to be the closest prior art of record:
Quinlan (US 2014/0283061) – teaches a security device intercepting a request from a user device and generating a device fingerprint for the user device. The device fingerprint is compared to values for known attacker devices and traffic is blocked if the user device fingerprint matches a known attacker device fingerprint.
Gathala (US 2018/0077195) – teaches generating multiple threat scores for a user device, generating a weighted average threat score, and comparing the weighted average threat score to a threshold. If the average threat score is above the threshold then the risk is too high to allow the device to access a banking app.
Etchegoyen (US 2015/0026805) – teaches determining the reputation of a user device.
Mahaffey (US 2015/0163121) – teaches monitoring the geographic location of a user device for unusual activity.
Kolkowitz (US 2015/0324802) – teaches using the geographic location of a device as part of the device signature/fingerprint for comparison to detect malicious activity.
Langton (US 2016/0092684) – teaches using a device location to detect threats.
However, the concept of acquiring a user device’s geographic location and threat risk state, associating the user device in a cluster of other user devices based on the geographic locations and threat risk states, computing a threat degrees of the entire cluster based on the threat risk states of the devices in the cluster, and determining if the particular user device is a threat when the threat degree of its associated cluster is greater than a threshold as claimed cannot be found in the prior art of record.
None of the prior art of record, either taken by itself or in any combination, would have reasonably anticipated or made obvious the invention of the present application at or before the time it was effectively filed. The concepts and features, as claimed, are considered to be a non-obvious combination of limitations not taught in the prior art. Therefore, claims 1-21 are considered to be allowable.
According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”
.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/John B King/
Primary Examiner, Art Unit 2498