Reasons for Allowance
This action is in response to the Application filed 04/14/2020. The application contains claims 1-20, wherein claims 1, 8 and 15 are presented in independent form. Claims 1, 8 and 15 as set forth are distinguished over the art made of record when considered with all the limitations of the claims and not in isolation, as no single prior art of record discloses all the elements of each claim respectively, nor are the limitations an obvious combination derived therefrom. The claims are allowed based on incorporation of subject matter not taught by the art made of record when the subject matter set forth in the Examiner’s Amendment is considered with all the limitations of each of said claims and incorporated in the independent claims in combination with ALL the limitations in the claims.
As to claim 1, the limitation “obtaining, by a threat management system, respective wireless access point (AP) locations corresponding to one or more wireless access points; receiving, by the threat management system, one or more network status messages that include wireless access point information received by one or more endpoint devices; determining, by the threat management system, whether a discrepancy exists between the one or more access point locations and the wireless access point information; if it is determined that the discrepancy exists: sending, from the threat management system, one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with the threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving, at the threat management system, one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing, at the threat management system, the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters sent by the threat management system; and performing, at the threat management system, one or more actions to restrict the rogue access point” in combination with ALL (and not the limitation noted in isolation) the limitations of each of the claims is not fairly taught by the art made of record. Remaining dependent claims 2-7 contain the limitations noted above by virtue of dependence and are similarly distinguished over the prior art. 
As to claim 8, the limitation “obtaining respective wireless access point (AP) locations corresponding to one or more wireless access points; receiving one or more network status messages that include wireless access point information received by one or more endpoint devices; determining whether a discrepancy exists between the one or more access point locations and the wireless access point information; if it is determined that the discrepancy exists: sending one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with the threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing the subsequent access point information to identify a rogue access point; and performing one or more actions to restrict the rogue access point” in combination with ALL (and not the limitation noted in isolation) the limitations of each of the claims is not fairly taught by the art made of record. Remaining dependent claims 9-14 contain the limitations noted above by virtue of dependence and are similarly distinguished over the prior art. 
As to claim 15, the limitation “obtaining respective wireless access point (AP) locations corresponding to one or more wireless access points; receiving one or more network status messages that include wireless access point information received by one or more endpoint devices; determining whether a discrepancy exists between the one or more access point locations and the wireless access point information; if it is determined that the discrepancy exists: sending one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with a threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters; and performing one or more actions to restrict the rogue access point” in combination with ALL (and not the limitation noted in isolation) the limitations of each of the claims is not fairly taught by the art made of record. Remaining dependent claims 16-20 contain the limitations noted above by virtue of dependence and are similarly distinguished over the prior art. 
The claims are distinguished over the closest art of record, which includes US-20200267553 to Wagner et al (hereinafter d1), US-20070298720 to Wolman et al (hereinafter d2), US-20170026859 to Ahmadzadeh et al (hereinafter d3) and US-20160192136 to Pan et al (hereinafter d4). d1 discloses techniques for rogue device detection (see d1 para. 0085). d1 discloses geo-location and can put controls in place such that movement of the access device by the resource provider will require updated registration, wherein a rogue hacker, in order to simulate a legitimate access device, would have to have the rogue mobile device's location match that of the legitimate access device (see d1 para. 0087). d1 also discloses comparing the geo-location from the certificate to the geo-location of the mobile device, wherein the device may determine its geolocation by using a location determination system such as a GPS system. If the two geo-locations match or are otherwise proximate to each other, then the mobile device may determine that the access device 404 is an authentic access device (see d1 para. 0095).
The disclosure of d1 at best discloses using matching location to determine a rogue device, but fails to set forth the dual-layer determination of the present application including sending one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with a threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters; and performing one or more actions to restrict the rogue access point.
Turning to d2, d2 discloses detecting rogue devices that are coupled to a wired network without generating false negative or false positive alerts. d2 discloses sensing wireless communication by components that can sense communication on the specific network. Once an observed service set identifier (SSID) and/or an observed basic service set identifier (BSSID) is detected on the wireless network, a listing of authorized SSIDs and/or BSSIDs is checked. However, if this check indicates that the SSID and/or BSSID is on the authorized list, the method performs at least one additional test so that a false negative does not occur. Additionally, or alternatively, if the check of the list indicates that the SSID and/or BSSID is not authorized, at least one additional test is performed to determine whether the device is actually connected to the specific wired network of concern. The disclosure of d2 at best discloses using network information to determine a rogue device, but fails to set forth the dual-layer determination of the present application including sending one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with a threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters; and performing one or more actions to restrict the rogue access point.
Turning to d3, d3 discloses determining whether the first set of observed parameters of the potential network access point matches expected parameters for a network access point, and establishing a second level of communications with the potential network access point in response to determining that the first set of observed parameters matches expected parameters of the network access point. The disclosure of d3 at best discloses using network information to determine a rogue device, but fails to set forth the dual-layer determination of the present application including sending one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with a threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters; and performing one or more actions to restrict the rogue access point.
Turning to d4, d4 discloses identifying rogue access points having an actual location different from a registered location, including a computing device to receive a unique identifier of each access point of a plurality of access points within a communication range of the computing device from the corresponding access point. The computing device determines a registered physical location of each access point based on the unique identifier. Additionally, the computing device determines a reference distance between the computing device and each access point based on a transmitted signal received from each corresponding access point and a spatial distance between each access point and each other access point based on the registered locations of the access points. Based on the spatial distances and reference distances, the computing device identifies which of the access points are rogue access points. The disclosure of d4 at best discloses using physical location to determine a rogue device, but fails to set forth the dual-layer determination of the present application including sending one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with a threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters; and performing one or more actions to restrict the rogue access point.
None of d1, d2, d3, d4 alone fairly discloses the two-fold procedure of the present application including receiving, by the threat management system, one or more network status messages that include wireless access point information received by one or more endpoint devices; determining, by the threat management system, whether a discrepancy exists between the one or more access point locations and the wireless access point information, coupled in the same method with if it is determined that the discrepancy exists: sending, from the threat management system, one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with the threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving, at the threat management system, one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing, at the threat management system, the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters sent by the threat management system; and performing, at the threat management system, one or more actions to restrict the rogue access point. In consideration of the teaching of d1, d2, d3 and d4 in a reasonable combination, no reasonable combination thereof can be reasonably construed as disclosing the limitation.
Further, no aspects of d1-d4 would lead one of ordinary skill in the art to make modifications to any art made of record to result in the features including receiving, by the threat management system, one or more network status messages that include wireless access point information received by one or more endpoint devices; determining, by the threat management system, whether a discrepancy exists between the one or more access point locations and the wireless access point information; if it is determined that the discrepancy exists: sending, from the threat management system, one or more parameters to one or more selected access points from among the one or more access points, wherein the one or more selected access points are selected from among access points registered with the threat management system and the one or more parameters cause the one or more selected access points to modify an operational aspect; receiving, at the threat management system, one or more subsequent status messages containing subsequent access point information received by one or more endpoint devices; programmatically analyzing, at the threat management system, the subsequent access point information to identify a rogue access point, wherein the rogue access point is identified as an access point that did not modify the operational aspect according to the one or more parameters sent by the threat management system; and performing, at the threat management system, one or more actions to restrict the rogue access point. One must look at the claim limitations as a whole, without improper hindsight reasoning gleaned from the Applicant’s specification. Therefore, when all the limitations of independent claims 1, 8 and 15 are considered as a whole, the limitations are distinguished over the art made of record. The only teaching of these features is found in the Applicant’s disclosure. Therefore, claims 1, 8, 15 are both novel and non-obvious over the art made of record.
Therefore, the prior art made of record, alone or in any reasonable combination, fails to disclose the limitations noted above with respect to claims 1, 8, 15, in combination with all the limitations of each respective claim (and not in isolation). All remaining pending dependent claims contain the noted limitations by virtue of dependence, wherein the limitation in the dependent claim is not fairly taught by the art made of record. Therefore, the remaining pending dependent claims contain the limitation by virtue of dependence and therefore are also allowable. Therefore, for the foregoing reasons, the subject matter of claims 1-20 is novel and non-obvious in view of the prior art made of record. Therefore claims 1-20 are allowed.
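The two-stage determination recited in the claims above (location discrepancy, then a parameter change that only registered access points follow), as an added Python example that is not part of the Office action or the application. It assumes the modified operational aspect is the radio channel and that locations are planar coordinates in metres; the registry, range, channel plan and status messages are constructed.

```python
import math
from dataclasses import dataclass

# Constructed registry: BSSID -> registered AP position in metres on a site grid.
REGISTERED = {"aa:bb:cc:00:00:01": (0.0, 0.0), "aa:bb:cc:00:00:02": (80.0, 0.0)}
MAX_RANGE_M = 30.0        # assumed usable radio range of a registered AP
CHANNELS = (1, 6, 11)     # assumed channel plan the registered APs can move between

@dataclass(frozen=True)
class Sighting:
    """One AP entry from an endpoint's network status message."""
    endpoint_xy: tuple
    bssid: str
    channel: int

def find_discrepancies(sightings):
    """Stage 1: registered BSSIDs heard farther away than the registered AP can reach."""
    return {s.bssid for s in sightings
            if s.bssid in REGISTERED
            and math.dist(s.endpoint_xy, REGISTERED[s.bssid]) > MAX_RANGE_M}

def build_challenge(suspect_bssids, sightings):
    """Pick, per suspect BSSID, a channel not currently seen under that BSSID.

    Raises StopIteration if every channel in the plan is already in use.
    """
    challenge = {}
    for bssid in sorted(suspect_bssids):
        in_use = {s.channel for s in sightings if s.bssid == bssid}
        challenge[bssid] = next(c for c in CHANNELS if c not in in_use)
    return challenge

def identify_rogues(challenge, later_sightings):
    """Stage 2: a challenged BSSID still seen off the commanded channel did not comply."""
    return {(s.bssid, s.channel) for s in later_sightings
            if s.bssid in challenge and s.channel != challenge[s.bssid]}

def restrict(rogues):
    """Turn findings into restriction records (here: an endpoint block-list entry)."""
    return [{"action": "block", "bssid": b, "channel": ch} for b, ch in sorted(rogues)]

# Constructed status messages: ...01 is cloned 70 m from its registered position.
BEFORE = [Sighting((5.0, 0.0), "aa:bb:cc:00:00:01", 6),
          Sighting((70.0, 0.0), "aa:bb:cc:00:00:01", 6),
          Sighting((75.0, 0.0), "aa:bb:cc:00:00:02", 11)]
# After the challenge the registered AP moved; the clone stayed on channel 6.
AFTER = [Sighting((5.0, 0.0), "aa:bb:cc:00:00:01", 1),
         Sighting((70.0, 0.0), "aa:bb:cc:00:00:01", 6),
         Sighting((75.0, 0.0), "aa:bb:cc:00:00:02", 11)]

def run():
    suspects = find_discrepancies(BEFORE)
    challenge = build_challenge(suspects, BEFORE)
    return suspects, challenge, restrict(identify_rogues(challenge, AFTER))

if __name__ == "__main__":
    print(run())
```

Location alone cannot say which of two transmitters sharing a BSSID is the clone; the second stage separates them because only the registered access point receives the parameter.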
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NATHAN SCOTT TAYLOR whose telephone number is (571)270-3189.  The examiner can normally be reached on Mon. - Thurs. 9:00-4:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JINSONG HU can be reached on 5712723965.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NATHAN S TAYLOR/             Primary Examiner, Art Unit 2643