DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-60 are presented for examination whereas claims 1-30 are cancelled without prejudice and disclaimer and claims 31-60 are now being examined.
Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 01/31/2020. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 31-40, 42-60 are rejected under 35 U.S.C. 103 as being unpatentable over Doppke et al. (US pub, 2018/0077189) in view of Yamane (US pub, 20180268036 A1)
Referring to claims 31 and 46, Doppke teaches a computer-implemented method, comprising:
receiving a request to access a graphical user interface (GUI) including a visualization of instances of network activity involving a plurality of networked computing devices of an information technology (IT) environment ([abs], Fig. 2, [049], GUI receives the request including visualization of instance of network traffic flowing in the network of interconnected devices illustrated in Fig. 1 in an IT environment);
obtaining, from a data store of a data intake ([020], obtaining data from repository or storage medium [031], [035]), timestamped event data indicating instances of network activity involving the plurality of networked computing devices ([029], time stamp data including source and destination address), wherein each instance of network activity is identified by:
a source device’s network address ([029], source information/address of host),
a destination device’s network address ([029], destination information/address of host), and a timestamp associated with the instance of network activity ([029], timestamp associated with network traffic); and 
causing display of the GUI including the visualization of the instances of network activity (see Fig. 3, Fig. 4, [008]-[010]), wherein the visualization includes:
a first axis and a second axis each representing an entire range of network addresses ([049], range of IP addresses) of an Internet Protocol (IP) network address space (Claim 1, first 
a plurality of data points corresponding to the instances of network activity ([063], a plurality of tick marks plotted in the horizontal axis), wherein each data point of the plurality of data points is displayed in the displayed GUI at a location relative to the first axis ([064], tick marks displayed in the GUI at location relative to the horizontal axis) and the second axis based on a source device’s network address and a destination device’s network address indicated by a corresponding instance of network activity ([059], Vertical axis activity based on source and destination network address [070], [071]).
Doppke teaches the GUI each representing characteristics of network traffic but lacks a query system. 
However, Yamane teaches a query unit 103 that manages a measure value of plurality of items with respect to communication of network activity. (Para [047], [049], [067], see Query Unit 103).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Doppke’s GUI that monitors and visualizes network threat to include a query system coupled with its database in order to efficiently visualize high-level information related to network activity occurring across an entire network address space, enabling network analysts and other users to readily analyze characteristics of computer networks.
Referring to claim 32, Yamane teaches the computer-implemented method of claim 31, wherein each data point of the plurality of data points represents a range of source device network addresses and a range of destination device network addresses point ([095], [100], display parameter “range of address”).
Referring to claim 33, Yamane teaches the computer-implemented method of claim 31, wherein each data point of the plurality of data points represents a range of source device network addresses and a range of destination device network addresses, and wherein the range of source device network addresses corresponds is defined by network addresses having a same first two bytes, and wherein the range of destination device network addresses is defined by network addresses having a same first two bytes (see paragraph [120], measured value "1.2.3.4 . . . " & "1.2.5.6 . . . " (FIG. 15, described later) are associated having same network location wherein first two Octets of IP address represent first two bytes as subnetwork).
Referring to claim 34, Doppke teaches the computer-implemented method of claim 31, wherein at least one of the instances of network activity corresponds to one or more of: a network session involving a pair of networked computing devices, a network flow involving a pair of networked computing devices, and a network connection involving a pair of networked computing devices ([029], network traffic alert data between source and a destination, i.e. pair of network computing devices).
Referring to claim 35, Doppke teaches the computer-implemented method of claim 31, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to a number of instances of network activity represented by the data point (see paragraph [070], each point is displayed as a shape having an area corresponding to number of network activity shown with graphic indicators [064]).
Referring to claim 36, Yamane teaches the computer-implemented method of claim 31, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to a value associated with instances of network activity represented by the data point [071].
Referring to claim 37, Doppke teaches the computer-implemented method of claim 31, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to at least one value associated with instances of network activity represented by the data point, wherein the at least one value includes at least one of: a number of packets transferred, an amount of data transferred, a duration of time, or a data transfer rate ([031], number of byte per second… is the data rate).
Referring to claim 38, Doppke teaches the computer-implemented method of claim 31, further comprising: receiving a selection of at least one characteristic of the instances of network activity ([044], network characteristics of network traffic), the at least one characteristic including one or more:
a quantity of instances of network activity, a number of packets transferred ([031], processing received packets), an amount of data transferred, a duration of time ([081], duration of time), and a data transfer rate ([031], data rate =, bytes per second); and
updating the display of the plurality of data points based on the at least one characteristic (see paragraph [053] GUI updated during subsequent iterations).
Referring to claim 39, Doppke teaches the computer-implemented method of claim 31, wherein each data point is displayed with a variable characteristic based on an age of the instances of network activity associated with the data point, and wherein the variable characteristic is at least one or more of: opacity, color, area, shape, or color intensity (see paragraphs [060]-[062], unique color as a characteristic).
Referring to claim 40, Doppke teaches the computer-implemented method of claim 31, wherein the timestamped event data is derived from log data, and wherein at least one of the instances of network activity corresponds to one or more log entries of the log data ([047], receive data from log files).
