Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8-29-2019 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


8.	Claims 1 – 20 is / are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more analyzed according to 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites a computing platform captures information identifying devices present at a first enterprise location during a malicious event. Then, the computing platform generates alerts when one of the devices present at the first enterprise location during the malicious event is detected at a second enterprise location.
Step 1: The claims 1, 16 and 20 do fall into one of the four statutory categories of method and system claims. Nevertheless the claims still is/are considered as abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 16 and 20 recites: a computing platform captures information identifying devices present at a first enterprise location during a malicious event. Then, the computing platform generates alerts when one of the devices present at the first enterprise location during the malicious event is detected at a second enterprise location, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and / or with pen and paper with/without a generic computer. Except for words ‘system with memory and processors’, there is nothing in the claim element precludes the step from practically being performed in human mind and/or with pen and paper and is akin to investigative agencies detecting a malicious device based on the wireless device’s signals and location and can also be perceived to be done manually by human in an orderly fashion. In the context of these claims encompasses taking remedial measures like sending alerts accordingly. 
Dependent claims 2 – 13 and 17 – 19 which in turn recite receiving alerts from different places, sending commands to capture device signatures at locations, determining forensic data, determining the malicious device based on different signal statistics is/are mere structural addendums and are other steps that could be performed by human manually with/without need for a computer.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in an human mind but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps of: a computing platform captures information identifying devices present at a first enterprise location during a spec. [0034]) such that it amounts no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims is directed to an abstract idea.
Step 2B: The claims does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, a computing platform captures information identifying devices present at a first enterprise location during a malicious event. Then, the computing platform generates alerts when one of the devices present at the first enterprise location during the malicious event is detected at a second enterprise location amounts to no more than mere instructions to apply the exception using a generic computer terms. Mere instructions to apply an exception using a generic computer components cannot provide an inventive concept. The claims is / are not patent eligible. Therefore all the corresponding dependent claims 2 – 13 and 17 – 19 are also rejected for the same rationale.
Note: Claims 14 and 15 are not considered abstract and therefore if incorporated in all the independent shall overcome this rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 13 and 16 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Selinger et al (US 10109166), hereafter Sel and Ladnai et al (US 20190258800), hereafter Lad.
Claim 1: Sel teaches a computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to (Fig. 1): receive, via the communication interface, from a first enterprise center monitoring system associated with a first enterprise location, information indicating that a first malicious event has been detected at the first enterprise location; (C5,6L65-67, 1-2: the security checkpoint hardware apparatus detects the presence of an unrecognized or foreign device and indicates the presence of an unauthorized individual or potential threat and (C6L27-29) a security checkpoint network is used to triangulate the location of a particular mobile device);
in response to receiving the information indicating that the first malicious event has been detected at the first enterprise location, capture first device information identifying a first plurality of devices present at the first enterprise location [during a time period] corresponding to the first malicious event; (C1L42-48: security system that monitors the radio frequency signals generated by mobile phones and similar mobile computing devices to then create a unique identifier or "fingerprint" for each such mobile device and (C2L15-18) record all mobile devices that are in range of the system as potential suspect devices, compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices);
(C6L40-43: the database of fingerprints enables the filtering and sorting of data to determine movement patterns and potentially early warning of crimes);
after storing the first device information identifying the first plurality of devices present at the first enterprise location [during a time period] corresponding to the first malicious event, receive, via the communication interface, from a second enterprise center monitoring system associated with a second enterprise location, second device information identifying a second plurality of devices present at the second enterprise location; (C2L45-50: monitoring an area for the presence of a mobile device, detecting one or more radio signals emitted by the mobile device, generating a device fingerprint that positively identifies a mobile device, and uploading the device fingerprint to a device fingerprint database to be accessed by a network of other security checkpoints);
