Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted was/were in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claim 20 is objected for minor informalities.  The claim recites “A computer program embodying program code on a non-transitory medium that…, the method comprising:”.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper claim recitation form, rewrite the claim(s) in proper independent form, or present a sufficient showing that the claim(s) complies with the statutory requirements. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 1, 13 and 20 recites the limitation "computing a likelihood that the RF signals emanated from an illicit or unauthorized device; and an interface for communicating the an unauthorized device presence…"; “…RF signals that emanated from a suspect device, the characteristics including periodicity, signal strength, transmission profile, and transmitter manufacturer; and computing, based on the characteristics, a result indicative of whether the RF signals emanated from a suspect device…”, “…RF signals that emanated from a suspect device, the characteristics including periodicity, signal strength, transmission profile, and transmitter manufacturer; and computing, based on the characteristics, a result indicative of whether the RF signals emanated from a suspect device…” .  The terms “an unauthorized device, a suspect device” is not clear if the terms are new or refers to prior used terms. There is insufficient antecedent basis for this limitation in the claim. Therefore all the dependent claims 2 – 12 and 14 – 19 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hodges et al (US 20150213427), hereafter Hod and Baxley et al (US 20160127931), hereafter Bax.
Claim 1: Hod teaches a device for detecting and countering an illicit capture device, comprising (Figs. 1 and 2): an antenna for receiving RF signals from the illicit capture device, the RF signals including data indicative of personal information of a user; ([0006] an antenna for receiving and detecting, radio frequency (RF) signal data corresponding to one or more detected RF signals emitted by an ATM and/or other electronic device and located within communication range of the ATM [0004] to capture the card information and PINs entered by the customer);
a modulation circuit for demodulating the received RF signals into packets of data; ([0027] system configured to demodulate the digital data and analyze the demodulated data and analyze packets of data);
([0029] receiver transmits the identification information to skimmer RF detection server using one or more data packets and [26] the system compares the detected RF signals to data contained in a known skimmer emissions database to determine whether the detected RF signals match any known ATM skimmers);
Hod is silent on and based on the comparison of one or more of the characteristics, computing a likelihood that the RF signals emanated from an illicit or unauthorized device; and an interface for communicating the computed likelihood of an unauthorized device presence for manual inspection and intervention.
But analogous art Bax teaches and based on the comparison of one or more of the characteristics, computing a likelihood that the RF signals emanated from an illicit or unauthorized device; ([0172] based on historical data and other information, a score or other metric is assigned to a given pairing of a particular unknown radio frequency fingerprint and particular access credentials, between the unknown radio frequency fingerprint and the super-persona with which the access credentials are associated, [202] divergence from this normal behavior measured and compared to one or more thresholds to identify potential security issues);
and an interface for communicating the computed likelihood of an unauthorized device presence for manual inspection and intervention. ([0030, 171] console provides a user interface for configuring, controlling, or reviewing analysis results associated with the signal analysis system, security and safety detection systems typically generate and store activity logs during operations so that relevant personnel can inspect and review prior detection episodes, for various purposes... forensic investigation of safety or security events..., troubleshooting and the like);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea to determine likelihood of illicit access by malicious device and its presence as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 13: Hod teaches a method for detecting spurious communications from an unauthorized device, comprising: gathering, at a receiver disposed in a monitored environment, RF signals suspected of transporting suspect data; analyzing the RF signals for an indication that the RF signals emanated from an illicit device, analyzing further comprising: deriving one or more characteristics indicative of RF signals that emanated from a suspect device, the characteristics including periodicity, signal strength, transmission profile, and transmitter manufacturer; ([0006] an antenna for receiving and detecting, radio frequency (RF) signal data corresponding to one or more detected RF signals emitted by an ATM and/or other electronic device and located within communication range of the ATM [0004] to capture the card information and PINs entered by the customer; [0027] system configured to demodulate the digital data and analyze the demodulated data and analyze packets of data; [0029] receiver transmits the identification information to skimmer RF detection server using one or more data packets and [26] the system compares the detected RF signals to data contained in a known skimmer emissions database to determine whether the detected RF signals match any known ATM skimmers; [0036, 41] one or more of which includes information related to known skimmer devices, such as skimmer device names, the frequency or frequencies of RF signals emitted by the skimmer device, the amplitude(s) of the RF signals emitted by the skimmer device, one or more images of the skimmer device, information related to disabling the particular skimmer device, and the like... skimmer RF detection server configured to generate an alert to include information associated with characteristics of the skimmer, the identity of the ATM where the skimmer as detected, etc. Receiver provides identification information associated with the ATM that provided signals detected by antenna); 
Hod is silent on and based on the comparison of one or more of the characteristics, computing a likelihood that the RF signals emanated from an illicit or unauthorized device; and an interface for communicating the computed likelihood of an unauthorized device presence for manual inspection and intervention.
