Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This application is a continuation of U.S. patent application Ser. No. 15/179,547, filed Jun. 10, 2016, the entirety of which is herein incorporated herein by reference. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/08/2022 was filed after the mailing date of the Non-Final Office Action on 04/28/2022. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This Office Action is in response to an amendment application received on 07/28/2022. In the amendment, applicant has amended claims 1, 4, and 17-18. Claims 5-6 have been cancelled. Claims 21-22 have been added as new claims. Claims 2-3, 7-16 and 19-20 remain original. 
For this Office Action, claims 1-4, and 7-22 have been received for consideration and have been examined. 
Response to Arguments
Claims Rejection under 35 USC § 103
Applicant’s arguments, filed 07/28/2022, with respect to the rejection(s) of claim(s) under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 and 7-16 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu., (US9852294B1) in view of Blaisdell., (US20120137364A1) and further in view of Wyatt et al., (US20120324568A1).
Regarding claim 1, Zhu discloses:
A method for securing a mobile device against malware, the method comprising:
monitoring a plurality of events (i.e., entry-point function call to the data-access API and/or a call to the data-transfer API of the application) caused by an application executing on a mobile device (Col. 6, Line # 33-35: FIG. 3 is a flow diagram of an exemplary computer-implemented method 300 for detecting suspicious applications based on how entry-point functions are triggered; Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways; Col. 8, Line # 45-47; In at least one example, application-identifying module 104 may identify an application that is installed and/or executing on a computing device; See Col. 9, Line # 1-9; At step 304, one or more of the systems described herein may identify an entry-point function of the application whose execution results in a call to the data-access API and/or a call to the data-transfer API.
Examiner would like to note that triggering of entry-point function of an application is an indication that the application is being executed by the computing device; See Col. 9, Line # 9-16 for “entry-point function”), 
the plurality of events occurring during execution of the application on the mobile device (Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways; Col. 8, Line # 24-27; application-identifying module 104 may identify an application while monitoring applications presented by and/or made available through an application store or marketplace; Col. 8, Line # 39-41; In some examples, application-identifying module 104 may identify an application in response to a request to install the application; Col. 8, Line # 45-47; application-identifying module 104 may identify an application that is installed and/or executing on a computing device);
detecting a first event (i.e. accessing a data-access API and/or a data-transfer API) in the plurality of events having occurred during execution (i.e. while an application is executing on a computing device) (Col. 6, Line # 43-46; As illustrated in FIG. 3, at step 302 one or more of the systems described herein may identify an application that is capable of accessing a data-access API and/or a data-transfer API; Col. 8, Line # 45-47; application-identifying module 104 may identify an application that is installed and/or executing on a computing device), 
wherein the first event is an unexpected event (i.e. “automatically-initiated function for which the user may be unaware”) generated by an application executing on the mobile device while a user of the mobile device is not interacting with the application (Col. 12, Line # 10-13: Accordingly, as used herein, the term “automatically-initiated function” may refer to any function that may not be triggered in response to a user's interaction with an application; Col. 13, Line # 58-62: the systems and methods described herein may determine that an application is or is likely malware or grayware by determining that one or more of the application's entry-point functions are not triggered in response to a user interacting with the application; Examiner Note: as disclosed by Zhu, “automatically-initiated function” is interpreted as “an unexpected event” generated by an application executing on the mobile device while the user is not interacting with the application);
evaluating the first event in a context of the mobile device (i.e., unauthorized data access or data leak activity) to determine whether the first event is potentially unauthorized (Col. 12, Line # 35-38: At step 308, one or more of the systems described herein may determine whether the application identified as part of step 302 is suspicious based on how the entry-point function identified as part of step 304 is triggered; Also see Col. 12; Line # 44-65 disclosing evaluating and determining if the application is suspicious based on triggering of entry-point functions [data-access API/data-transfer API] of the application which may lead to unauthorized data access or data leak activity on the computing device); and
when the first event is a potentially unauthorized event, presenting a warning (i.e., notifying the user about potential malicious application due to suspicious activity by the entry point functions of the application) to the user on the mobile device that the potentially unauthorized event has occurred (Col. 13, Line # 25-29; At step 310, one or more of the systems described herein may perform a security action based on whether the application identified as part of step 302 is suspicious. For example, security module 112 may perform a security action after determining that application 216 is suspicious; Col. 13, Line # 42-49; security module 114 may perform a security action on a suspicious application by preventing an installation of the application, by uninstalling the application, by notifying a user who has installed or is attempting to install the application that the application is potentially malicious and/or that the application may leak the user's sensitive information without the user interacting with the application).