identify that a first device of the first plurality of devices present at the first enterprise location [during the time period] corresponding to the first malicious event is present at the second enterprise location based on the second device information received from the second enterprise center monitoring system associated with the second enterprise location; (C6L13-20: each security checkpoint in the network captures and contribute certain details about a given mobile device that were not captured by other checkpoints in the network and in-turn the network creates a more certain and unique "fingerprint" for a given device, if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect);
in response to identifying that the first device of the first plurality of devices present at the first enterprise location [during a time period] corresponding to the first malicious event is present at the second enterprise location, generate an alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location [during the time period] corresponding to the first malicious event; (C6L13-20: if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect and (C8L7-13) the security checkpoint determines whether any foreign or unrecognized devices are in the area and flag those for further consideration. Additionally, the security checkpoint filters and compare information in the database to determine if there is any correlation or pattern between the mobile device(s) that were in the vicinity at similar crimes, the security checkpoint then use that pattern information to provide alerts to citizens and law enforcement when one of those flagged device(s) enters a monitored area);
and send, via the communication interface, to the second enterprise center monitoring system associated with the second enterprise location, the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location [during the time period] corresponding to the first malicious event. (C6L43-49: the database can be filtered to see what devices were in an area when a crime occurred and whether any of those same devices were in a different area when a similar crime occurred. This information is then used to provide an alert when any of those devices enter an area that is covered by one of the security checkpoints that are integrated with the database);
Sel teaches the concept but is silent on identifying presence of devices during a time period.
But analogous art Lad teaches identifying presence of devices during a time period. ([0007] a number of events, for an identified computing object with an IP address, within the sequence of events are preserved for a predetermined time window, where the predetermined time window has a different duration for at least two types of computing objects and [0028, 37] and in a plurality of geographical locations and policies are defined for ...network location, time of day... or the like).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sel to include the idea of identifying presence of devices during time windows as taught by Lad so that the security policy intending to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware ([0118]).
Claim 16: Sel teaches a method, comprising: at a computing platform comprising at least one processor, a communication interface, and memory (Fig. 1): receiving, by the at least one processor, via the communication interface, from a first enterprise center monitoring system associated with a first enterprise location, information indicating that a first malicious event has been detected at the first enterprise location; in response to receiving the information indicating that the first malicious event has been detected at the first enterprise location, capturing, by the at least one processor, first device information identifying a first plurality of devices present at the (C5,6L65-67, 1-2: the security checkpoint hardware apparatus detects the presence of an unrecognized or foreign device and indicates the presence of an unauthorized individual or potential threat and (C6L27-29) a security checkpoint network is used to triangulate the location of a particular mobile device; C1L42-48: security system that monitors the radio frequency signals generated by mobile phones and similar mobile computing devices to then create a unique identifier or "fingerprint" for each such mobile device and (C2L15-18) record all mobile devices that are in range of the system as potential suspect devices, compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices; C6L40-43: the database of fingerprints enables the filtering and sorting of data to determine movement patterns and potentially early warning of crimes; C2L45-50: monitoring an area for the presence of a mobile device, detecting one or more radio signals emitted by the mobile device, generating a device fingerprint that positively identifies a mobile device, and uploading the device fingerprint to a device fingerprint database to be accessed by a network of other security checkpoints; C6L13-20: each security checkpoint in the network captures and contribute certain details about a given mobile device that were not captured by other checkpoints in the network and inturn the network creates a more certain and unique "fingerprint" for a given device, if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect; C6L13-20: if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect and (C8L7-13) the security checkpoint determines whether any foreign or unrecognized devices are in the area and flag those for further consideration. Additionally, the security checkpoint filters and compare information in the database to determine if there is any correlation or pattern between the mobile device(s) that were in the vicinity at similar crimes, the security checkpoint then use that pattern information to provide alerts to citizens and law enforcement when one of those flagged device(s) enters a monitored area; C6L43-49: the database can be filtered to see what devices were in an area when a crime occurred and whether any of those same devices were in a different area when a similar crime occurred. This information is then used to provide an alert when any of those devices enter an area that is covered by one of the security checkpoints that are integrated with the database);
Sel teaches the concept but is silent on identifying presence of devices during a time period.
