DETAILED ACTION
This office action is in response to the original application filed on July 21, 2020.


Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 


Claims 1-20 are pending.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-16 and 18-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Raleigh (US Pub. No. 2019/0261222).

As per claim 1 Raleigh discloses:
A fraud management system comprising: (paragraph 57 of Raleigh, according to various embodiments, systems and methods are provided for securing device-assisted services (DAS) systems and for detecting and mitigating fraud in such systems).
An agent data gatherer operable with a plurality of agent computing devices for collecting and transmitting agent activity data from each of the plurality of agent computing devices; (paragraph 70 of Raleigh, service processor 115 resides on an end-user device (not shown) and communicates with service controller 122, which, in the embodiment of Figure A, resides in the cloud. As will be described below, service processor 115 and service controller 122 communicate over an access network to facilitate providing device-assisted services) and (paragraph 72 of Raleigh, service processor 115 is responsible for identifying access network communication activity by end-user device 100 and applying an access service policy to govern the communication activity) and (paragraph 308 of Raleigh, service processor 115 resides on an end-user device (not shown) and communicates with service controller 122, which, in the embodiment of Figure A, resides in the cloud. As will be described below, service processor 115 and service controller 122 communicate over an access network to facilitate providing device-assisted services) and (paragraph 309 of Raleigh, service processor 115 sends periodic or occasional device-based usage data reports (UDRs) to service controller 122. The UDRs contain information about end-user device 100's data usage).
A fraud rules database (fraud server 129 of Raleigh) containing one or more fraud rules; (paragraph 369 of Raleigh, FIG. 47 illustrates a fraud detection approach in accordance with some embodiments. UDRs (e.g., device-based usage records) are provided to rule-based detection element 2550. In some embodiments, rule-based detection element 2550 includes rules that can be applied to detect fraud scenarios that can be described deterministically).
A fraud management computing system (fraud control center 2516 of Raleigh) in communication with the agent data gathererand the fraud rules database, wherein the fraud management computing system includes, one or more processors and one or more memory devices, the one or more memory devices configured to store the one or more fraud rules and store instructions that when executed by the one or more processors cause the one or more processors to perform operations, the operations comprising: (paragraph 379 of Raleigh, fraud server 129 generates fraud events (e.g., fraud alerts) and stores them in main database 2514. Fraud control center 2516 retrieves fraud data from main database 2514. Depending on the content of the fraud data, fraud control center 2516 may display information about the fraud data on dashboard 2518, which, in some embodiments, includes a user interface such as a display).
Obtaining the agent activity data transmitted by the agent data gatherer; (paragraph 377 of Raleigh, service processor 115 also sends UDRs to gateway application server 138. Gateway application server 138 sends the UDRs to EAI server 128. In addition to device-based UDRs, EAI server 128 also receives network-based CDRs from RADIUS server 2504. EAI server 128 processes the UDRs and/or the CDRs and stores the processed records in main database 2514 (which may be within database cluster 116). EAI server 128 also sends some or all of the records to fraud server 129. Fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48).
Comparing the agent activity data to the one or more fraud rules; (paragraph 369 of Raleigh, FIG. 47 illustrates a fraud detection approach in accordance with some embodiments. UDRs (e.g., device-based usage records) are provided to rule-based detection element 2550. In some embodiments, rule-based detection element 2550 includes rules that can be applied to detect fraud scenarios that can be described deterministically. As will now be appreciated by a person having ordinary skill in the art, many of the detection approaches disclosed herein are amenable to being implemented as rules for use by rule-based detection element 2550. For example, a comparison between a policy that is supposed to be in place and information in a usage report associated with end-user device 100).
Determining whether one or more agent fraud events have occurred based, at least in part, on the comparison; (paragraph 370 of Raleigh, in the embodiment of FIG. 47, rule-based detection element 2550 also obtains CDRs. In some embodiments, rules in fraud rules 2510 are event driven and are applied to incoming events (e.g., CDRs from the carrier network or UDRs from end-user device) in real time or near-real time. As will be appreciated by a person having ordinary skill in the art in light of the disclosures herein, rule-based detection element 2550 may use only UDRs, only CDRs, or both UDRs and CDRs).
Providing a fraud alert based upon each of the one or more agent fraud events. (Paragraph 328 of Raleigh, in some embodiments, service controller 122 generates a fraud alert if a comparison between the device-based UDRs and carrier-based (or other trusted) usage reports indicates that end-user device 100 consistently under-reports its usage of data in a particular class (e.g., an application, a group of applications, a destination, a group of destinations, etc.)).

