DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present U.S. non-provisional application is being examined under the first-inventor-to-file provisions of the AIA . The present U.S. non-provisional application, filed on October 17, 2019, claims benefit to a U.S. provisional application, filed on November 23, 2018.
Allowable Subject Matter
Claims 12, 13, 17 and 18 are objected to as being dependent upon a rejected base claim, but would be considered as allowable if rewritten in independent form to include all of the limitations of the respective base claim and any intervening claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 14-16, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pietrowicz et al. (US 2017/0299633 A1) in view of Miserendino et al. (US 2013/0321458 A1).
1. A method for generating a network diagram in a computer system (Pietrowicz, FIG. 4), the method comprising: 
receiving plural first datasets of packets captured from a network (Pietrowicz, para. [0140], “IDS 216 parses the packet streams based on probe location and applies both global and region specific rules to each stream. Rules, policies and stateful modeling is performed at each layer of the custom protocol stack, with IPv4/IPv6 processing being done using the inherent capability of Snort, and all other ”); 
extracting network data for each data set representing one or more of a source or destination of the captured packets (Miserendino, para. [0027], “…The visualization module 140 can generate the visualization of the schema 150 in accordance with the hierarchical map to enable an understanding of network events that are associated with the network space. Network events can include any incoming or outgoing traffic from a given network address and/or range of addresses. As an alternative configuration, the schema 150 could also be specified in the files and map data 120 or could be located within the map module 130, for example.” emphasis added.); 
building a first network diagram of interconnected nodes based on the network data extracted from the captured packets of at least one of the plural datasets (Miserendino, para. [0027], “…The visualization module 140 can generate the visualization of the schema 150 in accordance with the hierarchical map to enable an understanding of network events that are associated with the network space. Network events can include any incoming or outgoing traffic from a given network address and/or range of addresses. As an alternative configuration, the schema 150 could also be specified in the files and map data 120 or could be located within the map module 130, for example.” emphasis added. Id.); 
overlaying one or more network diagram layers or a second network diagram on the first network diagram, the one or more network diagram layers corresponding to captured packets of the first datasets or of second datasets, the second network diagram corresponding to captured packets of the second datasets, and the overlay identifies differences between: at least two network diagram layers of the first network diagram, one or more network diagram layers including the second dataset of captured packets, or the second network diagram and the first network diagram (Miserendino, The analytics module 510 and interface 544 allows users to layer data sets on top of maps. The user may upload data files in a specialized format that identify what IP address, IP address block, or series of IP addresses (a route) they would like to highlight on the map. Users can also create, view, share, export, and edit data files through the interface 544. Data files can be represented as layers of geometries on the map such as place marks, polygons, and lines. […] The analytics module 510 queries the map database 534 and calculates the location of geometries within the virtual 2D space represented by the currently active (visible) map. The analytics module automatically clusters and declusters overlapping geometries as the user changes the resolution of the map. Locations of geometries can be different for each map and are calculated upon request as the user changes maps.” emphasis added.); and 
graphically displaying the network diagram by highlighting and/or animating one or more nodes and/or node connections based on the differences identified from the overlay (Miserendino, para. [0052], “The analytics module 510 and interface 544 allows users to layer data sets on top of maps. The user may upload data files in a specialized format that identify what IP address, IP address block, or series of IP addresses (a route) they would like to highlight on the map. Users can also create, view, share, export, and edit data files through the interface 544. Data files can be represented as layers of geometries on the map such as place marks, polygons, and lines. […] The analytics module 510 queries the map database 534 and calculates the location of geometries within the virtual 2D space represented by the currently active (visible) map. The analytics module automatically clusters and declusters overlapping geometries as the user changes the resolution of the map. Locations of geometries can be different for each map and are calculated upon request as the user changes maps.” emphasis added. Id.)
Pietrowicz et al. may not seem to describe the identical claimed invention, such as graphically displaying the network diagram by highlighting and/or animating one or more nodes and/or node connections based on the differences identified from the overlay. In the same field Miserendino, paras. [0027], [0052], Id.) The prior art disclosure and suggestion(s) of Miserendino et al. are for reasons of enabling visualization of cyber domain information to enhance understanding of network events and enable a common view of cyberspace via configurable IP-space maps (Miserendino, para. [0025], “Systems and methods are provided for visualization of cyber domain information to enhance understanding of network events and enable a common view of cyberspace via configurable Internet Protocol space (IP-space) maps…”) In view of the prior art of record, the claimed invention would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, for reasons of enabling visualization of cyber domain information to enhance understanding of network events and enable a common view of cyberspace via configurable IP-space maps.