But analogous art Lad teaches identifying presence of devices during a time period. ([0007] a number of events, for an identified computing object with an IP address, within the sequence of events are preserved for a predetermined time window, where the predetermined time window has a different duration for at least two types of computing objects and [0028, 37] and in a plurality of geographical locations and policies are defined for ...network location, time of day... or the like).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sel to include the idea of identifying presence of devices during time windows as taught by Lad so that the security policy intending ([0118]).
Claim 20: Sel teaches a one or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to (Fig. 1): receive, via the communication interface, from a first enterprise center monitoring system associated with a first enterprise location, information indicating that a first malicious event has been detected at the first enterprise location; in response to receiving the information indicating that the first malicious event has been detected at the first enterprise location, capture first device information identifying a first plurality of devices present at the first enterprise location [during a time period] corresponding to the first malicious event; store the first device information identifying the first plurality of devices present at the first enterprise location [during the time period] corresponding to the first malicious event; after storing the first device information identifying the first plurality of devices present at the first enterprise location [during the time period] corresponding to the first malicious event, receive, via the communication interface, from a second enterprise center monitoring system associated with a second enterprise location, second device information identifying a second plurality of devices present at the second enterprise location; identify that a first device of the first plurality of devices present at the first enterprise location [during the time period] corresponding to the first malicious event is present at the second enterprise location based on the second device information received from the second enterprise center monitoring system associated with the second enterprise location; in response to identifying that the first device of the first plurality of devices present at the first enterprise location [during the time period] corresponding to the first malicious event is present at the (C5,6L65-67, 1-2: the security checkpoint hardware apparatus detects the presence of an unrecognized or foreign device and indicates the presence of an unauthorized individual or potential threat and (C6L27-29) a security checkpoint network is used to triangulate the location of a particular mobile device; C1L42-48: security system that monitors the radio frequency signals generated by mobile phones and similar mobile computing devices to then create a unique identifier or "fingerprint" for each such mobile device and (C2L15-18) record all mobile devices that are in range of the system as potential suspect devices, compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices; C6L40-43: the database of fingerprints enables the filtering and sorting of data to determine movement patterns and potentially early warning of crimes; C2L45-50: monitoring an area for the presence of a mobile device, detecting one or more radio signals emitted by the mobile device, generating a device fingerprint that positively identifies a mobile device, and uploading the device fingerprint to a device fingerprint database to be accessed by a network of other security checkpoints; C6L13-20: each security checkpoint in the network captures and contribute certain details about a given mobile device that were not captured by other checkpoints in the network and inturn the network creates a more certain and unique "fingerprint" for a given device, if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect; C6L13-20: if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect and (C8L7-13) the security checkpoint determines whether any foreign or unrecognized devices are in the area and flag those for further consideration. Additionally, the security checkpoint filters and compare information in the database to determine if there is any correlation or pattern between the mobile device(s) that were in the vicinity at similar crimes, the security checkpoint then use that pattern information to provide alerts to citizens and law enforcement when one of those flagged device(s) enters a monitored area; C6L43-49: the database can be filtered to see what devices were in an area when a crime occurred and whether any of those same devices were in a different area when a similar crime occurred. This information is then used to provide an alert when any of those devices enter an area that is covered by one of the security checkpoints that are integrated with the database);
Sel teaches the concept but is silent on identifying presence of devices during a time period.
([0007] a number of events, for an identified computing object with an IP address, within the sequence of events are preserved for a predetermined time window, where the predetermined time window has a different duration for at least two types of computing objects and [0028, 37] and in a plurality of geographical locations and policies are defined for ...network location, time of day... or the like).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sel to include the idea of identifying presence of devices during time windows as taught by Lad so that the security policy intending to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware ([0118]).
Claim 2: the combination of Sel and Lad teaches the computing platform of claim 1, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at a staffed enterprise service center. (Sel: C5,6L65-67, 1-2: the security checkpoint hardware apparatus detects the presence of an unrecognized or foreign device and indicates the presence of an unauthorized individual or potential threat and (C6L16-20) then a security event is initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect).
