Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments and Amendments
Applicant’s arguments and amendments have been fully considered regarding the independent claims in viewing the amended limitations new grounds of rejection have been set fourth in further view of United States Patent Application Publication No.: US 2015/0039757 (Petersen et al.).
The arguments also challenge official notice without traverse. Instead the argument states with traverse and quotes the MPEP. However to adequately traverse an Official Notice, an applicant must specifically point out the supposed errors in the examiner’s action, which would include stating why the noticed fact is not considered to be common knowledge or well-known in the art.  MPEP 2144.03 Section C.
	In this case the statement should include why the basic admin interface or that data related to account takeovers as a type of malicious action were not common common knowledge or well-known in the art.
	None the less the new art Petersen et al. does provide the interface in question. And Use of the Dempster–Shafer theory to detect account takeovers in mobile money transfer services (Coppolino) has been provided to demonstrate that account takeover attempts were known in the art.

MPEP 2144.03 Reliance on Common Knowledge in the Art or "Well Known" Prior Art [R-10.2019]
C.If Applicant Traverses a Factual Assertion as Not Properly Officially Noticed or Not Properly Based Upon Common Knowledge, the Examiner Must Support the Finding With Adequate Evidence
To adequately traverse such a finding, an applicant must specifically point out the supposed errors in the examiner’s action, which would include stating why the noticed fact is not considered to be common knowledge or well-known in the art. See 37 CFR 1.111(b). See also Chevenard, 139 F.2d at 713, 60 USPQ at 241 ("[I]n the absence of any demand by appellant for the examiner to produce authority for his statement, we will not consider this contention."). A general allegation that the claims define a patentable invention without any reference to the examiner’s assertion of official notice would be inadequate. If applicant adequately traverses the examiner’s assertion of official notice, the examiner must provide documentary evidence in the next Office action if the rejection is to be maintained. See 37 CFR 1.104(c)(2). See also Zurko, 258 F.3d at 1386, 59 USPQ2d at 1697 ("[T]he Board [or examiner] must point to some concrete evidence in the record in support of these findings" to satisfy the substantial evidence test). If the examiner is relying on personal knowledge to support the finding of what is known in the art, the examiner must provide an affidavit or declaration setting forth specific factual statements and explanation to support the finding. See 37 CFR 1.104(d)(2).
If applicant does not traverse the examiner’s assertion of official notice or applicant’s traverse is not adequate, the examiner should clearly indicate in the next Office action that the common knowledge or well-known in the art statement is taken to be admitted prior art because applicant either failed to traverse the examiner’s assertion of official notice or that the traverse was inadequate. If the traverse was inadequate, the examiner should include an explanation as to why it was inadequate.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 6-8, 10-11, 13-15, 17-18, and 20-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 10,373,140 B1 (Chang et al.) in view of United States Patent Application Publication No.: US 2015/0039757 (Petersen et al.).

As Per Claim 1: Chang et al. teaches: A computing platform, comprising:
- at least one processor;
- a communication interface communicatively coupled to the at least one processor; and
- a memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
	(Change et al., Column 6, Lines 1-22,“In addition, as discussed above, the disclosed method and system for detecting fraudulent bill payment transactions using dynamic multi-parameter predictive modeling provides for the entry, processing, and dissemination, of only relevant portions of data, i.e., more accurately identified potentially fraudulent bill payment transaction data; thereby eliminating unnecessary data analysis and correction before resources are allocated to processing, and/or correcting, faulty data, and/or the faulty data is further transmitted/distributed. Consequently, using the disclosed method and system for detecting fraudulent bill payment transactions using dynamic multi-parameter predictive modeling results in more efficient use of human and non-human resources, fewer processor cycles being utilized, reduced memory utilization, and less communications bandwidth being utilized to relay data to, and from, backend systems and client systems, and various investigative systems and parties. As a result, computing systems are transformed into faster, more efficient, and more effective computing systems by implementing the method and system for detecting fraudulent bill payment transactions using dynamic multi-parameter predictive modeling.”).

