DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant’s claim for the benefit of US provisional patent application serial no. 62/888,739, filed Aug. 19, 2019.

Response to Amendment
The amendments filed on October 20, 2021 have been entered.
Claims 1, 10, and 18 have been amended.
Claim 19 has been cancelled. 
Claims 21-22 have been added.

          				        Response to Arguments
Applicant’s arguments filed on October 20, 2021 have been considered but are moot in view of the new grounds in the rejection in view of Murthy (Pub. No. US 2018/0097840).  

Claim Objections
Claim 21 is objected to because it recites an acronym that is not defined within the claim. The acronym is: VoIP.








Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3, 4, 6-12, 14, 16, 20, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Comeaux et al. (Pat. No. US 10,878,428), hereinafter Comeaux, in view of Murthy (Pub. No. US 2018/0097840).

		Claim 1. 	Comeaux discloses system for evaluating a network comprising:  
		the plurality of endpoint devices coupled to the network, which supports events thereon (Col. 5 lines 29-49 and Fig. 1; (Network 112); (The alert-generating servers 102, the databases 104, the system servers 106, the analyst devices 108, and the user devices 110 are connected to each other through one or more networks 112)), each of the events occurring at one of the plurality of endpoint devices (Col. 2 lines 5-36, Col. 5 lines 62-67, Col. 6 lines 1-5, and Fig. 1 (110); (Failed login (i.e., event) attempts from a user (i.e., user device 110)));  
		a network evaluation server coupled to the network (Col. 5 lines 29-49, Col. 5 lines 62-67, Col. 6 lines 1-5, and Fig. 1 (Alert generating server 102); (The alert-generating servers 102, the databases 104, the system servers 106, the analyst devices 108, and the user devices 110 are connected to each other through one or more networks 112))), the network evaluation server including a network evaluation application stored in non-transitory memory and executable by a network processor (Col. 5 lines 50-67, Col. 6 lines 1-5, Col. 7 lines 66-67, Col. 8 lines 1-35, Col. 15 lines 12-16, and Fig. 1; (Alert-generating servers 102 may be any computing devices comprising a processor, and a non-transitory machine-readable storage medium, and capable of performing various tasks and processes during execution. The alert-generating server 102 may receive log files or other machine-readable code containing various data fields describing a detected fraudulent and malicious event associated with a data channel from various types of system servers. The alert-generating server 102 may receive log files or other machine-readable code containing various data fields describing a detected fraudulent and malicious event associated with a data channel from various types of system servers. The alert-generating server 102 may execute the alert-generation model to infer whether user's network activity is fraudulent or whether the user's account has been compromised.  The alert-generation model is particularly useful in fraud detection applications where the complexity and the volume of the data make manual fraud-detection impractical, inefficient, and time-consuming. As described above, when evaluation network activity, time is an important factor because a fraudster may only need t a brief window of time to compromise a valid user account. Application data includes software instructions executed by the alert-generating server 102 and/or other components of the system 100 or data used by the such applications executed by the alert-generating server 102 and/or other components of the system 100)) configured to: 
		for each of the events: 
		obtain a service score, an event type, and a user identifier (Col. 2 lines 23-46; (The art teaches receiving, by a server, one or more fraud events from one or more fraud detection devices where each of the one or more fraud events comprises data fields associated a fraudulent activity; also, determining, by the server, a user identifier associated with a fraud event of the one or more fraud events based on the data associated with the fraudulent activity; and determining, by the server, the alert-generation model applicable to the fraud event based on the user identifier associated with the fraud event; and generating, by the server, an alert probability ; and
		determine a network score based on (i) a first number of user identifiers associated with at least one failed event and (ii) a second total number of user identifiers associated with the events (Col. 4 lines 39-49, Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1-2; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record. The alert-generating systems and apparatuses may execute one or more alert generation models that generate a fraud probability score for apparent fraudulent events. The art teaches generating an alert based on alert probability score. i.e., it is known in mathematics that the probability of a failed event(s) is calculated by the number of failed event(s) divided by the total number of events)); and output an indication of the network score (Fig. 2 (210, 212); (The art teaches generating an alert based on alert probability score)). 