Zhu fails to teach:
the unexpected event is an attempt to make an unauthorized purchase; presenting a warning to the user on the mobile device that the potentially unauthorized event has occurred, and requesting user confirmation that the potentially unauthorized event be allowed to continue.
However, Blaisdell discloses:
	the unexpected event is an attempt to make an unauthorized purchase [i.e., incurring a charge for a purchase to a billing account of a user] ([0008] the monitoring is performed using a special code monitor that is in communication with the secure attestation module. An NFC chip and an electronic wallet service are disabled if it is detected that the electronic wallet service was used to make an unauthorized purchase; [0054] if an eWallet app is used to make unauthorized purchases, the NFC chip and eWallet secure service on the device are immediately disabled).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhu reference and include detection of an unexpected event in an electronic device wherein the unexpected event comprises an unauthorized purchases, as disclosed by Blaisdell.
	The motivation to detect the unexpected event such as an unauthorized purchases is to disable a service on a mobile device when abnormal behavior is detected in an operating system of the device.
	In addition, with respect to “the unexpected event incurring a charge for a purchase to a billing account of the user”, this is an intended result of a process. According to MPEP 2111.04 I, clause in a claim is not given weight when it simply expresses the intended result of a process step positively recited” (Minton v. Nat'l Ass'n of Securities Dealers, Inc., 336 F.3d 1373, 1381, 67 USPQ2d 1614, 1620 (Fed. Cir. 2003))". Also, a clause that merely states the result of the limitations in the claim adds nothing to the patentability or substance of the claim ((Texas Instruments Inc. v. International Trade Commission 26, USPQ2d 1010 (Fed. Cir. 1993); Griffin v. Bertina, 62 USPQ2d 1431 (Fed. Cir. 2002); Amazon.com Inc. v. Barnesandnoble.com Inc., 57 USPQ2d 1747 (CAFC 2001)).
The combination of Zhu and Blaisdell fails to disclose: 
presenting a warning to the user on the mobile device that the potentially unauthorized event has occurred, and requesting user confirmation that the potentially unauthorized event be allowed to continue.
However, Wyatt discloses:
	presenting a warning (i.e., displaying warning message) to the user on the mobile device that the potentially unauthorized event has occurred, and requesting user confirmation that the potentially unauthorized event be allowed to continue ([0105] in a step 550, enforcer module 315 (FIG. 3) can permit the intercepted request, block the intercepted request, or conditionally permit the intercepted request; [0107] the enforcer module 315 (FIG. 3) may conditionally permit the intercepted request. In this specific implementation, conditionally permitting the intercepted request includes displaying warning message on the mobile device where the warning message includes a first option for the user to allow the request and a second option for the user to cancel the request. For example, the system may have determined that the intercepted identifier specifies a possibly unsafe web page, that the web page is not in compliance with one or more policies, the evaluation otherwise indicates that a warning message should be displayed, or combinations of these; [0108] An example warning message is shown in FIG. 9. This message includes text such as “WARNING! The first application program is requesting that the web page “www.pirategames.com” be loaded. This web page may not be safe. Do you want to continue?”).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Zhu reference and include enforcer module in the mobile client to enforce the user to select available permissions for the intercepted malicious request, as disclosed by Wyatt.
	The motivation to include enforcer module in the mobile client is to enforce the user to select available permissions for the intercepted malicious request so that user is aware of his/her choice of permitting a malicious intercepted request in case user deliberately wants to allow the malicious request to proceed (See Wyatt [0107-0108]).
Regarding claim 2, the combination of Zhu, Blaisdell and Wyatt discloses:
	The method of claim 1, wherein the application controls a camera of the mobile device (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 13-14; a camera access API programmed to provide access to a camera sensor).
Regarding claim 3, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the application controls a microphone of the mobile device (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 24-25; a microphone access API programmed to provide access to a microphone sensor).