Referring to claim 42, Doppke teaches the computer-implemented method of claim 31, further comprising causing display of an animated series of data points, wherein each instance of the animated series of data points is displayed in a chronological order based on timestamps associated with instances of network activity represented by the data points (see Figs. 3-5, [010], [068], [079], time series graph based on time associated with instance of network activity such as alerts, traffic flows etc.).
Referring to claim 43, Doppke teaches the computer-implemented method of claim 31, further comprising: receiving input indicating a range of time associated with the instances of network activity ([081], duration of first and second time period); and causing display of an animated series of data points, wherein the animated series of data points is based on instances of network activity associated with timestamps within the indicated range of time, and wherein each instance of the animated series of data points is displayed in a chronological order based on the timestamps associated with the instances of network activity ([063] – [065], tick marks 316 with respected time within range of time displayed in chronological order).
Referring to claim 44, Doppke teaches the computer-implemented method of claim 31, further comprising: causing display of an animated series of data points, wherein each instance of the animated series of data points is displayed in a chronological order based on timestamps associated with instances of network activity represented by the data points (Figs, 3-5, [010], [068], [079] time series graph based on time associated with instance of network activity such as alerts, traffic flows etc.);
receiving input indicating a request to temporally scan the animated series of data points, wherein temporally scanning the animated series of data points includes one or more of: rewinding, fast-forwarding, pausing, and restarting; and causing display of the animated series of data points according to the input ([066], display screen 300 can cause data associated with a next time interval to be displayed, allowing a user to scroll backwards and forwards through time).
Referring to claim 45, Doppke teaches the computer-implemented method of claim 31, further comprising: wherein the visualization includes a timeline interface element including a selectable range of time associated with the instances of network activity (see paragraph [043]- [044], user selectable portion of include selected window of time);
receiving, via the timeline interface element, a selection of a time segment from the range of time ([081], the duration of the first and second time periods can be selectable); and
based on the selection of the time segment, causing display of data points associated with the time segment (see paragraph [082]- [083], display visually indicating elements based on time scales explained in [081], & [082]).
Referring to claim 47, Yamane teaches the non-transitory computer-readable storage medium of claim 46, wherein each data point of the plurality of data points represents a range of source device network addresses and a range of destination device network addresses point ([095], [100], display parameter “range of address”).
Referring to claim 48, Yamane teaches the non-transitory computer-readable storage medium of claim 46, wherein each data point of the plurality of data points represents a range of source device network addresses and a range of destination device network addresses, and wherein the range of source device network addresses corresponds is defined by network addresses having a same first two bytes, and wherein the range of destination device network addresses is defined by network addresses having a same first two bytes (see paragraph [120], measured value "1.2.3.4 . . . " & "1.2.5.6 . . . " (FIG. 15, described later) are associated having same network location wherein first two Octets of IP address represent first two bytes as subnetwork).
Referring to claim 49, Doppke teaches the non-transitory computer-readable storage medium of claim 46, wherein at least one of the instances of network activity corresponds to one or more of: a network session involving a pair of networked computing devices, a network flow involving a pair of networked computing devices, and a network connection involving a pair of networked computing devices ([029], network traffic alert data between source and a destination, i.e. pair of network computing devices).
Referring to claim 50, Doppke teaches the non-transitory computer-readable storage medium of claim 46, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to a number of instances of network activity represented by the data point (see paragraph [070], each point is displayed as a shape having an area corresponding to number of network activity shown with graphic indicators [064]).
Referring to claim 51, Doppke teaches the non-transitory computer-readable storage medium of claim 46, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to a value associated with instances of network activity represented by the data point (see paragraph [070], each point is displayed as a shape having an area corresponding to number of network activity shown with graphic indicators [064]).
Referring to claim 52, Doppke teaches the non-transitory computer-readable storage medium of claim 46, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to at least one value associated with instances of network activity represented by the data point, wherein the at least one value includes at least one of: a number of packets transferred, an amount of data transferred, a duration of time, or a data transfer rate  ([031], number of byte per second… is the data rate).
Referring to claim 53, Doppke teaches an apparatus, comprising: one or more processors (see paragraph [008], processor); and
a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors ([101], non-transitory computer readable storage medium), causes the apparatus to:
receive a request to access a graphical user interface (GUI) including a visualization of instances of network activity involving a plurality of networked computing devices of an information technology (IT) environment ([abs], Fig. 2, [049], GUI receives the request including visualization of instance of network traffic flowing in the network of interconnected devices illustrated in Fig. 1 in an IT environment);
obtain, from a data store of a data intake ([020], obtaining data from repository or storage medium [031], [035]), timestamped event data indicating instances of network activity involving the plurality of networked computing devices ([029], time stamp data including source and destination address), wherein each instance of network activity is identified by:
a source device’s network address ([029], source information/address of host), a destination device’s network address ([029], destination information/address of host), and a timestamp associated with the instance of network activity ([029], timestamp associated with network traffic); and 
cause display of the GUI including the visualization of the instances of network activity (see Fig. 3, Fig. 4, [008]-[010]), wherein the visualization includes:
a first axis and a second axis each representing an entire range of network addresses ([049], range of IP addresses) of an Internet Protocol (IP) network address space (Claim 1, first axis displaying characteristics of network traffic flowing in a network & Claim 5, second axis representing a series of categories), and 
a plurality of data points corresponding to the instances of network activity ([063], a plurality of tick marks plotted in the horizontal axis), wherein each data point of the plurality of data points is displayed in the displayed GUI at a location relative to the first axis ([064], tick marks displayed in the GUI at location relative to the horizontal axis) and the second axis based on a source device’s network address and a destination device’s network address indicated by a corresponding instance of network activity ([059], Vertical axis activity based on source and destination network address [070], [071]).