2. The method according to claim 1, comprising: 
capturing the first and second datasets of packets at regular or irregular intervals (Pietrowicz, para. [0262], “…Yet another feature of the MeshView application is the ability to show a timeline of packet transmissions based on packet timestamp and to replay packets to observe the time sequence of the communication…”)
3. The method according to claim 2, wherein each dataset includes raw network data (Pietrowicz, para. [0262], Id.)
4. The method according to claim 3, wherein each dataset includes data associated with a vulnerability scan of the network (Miserendino, para. [0056], “Users may create their own analytic ”)
5. The method according to claim 1, comprising: 
storing the received datasets in memory (Pietrowicz, para. [0140], Id.)
6. The method according to claim 1, wherein extracting the network data from the captured packets comprises: 
reading one or more of the plural data files from memory (Miserendino, para. [0027], Id.)
7. The method according to claim 1, wherein building the network diagram comprises: 
analyzing the network data in the captured packets to identify devices and connections in the network (Miserendino, paras. [0027], [0052], Id.)
8. The method according to claim 7, wherein building the network diagram comprises: 
generating a representation of each identified device and device connection on the network and a health assessment of the network (Miserendino, paras. [0027], [0052], [0059], “…Visualization of analytic and analytic component status can be provided (e.g., reports on if an analytic component is running, percent completion, resource usage, and so forth). Analytic structure (a description of the daisy-chain) can be saved as a sharable file. Use of graphical interfaces (analytic graphs) to control collection and eventing of an IDS, firewall, or cyber security product, for example, can be provided...”), wherein each identified device and device connection corresponds to a node and node connection in the network diagram (Miserendino, paras. [0027], [0052], Id.)
Miserendino, para. [0056], Id.), and wherein the health assessment of the network comprises: 
determining a threat level for one or more nodes and/or node connections based on threats identified by the vulnerability scan (Miserendino, para. [0067], “FIG. 9 illustrates an example output 900 depicting threat status symbols in accordance with an aspect of the present invention. The components of each symbol can be used to express different element attributes. This concept is embodied in MIL-STD 2525 which defines the composition, construction, and display of tactical symbols and tactical graphics for physical space displays. No extension of MIL-STD 2525, however, exists to cover the cyber domain. Until such a standard is adopted, the principles of symbology in MIL-STD 2525 can be extended on a best-effort basis to any cyber situational awareness tool and depicted in the output examples 500...”)
10. The method according to claim 9, comprising: 
displaying configuration information of the network, a health assessment, and/or the threat level associated with one or more threats identified for a selected node or node connection in the network diagram (Miserendino, paras. [0059], [0067], Id.)
11. The method according to claim 9, comprising: 
analyzing the one or more nodes and/or node connections associated with each threat to identify false positive threats (Pietrowicz, para. [0121], “…The cyber threat analysis team reviews each alert in detail by retrieving the traffic trace from the trace repository that generated the alert. The cyber threat analysis team also sets the appropriate filters in MeshView to retrieve the communications and nodes of interest at the time of the alert. The cyber threat analysis team analyses the traffic patterns and node behavior before, during and after the event, and compares the behavior to known baselines. If ”)
14. The method according to claim 1, comprising: 
validating new or changed nodes and/or node connections in the network diagram from the identified differences between the at least two network diagram layers of the first network diagram, between the one or more network diagram layers of the second dataset of captured packets and the first network diagram, or between the second network diagram and the first network diagram (Pietrowicz, para. [0262], “…A key feature of the MeshView application is that it constructs the logical and GIS-based connectivity and routing maps of FAN subnets based on traffic observations, which do not require full band capture, i.e. a sampling of channels over time in a frequency hopping system can be used to render the network topology, routing and connectivity diagrams. Another key feature of the MeshView application is the ability to apply powerful filters to the traffic observations to distill specific traffic of interest in the analysis and visualization. Yet another feature of the MeshView application is the ability to show a timeline of packet transmissions based on packet timestamp and to replay packets to observe the time sequence of the communication. The replay functionality is applied to the routing maps to observe how AP subnet routes form, change, and degrade over time in both the logical and GIS-based map views…” Id.)
15. The method according to claim 1, wherein the network diagram is a two- dimensional representation of the network, a three-dimensional representation of the network, or a three-dimensional virtual reality representation of the network (Miserendino, para. [0073], “…At 1240, the method 1200 includes determining a virtual space (e.g., 2D or 3D space) for the network ownership data in the map hierarchy. At 1250, the method 1200 includes generating image tiles of the virtual space at differing resolution levels of the map hierarchy. At 1260, the method 1200 includes determining a ”)
16. A system for generating a network diagram (Pietrowicz, FIG. 4, Id.), comprising: 
a first interface (Pietrowicz, FIG. 4, Id.) for receiving one or more first datasets of network data (Pietrowicz, para. [0140], Id.); 
a processor (Miserendino, FIG. 5) configured to generate a first network diagram and identify changes in a network represented by the network diagram by overlaying one or more network diagram layers or a second network diagram on the first network diagram, wherein the one or more network diagram layers correspond to captured packets of the first datasets or captured data packets of second datasets and the second network diagram corresponds to captured packets of the second datasets (Miserendino, paras. [0027], [0052], Id.); and 
a second interface (Miserendino, FIG. 5, Id.) for graphically displaying the network diagram by highlighting and/or animating one or more nodes and/or node connections based on at least one of the identified changes from the overlay (Miserendino, paras. [0027], [0052], Id. cf. Claim 1).