Regarding claim 4, the combination of Zhu, Blaisdell and Wyatt discloses:
	The method of claim 1, wherein the application includes at least one of a communication application, a phone application, and an instant messaging application (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 17-19: a message access API programmed to provide access to messages sent to or received by a computing device (e.g., text messages or email messages)).
Regarding claim 7, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 4, wherein the first event is an instant message (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 17-19; a message access API programmed to provide access to messages sent to or received by a computing device (e.g., text messages or email messages)).
Regarding claim 8, the combination of Zhu, Blaisdell and Wyatt discloses:
	The method of claim 4, wherein the first event includes a Uniform Resource Locator (URL) request (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 9-10; a browser-bookmark access API programmed to provide access to browser bookmarks)).
Regarding claim 9, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the context includes one or more other events functionally associated with the first event (Zhu: Col. 11, Line # 56-61; an entry-point function whose execution may result in a call to a sensitive data-access API, a sensitive data-transfer API, or a leak path is triggered may be indicative of whether the application that includes the entry-point function is or is not likely to be malicious. Examiner’s Note: an entry-point function whose execution may result in a call to a sensitive data-access API, a sensitive data-transfer API is construed as the detection of several linked events (or events that are otherwise functionally associated with the event) may provide further context as to whether the first event is expected).
Regarding claim 10, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the context includes one or more other events temporally associated with the first event (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 9-10; an inter-process communication API programmed to allow two applications to exchange information. Examiner’s note: inter-process communication between two application is interpreted as temporally associated with the first event where the timing and frequency of the event in connection with associated events may be used to determine whether the first event is expected, or whether the first event is potentially unauthorized).
Regarding claim 11, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the context includes a history of recent user interactions with the mobile device (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 10-12; a browser-history access API programmed to provide access to browsing histories).
Regarding claim 12, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the context includes a history of recent user interactions with the application (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 10-12; a browser-history access API programmed to provide access to browsing histories).
Regarding claim 13, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the first event includes access to one or more of a browsing history, personal contacts, and a communications log on the mobile device (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 9-15; a browser-history access API programmed to provide access to browsing histories, a calendar access API programmed to provide access to calendar events, a camera access API programmed to provide access to a camera sensor, a contact access API programmed to provide access to contact lists).
Regarding claim 14, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the context includes a time of the first event (Zhu: Col. 8, Line # 6-14; Many computing platforms may require applications to have permission to use data-access APIs or data-transfer APIs. As used herein, the term “permission” may refer to any permission, privilege, designated access right, and/or authentication for accessing, sharing, using, manipulating, viewing, and/or transferring information via an application programming interface. In some examples, permissions may be granted by a user at the time of installation of an application).
Regarding claim 15, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 1, wherein the context includes a reputation of the application (Zhu: Col. 13, Line # 10-18; suspicion-determining module 110 may also determine whether an application is suspicious based on prevalence data relating to the application (e.g., data that indicates the number of devices on which the application is installed), release data relating to the application (e.g., data indicating that the application was or was not recently released), reputation data relating to the application (e.g., information that indicates that the application is or is not on a whitelist of trusted applications)).
Regarding claim 16, the combination of Zhu, Blaisdell and Wyatt discloses:
The method of claim 15, wherein the reputation is based on one or more of a popularity of the application, a reputation of a provider of the application, and an installed base of the application among a population of users (Zhu: Col. 13, Line # 10-18; suspicion-determining module 110 may also determine whether an application is suspicious based on prevalence data relating to the application (e.g., data that indicates the number of devices on which the application is installed), release data relating to the application (e.g., data indicating that the application was or was not recently released), reputation data relating to the application (e.g., information that indicates that the application is or is not on a whitelist of trusted applications)).



Claims 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu., (US9852294B1) in view of Blaisdell., (US20120137364A1).
Regarding claim 17, Zhu discloses:
	A computer program product for securing a mobile device against malware, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executing on a mobile device, performs the steps of:
monitoring a plurality of events (i.e., call to the data-access API and/or a call to the data-transfer API of the application) caused by an application executing on a mobile device (Col. 6, Line # 33-35: FIG. 3 is a flow diagram of an exemplary computer-implemented method 300 for detecting suspicious applications based on how entry-point functions are triggered; Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways; Col. 8, Line # 45-47; In at least one example, application-identifying module 104 may identify an application that is installed and/or executing on a computing device; See Col. 9, Line # 1-9; At step 304, one or more of the systems described herein may identify an entry-point function of the application whose execution results in a call to the data-access API and/or a call to the data-transfer API.