But analogous art Bax teaches and computing, based on the characteristics, a result indicative of whether the RF signals emanated from a suspect device; and rendering the result for subsequent inspection and intervention. ([0172] based on historical data and other information, a score or other metric is assigned to a given pairing of a particular unknown radio frequency fingerprint and particular access credentials, between the unknown radio frequency fingerprint and the super-persona with which the access credentials are associated, [202] divergence from this normal behavior measured and compared to one or more thresholds to identify potential security issues; [0030, 171] console provides a user interface for configuring, controlling, or reviewing analysis results associated with the signal analysis system, security and safety detection systems typically generate and store activity logs during operations so that relevant personnel can inspect and review prior detection episodes, for various purposes... forensic investigation of safety or security events..., troubleshooting and the like);
([0028]).
Claim 20: Hod teaches a computer program embodying program code on a non-transitory medium that, when executed by a processor, performs steps for implementing a method of detecting spurious communications from an illicit capture device, the method comprising (Figs. 1 and 2): gathering, at a receiver disposed in a monitored environment, RF signals suspected of transporting suspect data; analyzing the RF signals for an indication that the RF signals emanated from an illicit device, analyzing further comprising: deriving one or more characteristics indicative of RF signals that emanated from a suspect device, the characteristics including periodicity, signal strength, transmission profile, and transmitter manufacturer; ([0006] an antenna for receiving and detecting, radio frequency (RF) signal data corresponding to one or more detected RF signals emitted by an ATM and/or other electronic device and located within communication range of the ATM [0004] to capture the card information and PINs entered by the customer; [0027] system configured to demodulate the digital data and analyze the demodulated data and analyze packets of data; [0029] receiver transmits the identification information to skimmer RF detection server using one or more data packets and [26] the system compares the detected RF signals to data contained in a known skimmer emissions database to determine whether the detected RF signals match any known ATM skimmers; [0036, 41] one or more of which includes information related to known skimmer devices, such as skimmer device names, the frequency or frequencies of RF signals emitted by the skimmer device, the amplitude(s) of the RF signals emitted by the skimmer device, one or more images of the skimmer device, information related to disabling the particular skimmer device, and the like... skimmer RF detection server configured to generate an alert to include information associated with characteristics of the skimmer, the identity of the ATM where the skimmer as detected, etc. Receiver provides identification information associated with the ATM that provided signals detected by antenna); 
Hod is silent on and based on the comparison of one or more of the characteristics, computing a likelihood that the RF signals emanated from an illicit or unauthorized device; and an interface for communicating the computed likelihood of an unauthorized device presence for manual inspection and intervention.
But analogous art Bax teaches and computing, based on the characteristics, a result indicative of whether the RF signals emanated from a suspect device; and rendering the result for subsequent inspection and intervention. ([0172] based on historical data and other information, a score or other metric is assigned to a given pairing of a particular unknown radio frequency fingerprint and particular access credentials, between the unknown radio frequency fingerprint and the super-persona with which the access credentials are associated, [202] divergence from this normal behavior measured and compared to one or more thresholds to identify potential security issues; [0030, 171] console provides a user interface for configuring, controlling, or reviewing analysis results associated with the signal analysis system, security and safety detection systems typically generate and store activity logs during operations so that relevant personnel can inspect and review prior detection episodes, for various purposes... forensic investigation of safety or security events..., troubleshooting and the like);
([0028]).
Claim 2: the combination of Hod and Bax teaches the device of claim 1 wherein the logic includes instructions for identifying transmission features indicative of the malicious device characteristics, the features including periodicity, transmission hardware components, signal strength, and transmission profile. (Hod: [0036, 41] one or more of which includes information related to known skimmer devices, such as skimmer device names, the frequency or frequencies of RF signals emitted by the skimmer device, the amplitude(s) of the RF signals emitted by the skimmer device, one or more images of the skimmer device, information related to disabling the particular skimmer device, and the like, [26] and/or the period of time that the particular RF emissions are detected... skimmer RF detection server configured to generate an alert to include information associated with characteristics of the skimmer, the identity of the ATM where the skimmer as detected, etc. Receiver provides identification information associated with the ATM that provided signals detected by antenna).
Claim 3: the combination of Hod and Bax teaches the device of claim 1 wherein the logic includes instructions for measuring a periodicity of the received data packets, and based on a duration and recurrence of the received data packets, computing whether the data packets emanated from a suspect device. (Hod: [0006] operations include determining whether the one or more unidentified RF signals are present for a predetermined period of time, and determining whether a skimmer is present at the ATM based on a determination that the one or more unidentified RF signals are present for the predetermined period of time, [46] skimmer RF detection server configured to set a threshold timer to begin measuring the duration of the detected RF signal(s) which exceed the threshold level).