- aggregate the first unauthorized activity event data and the second unauthorized activity event data including formatting at least one of: the first unauthorized activity event data or the second unauthorized activity event data to generate aggregated data; analyze, using machine learning, the aggregated data; generate, based on the analyzed aggregated data, a threat output; identify, based on the threat output and using machine learning, at least one mitigating action to execute; and execute the at least one mitigating action.
	(Chang et al., Column 12 Line 48 – Column 13 Line 9,  “In one embodiment, an ensemble method and/or general regression and classification fraudulent activity predictive model is constructed as a linear combination of simple potential fraudulent activity parameters/rules derived from the historical fraudulent bill payment transactions data. In one embodiment, each potential fraudulent activity parameter/rule consists of a conjunction/ensemble of a small number of simple statements concerning the values of individual potential fraudulent activity parameter/rule input variables.
	These potential fraudulent activity parameters/rules ensembles have been discovered by the Inventors to produce extremely reliable fraudulent activity predictive accuracy. In addition, because of its simple form, each potential fraudulent activity parameter/rule variable is easy to understand, as is its influence on individual fraudulent activity predictions, selected subsets of fraudulent activity predictions, or global fraudulent activity predictions over the entire space of joint input potential fraudulent activity parameter/rule input variable values. Similarly, the degree of relevance of the respective potential fraudulent activity parameter/rule input variable can be assessed globally, locally in different regions of the input space, or at individual potential fraudulent activity prediction points. Consequently, in one embodiment, the ensemble method and/or general regression and classification fraudulent activity predictive model assigns weights to the individual potential fraudulent activity parameters/rules variables, and related groups of potential fraudulent activity parameters/rules ensembles.”).
	(Chang et al., Column 16 Line 45 – Column 17 Line 20,  “In one embodiment, bill payment system 111 also includes fraudulent activity predictive model module 107 for analyzing historical fraudulent bill payment transactions data 105 using one or more machine learning algorithms of machine learning algorithms data 109. In one embodiment, fraudulent activity predictive model module 107 generates potential fraudulent bill payment transaction scoring parameters data (not shown) used to create potential fraudulent bill payment transaction scoring engine 113.
	In one embodiment, a user generates current bill payment transaction data 133 through user computing system 131 in user computing system environment 130. In one embodiment, current bill payment transaction data 133 is transferred to buffer and analysis module 112 and potential fraudulent bill payment transaction scoring engine 113.
	In one embodiment, potential fraudulent bill payment transaction scoring engine 113 determines and assigns current bill payment transaction data potential fraudulent transaction score value data 115 to current bill payment transaction data 113 based, at least in part, on analysis of one or more interconnected potential fraudulent bill payment parameters (not shown) identified in current bill payment transaction data 113.
	In one embodiment, the current bill payment transaction data potential fraudulent transaction score value data 115 associated with current bill payment transaction data 113 is compared to threshold potential fraudulent bill payment transaction score value data 117 representing one or more threshold potential fraudulent bill payment transaction score values at bill payment transaction routing module 119.
	In one embodiment, at bill payment transaction routing module 119 one of the following actions is taken.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is greater than a first threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to block bill payment transaction module 121 and the current bill payment transaction represented by current bill payment transaction data 113 is prevented/blocked.”).
	Chang et al.’s method is an ongoing operation where unauthorized events are added to the records handled with machine learning which in operation is receiving an ongoing plurality of unauthorized activity event data as it occurs.
	(Chang et al., Column 16, Lines 45-53, “In one embodiment, bill payment system 111 also includes fraudulent activity predictive model module 107 for analyzing historical fraudulent bill payment transactions data 105 using one or more machine learning algorithms of machine learning algorithms data 109. In one embodiment, fraudulent activity predictive model module 107 generates potential fraudulent bill payment transaction scoring parameters data (not shown) used to create potential fraudulent bill payment transaction scoring engine 113.”).
	The production and implementation of the scoring engine which is based on the aggregating of historical data is a mitigation action derived from machine learning analyses of unauthorized event data.