Examiner would like to note that triggering of entry-point function of an application is an indication that the application is being executed by the computing device), 
the plurality of events occurring during execution of the application on the mobile device (Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways; Col. 8, Line # 24-27; application-identifying module 104 may identify an application while monitoring applications presented by and/or made available through an application store or marketplace; Col. 8, Line # 39-41; In some examples, application-identifying module 104 may identify an application in response to a request to install the application; Col. 8, Line # 45-47; application-identifying module 104 may identify an application that is installed and/or executing on a computing device);
detecting a first event (i.e. accessing a data-access API and/or a data-transfer API) in the plurality of events having occurred during execution (i.e. while an application is executing on a computing device) (Col. 6, Line # 43-46; As illustrated in FIG. 3, at step 302 one or more of the systems described herein may identify an application that is capable of accessing a data-access API and/or a data-transfer API; Col. 8, Line # 45-47; application-identifying module 104 may identify an application that is installed and/or executing on a computing device), 
wherein the first event is an unexpected event (i.e. “automatically-initiated function for which the user may be unaware”) generated by an application executing on the mobile device while a user of the mobile device is not interacting with the application (Col. 12, Line # 10-13: Accordingly, as used herein, the term “automatically-initiated function” may refer to any function that may not be triggered in response to a user's interaction with an application; Col. 13, Line # 58-62: the systems and methods described herein may determine that an application is or is likely malware or grayware by determining that one or more of the application's entry-point functions are not triggered in response to a user interacting with the application; Examiner Note: as disclosed by Zhu, “automatically-initiated function” is interpreted as “an unexpected event” generated by an application executing on the mobile device while the user is not interacting with the application);
evaluating the first event in a context of the mobile device (i.e., unauthorized data access or data leak activity) to determine whether the first event is potentially unauthorized (Col. 12, Line # 35-38: At step 308, one or more of the systems described herein may determine whether the application identified as part of step 302 is suspicious based on how the entry-point function identified as part of step 304 is triggered; Also see Col. 12; Line # 44-65 disclosing evaluating and determining if the application is suspicious based on triggering of entry-point functions [data-access API/data-transfer API] of the application which may lead to unauthorized data access or data leak activity on the computing device); and
when the first event is a potentially unauthorized event, presenting a warning (i.e., notifying the user about potential malicious application due to suspicious activity by the entry point functions of the application) to the user on the mobile device that the potentially unauthorized event has occurred (Col. 13, Line # 25-29; At step 310, one or more of the systems described herein may perform a security action based on whether the application identified as part of step 302 is suspicious. For example, security module 112 may perform a security action after determining that application 216 is suspicious; Col. 13, Line # 42-49; security module 114 may perform a security action on a suspicious application by preventing an installation of the application, by uninstalling the application, by notifying a user who has installed or is attempting to install the application that the application is potentially malicious and/or that the application may leak the user's sensitive information without the user interacting with the application).
Zhu fails to teach:
the unexpected event is an attempt to make an unauthorized purchase.
However, Blaisdell discloses:
	the unexpected event is an attempt to make an unauthorized purchase [i.e., incurring a charge for a purchase to a billing account of a user] ([0008] the monitoring is performed using a special code monitor that is in communication with the secure attestation module. An NFC chip and an electronic wallet service are disabled if it is detected that the electronic wallet service was used to make an unauthorized purchase; [0054] if an eWallet app is used to make unauthorized purchases, the NFC chip and eWallet secure service on the device are immediately disabled).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhu reference and include detection of an unexpected event in an electronic device wherein the unexpected event comprises an unauthorized purchases, as disclosed by Blaisdell.
	The motivation to detect the unexpected event such as an unauthorized purchases is to disable a service on a mobile device when abnormal behavior is detected in an operating system of the device.