Comeaux doesn’t explicitly disclose a plurality of event quality monitoring applications stored in non-transitory memory and executable by a plurality of endpoint processors, respectively, at a plurality of endpoint devices; obtain a service score evaluating a quality of service of the network for the event, an event type, and a user identifier; and when the service score for the event does not exceed a threshold service score for the event type, assign a fail indication for the event.  
		However, Murthy discloses a plurality of event quality monitoring applications stored in non-transitory memory and executable by a plurality of endpoint processors, respectively, at a plurality of endpoint devices (Parag. [0027-0029]; (The art teaches that a firewall is typically a device, a set of devices, or software executed on a device that provides a firewall function for network access. For example, a firewall can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices). The firewall can also be integrated into or executed as software applications on various types of devices or security devices. The firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify or log, and/or other actions can be specified in firewall/security rules or firewall/security policies, which can be triggered based on various criteria. Security devices (e.g., security appliances, security gateways, security services, and/or other security devices) can include various networking functions such as quality of service (QOS))); and
		obtain a service score evaluating a quality of service of the network for the event (i.e., login event) (Parag. [0027-0029] and Parag. [0042]; (The art teaches that the firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify or log, and/or other actions can be specified in firewall/security rules or firewall/security policies, which can be triggered based on various criteria. Security devices (e.g., security appliances, security gateways, security services, and/or other security devices) can include various networking functions such as quality of service (QOS). The art teaches multifactor authentication as a network service includes monitoring a session (e.g., a new or existing session) at a firewall, applying an authentication profile based on the new session, and performing an action based on the authentication profile. For example, an authentication profile can be selected based on matched criteria associated with a new session that is requesting access to a resource, which is based on a match to a rule of an authentication policy. The authentication profile can require specified multifactor authentication for access to the requested resource (i.e., a score indicating the multifactor authentication satisfaction). If one or more of the authentication factors are not successfully satisfied or time-out, then the firewall can block access to the resource or drop the session. Otherwise (e.g., the required authentication factors are successfully satisfied), the firewall can allow access to the resource (e.g., and the firewall can perform additional security screening based on a security policy))), an event type, and a user identifier (Parag. [0169-0173]; (The art teaches that a firewall provides a view into an authentication and User ID log (e.g., an authentication and User ID log database or other data ; and 
		when the service score for the event does not exceed a threshold service score for the event type, assign a fail indication for the event (Parag. [0042] and Parag. [0059]; (The art teaches multifactor authentication as a network service includes monitoring a session (e.g., a new or existing session) at a firewall, applying an authentication profile based on the new session, and performing an action based on the authentication profile. For example, an authentication profile can be selected based on matched criteria associated with a new session that is requesting access to a resource, which is based on a match to a rule of an authentication policy. The authentication profile can require specified multifactor authentication for access to the requested resource (i.e., a score indicating the multifactor authentication satisfaction). If one or more (i.e., threshold service score) of the authentication factors are not successfully satisfied or time-out, then the firewall can block access to the resource or drop the session. Further, the art teaches that detection of compromised credentials as a network service includes monitoring a plurality of sessions at a firewall, logging a plurality of failed or timed out attempts (i.e., fail indication) to authenticate at the firewall in a log (e.g., an authentication log))).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Comeaux to incorporate the teaching of Murthy. This would be convenient to protect networks from unauthorized access while permitting authorized communications to pass through (Parag. [0001]).
   
Claim 3. 	Comeaux in view of Murthy discloses the system of claim 1, 
		Comeaux further discloses wherein the network evaluation server is configured to determine the network score when a total number of events exceeds a threshold number of events (Col. 12 lines 18-27; (The art teaches that the alert-generating server monitors or otherwise subscribe to fraudulent and/or authentication events generated and published by the server (e.g. payment server). The payment server communicate the fraudulent and/or authentication events with the alert-generating server over the network, using any number compatible data formats and protocols. The fraudulent and/or authentication events may indicate .   
 