Chang et al. does not explicitly teach the following limitations however Petersen et al. in analogous art does teach the following limitations:
- receive, in real-time and from a first enterprise unit of an enterprise organization, first unauthorized activity event data;
- receive, in real-time and from a second enterprise unit of the enterprise organization, second unauthorized activity event data;
	(Petersen et al., Paragraph [0011], “As will be discussed herein, the present utilities serve to provide a single platform that allows administrators, troubleshooters, and other users to perform various types of analyses of structured data (e.g., log, transactional, activity) such as correlative, behavioral, statistical, corroborative, and the like. More specifically, the present utilities can be customized (e.g., in conjunction with a console or user interface) to dynamically detect a wide range of various combinations of network and other occurrences, such as the above example, in a manner that eliminates or limits the weaknesses in traditional notions of structured data-monitoring and detection (e.g., such as event correlation). Among other abilities, the present utilities can process a significant volume of structured or normalized data spread across multiple systems and devices in a memory and CPU efficient manner and irrespective of a time in which data is processed to extract or glean numerous types of useful information from the processed data (e.g., detecting sophisticated intrusions following known patterns and insider threats that may be effectively "invisible" to the organization). The analyses may be performed in real time to identify suspicious activity and known issues as they occur by providing a scalable solution that is capable of indexing and analyzing significant quantities of structured data and providing various analysis technique such as correlative analyses (e.g., generating an event if events a, b or c are observed followed by event d in timeframe z), statistical analyses (e.g., creating an event if data sent exceeds quantity a in timeframe z), behavioral analyses (e.g., creating an event if a user is observed authenticating to a network during timeframes that are significantly different than previously established usage patterns) corroborative analyses (e.g., creating an event if an attack is observed against a system known to be vulnerable to a), and the like.”).
	(Petersen et al., Paragraph [0052], “Turning to FIG. 1, a system 10 is provided that generally provides for the collection, processing, management, and analysis of various types of data generated by or gleaned from one or more devices, networks, processes, and the like. As shown, the system 10 may includes one or more root data sources 14 responsible for generating one or more types of data 18 that may be analyzed in numerous manners to extract meaningful information as will be discussed herein. The root data sources 14 may be represented by hosts or devices 22 (e.g., computers, servers, routers, switches) and networks 26 (although numerous other forms of root data sources 14 are also envisioned), and may each generate a plurality of text files describing various occurrences or developments associated with the operations of the root data source 14. The generated text files may also be routinely updated by the root data sources 14 as various events transpire during the root data sources' 14 operations, a process that may be referred to as "logging." Additionally, while text files are often used for logging because of their readily manageable format and because a person can more easily understand the information contained therein for diagnostic purposes when problems arise, data such as log messages may come in other formats as well.”).
	Petersen et al. is receiving the event data from multiple hosts and/or devices.

- the analyzing the aggregated data including mining data logs at pre-determined intervals;
- the threat output including a vulnerability in one of: the first enterprise unit or the second enterprise
unit based on the analysis of the aggregated data;
	(Petersen et al., Paragraph [0082], “In one arrangement, the AIE 100 may maintain a "unique value" indexing structure 158 that allows for the efficient determination of the count of unique values seen of a specific data field (e.g., destination IP addresses) of facts over a particular interval of time. Initially, the AIE 100 may monitor for the number of unique values of the specific data field (e.g., the key) in each of a plurality of time intervals (e.g., "bins"), where the sum of the various bins equals the particular time period over which the unique values are to be measured. For instance, for a 30 minute time period, the AIE 100 may monitor three 10-minute bins, thirty 1-minute bins, etc. In any case, the AIE 100 may then perform a query to examine the bins and efficiently ascertain the total number of unique occurrences of the key in the 30 minute time period (e.g., via performing "set union" operations with like-type sets from other bins). The AIE 100 may automatically request creation of a unique values indexing structure 158 to efficiently manage RB queries.”).
	(Petersen et al., Paragraph [0056], “The information that the log manager 30 may extract from the logs may ultimately be used to generate alarm messages that may be useful to an end user. For example, the log manager 30 may process thousands of log messages and detect certain occurrences from the volume of data contained therein by way of processing the received log messages against one or more rules. The log manager 30 may aggregate log data into a manageable format that summarizes, for example, the frequency of a particular event. Additionally, the log manager 30 may archive the above data for future reporting uses. This aggregation and archival may generally be referred to as management.”).
	(Petersen et al., Paragraph [0058], “With continued reference to FIG. 1, the system 10 may include at least one advanced intelligence engine (AIE) 50 that is broadly operable to analyze and process numerous types of structured or normalized data (e.g., data 18 which may be received directly from the data sources 14; data which has been processed by one or more log managers 30; data related to identity, asset, configuration and vulnerability management, etc.) using one or more log processing, structured data, or AIE rules to detect what may be complex events/conditions/developments/etc. occurring in relation to the data sources 14 while not being limited to use of traditional notions of "correlation". Part of the analyses performed by the AIE 50 may involve conducting one or more types of quantitative, correlative, behavioral and corroborative analyses to detect events from one or more disparate data sources, even when the data would otherwise be considered unimportant or non-relevant. Events generated by the AIE 50 may be passed to the event manager 38 which to determine whether further action is required such as reporting, remediation, and the like.”).
	Incorporating the teachings of Petersen et al. into the method of Chang et al. would be an obvious variation to one of ordinary skill in the art before the effective filing date of the claimed invention readily implemented with expectations of success as Petersen et al. provides a refined and expanded variety of malicious action detection techniques applicable to Chang et al.’s method.