As per claim 10 Raleigh discloses:
A computer-implemented method, the method comprising: generating, by a computing system comprising one or more computing devices, one or more fraud rules; (paragraph 57 of Raleigh, according to various embodiments, systems and methods are provided for securing device-assisted services (DAS) systems and for detecting and mitigating fraud in such systems) and (paragraph 293 of Raleigh, in some embodiments, service controller 122 (using, e.g., fraud server  129) is configured to detect fraudulent, or potentially fraudulent, activities by end-user device 100. There are several ways service controller 122 can detect fraud, including, for example, by observing whether service processor 115 exhibits expected behavior; by determining whether device-generated usage reports indicate fraudulent use of the access network resources; by examining the contents of trusted reports (e.g., reports from a trusted or secure source) of end-user device 100's data usage) and (paragraph 377 of Raleigh, fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48).
Obtaining, by the computing system (service controller 122 of Raleigh), agent activity data (UDRs of Raleigh) from a plurality of agent computing devices (end-user device 100 of Raleigh), where the agent activity data is obtained based, at least in part, on one or more collection rules; (paragraph 308 of Raleigh, fraudulent or potentially fraudulent activity by end-user device 100 can be detected by service controller 122 by observing the behavior of end-user device 100 after service processor 115 has been authenticated. In some embodiments, detecting fraud comprises ensuring that service control device link 1691 and service control server link 1638 are operating correctly, and there is no break in a continuous heartbeat authentication sequence) and (paragraph 75 of Raleigh, service processor 115 comprises one or more software or firmware programs that execute on end-user device 100. To aid in disclosure of the invention, service processor 115 is explained using the functional elements or agents shown in FIG. 2. The specific allocation of functional elements within service processor 115 can take many forms, and the form presented in FIG. 2 is intended to illustrate basic elements but is not intended to be an exhaustive or limiting description of possible functional breakdowns of service processor 115),
Comparing the agent activity data to the one or more fraud rules; (paragraph 369 of Raleigh, FIG. 47 illustrates a fraud detection approach in accordance with some embodiments. UDRs (e.g., device-based usage records) are provided to rule-based detection element 2550. In some embodiments, rule-based detection element 2550 includes rules that can be applied to detect fraud scenarios that can be described deterministically. As will now be appreciated by a person having ordinary skill in the art, many of the detection approaches disclosed herein are amenable to being implemented as rules for use by rule-based detection element 2550. For example, a comparison between a policy that is supposed to be in place and information in a usage report associated with end-user device 100).
Determining an occurrence of one or more agent fraud events based, at least in part, on a comparison of the agent activity data and the one or more fraud rules; (paragraph 377 of Raleigh, fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48).
Providing a fraud alert based upon each of the one or more agent fraud events. (Paragraph 328 of Raleigh, in some embodiments, service controller 122 generates a fraud alert if a comparison between the device-based UDRs and carrier-based (or other trusted) usage reports indicates that end-user device 100 consistently under-reports its usage of data in a particular class (e.g., an application, a group of applications, a destination, a group of destinations, etc.)).

Claim 19 is rejected under the same reason set forth in rejection of claim 10:

As per claim 2 Raleigh discloses:
The fraud management system of claim 1, wherein the data gatherer (service processor 115 of Raleigh) includes software installed on each of the plurality of agent computing devices (end-user device 100 of Raleigh) which collects agent activity data based, at least in part, on one or more collection rules. (Paragraph 75 of Raleigh, service processor 115 comprises one or more software or firmware programs that execute on end-user device 100. To aid in disclosure of the invention, service processor 115 is explained using the functional elements or agents shown in FIG. 2. The specific allocation of functional elements within service processor 115 can take many forms, and the form presented in FIG. 2 is intended to illustrate basic elements but is not intended to be an exhaustive or limiting description of possible functional breakdowns of service processor 115) and (paragraph 109 of Raleigh, access control integrity agent 1694 monitors the operational integrity of one or more service processor 115 elements to determine if unauthorized user modification or unauthorized user software program modification of the service processor configuration or operation has occurred. In some embodiments, access control integrity agent 1694 collects device information on one or more of service policy, service usage, service activity, agent configuration, and agent behavior).

