DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: an activity records collection device (130), … arranged to operably collect … and a suspicious event analysis device (140), arranged to operably receive … in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Objections
Claim 2 is objected to because of the following informalities:  claim 2 recites “multiple participating devices involving in the multiple suspicious events”. It appears that “involving” should have been “involved”.  Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1 is provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of copending Application No. 16/548,439 in view of Seigel (US 2017/0063884). 

Claim 1 of Application No. 16/548,439 recites A cyber breach diagnostics system (100) for diagnosing whether a target network system (102) is breached by hackers, the cyber breach diagnostics system (100) comprising: 
a suspicious event analysis device (140), arranged to operably receive the return data (“A suspicious event analysis device (140) for diagnosing whether a target network system (102) is breached by hackers, the suspicious event analysis device (140) comprising: a display device (141); a communication circuit (143), arranged to operably receive multiple suspicious activities records related to multiple computing devices (111~115) in the target network system (102), corresponding multiple time stamps, and multiple attribute tags through internet; a storage circuit (147), arranged to operably store a suspicious event sequence diagram generating program (150); and a control circuit (149), coupled with the display device (141), the communication circuit (143), and the storage circuit (147), and arranged to operably execute the suspicious event sequence diagram generating program (150) to conduct a suspicious event sequence diagram generating operation according to the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags, so as to identify multiple suspicious events with respect to the .

Claim 1 of Application No. 16/548,439 fails to disclose an activity records collection device (130), coupled with the target network system (102), and arranged to operably collect multiple suspicious activities records related to multiple computing devices (111~115) in the target network system (102), corresponding multiple time stamps, and corresponding multiple attribute tags, and further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data.