As Per Claim 3: The rejection of claim 1 is incorporated and further Chang et al. teaches:
- the at least one mitigating action includes modifying authentication requirements to access at least one system of the enterprise organization.
	(Chang et al., Column 16, Lines 45-53, “In one embodiment, bill payment system 111 also includes fraudulent activity predictive model module 107 for analyzing historical fraudulent bill payment transactions data 105 using one or more machine learning algorithms of machine learning algorithms data 109. In one embodiment, fraudulent activity predictive model module 107 generates potential fraudulent bill payment transaction scoring parameters data (not shown) used to create potential fraudulent bill payment transaction scoring engine 113.”).
	(Chang et al., Column 17, Lines 1-64, “In one embodiment, the current bill payment transaction data potential fraudulent transaction score value data 115 associated with current bill payment transaction data 113 is compared to threshold potential fraudulent bill payment transaction score value data 117 representing one or more threshold potential fraudulent bill payment transaction score values at bill payment transaction routing module 119.
	In one embodiment, at bill payment transaction routing module 119 one of the following actions is taken.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is greater than a first threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to block bill payment transaction module 121 and the current bill payment transaction represented by current bill payment transaction data 113 is prevented/blocked.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is less than the first threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117 and greater than a second threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to inspect bill payment transaction module 123 where the current bill payment transaction represented by current bill payment transaction data 113 is placed on hold until the current bill payment transaction is authorized through the bill payment transaction inspection system. If the current bill payment transaction is analyzed/inspected and then authorized through the bill payment transaction inspection system, current bill payment transaction data 113 is transferred to allow bill payment transaction module 125 and the current bill payment transaction represented by current bill payment transaction data 113 is allowed to proceed to payment authorization module 143 of payment source computing system 141 in payment source computing environment 140. If the current bill payment transaction is analyzed/inspected and then not authorized through the bill payment transaction inspection system, current bill payment transaction data 113 is transferred to block bill payment transaction module 121 where the current bill payment transaction represented by current bill payment transaction data 113 is prevented/blocked.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is less than the second threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to allow bill payment transaction module 125 and the current bill payment transaction represented by current bill payment transaction data 113 is allowed to proceed to payment authorization module 143 of payment source computing system 141 in payment source computing environment 140.”).
	The potential fraudulent bill payment transaction scoring engine is modifies the threshold for authentication responsive the results of the machine learning results.

As Per Claim 4: The rejection of claim 1 is incorporated and further Chang et al. teaches:
- the at least one mitigating action includes modifying operation of at least one system of the enterprise organization.
	(Chang et al., Column 16, Lines 45-53, “In one embodiment, bill payment system 111 also includes fraudulent activity predictive model module 107 for analyzing historical fraudulent bill payment transactions data 105 using one or more machine learning algorithms of machine learning algorithms data 109. In one embodiment, fraudulent activity predictive model module 107 generates potential fraudulent bill payment transaction scoring parameters data (not shown) used to create potential fraudulent bill payment transaction scoring engine 113.”).
	(Chang et al., Column 17, Lines 1-7, “In one embodiment, the current bill payment transaction data potential fraudulent transaction score value data 115 associated with current bill payment transaction data 113 is compared to threshold potential fraudulent bill payment transaction score value data 117 representing one or more threshold potential fraudulent bill payment transaction score values at bill payment transaction routing module 119.”).
	Changing the threshold is modifying operation.

