DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/03/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 408, 410, 412, 414, 416, 418, 510, 520, 530, 540, 550 and many references from Fig. 6 to Fig. 12.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The disclosure is objected to because of the following informalities:
In section 0020, line 1, “refers” should read “refer”
Appropriate correction is required.

Claim Objections
Claims 6 and 14 are objected to because of the following informalities:
In claims 6 and 14, references 1157 and 1167 are mentioned which cannot be found in the description or the drawings.
Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Dai (US 20200374306 A1) in view of Manni et al. (US 9311479 B1), hereinafter Manni.
Regarding claim 1, Dai teaches a suspicious event analysis device for diagnosing whether a target network system is breached by hackers, (Paragraph [0002] “The present disclosure relates to the field of network security, for example, relates to a network traffic anomaly "whether a target network system is breached by hackers" detection method and apparatus, a computer device "suspicious event analysis device".”)  
the suspicious event analysis device comprising: a display device (Paragraph [0045] update a display content of an anomaly display interface "display device" according to the counting result “analysis”);
a communication circuit (143), arranged to operably receive multiple suspicious activities records related to multiple computing devices (111~115) in the target network system (102), (Paragraph [0016] “In step 102, network traffic data “multiple suspicious activities 
a storage circuit (147), arranged to operably store a suspicious event sequence diagram generating program (Paragraph [0007] “The present disclosure further provides a computer device, including a processor which, when executing computer programs stored in a memory “storage circuit”, implements any network traffic anomaly detection method "suspicious event sequence diagram generating program".”);
and a control circuit (149), coupled with the display device (141), the communication circuit (143), and the storage circuit (147), and arranged to operably execute the suspicious event sequence diagram generating program (150) to conduct a suspicious event sequence diagram generating operation. (Paragraph [0006] “The present disclosure further provides a network traffic anomaly detection apparatus "device", which includes a collection unit "communication circuit", an establishment unit “control circuit” and a determining unit “storage circuit”. The collection unit is configured to collect network traffic data in real time, and store the network traffic data in a first preset database. The establishment unit is configured to determine network traffic anomaly detection model data according to network traffic data collected within a preset time period stored in the first preset database. The determining unit is configured to determine “conduct a suspicious event sequence diagram generating operation” whether network traffic data collected after the preset time period is anomalous according to the 
Dai does not teach about incorporating multiple time stamps, multiple attribute tags into the suspicious event sequence diagram generating program. However, Manni teaches about analyzing data according to the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags, so as to identify multiple suspicious events with respect to the target network system (Paragraph [0013] “analytic data "suspicious activity records" associated with suspicious network content that has been analyzed by that MCD system for malware. The analytic data comprises (1) information “suspicious activities record” that identifies the suspicious network content (e.g., a time-stamp value “multiple time stamps”, monotonic count value, or another type of identifier); (2) input attributes "multiple attribute tags"; and (3) analysis attributes.”)
Dai and Manni are both considered to be analogous to the claimed invention because they are in the same field of analyzing suspicious events in network security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Dai to incorporate the teachings of Manni and provide an event analysis device to generate and display a suspicious event sequence diagram corresponding to the multiple suspicious events according to the multiple suspicious activities events and multiple time records. It would be obvious to one of ordinary skill in the art to use this preexisting known method of analyzing data using time records. Doing so would aid in using different metrics in the analysis to generate the event sequence diagram more accurately and keeping track of suspicious events occurring at different time periods. 
 Dai teaches a computer program product (150), stored in a storage circuit (147) of a suspicious event analysis device (140), and enabling the suspicious event analysis device (140) to conduct a suspicious event sequence diagram generating operation (Paragraph [0007] “The present disclosure further provides a computer device, including a processor which, when executing computer programs stored in a memory “storage circuit”, implements any network traffic anomaly detection method "suspicious event sequence diagram generating operation".”), 
the suspicious event sequence diagram generating operation comprising: identifying multiple suspicious events with respect to the target network system (102) according to multiple suspicious activities records related to multiple computing devices (111~115) in a target network system (102) (Paragraph [0006] “The determining unit is configured to determine “conduct a suspicious event sequence diagram generating operation” whether network traffic data collected after the preset time period is anomalous according to the network traffic anomaly detection model data "execute the suspicious event sequence diagram generating program" ”),
Dai does not teach about incorporating multiple time stamps, multiple attribute tags into the suspicious event sequence diagram generating program. However, Manni teaches about analyzing data according to the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags, so as to identify multiple suspicious events with respect to the target network system (Paragraph [0013] “analytic data "suspicious activity records" associated with suspicious network content that has been analyzed by that MCD system for malware. The analytic data comprises (1) information “suspicious activities record” that identifies the suspicious network content (e.g., a time-stamp value “multiple time stamps”, 
Dai and Manni are both considered to be analogous to the claimed invention because they are in the same field of analyzing suspicious events in network security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Dai to incorporate the teachings of Manni and provide an event analysis device to generate and display a suspicious event sequence diagram corresponding to the multiple suspicious events according to the multiple suspicious activities events and multiple time records. It would be obvious to one of ordinary skill in the art to use this preexisting known method of analyzing data using time records. Doing so would aid in using different metrics in the analysis to generate the event sequence diagram more accurately and keeping track of suspicious events occurring at different time periods.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-16 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of copending Application No. 16/548,002 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because:
Regarding claim 1 of current application, Claim 1 of application No. 16/548,002 teaches a cyber-breach diagnostics system "A suspicious event analysis device" (100) for diagnosing 
arranged to operably receive the return data generated by the activity records collection device (130), and conduct a suspicious event sequence diagram generating operation "by the suspicious event sequence diagram generating program" according to the return data "multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags", so as to identify multiple suspicious events with respect to the target network system (102), identify multiple time records respectively corresponding to the multiple suspicious events, and generate and display a suspicious event sequence diagram (550) corresponding to the multiple suspicious events according to the multiple suspicious events and the multiple time records.