Claim 3: the combination of Sel and Lad teaches the computing platform of claim 1, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has (Sel: C6L59-65: the security checkpoint is integrated with other sensors alarms including motion detectors, glass break sensors, and door alarms such that a list of devices in the vicinity are automatically recorded whenever one of those alarms is tripped. The security checkpoint is integrated with local law enforcement and emergency radio and dispatch frequencies).
Claim 4: the combination of Sel and Lad teaches the computing platform of claim 1, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises: generating one or more commands directing the first enterprise center monitoring system to scan for devices present at the first enterprise location; and sending, to the first enterprise center monitoring system, the one or more commands directing the first enterprise center monitoring system to scan for devices present at the first enterprise location. (Sel: C1L42-48: security system that monitors the radio frequency signals generated by mobile phones and similar mobile computing devices to then create a unique identifier or "fingerprint" for each such mobile device and (C2L15-18) record all mobile devices that are in range of the system as potential suspect devices, compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices).
Claim 5: the combination of Sel and Lad teaches the computing platform of claim 4, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises: receiving, from the first enterprise center monitoring system, forensic data associated with one or more devices that have scanned for available wireless connections at the first enterprise location. (Sel: C6L3-7: the security checkpoint hardware apparatus prepares a database of detected "fingerprints." Combining the "fingerprints" (C2L47-48: generating a device fingerprint that positively identifies the mobile device) within an active central station allows for an additional layer of security).
Claim 6: the combination of Sel and Lad teaches the computing platform of claim 1, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises: capturing information identifying at least one device present at the first enterprise location before the time period corresponding to the first malicious event; and capturing information identifying at least one device present at the first enterprise location after the time period corresponding to the first malicious event. (Sel: C7L6-9: the security checkpoint hardware apparatus may employ strategies that encourage nearby devices to provide information to the security checkpoint hardware apparatus and (C5L47-50) monitor for a wide spectrum of radio frequency signals simultaneously, thereby detecting a variety of communication devices that enter and exit the vicinity of the hardware apparatus).
Claim 7: the combination of Sel and Lad teaches the computing platform of claim 1, wherein storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises: generating a unique device signature for each device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event; and storing the unique device signature generated for each device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event. (Sel: C1L46-48: "fingerprint" is comprised of one or more identifiers that are unique to the signals being generated by the given device and (C2L16-18) stored in compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices).
Claim 8: the combination of Sel and Lad teaches the computing platform of claim 1, wherein storing the first device information identifying the first plurality of devices present at the first enterprise location [during the time period] corresponding to the first malicious event comprises: storing a timestamp, location identifier, and event-type identifier for each device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event. (Sel: C2L40-42: the communications means are operably connected and are further configured to triangulate a location of said mobile device and (C8L5-7) when crime or similar security event is detected, the security checkpoint checks for what mobile devices are in the vicinity).
Lad teaches events identified for a time period. (Lad: [0007] a number of events, for an identified computing object with an IP address, within the sequence of events are preserved for a predetermined time window).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sel to include the idea of identifying presence of devices during time windows as taught by Lad so that the security policy intending to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware ([0118]).
Claim 9: the combination of Sel and Lad teaches the computing platform of claim 1, wherein storing the first device information identifying the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event comprises: filtering out at least one enterprise-affiliated device from the first plurality of devices present at (Sel: C6L40-43: the database of fingerprints enables the filtering and sorting of data to determine movement patterns and potentially early warning of crimes).
Claim 10: the combination of Sel and Lad teaches the computing platform of claim 1, wherein receiving the second device information identifying the second plurality of devices present at the second enterprise location comprises receiving, from the second enterprise center monitoring system, forensic data associated with one or more devices that have scanned for available wireless connections at the second enterprise location. (Sel: C6L3-7: the security checkpoint hardware apparatus prepares a database of detected "fingerprints." Combining the "fingerprints" (C2L47-48: generating a device fingerprint that positively identifies the mobile device) within an active central station allows for an additional layer of security).