In the same field of endeavor, Seigel teaches an activity records collection device (130), coupled with the target network system (102), and arranged to operably collect multiple suspicious activities records related to multiple computing devices (111~115) in the target network system (102) (see [0021] and Fig. 1: “A central server 116 may receive the event logs 114(1) to 114(Q) from one or more of the agents 108, 110, or 112 via a network 118. The central server 116 may store at least a portion of the event logs 114 in a database, such as an event log database 120. For example, the central server 116 may store a portion of the events logs 114 that are classified as sufficiently important to be stored”. And see [0027]: “Each of the event logs 114 may be generated based on detecting one or more activities. At least a portion of the event logs 114 may be generated in response to detecting activities that are indicative of malicious activities performed by malware or by an unauthorized user”. And see [0033]: “in the computing system 100, the agents 108, 110, and 112 may monitor activities associated with various network elements, such as the databases 102, the user devices 104, and the servers 106. The event logs 114 may be sent to the central server 116 and stored in the event log database 120 as the stored event logs 134”. And see [0017]: “The computing system 100 may include multiple types of network elements, including a representative one or more databases, such as a database 102(1) to a database 102(M), a representative one or more user devices, such as a user device 104(1) to a user device 104(N), and a representative one or more servers, such as a server 106(1) to a server 106(P), where M>1, N>1, and P>1”. 
The Examiner interprets the computing system 100 including a representative one or more databases, such as a database 102(1) to a database 102(M), a representative one or more user devices, such as a user device 104(1) to a user device 104(N), and a representative one or more servers, such as a server 106(1) to a server 106(P) as the target network system. The Examiner further interprets a representative one or more databases, such as a database 102(1) to a database 102(M), a representative one or more user devices, such as a user device 104(1) to a user device 104(N), and a representative one or more servers, such as a server 106(1) to a server 106(P) as multiple computing devices in the target network system. The Examiner further interprets the event log database 120 storing the event logs 114 generated in agents 108, 110, and 112 “in response to detecting activities that are indicative of malicious activities” as an activity records collection device, coupled with the target network system, and arranged to operably collect multiple suspicious activities records related to multiple computing devices in the target network system), corresponding multiple time stamps (see [0031]: “Each of the event logs 114 may include a timestamp 146 identifying approximately when an associated event occurred”), and corresponding multiple attribute tags (see [0031]: “the event log 114(Q) may include (i) the username 140 of a user whose activity caused the event log 114(Q) to be generated, (ii) one or more device identifiers 144 (e.g., IP address or other unique identifier) of the network elements 102, 104, or 106 associated with the activity that caused the event log 114(Q) to be generated, or (iii) both the user name 140 and the device identifier(s) 144”. The Examiner interprets the username 140 of a user whose activity caused the event log 114(Q) to be generated and one or more device identifiers 144 (e.g., IP address or other unique identifier) of the network elements 102, 104, or 106 associated with the activity that caused the event log 114(Q) to be generated as corresponding multiple attribute tags), and
further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data (see [0032] and Fig. 1: “The auditing software 122 may perform an analysis of at least a portion of the stored event logs 134. For example, a system administrator may select an identifier, such as the user name 140 or one of the device identifiers 144 and the auditing software 122 may identify one or more of the stored event logs 134, e.g., associated logs 136, that are associated with the identifier. In some cases, the system administrator may specify a time interval in addition to the identifier and the auditing software 122 may identify one or more of the stored event logs 134 associated with the identifier within the specified time interval, e.g., the associated logs 136. The auditing software 122 may group the associated logs 136 based on a location (e.g., a network element, such as one of the user devices 104) associated with each of the associated logs 136. The auditing software 122 may identify one or more sessions associated with each location…. the sessions at a same location may be displayed at a same height on the Y-axis and the sessions at different locations may be displayed at different heights on the Y-axis”. And see [0033]: “The agents 108, 110, 112 may generate the one or more event logs 114 based on monitoring the activities. Each of the event logs 114 may be associated with one (or more) activities. The event logs 114 may be sent to the central server 116 and stored in the event log database 120 as the stored event logs 134. The auditing software 122 may perform an analysis of the stored event logs 134 based on a selection of an identifier (e.g., user identifier or network element identifier) and graphically display sessions associated with the identifier”. 
Seigel inherently teaches the event log database 120 (an activity records collection device) “further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data” for the following reason. Because Seigel teaches in [0033] that the auditing software 122 on the central server 116 “may perform an analysis of the stored event logs 134 based on a selection of an identifier (e.g., user identifier or network element identifier) and graphically display sessions associated with the identifier”, the event log database 120 necessarily parses the event logs 134 stored in it, determines whether the identifier associated with each event log 134 (e.g., user identifier or network element identifier) matches the identifier specified by the auditing software 122, and returns the matching event logs to the auditing software 122 for graphical display. The Examiner interprets the event log database 120 parsing the event logs 134 (the multiple suspicious activities records) and their associated identifiers (the multiple attribute tags) and determining whether they should be returned to the auditing software 122 as an activity records collection device… further arranged to operably process the multiple suspicious activities records, … and the multiple attribute tags to generate a return data. Because Seigel also teaches in [0032] that “the auditing software 122 may identify one or more of the stored event logs 134 associated with the identifier within the specified time interval”, Seigel necessarily parses the timestamps associated with the stored event logs 134 and determines whether the timestamps fall within the specified time interval. Therefore, Seigel further teaches an activity records collection device… further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data).
 
Therefore, it would have been obvious to improve the cyber breach diagnostics system of claim 1 of Application No. 16/548,439 by adding the activity records collection device taught by Seigel. One having ordinary skill in the art would have been motivated to make such a modification to predictably .

This is a provisional nonstatutory double patenting rejection.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim 1 is rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Seigel (US 2017/0063884).