Claim 2 of application No. 16/548,002 teaches the display device that generates multiple visual objects in suspicious event sequence diagram. 
Claim 6 of application No. 16/548,002 also teaches multiple device activities reporting programs (120), respectively stored “a storage circuit (147), arranged to operably store a suspicious event sequence diagram generating program” in the multiple computing devices (111~115), and arranged to operably generate the multiple suspicious activities records related to 
Regarding claim 2 of current application, Claim 2 of application No. 16/548,002 teaches the cyber breach diagnostics system "The suspicious event analysis device" (100) of claim 1, wherein the multiple suspicious events comprise multiple device internal events and multiple device interaction events, while the suspicious event sequence diagram generating operation further comprises: establishing multiple main visual objects (701~705; 901~909) respectively corresponding to multiple participating devices involving in the multiple suspicious events, wherein at least a part of the multiple main visual objects (701~705; 901~909) corresponds to computing devices of the target network system (102); horizontally arranging the multiple main visual objects (701~705; 901~909) in an upper area (710) of the suspicious event sequence diagram (550);
establishing multiple vertical patterns (731~735; 931~939) respectively corresponding to the multiple main visual objects (701~705; 901~909); respectively arranging the multiple vertical patterns (731~735; 931~939) below the multiple main visual objects (701~705; 901~909); establishing multiple auxiliary visual objects (741~746; 941~946) respectively corresponding to the multiple device internal events; arranging one or more auxiliary visual objects corresponding to respective participating devices on a vertical pattern below a corresponding main visual object from top to bottom according to a chronological order of corresponding device internal events; establishing multiple relation lines (751~756; 951~956) respectively corresponding to the multiple device interaction events; arranging the multiple relation lines (751~756; 951~956) from top to bottom according to their chronological order, and 
Regarding claim 3 of current application, Claim 3 of application No. 16/548,002 teaches the cyber breach diagnostics system "The suspicious event analysis device" (100) of claim 2, wherein the suspicious event sequence diagram generating operation further comprises: displaying a concise description of a participating device corresponding to each main visual object; and displaying a concise description of a device internal event corresponding to each auxiliary visual object.
Regarding claim 4 of current application, Claim 4 of application No. 16/548,002 teaches the cyber breach diagnostics system "The suspicious event analysis device" (100) of claim 3, wherein the suspicious event sequence diagram generating operation further comprises: displaying a corresponding time record of a device internal event corresponding to each auxiliary visual object; and displaying a corresponding time record of a device interaction event corresponding to each relation line.
Regarding claim 5 of current application, Claim 5 of application No. 16/548,002 teaches the cyber breach diagnostics system "The suspicious event analysis device" (100) of claim 2, wherein the suspicious event sequence diagram generating operation further comprises: repeatedly displaying the multiple main visual objects (701~705; 901~909) in a lower area (720) of the suspicious event sequence diagram (550) according to an identical sequence of the multiple main visual objects (701~705; 901~909) in the upper area (710). 

comparing the time difference with a predetermined threshold value; establishing a speculated relation line (1157) corresponding to a device interaction event of the predetermined type if the time difference is less than the predetermined threshold value; rendering two ends of the speculated relation line (1157) to respectively touch the first vertical pattern (933) and the second vertical pattern (935); configuring a corresponding orientation symbol (1167) on the speculated relation line (1157) according to a relative magnitude of the first time record and the second time record, so as to indicate an orientation of the device interaction event of the predetermined type; and displaying a concise description of the device interaction event of the predetermined type.

Regarding claim 8 of current application, Claim 10 of application No. 16/548,002 teaches the cyber breach diagnostics system "The suspicious event analysis device" (100) of claim 2, wherein when the multiple participating devices comprise one or more malicious file providing devices (160) located outside the target network system (102), at least a part of the multiple main visual objects (701~705; 901~909) corresponds to the one or more malicious file providing devices (160).
