DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on October 20, 2025 has been entered.
Response to arguments
Claims 1-16 have been amended. No claim has been added or cancelled. Therefore, claims 1-16 are pending.
Claims 1-16 are rejected over Mahaffey, US pat. No 20180367560. (IDS submitted, 03/28/2023) in view of McCaig, US pat. No US 20180262533 A1 in further view of Alperovitch, US pat. No 20130254880.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-11 and 13-16 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey, US pat. No 20180367560. (IDS submitted, 03/28/2023) in view of McCaig, US pat. No US 20180262533 A1.
1. Mahaffey discloses the method for continuously assessing risk on a mobile device running a mobile application, the method comprising, (See Mahaffey, [0010]; the method includes at a server accessing a database system comprising data collected from a plurality of devices, at the server, establishing a norm by processing the collected data, at the server comparing the norm with data collected from a first device of the plurality of devices, at the server determining that a deviation between the norm and the data collected from the first device is outside of a threshold deviation, and upon the determination, generating an alert by the server.) the method comprising:
on the mobile device, continuously monitoring a plurality of parameters associated with the mobile application for one or more triggering events; (See Mahaffey, [0116]; the monitor is responsible for observing configuration, state, and behavior on the device. Monitoring can include behavior logging, network capture, network logging, location logging, etc. [0122]; Observations can include device events, states, state changes, configuration, user activity, application activity, duration of activity, geographic location of device during such activity (e.g., longitude and latitude), application requests (e.g., programmatic requests to operating system services and resources), date and time of occurrence, accesses to user data (e.g., accesses to user contacts), applications that have been installed, network connections that have been made, types of network connections made (e.g., virtual private network), remote services that have been called, websites that have been contacted, or combinations of these. [0123])
on the mobile device, upon detecting one or more of said triggering events, executing a fingerprinting routine configured to obtain a current state of a plurality of device fingerprint attributes of the mobile device; (See Mahaffey, [0007-0011]; the data can relate to the state of the devices, apps, web applications, users, for example, their configuration, settings, properties, content of files or data stores. The data can relate to events or sequences of events which occur on the device, involving a change in state or the invocation of apps, web applications, system services or components in software or firmware or hardware. The process of collecting such data is referred to as monitoring or acquisition. A norm is established in an analysis process using the collected data. The analysis process uses risk models, correlation of states and events or event sequences, and prior knowledge concerning known bad actors (applications, websites, etc.), and known bad behaviors (for example, malformed content, vulnerability exploits, etc.).)
transmitting said current state of the plurality of device fingerprint attributes of the mobile device to a risk engine running on the server; (See Mahaffey, [0116]; in a specific implementation, the observations are transmitted to the server for evaluation and analysis)
transmitting said device intelligence information to said mobile device; (See Mahaffey, [0283-0286]; Upon a determination that there has been a deviation from the norm (steps 920 and 1025, FIGS. 9 and 10), the system responds with a response action (steps 925 and 1030). There can be any number of and combinations of response actions. If something bad has been detected, the system may send an email or some other sort of notification to the systems administrator, the end user, or both.)
and on the mobile device, undertaking one or more actions based on the intelligence information received from the server. (See Mahaffey, [0009-0010] and [0291]; In a specific implementation, the method includes at a server accessing a database system comprising data collected from a plurality of devices, at the server, establishing a norm by processing the collected data, at the server comparing the norm with data collected from a first device of the plurality of devices, at the server determining that a deviation between the norm and the data collected from the first device is outside of a threshold deviation, and upon the determination, generating an alert by the server.)
Mahaffey does not appear to explicitly disclose analyzing with said risk engine said current state of the plurality of device fingerprint attributes of the device to obtain device intelligence information, said analyzing including comparing said current state of the plurality of device fingerprint attributes of the mobile device with a previously obtained state of the plurality of device fingerprint attributes of the mobile device associated with installing, loading or running the mobile application on the mobile device;
However, McCaig discloses analyzing with said risk engine said current state of the plurality of device fingerprint attributes of the device to obtain device intelligence information, said analyzing including comparing said current state of the plurality of device fingerprint attributes of the mobile device with a previously obtained state of the plurality of device fingerprint attributes of the mobile device associated with installing, loading or running the mobile application on the mobile device; (See McCaig, [0149], [0471], [0480] FIG. 27 shows an example system for device fingerprinting. Device fingerprinting may be used to determine the status of a device (e.g., a known device, an unknown device, a blocked device, a paused device, etc.). After fingerprinting the device, one or more actions may be taken. For example, a gateway device may permit a known device to connect to the internet, but may prevent a blocked device or paused device from connecting to the internet. Various approaches may be used to collect DHCP options strings for fingerprinting analysis. For example, a gateway 2710 may comprise a built-in DHCP server 2712 to log DHCP requests, such as DHCP request 2705 from a device 2702 (e.g., a known device). A harvester plugin 2714 may periodically collect 2716 these logs and send 2718 them to the ODP platform 2740 for analysis. The harvester plugin 2714 may send the logs to the ODP platform 2740 via the protocol agent 2726. One advantage of this approach is that an existing DHCP server 2710 on the gateway 2710 may be leveraged. The gateway 2710 may use IPTables 2720 to mirror DHCP user datagram protocol (UDP) traffic to a dedicated harvester application, which may forward the requests to the ODP platform 2740. Several advantages of this system exist. This system may work if another DHCP service is in use.