Claim 4: the combination of Hod and Bax teaches the device of claim 1 wherein the logic includes instructions for: locating, in the received data packets, fields indicative of circuit components employed for transmitting the received RF signals; extracting, from the located fields, an identity of the manufacturer of the circuit components; and comparing the identity to manufacturers of components associated with illicit devices. (Hod: [0009, 36] comparing the location of the determined one or more differences to known locations for unauthorized devices, and determining whether an unauthorized device is present at the ATM based on a determination that the one or more differences are located at a known location for unauthorized devices, [75] unauthorized device detection server is set by a device or component manufacturer or by a user of unauthorized device detection server and/or terminal using an input device).
Claim 5: the combination of Hod and Bax teaches the device of claim 1 wherein the logic includes instructions for: determining a signal strength of the received RF signals for a plurality of data packets; computing a variance of the signal strength for the plurality of data packets; and determining, based on the variance, whether the RF signals emanated from a suspect device. (Bax: [0241] signals transmitted from a specific version of a radio have... modulation variances, spurious emission levels, spurious emission frequencies, power spectrum envelopes, and other electromagnetic characteristics, [128] device classification module performs anomaly analysis, which compares the features associated with each data throughput feature vector into an aggregate metric and if the aggregate metric exceeds one or more established anomaly thresholds the associated wireless device is flagged as malicious or potentially malicious).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining information about malicious device and its presence as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 6: the combination of Hod and Bax teaches the device of claim 1 wherein the logic includes instructions for: determining, from at least one of the received packets, a transmission profile indicative of an intended use of the received packets; and computing, based on the transmission profile, whether the transmission profile is associated with transmissions from illicit capture devices. (Hod: [0029] receiver transmits the identification information to skimmer RF detection server using one or more data packets and [26] the system compares the detected RF signals to data contained in a known skimmer emissions database to determine whether the detected RF signals match any known ATM skimmers).
Claim 7: the combination of Hod and Bax teaches the device of claim 6 wherein the logic is further operable to conclude that if the transmission profile designates a serial port protocol, then there is a likelihood that the transmission emanates from an illicit capture device. (Bax: [0046-48] threats transmitted through a variety of different channels, such as different frequencies, protocols, or wireless services, each given wireless device, the metadata includes physical layer specifications such as modulation, protocols, symbol rates, bandwidths, or frequencies; a likelihood metric that the device is rogue, unauthorized, or malicious; a type of attack, if any, being employed by the device; and other wireless devices that the particular device is likely to be communicating with).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining malicious device’s presence as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 8: the combination of Hod and Bax teaches the device of claim 4 wherein the logic further includes instructions for locating a BD_ADDR field in a Bluetooth packet, referencing the Organizationally Unique Identifier (OUI) and device ID fields in the Bluetooth packet, and determining if the manufacturer denoted by the OUI is commonly associated as a source for the illicit devices. (Bax: [0059] a malicious wireless device can spoof medium access control information, or other addressing information, to configure network nodes into a vulnerable state, [82] the particular radio frequency signal detected at a particular antenna contains a Bluetooth signal, [0246]  manufacturer information determined to relate fingerprints and determined from unique identifiers or form radio frequency signatures such as timing, spurious emissions, modulation variations, context changes, or so forth).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining information about malicious device and its presence as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 9: the combination of Hod and Bax teaches the device of claim 5 wherein the logic further includes instructions for determining, if the signal strength is invariant over transmission of a plurality of data packets, then the data packets likely emanated from a suspect device. (Bax: [0245] signal strengths are evaluated to relate fingerprints. Two radio frequency fingerprints, even if from different communication modalities have similar relative power levels when originating from the same wireless device or the same entity, [229] visualization features including..., pair-wise wireless communication links between devices, estimates of the data throughput being transmitted by devices, attack types being perpetrated, malicious devices, victim devices, and so forth).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining information about malicious device and its presence as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 10: the combination of Hod and Bax teaches the device of claim 3 wherein the logic further includes instructions for: determining if the transmission of the data packets occurs at a repeated transmission window of time iterated at regular or daily intervals; and concluding that a regular pattern of transmission windows with intervening dormant periods indicates that the transmission of the data packets emanated from a suspect device. (Bax: [0117] space-time-frequency analysis module resolves redundant signal detection when the same signal is detected at more than one sensor, [157] electromagnetic persona engine receives and associate time signals with a particular electronic device that indicate a time of detection of the electronic device and/or a detection interval associated with the electronic device and [150] detected when such behaviors are expected, unexpected, erratic, associated with unknown entities, or associated with known malicious entities).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining information about malicious device and its presence as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 11: the combination of Hod and Bax teaches the device of claim 1 wherein the received RF signals are modulated to include Bluetooth transmissions in the range of 2.402 GHz to 2.480 GHz. (Bax: [0149] the broad range of frequency bands that can be received might be 15 MHz to 6 GHz).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining bluetooth range as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).