As Per Claim 6: The rejection of claim 1 is incorporated and further Chang et al. does not explicitly teach the following limitations however Petersen et al. in analogous art does teach the following limitations:
- generating the threat output further includes generating a user interface including data identifying a potential threat.
	(Petersen et al., Paragraph [0011], “As will be discussed herein, the present utilities serve to provide a single platform that allows administrators, troubleshooters, and other users to perform various types of analyses of structured data (e.g., log, transactional, activity) such as correlative, behavioral, statistical, corroborative, and the like. More specifically, the present utilities can be customized (e.g., in conjunction with a console or user interface) to dynamically detect a wide range of various combinations of network and other occurrences, such as the above example, in a manner that eliminates or limits the weaknesses in traditional notions of structured data-monitoring and detection (e.g., such as event correlation). Among other abilities, the present utilities can process a significant volume of structured or normalized data spread across multiple systems and devices in a memory and CPU efficient manner and irrespective of a time in which data is processed to extract or glean numerous types of useful information from the processed data (e.g., detecting sophisticated intrusions following known patterns and insider threats that may be effectively "invisible" to the organization). The analyses may be performed in real time to identify suspicious activity and known issues as they occur by providing a scalable solution that is capable of indexing and analyzing significant quantities of structured data and providing various analysis technique such as correlative analyses (e.g., generating an event if events a, b or c are observed followed by event d in timeframe z), statistical analyses (e.g., creating an event if data sent exceeds quantity a in timeframe z), behavioral analyses (e.g., creating an event if a user is observed authenticating to a network during timeframes that are significantly different than previously established usage patterns) corroborative analyses (e.g., creating an event if an attack is observed against a system known to be vulnerable to a), and the like.”).
	Incorporating the teachings of Petersen et al. into the method of Chang et al. would be an obvious variation to one of ordinary skill in the art before the effective filing date of the claimed invention readily implemented with expectations of success as Petersen et al. simply demonstrates manual administrative/management tools and interfaces use as normal to a computing environment in security management.

As Per Claim 7: The rejection of claim 1 is incorporated and further Chang et al. teaches:
- after executing the at least one mitigating action, receive mitigation data; and validate one or more machine learning datasets based on the received mitigation data.
	(Chang et al., Column 16, Lines 45-53, “In one embodiment, bill payment system 111 also includes fraudulent activity predictive model module 107 for analyzing historical fraudulent bill payment transactions data 105 using one or more machine learning algorithms of machine learning algorithms data 109. In one embodiment, fraudulent activity predictive model module 107 generates potential fraudulent bill payment transaction scoring parameters data (not shown) used to create potential fraudulent bill payment transaction scoring engine 113.”).
	(Chang et al., Column 17, Lines 1-64, “In one embodiment, the current bill payment transaction data potential fraudulent transaction score value data 115 associated with current bill payment transaction data 113 is compared to threshold potential fraudulent bill payment transaction score value data 117 representing one or more threshold potential fraudulent bill payment transaction score values at bill payment transaction routing module 119.
	In one embodiment, at bill payment transaction routing module 119 one of the following actions is taken.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is greater than a first threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to block bill payment transaction module 121 and the current bill payment transaction represented by current bill payment transaction data 113 is prevented/blocked.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is less than the first threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117 and greater than a second threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to inspect bill payment transaction module 123 where the current bill payment transaction represented by current bill payment transaction data 113 is placed on hold until the current bill payment transaction is authorized through the bill payment transaction inspection system. If the current bill payment transaction is analyzed/inspected and then authorized through the bill payment transaction inspection system, current bill payment transaction data 113 is transferred to allow bill payment transaction module 125 and the current bill payment transaction represented by current bill payment transaction data 113 is allowed to proceed to payment authorization module 143 of payment source computing system 141 in payment source computing environment 140. If the current bill payment transaction is analyzed/inspected and then not authorized through the bill payment transaction inspection system, current bill payment transaction data 113 is transferred to block bill payment transaction module 121 where the current bill payment transaction represented by current bill payment transaction data 113 is prevented/blocked.
	If the current bill payment transaction data potential fraudulent bill payment transaction score value represented by current bill payment transaction data potential fraudulent transaction score value data 115 is less than the second threshold potential fraudulent bill payment transaction score value represented in threshold potential fraudulent bill payment transaction score value data 117, current bill payment transaction data 113 is transferred to allow bill payment transaction module 125 and the current bill payment transaction represented by current bill payment transaction data 113 is allowed to proceed to payment authorization module 143 of payment source computing system 141 in payment source computing environment 140.”).
	Chang et al.’s method is an ongoing operation where unauthorized events are added to the records handled with machine learning which in operation is receiving an ongoing plurality of unauthorized activity event data as it occurs. When the potential fraudulent bill payment transaction scoring engine is modified validation is being performed on the mitigated system where the machine learning structure is continuing to observe conditions.