Doppke teaches the GUI each representing characteristics of network traffic but lacks a query system. 
However, Yamane teaches a query unit 103 that manages a measure value of plurality of items with respect to communication of network activity. (Para [047], [049], [067], see Query Unit 103).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Doppke’s GUI that monitors and visualizes network threat to include a query system coupled with its database in order to efficiently visualize high-level information related to network activity occurring across an entire network address space, enabling network analysts and other users to readily analyze characteristics of computer networks.
Referring to claim 54, Yamane teaches the apparatus of claim 53, wherein each data point of the plurality of data points represents a range of source device network addresses and a range of destination device network addresses point ([095], [100], display parameter “range of address”).
Referring to claim 55, Yamane teaches the apparatus of claim 53, wherein each data point of the plurality of data points represents a range of source device network addresses and a range of destination device network addresses, and wherein the range of source device network addresses corresponds is defined by network addresses having a same first two bytes, and wherein the range of destination device network addresses is defined by network addresses having a same first two bytes (see paragraph [120], measured value "1.2.3.4 . . . " & "1.2.5.6 . . . " (FIG. 15, described later) are associated having same network location wherein first two Octets of IP address represent first two bytes as subnetwork).
Referring to claim 56, Doppke teaches the apparatus of claim 53, wherein the instructions, wherein at least one of the instances of network activity corresponds to one or more of: a network session involving a pair of networked computing devices, a network flow involving a pair of networked computing devices, and a network connection involving a pair of networked computing devices ([029], network traffic alert data between source and a destination, i.e. pair of network computing devices).
Referring to claim 57, Doppke teaches the apparatus of claim 53, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to a number of instances of network activity represented by the data point (see paragraph [070], each point is displayed as a shape having an area corresponding to number of network activity shown with graphic indicators [064]).
Referring to claim 58, Doppke teaches the apparatus of claim 53, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to a value associated with instances of network activity represented by the data point (see paragraph [070], each point is displayed as a shape having an area corresponding to number of network activity shown with graphic indicators [064]).
Referring to claim 59, Doppke teaches the apparatus of claim 53, wherein each data point of the plurality of data points is displayed as a shape having an area corresponding to at least one value associated with instances of network activity represented by the data point, wherein the at least one value includes at least one of: a number of packets transferred, an amount of data transferred, a duration of time, or a data transfer rate  ([031], number of byte per second… is the data rate).
Referring to claim 60, Doppke teaches the apparatus of claim 53, wherein the instructions, when executed by the one or more processors, further cause the apparatus to:
receive a selection of at least one characteristic of the instances of network activity ([044], network characteristics of network traffic), the at least one characteristic including one or more: a quantity of instances of network activity, a number of packets transferred ([031], processing received packets), an amount of data transferred, a duration of time, and a data transfer rate ([031], data rate =, bytes per second); and
update the display of the plurality of data points based on the at least one characteristic (see paragraph [053] GUI updated during subsequent iterations).
Claim 41 is rejected under 35 U.S.C. 103 as being unpatentable over Doppke et al. (US pub, 2018/0077189) in view of Yamane in further view of Deshpande (US pub, 20180032605)
Referring to claim 41, Doppke teaches the computer-implemented method of claim 31 where the GUI visualizations represent characteristics of network traffic but lacks a query system.
Yamane teaches a query unit 103 that manages a measure value of plurality of items with respect to communication of network activity. (Para [047], [049], [067], see Query Unit 103).
Neither Doppke nor Yamane expressly teaches the visualization to include a bubble chart.
However, Deshpande teaches the visualization includes a bubble chart, and wherein each data point of the plurality of data points is displayed as a bubble having an area corresponding to at least one characteristic of the instances of network activity represented by the data point ([057], data analytic enhancement… to prepare bubble chart display obtaining flow from end user device via computer network that causes rendering of the display)
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Doppke’s GUI that monitors and visualizes network threat to include a query system coupled with its database to further include a 3D bubble chart in the GUI that represents visualizations of network traffic in order to efficiently visualize high-level information related to network activity occurring across an entire network address space, enabling network analysts and other users to readily analyze characteristics of computer networks.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The examiner also requests, when responding to this office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application. Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections. See 37 CFR 1.111(c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFTAB N. KHAN whose telephone number is (571)270-5172.  The examiner can normally be reached on Monday-Friday 8AM-5PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFTAB N. KHAN/
Primary Examiner, Art Unit 2454