Claim 12: the combination of Hod and Bax teaches the device of claim 1 further comprising an interface to a database of characteristics of malicious devices, the database including properties of transmissions denoting malicious capture activity and a likelihood, for each property, that the property is indicative of a malicious RF interception. (Hod: [0036] include one or more interconnected information storage databases. The database entries contain a plurality of fields, one or more of which include information related to known skimmer devices, skimmer device names, the frequency or frequencies of RF signals emitted by the skimmer device, the amplitude(s) of the RF signals emitted by the skimmer device, one or more images of the skimmer device, information related to disabling the particular skimmer device, and the like).
Claim 14: the combination of Hod and Bax teaches the method of claim 13 further comprising deriving characteristics indicative of periodicity, transmission hardware components, signal strength, and transmission profile. (Hod: [0036, 41] one or more of which may include information related to known skimmer devices, such as, for example, skimmer device names, the frequency or frequencies of RF signals emitted by the skimmer device, the amplitude(s) of the RF signals emitted by the skimmer device, one or more images of the skimmer device, information related to disabling the particular skimmer device, and the like... skimmer RF detection server configured to generate an alert to include information associated with characteristics of the skimmer, the identity of the ATM where the skimmer as detected, etc. Receiver provides identification information associated with the ATM that provided signals detected by antenna).
Claim 15: the combination of Hod and Bax teaches the method of claim 13 wherein deriving the characteristics includes measuring a periodicity of the received data packets, and based on a duration and recurrence of the received data packets, computing whether the data packets emanated from a suspect device. (Hod: [0006] operations include determining whether the one or more unidentified RF signals are present for a predetermined period of time, and determining whether a skimmer is present at the ATM based on a determination that the one or more unidentified RF signals are present for the predetermined period of time, [46] skimmer RF detection server configured to set a threshold timer to begin measuring the duration of the detected RF signal(s) which exceed the threshold level).
Claim 16: the combination of Hod and Bax teaches the method of claim 13 wherein deriving the characteristics further includes: locating, in the received data packets, fields indicative of circuit components employed for transmitting the received RF signals; extracting, from the located fields, an identity of the manufacturer of the circuit components; and comparing the identity to manufacturers of components associated with illicit devices. (Hod: [0009] comparing the location of the determined one or ore differences to known locations for unauthorized devices, and determining whether an unauthorized device is present at the ATM based on a determination that the one or more differences are located at a known location for unauthorized devices, [75] unauthorized device detection server is set by a device or component manufacturer or by a user of unauthorized device detection server and/or terminal using an input device).
Claim 17: the combination of Hod and Bax teaches the method of claim 13 wherein analyzing the RF signals further includes: determining a signal strength of the received RF signals for a plurality of data packets; computing a variance of the signal strength for the plurality of data packets; and determining, based on the variance, whether the RF signals emanated from a suspect device. (Bax: [0241] signals transmitted from a specific version of a radio have... modulation variances, spurious emission levels, spurious emission frequencies, power spectrum envelopes, and other electromagnetic characteristics, [128] device classification module performs anomaly analysis, which compares the features associated with each data throughput feature vector into an aggregate metric and if the aggregate metric exceeds one or more established anomaly thresholds the associated wireless device is flagged as malicious or potentially malicious).
([0028]).
Claim 18: the combination of Hod and Bax teaches the method of claim 13 wherein deriving the characteristics further includes: determining, from at least one of the received packets, a transmission profile indicative of an intended use of the received packets, and; computing, based on the transmission profile, whether the transmission profile is associated with transmissions from illicit devices. (Hod: [0029] receiver transmits the identification information to skimmer RF detection server using one or more data packets and [26] the system compares the detected RF signals to data contained in a known skimmer emissions database to determine whether the detected RF signals match any known ATM skimmers).
Claim 19: the combination of Hod and Bax teaches the method of claim 13 further comprising receiving RF signals modulated to include Bluetooth transmissions in the range of 2.402 GHz to 2.480 GHz. (Bax: [0149] the broad range of frequency bands that can be received might be 15 MHz to 6 GHz).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Hod to include the idea of determining bluetooth range as taught by Bax so that a network of multiple attacking wireless devices are identified without using pair-wise link information depending upon the type of attack ([0028]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BADRINARAYANAN /Examiner, Art Unit 2496.