Claim 4. 	Comeaux in view of Murthy discloses the system of claim 1,   
		Comeaux further discloses wherein the network evaluation server is configured to determine the network score for events occurring within a predetermined period of time (Col. 4 lines 62-67 and Col. 5 line 1; (The art teaches that the alert-generating systems and apparatuses sort the fraudulent events according to a priority, based on the relative fraud probability scores. Also, the alert-generating systems and apparatuses update the fraud probability scores of the fraudulent events periodically as more fraudulent events are detected and received from one or more fraud detection servers)).  
 
Claim 6. 	Comeaux in view of Murthy discloses the system of claim 1, 
Comeaux further discloses wherein the network evaluation server is further configured to: 
		identify one or more subsections of the network (Col. 4 lines 28-38; (The art teaches that the alert-generating server generate alerts based on inputs from one or more servers that are operable to track, monitor, and flag for potentially fraudulent and malicious network activity. The alerts contains various data fields indicating threats of fraud or attempts to penetrate an enterprise network, and indicating one or more particular users of the system associated with an alert (often the target of a type of fraud))); and 
for each subsection of the network, determine a subsection score based on a number of failed events associated with the subsection and a total number of events associated with the subsection (Col. 4 lines 39-61, Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and .  
 
Claim 7. 	Comeaux in view of Murthy discloses the system of claim 6, 
Comeaux further discloses wherein the subsections comprise one or more of: distinct offices associated with the network; distinct regions of the network; distinct sub- networks of the network; and different services supported by the network (Col. 4 lines 28-38; (The art teaches that the alerts contains various data fields indicating threats of fraud or attempts to penetrate an enterprise network (i.e., offices associated with the network))).  

Claim 8. 	Comeaux in view of Murthy discloses the system of claim 6,   
Comeaux further discloses wherein the network evaluation server is configured to determine the subsection score when the total number of events associated with the subsection exceeds a threshold number of events (Col. 12 lines 18-27; (The art teaches that the alert-generating server monitors or otherwise subscribe to fraudulent and/or authentication events generated and published by the server (e.g. payment server). The payment server communicate the fraudulent and/or authentication events with the alert-generating server over the network, using any number compatible data formats and protocols. The fraudulent and/or authentication events may indicate a status of payments transactions, such as an irregular transaction amount is identified above a threshold amount)).     
 
Claim 9. 	Comeaux in view of Murthy discloses the system of claim 1,   
Comeaux further discloses wherein the network evaluation server is configured to: 
		compare the network score with a threshold network score (Col. 18 lines 20-31; (The art teaches that the alert-generating server compares the fraud probability score corresponding to the fraud event with a pre-defined threshold score)); and  
		when the network score is below the threshold network score, output a supplementary indication that the network score is below the threshold network score (Col. 18 lines 32-41; (The art teaches that upon determining that the alert probability score . 