	In addition, with respect to “the unexpected event incurring a charge for a purchase to a billing account of the user”, this is an intended result of a process. According to MPEP 2111.04 I, clause in a claim is not given weight when it simply expresses the intended result of a process step positively recited” (Minton v. Nat'l Ass'n of Securities Dealers, Inc., 336 F.3d 1373, 1381, 67 USPQ2d 1614, 1620 (Fed. Cir. 2003))". Also, a clause that merely states the result of the limitations in the claim adds nothing to the patentability or substance of the claim ((Texas Instruments Inc. v. International Trade Commission 26, USPQ2d 1010 (Fed. Cir. 1993); Griffin v. Bertina, 62 USPQ2d 1431 (Fed. Cir. 2002); Amazon.com Inc. v. Barnesandnoble.com Inc., 57 USPQ2d 1747 (CAFC 2001)).
Regarding claim 18, Zhu discloses:
	A mobile device comprising:
a display; a communications interface configured to couple the mobile device in a communicating relationship with a network; a processor; and a memory bearing computer code that, when executing on the processor, 
performs the steps of monitoring a plurality of events generated by an application executing on the mobile device (Col. 6, Line # 33-35: FIG. 3 is a flow diagram of an exemplary computer-implemented method 300 for detecting suspicious applications based on how entry-point functions are triggered; Col. 6, Line # 43-46; As illustrated in FIG. 3, at step 302 one or more of the systems described herein may identify an application that is capable of accessing a data-access API and/or a data-transfer API); Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways; Col. 8, Line # 45-47; In at least one example, application-identifying module 104 may identify an application that is installed and/or executing on a computing device),
the plurality of events occurring during execution of an application on the mobile device (Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways; Col. 8, Line # 24-27; application-identifying module 104 may identify an application while monitoring applications presented by and/or made available through an application store or marketplace; Col. 8, Line # 39-41; In some examples, application-identifying module 104 may identify an application in response to a request to install the application; Col. 8, Line # 19-20; Returning to FIG. 3, application-identifying module 104 may identify applications in any of a variety of ways;  Col. 8, Line # 45-47; application-identifying module 104 may identify an application that is installed and/or executing on a computing device);
detecting a first event (i.e. accessing a data-access API and/or a data-transfer API) in the plurality of events having occurred during execution (i.e. while an application is executing on a computing device) of the application (Col. 6, Line # 43-46; As illustrated in FIG. 3, at step 302 one or more of the systems described herein may identify an application that is capable of accessing a data-access API and/or a data-transfer API; Col. 8, Line # 45-47; application-identifying module 104 may identify an application that is installed and/or executing on a computing device), 
wherein the first event is an unexpected event generated by an application executing on the mobile device while a user of the mobile device is not interacting with the application (Col. 12, Line # 10-13: Accordingly, as used herein, the term “automatically-initiated function” may refer to any function that may not be triggered in response to a user's interaction with an application; Col. 13, Line # 58-62: the systems and methods described herein may determine that an application is or is likely malware or grayware by determining that one or more of the application's entry-point functions are not triggered in response to a user interacting with the application; Examiner’s Note: as disclosed by Zhu, “automatically-initiated function” is interpreted as “an unexpected event” generated by an application executing on the mobile device while the user is not interacting with the application);
evaluating the first event in context of the mobile device (i.e., unauthorized data access or data leak activity) to determine whether the first event is potentially unauthorized (Col. 12, Line # 35-38: At step 308, one or more of the systems described herein may determine whether the application identified as part of step 302 is suspicious based on how the entry-point function identified as part of step 304 is triggered); and
when the first event is a potentially unauthorized event, presenting a warning to the user on the mobile device that the potentially unauthorized event has occurred (Col. 13, Line # 25-29; At step 310, one or more of the systems described herein may perform a security action based on whether the application identified as part of step 302 is suspicious. For example, security module 112 may perform a security action after determining that application 216 is suspicious; Col. 13, Line # 42-49; security module 114 may perform a security action on a suspicious application by preventing an installation of the application, by uninstalling the application, by notifying a user who has installed or is attempting to install the application that the application is potentially malicious and/or that the application may leak the user's sensitive information without the user interacting with the application).
Zhu fails to teach:
the unexpected event is an attempt to make an unauthorized purchase.
However, Blaisdell discloses:
	the unexpected event is an attempt to make an unauthorized purchase [i.e., incurring a charge for a purchase to a billing account of a user] ([0008] the monitoring is performed using a special code monitor that is in communication with the secure attestation module. An NFC chip and an electronic wallet service are disabled if it is detected that the electronic wallet service was used to make an unauthorized purchase; [0054] if an eWallet app is used to make unauthorized purchases, the NFC chip and eWallet secure service on the device are immediately disabled).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhu reference and include detection of an unexpected event in an electronic device wherein the unexpected event comprises an unauthorized purchases, as disclosed by Blaisdell.