Event driven notifications to the protocol agent 2726 may be possible because the listener service 2722 may publish messages to the protocol agent 2726 as soon as they are seen on the network. This functionality may be turned on and off at a per-device level (e.g., using MAC address-based rules in iptables). See also [0590] Each device may be recognized by its unique media access control (MAC) address, an IP address, or other unique identifier. A computing device, such as a gateway device, may whitelist a plurality (e.g., all) known devices (e.g., devices that have previously successfully connected to the network). If a user selects an away mode option, new MAC addresses (or other unique device identifiers) identified by the network may be compared to the whitelist and rejected after a connection attempt. On the other hand, if a known device attempts to connect to the network, the computing device may compare an identifier for the known device to the whitelist. The known device may be granted access to the network based on the comparison. FIG. 51A shows a user interface 5100 indicating options for viewing and/or selecting mode(s) for a network. The user interface 5100 may display one or more selectable options for entering different modes. For example, an option 5105 for a first mode (e.g., away mode) may be displayed. Selecting the option 5105 may cause the user device to transmit an instruction, such as to a gateway device, to enter into an away mode. See also [0490]; The system may comprise a web or application server 2920. The web or application server 2920 that may be interested in determining the MAC address (or other identifier) of a specific device within a network (e.g., a home network) may initiate a MAC lookup request. There may be two or more steps in the process. 
If a connected device makes an initial request to the server 2920 (e.g., initial page load, application data, etc.), and the device MAC (or other identifier) is currently unknown, the web/app server 2920 may request a session identifier from the device identity service 2910 and may direct the connected device to initiate a MAC lookup flow with the device identity service 2910. The web/app server 2920 may initiate a long poll connection to the device identity service 2910, and may wait for the MAC address for the current session.)
Mahaffey and McCaig are analogous art because they are from the same field of endeavor which is data monitoring. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mahaffey with the teaching of McCaig to include the device fingerprint because it would have been useful when data transmitted and/or received by one or more of the devices may be captured and monitored to determine various parameters associated with the one or more devices. Data associated with the gateway device may also be captured and monitored. Signal strengths, device statuses, network security, and/or other metrics may be determined based on monitored data. (See McCaig, [0004])
2. The combination of Mahaffey and McCaig discloses the method according to claim 1 further comprising saving to database information indicative of the current state of a plurality of device fingerprint attributes of the mobile device. (See Mahaffey, [0116-0117])
3. The combination of Mahaffey and McCaig discloses the method according to claim 2 wherein said information indicative of the current state of a plurality of device fingerprint attributes of the mobile device is a delta between the mobile device fingerprint attributes at the current state and at a previous state of the mobile device. (See Mahaffey, [0122]; Observations can include device events, states, state changes, configuration, user activity, application activity, duration of activity, geographic location of device during such activity (e.g., longitude and latitude), application requests (e.g., programmatic requests to operating system services and resources), date and time of occurrence, accesses to user data (e.g., accesses to user contacts), applications that have been installed, network connections that have been made, types of network connections made (e.g., virtual private network), remote services that have been called, websites that have been contacted, or combinations of these. )
5. The combination of Mahaffey and McCaig discloses the method according to claim 1 wherein said device intelligence information includes qualitative information indicative of what types of trigger events are associated with the current mobile application session on the mobile device. (See Mahaffey, [0008-0009], [0283-0286], [0291]; additional response actions can include retrieving an anomalous object from the device, in whole or part, and metadata related to the anomalous object (e.g., filesystem permissions, location within the filesystem, times and dates of creation, update, and last access, etc.) and transmitting the object and related data to a server for remote analysis, evaluation, or classification.)
6. The combination of Mahaffey and McCaig discloses the method according to claim 1 wherein said one or more actions include one or more of the following: continue monitoring the mobile device, send the user a warning, terminate a user running the mobile application, and shut down the mobile application. (See Mahaffey, [0008-0009], [0283-0286], [0291])
7. The combination of Mahaffey and McCaig discloses the method according to claim 1 wherein said one or more predetermined triggering events include one or more event types selected from a list consisting of the following events of the mobile device: a risk module is installed; a risk module is initialized; the mobile application is resumed; a display configuration has been changed; a screenshot is taken; a GPS provider change is detected; a network change is detected; and a change in tools is detected. (See Mahaffey, [0122-0125]; Observations can include device events, states, state changes, configuration, user activity, application activity, duration of activity, geographic location of device during such activity (e.g., longitude and latitude), application requests (e.g., programmatic requests to operating system services and resources), date and time of occurrence, accesses to user data (e.g., accesses to user contacts), applications that have been installed, network connections that have been made, types of network connections made (e.g., virtual private network), remote services that have been called, websites that have been contacted, or combinations of these.)