As per claim 3 Raleigh discloses:
The fraud management system of claim 2, wherein the one or more collection rules are based on a plurality of agent inputs that may be received by any one of the plurality of agent computing devices. (Paragraph 75 of Raleigh, service processor 115 comprises one or more software or firmware programs that execute on end-user device 100. To aid in disclosure of the invention, service processor 115 is explained using the functional elements or agents shown in FIG. 2. The specific allocation of functional elements within service processor 115 can take many forms, and the form presented in FIG. 2 is intended to illustrate basic elements but is not intended to be an exhaustive or limiting description of possible functional breakdowns of service processor 115) and (paragraph 109 of Raleigh, access control integrity agent 1694 monitors the operational integrity of one or more service processor 115 elements to determine if unauthorized user modification or unauthorized user software program modification of the service processor configuration or operation has occurred. In some embodiments, access control integrity agent 1694 collects device information on one or more of service policy, service usage, service activity, agent configuration, and agent behavior).

Claim 11 is rejected under the same reason set forth in rejection of claim 3:

As per claim 4 Raleigh discloses:
The fraud management system of claim 3, wherein the one or more fraud rules are based on one or more agent computing commands, which are symptomatic of one of the agent fraud events being performed on one or more of the agent computing devices. (Paragraph 309 of Raleigh, service processor 115 sends periodic or occasional device-based usage data reports (UDRs) to service controller 122. The UDRs contain information about end-user device 100's data usage. For example, the UDRs may indicate how many bytes of data associated with a particular application, such as a map application, or service, such as a music streaming service, end-user device used since the last report, or during a particular time period) and (paragraph 370 of Raleigh, rule-based detection element 2550 also obtains CDRs. In some embodiments, rules in fraud rules 2510 are event driven and are applied to incoming events (e.g., CDRs from the carrier network or UDRs from end-user device) in real time or near-real time) and (paragraph 371 of Raleigh, FIG. 48 illustrates a procedure that rule-based detection element 2550 may use to apply rules to detect fraud. At step 2560, rule-based detection element 2550 obtains device events or reports, e.g., UDRs and/or CDRs. At step 2562, rule-based detection element 2550 places the obtained device events in working memory. At step 2564, rule-based detection element 2550 obtains one or more rules and processes the device events using those rules. At step 2566, rule-based detection element 2550 determines whether the results of the processing indicate a fraud event. If so, then at step 2568, rule-based detection element 2550 stores the fraud event in main database 2514).

Claim 12 is rejected under the same reason set forth in rejection of claim 4:

As per claim 5 Raleigh discloses:
The fraud management system of claim 4, wherein a fraud severity level corresponds to each of the fraud rules and wherein the operations executed by the one or more processors further comprise: determining a fraud severity level for the each of the one or more agent fraud events; and determining if the fraud severity level corresponding to any of the one or more agent fraud events exceeds a severity level threshold. (Paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 377 of Raleigh, fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48. Fraud models 2512 includes one or more models that fraud server 129 may apply to determine whether to generate a fraud score, as, for example, described in the context of Figures SS and TT).

Claim 13 is rejected under the same reason set forth in rejection of claim 5:

As per claim 6 Raleigh discloses:
The fraud management system of claim 5, wherein when the fraud severity level corresponding to one or more agent fraud events is equal to or exceeds the severity level threshold, the operations executed by the one or more processors further comprise: generating a quarantine command; and transmitting the quarantine command to one or more of the agent computing devices. (Paragraph 300 of Raleigh, each output value is between a minimum value and a maximum value (e.g., between 0 and 1, or between values A and B, inclusive, etc.), and the maximum value is associated with a high likelihood of fraudulent behavior by end-user device 100. In some embodiments, each output value is between 0 and 1, and each output value represents a probability of fraudulent behavior on the part of end-user device 100) and (paragraph 307 of Raleigh, if the fraud score indicates a policy implementation error (e.g., likely fraudulent behavior by end-user device 100), service controller 122 takes an action comprising one or more of: generating a fraud alert; flagging end-user device 100 or a user associated with end-user device 100 for further evaluation; charging for end-user device 100's usage at a pre-determined rate associated with end-user device 100 being in a fraudulent state; notifying a user of end-user device 100; notifying a network administrator; quarantining end-user device 100 or a user's access to the access network; suspending end-user device 100 or a user of end-user device 100 from the access network).