Pietrowicz et al. may not seem to describe the identical claimed invention, such as a second interface for graphically displaying the network diagram by highlighting and/or animating one or more nodes and/or node connections based on at least one of the identified changes from the overlay. In the same field of endeavor, Miserendino et al. provides prior art disclosure and suggestion(s) for the claimed invention, such as a second interface for graphically displaying the network diagram by highlighting and/or animating one or more nodes and/or node connections based on at least one of the identified changes from the overlay (Miserendino, paras. [0027], [0052], Id.) The prior art disclosure and suggestion(s) of Miserendino et al. are for reasons of Miserendino, para. [0025], Id.) In view of the prior art of record, the claimed invention would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, for reasons of enabling visualization of cyber domain information to enhance understanding of network events and enable a common view of cyberspace via configurable IP-space maps.
19. The system according to claim 11, wherein each dataset includes current or historical network data (Pietrowicz, para. [0140], Id.)
20. A method for generating a network diagram (Pietrowicz, FIG. 4, Id.), comprising: 
receiving plural datasets of packets captured from a network (Pietrowicz, para. [0140], Id.); 
extracting Internet Protocol (IP) data from the captured packets (Miserendino, paras. [0027], [0052], Id.); 
enriching the IP data based on data flow between network nodes (Miserendino, paras. [0027], [0052], Id.); and 
generating a visualization of the data flow, the visualization including animated properties of one or more nodes and node connections based on the enriched IP data (Miserendino, paras. [0027], [0052], Id.)
Pietrowicz et al. may not seem to describe the identical claimed invention, such as generating a visualization of the data flow, the visualization including animated properties of one or more nodes and node connections based on the enriched IP data. In the same field of endeavor, Miserendino et al. provides prior art disclosure and suggestion(s) for the claimed Miserendino, paras. [0027], [0052], Id.) The prior art disclosure and suggestion(s) of Miserendino et al. are for reasons of enabling visualization of cyber domain information to enhance understanding of network events and enable a common view of cyberspace via configurable IP-space maps (Miserendino, para. [0025], Id.) In view of the prior art of record, the claimed invention would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, for reasons of enabling visualization of cyber domain information to enhance understanding of network events and enable a common view of cyberspace via configurable IP-space maps.
Conclusion
The prior art made of record (PTO-1449, PTO-892) and not relied upon is considered pertinent to the subject matter of the present U.S. non-provisional application.
Germain et al. (US 2003/0020764 A1) provides additional prior art disclosure and suggestion(s) considered pertinent to the claimed invention (Germain, Abstract, “A system and method are used for visually representing performance and flow analysis of a communication network having devices connected by links. The system includes a first memory for storing a graphical representation of the communication network and showing the devices connected by links and a second memory storing data representing performance and flows in the communication network. A processing system is operatively connected to the first and the second memory and to a display. The processing system selectively maps the data on the graphical representation of the communication network by varying visual characteristics of the devices and the links for viewing on the display.”)
Tateishi, Abstract, “A screen display device (200) displays a three-dimensional display screen on which network (NW) devices, links, paths, obstruction points (alarms) are displayed on a map representation. The screen display device (200) defines rungs on the basis of attributes of the devices so that a device of a lower rung (a terminal device in the NW) is placed at a lower position while a device of a higher rung is placed at a higher position on the three-dimensional display screen. Further, for an area where devices are on multiple rungs, the screen display device (200) displays a mark at the area to make the rung height of each device more recognizable. Also, the screen display device (200) provides an indication enclosing devices that form an active system/backup system pair to make it easy to understand whether there is a system that remains normal so that service can be offered.”)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Timothy J. Weidner whose telephone number is (571) 270-1825. The examiner can normally be reached Monday - Friday, 8:00 AM - 5:00 PM, Eastern Standard Time.
Examiner interviews are available via telephone, in-person, and video conferencing by using a USPTO supplied web-based collaboration tool. To schedule an interview, the applicant    is encouraged to use the USPTO Automated Interview Request (AIR) form provided at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ayaz R. Sheikh can be reached on (571) 272-3795. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications 




/TIMOTHY J WEIDNER/Primary Examiner, Art Unit 2476