Claim 10. 	Comeaux discloses a method of evaluating a network comprising:  23P8836US01 
for each of a plurality of events on the network:  
obtaining, by a processor, a service score and an event type (Col. 2 lines 23-46; (The art teaches receiving, by a server, one or more fraud events from one or more fraud detection devices where each of the one or more fraud events comprises data fields associated a fraudulent activity; also, determining, by the server, a user identifier associated with a fraud event of the one or more fraud events based on the data associated with the fraudulent activity; and determining, by the server, the alert-generation model applicable to the fraud event based on the user identifier associated with the fraud event; and generating, by the server, an alert probability score corresponding to the fraud event, based on the execution of the alert-generation model applicable to the fraud event determined based on the user identifier associated with the fraud event, on the data fields associated with the fraudulent activity contained in the fraud event)); and  
determining, by a processor, a network score for the network based on (i) a number of failed events and (ii) a total number of plurality of events (Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record)); and 
outputting an indication of the network score (Fig. 2 (210, 212); (The art teaches generating an alert based on alert probability score)).  
Comeaux doesn’t explicitly disclose obtaining, by a processor, a service score evaluating a quality of service of the network for the event and an event type; and when the service score does not exceed a threshold service score for the event type, assigning, by a processor, a fail indication indicative of a failed event.
However, Murthy obtaining, by a processor, a service score evaluating a quality of service of the network for the event (i.e., login event) (Parag. [0027-0029] and Parag. [0042]; (The art teaches that the firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify or log, and/or other actions can be specified in firewall/security rules or firewall/security policies, which can be triggered based on various criteria. Security devices (e.g., security appliances, security gateways, security services, and/or other security devices) can include various networking functions such as quality of service (QOS). The art teaches multifactor authentication as a network service includes monitoring a session (e.g., a new or existing session) at a firewall, applying an authentication profile based on the new session, and performing an action based on the authentication profile. For example, an authentication profile can be selected based on matched criteria associated with a new session that is requesting access to a resource, which is based on a match to a rule of an authentication policy. The authentication profile can require specified multifactor authentication for access to the requested resource (i.e., a score indicating the multifactor authentication satisfaction). If one or more of the authentication factors are not successfully satisfied or time-out, then the firewall can block access to the resource or drop the session. Otherwise (e.g., the required authentication factors are successfully satisfied), the firewall can allow access to the resource (e.g., and the firewall can perform additional security screening based on a security policy))) and an event type (Parag. [0169-0173]; (The art teaches that a firewall provides a view into an authentication and User ID log (e.g., an authentication and User ID log database or other data format). The interface of the firewall can also display various other monitored information, such as the following: Event Type (e.g., logon, logoff); Begin Port (e.g., User ID for a terminal services session); End Port (e.g., User ID for a terminal services session))); and 
		when the service score does not exceed a threshold service score for the event type, assigning, by a processor, a fail indication indicative of a failed event (Parag. [0042] and  authentication as a network service includes monitoring a session (e.g., a new or existing session) at a firewall, applying an authentication profile based on the new session, and performing an action based on the authentication profile. For example, an authentication profile can be selected based on matched criteria associated with a new session that is requesting access to a resource, which is based on a match to a rule of an authentication policy. The authentication profile can require specified multifactor authentication for access to the requested resource (i.e., a score indicating the multifactor authentication satisfaction). If one or more (i.e., threshold service score) of the authentication factors are not successfully satisfied or time-out, then the firewall can block access to the resource or drop the session. Further, the art teaches that detection of compromised credentials as a network service includes monitoring a plurality of sessions at a firewall, logging a plurality of failed or timed out attempts (i.e., fail indication) to authenticate at the firewall in a log (e.g., an authentication log))).
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Comeaux to incorporate the teaching of Murthy. This would be convenient to protect networks from unauthorized access while permitting authorized communications to pass through (Parag. [0001]). 

Claim 11. 	Comeaux in view of Murthy discloses the method of claim 10, 
Comeaux further discloses wherein determining the network score comprises: filtering the plurality of events to obtain events occurring during a predetermined period of time; and determining the network score for the network during the predetermined period of time (Col. 4 lines 62-67 and Col. 5 line 1; (The art teaches that the alert-generating systems and apparatuses sort the fraudulent events according to a priority, based on the relative fraud probability scores. Also, the alert-generating systems and apparatuses update the fraud probability scores of the fraudulent events periodically as more fraudulent events are detected and received from one or more fraud detection servers)).   

Claim 12. 	Comeaux in view of Murthy discloses the method of claim 10,  
Comeaux further discloses wherein determining the network score comprises: identifying a first number of users experiencing at least one failed event based on user identifiers associated with the failed events; identifying a second number of users experiencing at least one event based on user identifiers associated with the plurality of evenst; and determining the network score based on (i) the first number of users and (ii) the second number of users (Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record)).