As Per Claim 8: Claim 8 is substantially a restatement of the computing platform of claim 1 as a method and is rejected under substantially the same reasoning.

As Per Claim 10: The rejection of claim 8 is incorporated and further claim 9 is substantially a restatement of the computing platform of claim 3 as a method and is rejected under substantially the same reasoning.

As Per Claim 11: The rejection of claim 8 is incorporated and further claim 9 is substantially a restatement of the computing platform of claim 4 as a method and is rejected under substantially the same reasoning.
As Per Claim 13: The rejection of claim 8 is incorporated and further claim 9 is substantially a restatement of the computing platform of claim 6 as a method and is rejected under substantially the same reasoning.

As Per Claim 14: The rejection of claim 8 is incorporated and further claim 9 is substantially a restatement of the computing platform of claim 7 as a method and is rejected under substantially the same reasoning.

As Per Claim 15: Claim 15 is substantially a restatement of the computing platform of claim 1 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.

As Per Claim 17: The rejection of claim 15 is incorporated and further claim 17 is substantially a restatement of the computing platform of claim 3 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.

As Per Claim 18: The rejection of claim 15 is incorporated and further claim 18 is substantially a restatement of the computing platform of claim 4 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.

As Per Claim 20: The rejection of claim 15 is incorporated and further claim 20 is substantially a restatement of the computing platform of claim 6 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.

As Per Claim 21: The rejection of claim 15 is incorporated and further claim 21 is substantially a restatement of the computing platform of claim 7 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.







Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5, 12, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent No.: US 10,373,140 B1 (Chang et al.) in view of United States Patent Application Publication No.: US 2015/0039757 (Petersen et al.) in further view of Use of the Dempster–Shafer theory to detect account takeovers in mobile money transfer services (Coppolino).

As Per Claim 5: The rejection of claim 1 is incorporated and further Chang et al. and Petersen et al. do not explicitly state:
- the first unauthorized activity event data and the second unauthorized activity event data include data associated with account takeover attempts.
	At this level of detail the limitation is only noting a type of malicious action. The title of Coppolino - Use of the Dempster–Shafer theory to detect account takeovers in mobile money transfer services Shows this is know in the art the rest of the document provides an available methodology for seeking to guard against this type of action this type of malicious action.
	As a system looking for malicious activity in general this would be an obvious interchangeable  variation on the method of Chang et al. and Petersen et al. to one of ordinary skill in the art before the effective filing date of the claimed invention readily implemented with expectations of success.
	Chang et al. is implicit of such issues such as seen as follows:
	(Chang et al., Column 13, Lines 22-41, “In one embodiment, the individual potential fraudulent activity parameter/rule input variable types include, but are not limited to, one of the one or more individual potential fraudulent activity parameter/rule variable types selected from the group of individual potential fraudulent activity parameter/rule input variable types including, but not limited to: personal data associated with the user of the bill payment system; account information data associated with the account being utilized; historical user data representing historical bill payment transactions made through the bill payment system; and current bill payment transaction details data.
	In one embodiment, the personal data associated with the user individual potential fraudulent activity parameter/rule input variable type includes at least one individual potential fraudulent activity parameter/rule input variable selected from the group of individual potential fraudulent activity parameter/rule input variables including, but not limited to: the domain name of an email address associated with the user; and the zip code of an address associated with the user.”).

As Per Claim 12: The rejection of claim 8 is incorporated and further claim 9 is substantially a restatement of the computing platform of claim 5 as a method and is rejected under substantially the same reasoning.

As Per Claim 19: The rejection of claim 15 is incorporated and further claim 19 is substantially a restatement of the computing platform of claim 5 as a non-transitory computer-readable media and is rejected under substantially the same reasoning.

Additional Cited Art
	United States Patent Application Publication No.: US 2017/0251013 A1 (Kirti et al.) as a system of security management in the computing environment of an organization in analogous art.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached 9:00 a.m. - 5:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN A KAPLAN/Examiner, Art Unit 2434