	The motivation to detect the unexpected event such as an unauthorized purchases is to disable a service on a mobile device when abnormal behavior is detected in an operating system of the device.
	In addition, with respect to “the unexpected event incurring a charge for a purchase to a billing account of the user”, this is an intended result of a process. According to MPEP 2111.04 I, clause in a claim is not given weight when it simply expresses the intended result of a process step positively recited” (Minton v. Nat'l Ass'n of Securities Dealers, Inc., 336 F.3d 1373, 1381, 67 USPQ2d 1614, 1620 (Fed. Cir. 2003))". Also, a clause that merely states the result of the limitations in the claim adds nothing to the patentability or substance of the claim ((Texas Instruments Inc. v. International Trade Commission 26, USPQ2d 1010 (Fed. Cir. 1993); Griffin v. Bertina, 62 USPQ2d 1431 (Fed. Cir. 2002); Amazon.com Inc. v. Barnesandnoble.com Inc., 57 USPQ2d 1747 (CAFC 2001)).
Regarding claim 19, the combination of Zhu and Blaisdell discloses:
	The mobile device of claim 18, wherein the mobile device is at least one of a smart phone and a tablet (Zhu: Col. 3, Line # 28-33; Computing device 202 generally represents any type or form of computing device capable of reading computer-executable instructions and detecting suspicious applications based on how entry-point functions are triggered. Examples of computing device 202 include, without limitation, laptops, smartphones, tablets).
Regarding claim 20, the combination of Zhu and Blaisdell discloses:
The mobile device of claim 18, further comprising at least one of a camera and a microphone (Zhu: Col. 7, Line # 1-4; As used herein the term “data-access API” may refer to any function, code, interface, or other mechanism that an application may use to access information located on a computing device; Col. 7, Line # 13-14; a camera access API programmed to provide access to a camera sensor; Col. 7, Line # 24-25; a microphone access API programmed to provide access to a microphone sensor).

Claims 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu., (US9852294B1) in view of Blaisdell., (US20120137364A1) in view of Wyatt et al., (US20120324568A1) and further in view of Chiu et al., (US20170099306A1).
Regarding claim 21, the combination of Zhu, Blaisdell and Wyatt fails to disclose:
The method of claim 1, further comprising: logging a time of the first event with a security application; wherein evaluating whether the first event in a context of the mobile device to determine whether the first event is a potentially unauthorized event includes evaluating whether the time of the first event is different than other historical events associated with the user of the mobile device.
However, Chiu discloses:
	logging a time of the first event with a security application ([0038] discloses collecting [logging] normal operation events including time of the events); 
wherein evaluating whether the first event in a context of the mobile device to determine whether the first event is a potentially unauthorized event includes evaluating whether the time of the first event is different than other historical events associated with the user of the mobile device ([0035] discloses using schedule definition rules to determine if the access to the critical assets outside their normal access times may be deemed to be abnormal; [0038] discloses ‘a correlator’ evaluates whether access to critical asset is outside its normal access time).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhu, Blaisdell and Wyatt references and include a system which identifies access event(s) to be malicious in real-time based on comparing the access time to normal access times, as disclosed by Chiu.
The motivation to include such a system is to be able detect network intrusions and malwares and preventing them from spreading inside the network.
Regarding claim 22, the combination of Zhu, Blaisdell and Wyatt fails to disclose:
The method of claim 1, wherein the context of the mobile device includes a comparison of an executed time of the first event to historically executed times for the first event.
However, Chiu discloses:
wherein the context of the mobile device includes a comparison of an executed time of the first event to historically executed times for the first event ([0035] discloses using schedule definition rules to determine if the access to the critical assets outside their normal access times may be deemed to be abnormal; [0038] discloses ‘a correlator’ evaluates whether access to critical asset is outside its normal access time)).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Zhu, Blaisdell and Wyatt references and include a system which identifies access event(s) to be malicious in real-time based on comparing the access time to normal access times, as disclosed by Chiu.
The motivation to include such a system is to be able detect network intrusions and malwares and preventing them from spreading inside the network.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./Patent Examiner, Art Unit 2432