Claim 14. 	Comeaux in view of Murthy discloses the method of claim 10,  
Comeaux further discloses wherein determining the network score is performed when the total number of events exceeds a threshold number of events (Col. 12 lines 18-27; (The art teaches that the alert-generating server monitors or otherwise subscribe to fraudulent and/or authentication events generated and published by the server (e.g. payment server). The payment server communicate the fraudulent and/or authentication events with the alert-generating server over the network, using any number compatible data formats and protocols. The fraudulent and/or authentication events may indicate a status of payments transactions, such as an irregular transaction amount is identified above a threshold amount)).   

Claim 16. 	Comeaux in view of Murthy discloses the method of claim 10, 
Comeaux further discloses the method further comprising: 
identifying one or more subsections of the network (Col. 4 lines 28-38; (The art teaches that the alert-generating server generate alerts based on inputs from one or more servers that are operable to track, monitor, and flag for potentially fraudulent and malicious network activity. The alerts contains various data fields indicating threats of fraud or attempts to penetrate ; 
for each subsection of the network, determining a subsection score based on a number of failed events associated with the subsection and a total number of events associated with the subsection (Col. 4 lines 39-61, Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record)); and 
outputting an indication of the subsection score for each of the one or more subsections of the network (Col. 4 lines 39-61, Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record. The art teaches generating an alert based on alert probability score)).  

Claim 20. 	Comeaux in view of Murthy discloses the method of claim 16,  
Comeaux further discloses the method further comprising: 
subdividing at least one of the one or more subsections into one or more subdivisions (Col. 4 lines 28-38; (The art teaches that the alert-generating server generate alerts based on inputs from one or more servers that are operable to track, monitor, and flag for potentially fraudulent and malicious network activity. The alerts contains various data fields indicating threats of fraud or attempts to penetrate an enterprise network (i.e., subsection of a network), and indicating one or more particular users of the system associated with an alert (often the target of a type of fraud))); and 
for each subdivision, determining a subdivision score based on a number of failed events associated with the subdivision and a total number of events associated with the subdivision (Col. 4 lines 39-61, Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record)).

Claim 22. 	Comeaux in view of Murthy discloses the system of claim 1,  
Comeaux further discloses wherein the service score is based on user feedback indicating quality of the event (Col. 2 lines 23-46; (The art teaches receiving, by a server, one or more fraud events from one or more fraud detection devices where each of the one or more fraud events comprises data fields associated a fraudulent activity; also, determining, by the server, a user identifier associated with a fraud event of the one or more fraud events based on the data associated with the fraudulent activity; and determining, by the server, the alert-.

Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Comeaux et al. (Pat. No. US 10,878,428), hereinafter Comeaux, in view of Murthy (Pub. No. US 2018/0097840), and in view of Kakani et al. (Pub. No. US 2020/0106660), hereinafter Kakani.
 	
Claim 2. 	Comeaux in view of Murthy discloses the system of claim 1, 
Comeaux further discloses wherein the network evaluation server is configured to determine the network score according to probability equation is based the number of user identifiers associate with at least one failed event and the total number of user identifiers associated with at least one event  (Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record)).  
Comeaux doesn’t explicitly disclose a probability equation (1-(F/T))*100, wherein F represents the first number associate with at least one failed event and T represents the second total number associated with the events.
However, Kakani discloses a probability equation (1-(F/T))*100, wherein F represents the first number associate with at least one failed event and T represents the second total number associated with the events (Parag. [0029]; (The art teaches that a statistical power is inversely related to beta where beta is the probability of making a Type II error (power=1-beta) (i.e., beta is the probability for a failed event) (i.e.., equivalent to 1-(F/T), wherein beta is equivalent to F/T). Note: The number of failed event (F) divided by the total number of events (T) would represent how many failed event occur which is an element to determine the probability, which would be equivalent to beta (i.e., F/T))). 
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Comeaux to incorporate the teaching of Kakani. This would be convenient to aid in troubleshooting issues and outages in a network (Parag. [0002]).