Regarding claim 9, Claim 1 of application No. 16/548,002 teaches a cyber breach diagnostics system “a computer program product stored in storage circuit of a suspicious event analysis device” (100) comprising: an activity records collection device (130), coupled with the target network system (102), and arranged to operably collect multiple suspicious activities records related to multiple computing devices (111~115) in the target network system (102), corresponding multiple time stamps, and corresponding multiple attribute tags, and further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data; and a suspicious event analysis device (140), arranged to operably receive the return data generated by the activity records collection device (130), and conduct a suspicious event sequence diagram generating operation according to the return data, so as to identify multiple suspicious events with respect to the target network system (102), identify multiple time records respectively corresponding to the multiple suspicious events, and generate and display a suspicious event sequence diagram (550) 
Regarding claim 10, Claim 2 of application No. 16/548,002 teaches the computer program product of claim 1, wherein the multiple suspicious events comprise multiple device internal events and multiple device interaction events, while the suspicious event sequence diagram generating operation further comprises: establishing multiple main visual objects (701~705; 901~909) respectively corresponding to multiple participating devices involving in the multiple suspicious events, wherein at least a part of the multiple main visual objects (701~705; 901~909) corresponds to computing devices of the target network system (102); horizontally arranging the multiple main visual objects (701~705; 901~909) in an upper area (710) of the suspicious event sequence diagram (550);
establishing multiple vertical patterns (731~735; 931~939) respectively corresponding to the multiple main visual objects (701~705; 901~909); respectively arranging the multiple vertical patterns (731~735; 931~939) below the multiple main visual objects (701~705; 901~909); establishing multiple auxiliary visual objects (741~746; 941~946) respectively corresponding to the multiple device internal events; arranging one or more auxiliary visual objects corresponding to respective participating devices on a vertical pattern below a corresponding main visual object from top to bottom according to a chronological order of corresponding device internal events; establishing multiple relation lines (751~756; 951~956) respectively corresponding to the multiple device interaction events; arranging the multiple relation lines (751~756; 951~956) from top to bottom according to their chronological order, and rendering two ends of each relation line to respectively touch two vertical patterns corresponding to two involving participating devices; configuring a corresponding orientation symbol 
Regarding claim 11 of current application, Claim 3 of application No. 16/548,002 teaches the computer program product of claim 2, wherein the suspicious event sequence diagram generating operation further comprises: displaying a concise description of a participating device corresponding to each main visual object; and displaying a concise description of a device internal event corresponding to each auxiliary visual object.
Regarding claim 12 of current application, Claim 4 of application No. 16/548,002 teaches the computer program product of claim 3, wherein the suspicious event sequence diagram generating operation further comprises: displaying a corresponding time record of a device internal event corresponding to each auxiliary visual object; and displaying a corresponding time record of a device interaction event corresponding to each relation line.
Regarding claim 13 of current application, Claim 5 of application No. 16/548,002 teaches the computer program product of claim 2, wherein the suspicious event sequence diagram generating operation further comprises: repeatedly displaying the multiple main visual objects (701~705; 901~909) in a lower area (720) of the suspicious event sequence diagram (550) according to an identical sequence of the multiple main visual objects (701~705; 901~909) in the upper area (710). 
Regarding claim 14 of current application, Claim 8 of application No. 16/548,002 teaches the computer program product of claim 2, wherein the suspicious event sequence diagram (550) comprises: a first main visual object (903) corresponding to a first participating device (111), a second main visual object (905) corresponding to a second participating device (112), a first 
comparing the time difference with a predetermined threshold value; establishing a speculated relation line (1157) corresponding to a device interaction event of the predetermined type if the time difference is less than the predetermined threshold value; rendering two ends of the speculated relation line (1157) to respectively touch the first vertical pattern (933) and the second vertical pattern (935); configuring a corresponding orientation symbol (1167) on the speculated relation line (1157) according to a relative magnitude of the first time record and the second time record, so as to indicate an orientation of the device interaction event of the predetermined type; and displaying a concise description of the device interaction event of the predetermined type.
Regarding claim 15 of current application, Claim 9 of application No. 16/548,002 teaches the computer program product of claim 8, wherein both the first device internal event and the second device internal event are file generating events with respect to a same file.
Regarding claim 16 of current application, Claim 10 of application No. 16/548,002 teaches the computer program product of claim 2, wherein when the multiple participating .

This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Allowable Subject Matter
Claims 2-8 and 10-16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Ponnuswamy et al. (US 20180367541 A1) teaches a system and method for migrating to and maintain a white-list network security model.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346.  The examiner can normally be reached on Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached on 5712703351.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Y.J./
/TOM Y LU/Primary Examiner, Art Unit 2667