8. The combination of Mahaffey and McCaig discloses the method according to claim 1 wherein said plurality of device fingerprint attributes of the mobile device includes fingerprint attributes from one or more attribute categories selected from a list consisting of: device hardware; network; software; screen; and location. (See Mahaffey, [0122-0125]; Observations can include device events, states, state changes, configuration, user activity, application activity, duration of activity, geographic location of device during such activity (e.g., longitude and latitude), application requests (e.g., programmatic requests to operating system services and resources), date and time of occurrence, accesses to user data (e.g., accesses to user contacts), applications that have been installed, network connections that have been made, types of network connections made (e.g., virtual private network), remote services that have been called, websites that have been contacted, or combinations of these.)
9. As to claim 9, the claim is rejected under the same rationale as claim 1. See the rejection of claim 1 above.
10. The combination of Mahaffey and McCaig discloses the system according to claim 9 wherein said server is further configured to save to a database information indicative of the current state of a plurality of device fingerprint attributes of the mobile device. (See Mahaffey, [0116-0117])
11. The combination of Mahaffey and McCaig discloses the system according to claim 10 wherein said information indicative of the current state of a plurality of device fingerprint attributes of the mobile device is a delta between the device fingerprint attributes at the current state of the mobile device and at a previous state of the mobile device. (See Mahaffey, [0122])
13. The combination of Mahaffey and McCaig discloses the system according to claim 9 wherein said device intelligence information includes qualitative information indicative of what types of trigger events are associated with the current mobile application session at the mobile device. (See Mahaffey, [0008-0009], [0283-0286], [0291])
14. The combination of Mahaffey and McCaig discloses the system according to claim 9 wherein said one or more actions include one or more of the following events at the mobile device: continue to monitor the mobile device, send the user a warning, terminate a user running the mobile application, and shut down the mobile application. (See Mahaffey, [0008-0009], [0283-0286], [0291])
15. The combination of Mahaffey and McCaig discloses the system according to claim 9 wherein said one or more predetermined triggering events include one or more event types selected from a list consisting of the following events at the mobile device: a risk module is installed; a risk module is initialized; the mobile application is resumed; a display configuration has been changed; a screen shot is taken; a GPS provider change is detected; a network change is detected; and a change in tools is detected. (See Mahaffey, [0122-0125])
16. The combination of Mahaffey and McCaig discloses the system according to claim 9 wherein said plurality of device fingerprint attributes includes one or more fingerprint attributes types from a list consisting of the following attributes of the mobile device: device hardware—device brand, device name, device model, IMEI, battery level, battery temperature, brand, manufacturer, model, hardware, host, device, ID and CPU; network—carrier name, carrier country, battery technology, battery voltage, battery health, carrier country code, carrier network code, Wi-Fi name, Wi-Fi IP address and WIFI mac address; software—OS version, merchant app version, version incremental, version release and version codename; screen—screen resolution, screen size, pixel density and display; location—GPS country, GPS coordinates, IP country and IP address; and miscellaneous—timezone, user language and user agent. (See Mahaffey, [0084], [0122-0125])
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey, US pat. No 20180367560. (IDS submitted, 03/28/2023) in view of McCaig, US pat. No US 20180262533 A1 in further view of Alperovitch, US pat. No 20130254880.
4. The combination of Mahaffey and McCaig does not appear to explicitly disclose the method according to claim 1 wherein said device intelligence information includes a quantitative risk score that indicates the level of risk associated with the current mobile application session on the mobile device. However, Alperovitch discloses wherein said device intelligence information includes a quantitative risk score that indicates the level of risk associated with the current mobile application session on the mobile device. (See Alperovitch, [0013]; Cloud 16 may comprise a reputation engine 20 for collecting and assessing mobile application reputations, also called herein as "reputation scores" (both terms may be interchangeably used throughout the Specification). A reputation score is a value (e.g., numeric, textual, pictorial, etc.) that denotes a relative level of trustworthiness of the mobile application on a spectrum (e.g., continuous or discrete) from benign (e.g., reputable) to malicious (e.g., non-reputable). Reputation score may indicate a probability that a mobile application is a malicious software. For example, mobile applications that have a high probability of being malicious may have a low reputation score)
Mahaffey, McCaig and Alperovitch are analogous art because they are from the same field of endeavor which is mobile fraud detection. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mahaffey and McCaig with the teaching of Alperovitch to include the reputation score because it would have assisted IT administrators in the effective control and management of applications on mobile devices within computer and communication network environments. (See Alperovitch, [0002])
12. As to claim 12, the claim is rejected under the same rationale as claim 4. See the rejection of claim 4 above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Dang, US20150180908, title “System and method for whitelisting applications in a mobile network environment”.
Shahidzadeh, US11005839, title “System and method to identify abnormalities to continuously measure transaction risk”.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSNEL JEUDY whose telephone number is (571)270-7476. The examiner can normally be reached M-F 10:00-8:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arani T Taghi can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Date: 1/7/2026 /JOSNEL JEUDY/ Primary Examiner, Art Unit 2438