Claim 14 is rejected under the same reason set forth in rejection of claim 6:

As per claim 7 Raleigh discloses:
The fraud management system of claim 6, wherein a fraud severity level corresponds to each of the fraud rules and wherein the operations executed by the one or more processors further comprise: determining a fraud severity level for each of the one or more agent fraud events; (paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 377 of Raleigh, fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48. Fraud models 2512 includes one or more models that fraud server 129 may apply to determine whether to generate a fraud score, as, for example, described in the context of Figures SS and TT).
Comparing fraud severity level for each of the one or more agent fraud events to a severity level threshold; (paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 300 of Raleigh, each output value is between a minimum value and a maximum value (e.g., between 0 and 1, or between values A and B, inclusive, etc.), and the maximum value is associated with a high likelihood of fraudulent behavior by end-user device 100. In some embodiments, each output value is between 0 and 1, and each output value represents a probability of fraudulent behavior on the part of end-user device 100).
Generating an aggregate fraud level when the fraud severity level for all of the agent fraud events is less than the severity level threshold; (paragraph 66 or Raleigh, comparing an aggregation of two or more classifications of the end-user device's usage to an aggregate limit on usage to determine if the difference between the two measures is within a specified tolerance) and (paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 377 of Raleigh, fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48. Fraud models 2512 includes one or more models that fraud server 129 may apply to determine whether to generate a fraud score, as, for example, described in the context of Figures SS and TT).
Comparing the aggregate fraud level to the severity level threshold; (Paragraph 66 or Raleigh, comparing an aggregation of two or more classifications of the end-user device's usage to an aggregate limit on usage to determine if the difference between the two measures is within a specified tolerance)  and (paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach).
Generating a quarantine command when the aggregate fraud level meets or exceeds the severity level threshold; and transmitting the quarantine command to one or more of the agent computing devices. (paragraph 307 of Raleigh, if the fraud score indicates a policy implementation error (e.g., likely fraudulent behavior by end-user device 100), service controller 122 takes an action comprising one or more of: generating a fraud alert; flagging end-user device 100 or a user associated with end-user device 100 for further evaluation; charging for end-user device 100's usage at a pre-determined rate associated with end-user device 100 being in a fraudulent state; notifying a user of end-user device 100; notifying a network administrator; quarantining end-user device 100 or a user's access to the access network; suspending end-user device 100 or a user of end-user device 100 from the access network).

Claim 15 is rejected under the same reason set forth in rejection of claim 7:

As per claim 8 Raleigh discloses:
The fraud management system of claim 7, wherein the aggregate fraud level comprises the sum of the fraud severity levels for each of the one or more agent fraud events. (Paragraph 66 or Raleigh, comparing an aggregation of two or more classifications of the end-user device's usage to an aggregate limit on usage to determine if the difference between the two measures is within a specified tolerance) and (paragraph 376 of Raleigh, fraud control center 2516 retrieves fraud data from main database 2514 and performs one or more of the following functions: an aggregate analysis of various fraud metrics (events and/or scores) to determine whether end-user device 100 is likely operating fraudulently; presentation of fraud-related information through a dashboard (e.g., a user interface)).

Claim 16 is rejected under the same reason set forth in rejection of claim 8:

As per claim 9 Raleigh discloses:
The fraud management system of claim 4, wherein a fraud severity level corresponds to each of the one or more agent fraud events and wherein the operations executed by the one or more processors further comprise: determining a fraud severity level for each of the one or more agent fraud events; (paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 377 of Raleigh, fraud server 129 includes fraud rules 2510 and fraud models 2512. Fraud rules 2510 includes one or more rules that fraud server 129 may apply to determine whether to generate a fraud event, as, for example, described in the context of FIG. 48. Fraud models 2512 includes one or more models that fraud server 129 may apply to determine whether to generate a fraud score, as, for example, described in the context of Figures SS and TT).
Comparing fraud severity level for each of the one or more fraud events to a severity level threshold; (paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 300 of Raleigh, each output value is between a minimum value and a maximum value (e.g., between 0 and 1, or between values A and B, inclusive, etc.), and the maximum value is associated with a high likelihood of fraudulent behavior by end-user device 100. In some embodiments, each output value is between 0 and 1, and each output value represents a probability of fraudulent behavior on the part of end-user device 100).
Generating an aggregate fraud level when the fraud severity level for all of the agent fraud events is less than the severity level threshold; (paragraph 307 of Raleigh, if the fraud score indicates a policy implementation error (e.g., likely fraudulent behavior by end-user device 100), service controller 122 takes an action comprising one or more of: generating a fraud alert; flagging end-user device 100 or a user associated with end-user device 100 for further evaluation; charging for end-user device 100's usage at a pre-determined rate associated with end-user device 100 being in a fraudulent state; notifying a user of end-user device 100; notifying a network administrator; quarantining end-user device 100 or a user's access to the access network; suspending end-user device 100 or a user of end-user device 100 from the access network).
Comparing the aggregate fraud level to the severity level threshold; (paragraph 66 or Raleigh, comparing an aggregation of two or more classifications of the end-user device's usage to an aggregate limit on usage to determine if the difference between the two measures is within a specified tolerance) and Paragraph 294 of Raleigh, service controller 122 applies a policy error detection procedure to generate a fraud score, wherein the fraud score indicates a level of confidence or a likelihood that the analyzed activity or set of activities is fraudulent. In some embodiments, service controller 122 (using, e.g., fraud server 129) determines whether data usage by end-user device 100 is fraudulent by using what may be called a “layered” or “tiered” approach) and (paragraph 301 of Raleigh, a high fraud score is associated with a high likelihood of fraudulent behavior on the part of end-user device 100. In some such embodiments, if the fraud score generated by combiner 2810 based on the results of N initial tests is greater than (or greater than or equal to) a threshold, service controller 122 generates a fraud alert. In some embodiments, if the fraud score generated by combiner 2810 based on the results of N initial tests, where N is less than the maximum number of tests available, is greater than (or greater than or equal to) a threshold, additional tests are run).
Modifying the fraud severity level corresponding to each of the one or more agent fraud events when the aggregate fraud level is less than the severity level threshold. (Paragraph 66 or Raleigh, comparing an aggregation of two or more classifications of the end-user device's usage to an aggregate limit on usage to determine if the difference between the two measures is within a specified tolerance) and (paragraph 376 of Raleigh, fraud control center 2516 retrieves fraud data from main database 2514 and performs one or more of the following functions: an aggregate analysis of various fraud metrics (events and/or scores) to determine whether end-user device 100 is likely operating fraudulently; presentation of fraud-related information through a dashboard (e.g., a user interface)).  

Claim 18 is rejected under the same reason set forth in rejection of claim 9:

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Raleigh (US Pub. No. 2019/0261222) in view of Dean (US 11,030,562).

As per claim 17:
Raleigh teaches the method of retrieving fraud data from main database and performing an aggregate analysis of various fraud metrics to determine whether end-user device is likely operating fraudulent activity (see paragraph 376 of Raleigh) but fails to disclose:
The computer-implemented method of claim 15, wherein the aggregate fraud level comprises the average of the fraud severity levels for each of the one or more agent fraud events.
However, in the same field of endeavor, Dean teaches this limitation as, (column 9, line 15-25 of Dean, In other embodiments, the fraud risk scores may be compared and converted into a risk score, such as a risk score that indicates a current fraud risk (e.g., cumulative across all the consumers) and/or a risk score that indicates a change in fraud risk scores over times, such as a comparison of a previous aggregate fraud risk score (e.g., average of fraud risk scores of all individuals on the scan list) with a current aggregate fraud risk score).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Raleigh and include the above limitation using the teaching of Dean in order to monitor data breach and provide information that is useful to predict if the computing data is secure or not (see abstract of Dean). 

Conclusion
The prior art made or record and not relied upon is considered pertinent to applicant’s disclosure is Jakobsson (US Pub. No. 2014/0047544). Jakobsson discloses the methods and systems for detecting malware on a plurality of networked unit from a server-side system. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434