Claim 13. 	Comeaux in view of Murthy discloses the method of claim 12, 
Comeaux further discloses wherein determining the network score according to probability equation is based the number of user identifiers associate with at least one failed event and the total number of user identifiers associated with at least one event  (Col. 10 lines 48-67, Col. 11 lines 1-10, and Fig. 1; (The art teaches that when a system server determines that a user fails multiple times to authenticate himself or herself as valid and recognized user of the system, the system server transmit potential fraudulent event (including data associated with the event comprising multiple times failed authentication) to the alert-generating server. The alert-generating server then executes an alert-generation model to determine an alert probability score for this event. The alert-generation model executed by the alert-generating server calculates the alert probability score for this event based on details regarding any previous history of the user for failed authentication events, and whether a device ID from which the user is attempting to log in matches with user device data. The set of one or more acceptable and authorized device IDs of the user (i.e., user identifiers) are predetermined to satisfy a safety acceptability threshold required by the system and stored in a user record)).  
Comeaux doesn’t explicitly disclose a probability equation (1-(F/T))*100, wherein F represents the first number of users, and T represents the second number of users.
However, Kakani discloses a probability equation (1-(F/T))*100, wherein F represents the first number of users, and T represents the second number of users. (Parag. [0029]; (The art teaches that a statistical power is inversely related to beta where beta is the probability of . 
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify Comeaux to incorporate the teaching of Kakani. This would be convenient to aid in troubleshooting issues and outages in a network (Parag. [0002]).

		Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Comeaux et al. (Pat. No. US 10,878,428), hereinafter Comeaux, in view of Murthy (Pub. No. US 2018/0097840), and in view of Langton et al. (Pub. No. US 2016/0294851), hereinafter Langton. 

Claim 5. 	Comeaux in view of Murthy discloses the system of claim 1,    
Comeaux further discloses wherein the network evaluation server is configured to one or more of: generate a report including the indication of the network score; generate an alarm at an output device associated with the server; and send a message to a client device including the network score and/or the alarm (Col. 5 lines 5-8 and Fig. 2 (210, 212); (The art teaches generating an alert based on alert probability score. The art teaches generating an alert based on alert probability score. The art also teaches that analyst computers query and fetch the alerts from a database and present the alerts to be addressed by an analyst)).   
The combination doesn’t explicitly disclose generating an alarm when the network score is below a threshold network score. 
		However, Langton discloses generating an alarm when the network score is below a threshold network score (Parag. [0050], Parag. [0066], and Parag. [0072]; (The art teaches that a security device 220 may generate a network activity score for network activity associated with client device 210, and may determine that the network activity score satisfies a threshold. The art teaches that the security device generates, for each client device, a network activity score representing a measure of similarity of network activity of each client device to the network activity profile. Based on comparing the network activity scores to a threshold (e.g., a 75% match), security device identifies the client devices as being infected. The security device .
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify the combination to incorporate the teaching of Langton. This would be convenient to determine whether the malicious file is operating on a client device of the set of client devices (Parag. [0012]). 

Claim 15. 	Comeaux in view of Murthy discloses the method of claim 10,  
Comeaux further discloses wherein outputting the indication of the network score comprises one or more of: generating a report including the indication of the network score; generating an alarm at an output device; and sending a message to a client device including the network score and/or the alarm (Col. 5 lines 5-8 and Fig. 2 (210, 212); (The art teaches generating an alert based on alert probability score. The art also teaches that analyst computers query and fetch the alerts from a database and present the alerts to be addressed by an analyst)).  
The combination doesn’t explicitly disclose generating an alarm when the network score is below a threshold network score. 
		However, Langton discloses generating an alarm when the network score is below a threshold network score (Parag. [0050], Parag. [0066], and Parag. [0072]; (The art teaches that a security device 220 may generate a network activity score for network activity associated with client device 210, and may determine that the network activity score satisfies a threshold. The art teaches that the security device generates, for each client device, a network activity score representing a measure of similarity of network activity of each client device to the network activity profile. Based on comparing the network activity scores to a threshold (e.g., a 75% match), security device identifies the client devices as being infected. The security device provides, to administrator device, a notification regarding the infected client devices, and, as shown by reference number, the notification is displayed as an alert on administrator device. further, the art teaches that satisfying a threshold may refer to a value being less than the threshold)).
.

   Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Comeaux et al. (Pat. No. US 10,878,428), hereinafter Comeaux, in view of Murthy (Pub. No. US 2018/0097840), in view of Doddala et al. (Pub. No. US 2018/0308001), hereinafter Doddala, and in view of Thapliya et al. (Pub. No. US 2015/0281026), hereinafter Thapliya. 
  
Claim 18. 	Comeaux in view of Murthy discloses the method of claim 16, 
The combination doesn’t explicitly disclose the method further comprising, when the total number of events associated with the subsection is below a threshold number of events, assigning the subsection score to be NULL, and when the total number of events associated with the subsection is below a threshold number of events, assigning the subsection score to be 100%.  
		However, Doddala discloses when the total number of events associated with the subsection is below a threshold number of events, assigning the subsection score to be NULL (Parag. [0051]; (The art teaches that if the number of events is less than the threshold number, the metric is converted into a feature value of zero (i.e., NULL))). 
		It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify the combination to incorporate the teaching of Doddala. This would be convenient for ensuring smooth IT operations, managing troubleshooting problems, and detecting anomalous activity in the IT infrastructure (Parag. [0003]).
		Thapliya discloses when the total number of events associated with the subsection is below a threshold number of events, assigning the subsection score to be 100% (Parag. [0059] and Fig. 6 (d); (The art teaches that if the number of packet loss events is 2, which is less than the threshold y, the packet loss event recorded. Fig. 6(d) shows an indication using binary “1” (i.e., equivalent to 100%) to indicate the number of packet loss events)).  
.
	
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Comeaux et al. (Pat. No. US 10,878,428), hereinafter Comeaux, in view of Murthy (Pub. No. US 2018/0097840), and in view of Minhazuddin et al. (Pub. No. US 2004/0073641), hereinafter Minhazuddin. 
			
Claim 21. 	Comeaux in view of Murthy discloses the system of claim 1,  
The combination doesn’t explicitly disclose wherein the service score for a VoIP call includes a rating factor computed based on latency, jitter, packet loss, and a codec used during the VoIP call.
However, Minhazuddin discloses wherein the service score for a VoIP call includes a rating factor computed based on latency, jitter, packet loss, and a codec used during the VoIP call (Parag. [0031] and Parag. [0034]; (The art teaches a session monitor includes in memory a statistic collection agent to collect and store information from the end points, a network reconfiguration agent to reconfigure resources of the network to meet QoS requirements for a session, and a database comprising statistics and other information collected from the end points. Other components of the session monitor can include those currently available in products such as VoIP Monitoring Manager.TM. by Avaya, Inc. Further, the art teaches that the user can obtain information regarding each end point, information regarding specific RTP sessions between end points (e.g., whether or not a session end point triggered the detailed monitoring state, the end point triggering the detailed monitoring state, when the detailed monitoring state was triggered, the codec used, the RSVP status, the session start and end times, the communications controller with which the end point is registered), and a list of sessions with levels of jitter, jitter buffer delay, latency, available bandwidth, and/or packet loss above certain user-defined levels)).  
It would be obvious to one of ordinary skill in the art at the time before the effective filling date of the claimed invention to modify the combination to incorporate the teaching of Minhazuddin. This would be convenient for determining when a problem is occurring in order to .

Conclusion
		The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Niemoeller (US 2016/0226733) – Related art in the area of method and score management for supporting service evaluation, (Abstract; A score management node receives network measurements related to at least one service event when the service is delivered to the user, and determines, in a first scoring module, a quality score Q reflecting the user's perception of quality of the delivered service and an associated significance S reflecting the user's perception of importance of the delivered service, based on the received network measurements).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDELBASST TALIOUA whose telephone number is (571)272-4061.  The examiner can normally be reached on Monday-Thursday 7:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.T./Examiner, Art Unit 2442

/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442