Claim 11: the combination of Sel and Lad teaches the computing platform of claim 1, wherein identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location comprises identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location based on a unique device signature generated for the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event. (Sel: C6L13-20: each security checkpoint in the network captures and contribute certain details about a given mobile device that were not captured by other checkpoints in the network and inturn the network creates a more certain and unique "fingerprint" for a given device, if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect).
Claim 12: the combination of Sel and Lad teaches the computing platform of claim 1, wherein generating the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event comprises: inserting a timestamp, location identifier, and event-type identifier obtained from the first device information into the alert indicating that the first device of the first plurality of devices is present at the second enterprise location and was present at the first enterprise location during the time period corresponding to the first malicious event. (Sel: C6L13-20: if one security checkpoint hardware apparatus detects the presence of a foreign device before a crime is committed and that same device is later detected by a different security checkpoint, then a security event could be initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect and (C8L7-13) the security checkpoint determines whether any foreign or unrecognized devices are in the area and flag those for further consideration. Additionally, the security checkpoint filters and compare information in the database to determine if there is any correlation or pattern between the mobile device(s) that were in the vicinity at similar crimes, the security checkpoint then use that pattern information to provide alerts to citizens and law enforcement when one of those flagged device(s) enters a monitored area).
Lad: [0007] a number of events, for an identified computing object with an IP address, within the sequence of events are preserved for a predetermined time window).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Sel to include the idea of identifying presence of devices during time windows as taught by Lad so that the security policy intending to detect malware and the like, while also detecting other types of unwanted computing objects and events that do not qualify as malware ([0118]).
Claim 13: the combination of Sel and Lad teaches the computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: in response to identifying that the first device of the first plurality of devices present at the first enterprise location during the time period corresponding to the first malicious event is present at the second enterprise location, generate one or more commands directing a video surveillance system at the second enterprise location to capture one or more images of a user in possession of the first device; and send, via the communication interface, to the video surveillance system at the second enterprise location, the one or more commands directing the video surveillance system at the second enterprise location to capture the one or more images of the user in possession of the first device, wherein sending the one or more commands directing the video surveillance system at the second enterprise location to capture the one or more images of the user in possession of the first device to the video surveillance system at the second enterprise location causes the video surveillance system at the second enterprise location to take and store the one or more images of the user in possession of the first device. (Sel: C6L52-58: the security checkpoint hardware apparatus could be integrated with security cameras. When a foreign device is detected by the security checkpoint, the security checkpoint could cause the video feed from a nearby camera to be brought to the attention of the appropriate person, including playback of video preceding the initial detection of the foreign device).
Claim 17: the combination of Sel and Lad teaches the method of claim 16, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at a staffed enterprise service center. (Sel: C5,6L65-67, 1-2: the security checkpoint hardware apparatus detects the presence of an unrecognized or foreign device and indicates the presence of an unauthorized individual or potential threat and (C6L16-20) then a security event is initiated whereby other persons in the areas are notified as to the potential threat and the authorities are alerted as to the probable location of the device and in turn the possible suspect).
Claim 18: the combination of Sel and Lad teaches the method of claim 16, wherein receiving the information indicating that the first malicious event has been detected at the first enterprise location comprises receiving information indicating that the first malicious event has been detected at an automated enterprise service center. (Sel: C6L59-65: the security checkpoint is integrated with other sensors alarms including motion detectors, glass break sensors, and door alarms such that a list of devices in the vicinity are automatically recorded whenever one of those alarms is tripped. The security checkpoint is integrated with local law enforcement and emergency radio and dispatch frequencies).
Claim 19: the combination of Sel and Lad teaches the method of claim 16, wherein capturing the first device information identifying the first plurality of devices present at the first enterprise (Sel: C1L42-48: security system that monitors the radio frequency signals generated by mobile phones and similar mobile computing devices to then create a unique identifier or "fingerprint" for each such mobile device and (C2L15-18) record all mobile devices that are in range of the system as potential suspect devices, compare the potential suspect devices against recognized devices in the device fingerprint database, and generate a list of one or more suspect devices).

Allowable Subject Matter
Claims 14 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BADRINARAYANAN /Examiner, Art Unit 2496.