Regarding claim 1, Seigel teaches A cyber breach diagnostics system (100) for diagnosing whether a target network system (102) is breached by hackers (see title: “CORRELATING EVENT LOGS TO IDENTIFY A POTENTIAL SECURITY BREACH”. And see [0035]: “a company with a computer network that includes the computer system 100 of FIG. 1 may determine that confidential data was breached. To , the cyber breach diagnostics system (100) comprising: 
an activity records collection device (130), coupled with the target network system (102), and arranged to operably collect multiple suspicious activities records related to multiple computing devices (111~115) in the target network system (102) (see [0021] and Fig. 1: “A central server 116 may receive the event logs 114(1) to 114(Q) from one or more of the agents 108, 110, or 112 via a network 118. The central server 116 may store at least a portion of the event logs 114 in a database, such as an event log database 120. For example, the central server 116 may store a portion of the events logs 114 that are classified as sufficiently important to be stored”. And see [0027]: “Each of the event logs 114 may be generated based on detecting one or more activities. At least a portion of the event logs 114 may be generated in response to detecting activities that are indicative of malicious activities performed by malware or by an unauthorized user”. And see [0033]: “in the computing system 100, the agents 108, 110, and 112 may monitor activities associated with various network elements, such as the databases 102, the user devices 104, and the servers 106. The agents 108, 110, 112 may generate the one or more event logs 114 based on monitoring the activities. Each of the event logs 114 may be associated with one (or more) activities. The event logs 114 may be sent to the central server 116 and stored in the event log database 120 as the stored event logs 134”. And see [0017]: “The computing system 100 may include multiple types of network elements, including a representative one or more databases, such as a database 102(1) to a database 102(M), a representative one or more user devices, such as a user device 104(1) to a user device 104(N), and a representative one or more servers, such as a server 106(1) to a server 106(P), where M>1, N>1, and P>1”. 
The Examiner interprets the computing system 100 including a representative one or more databases, such as a database 102(1) to a database 102(M), a representative one or more user devices, such as a user device 104(1) to a user device 104(N), and a representative one or more servers, such as a server 106(1) to a server 106(P) as the target network system. The Examiner further interprets a representative one or more databases, such as a database 102(1) to a database 102(M), a representative one or more user devices, such as a user device 104(1) to a user device 104(N), and a representative one or more servers, such as a server 106(1) to a server 106(P) as multiple computing devices in the target network system. The Examiner further interprets the event log database 120 storing the event logs 114 generated in agents 108, 110, and 112 “in response to detecting activities that are indicative of malicious activities” as an activity records collection device, coupled with the target network system, and arranged to operably collect multiple suspicious activities records related to multiple computing devices in the target network system), corresponding multiple time stamps (see [0031]: “Each of the event logs 114 may include a timestamp 146 identifying approximately when an associated event occurred”), and corresponding multiple attribute tags (see [0031]: “the event log 114(Q) may include (i) the username 140 of a user whose activity caused the event log 114(Q) to be generated, (ii) one or more device identifiers 144 (e.g., IP address or other unique identifier) of the network elements 102, 104, or 106 associated with the activity that caused the event log 114(Q) to be generated, or (iii) both the user name 140 and the device identifier(s) 144”. 
The Examiner interprets the username 140 of a user whose activity caused the event log 114(Q) to be generated and one or more device identifiers 144 (e.g., IP address or other unique identifier) of the network elements 102, 104, or 106 associated with the activity that caused the event log 114(Q) to be generated as corresponding multiple attribute tags), and 
further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data (see [0032] and Fig. 1: “The auditing software 122 may perform an analysis of at least a portion of the stored event logs 134. For example, a system administrator may select an identifier, such as the user name 140 or one of the device identifiers 144 and the auditing software 122 may identify one or more of the stored event logs 134, e.g., associated logs 136, that are associated with the identifier. In some cases, the system administrator may specify a time interval in addition to the identifier and the auditing software 122 may identify one or more of the stored event logs 134 associated with the identifier within the specified time interval, e.g., the associated logs 136. The auditing software 122 may group the associated logs 136 based on a location (e.g., a network element, such as one of the user devices 104) associated with each of the associated logs 136. The auditing software 122 may identify one or more sessions associated with each location…. the sessions at a same location may be displayed at a same height on the Y-axis and the sessions at different locations may be displayed at different heights on the Y-axis”. And see [0033]: “The agents 108, 110, 112 may generate the one or more event logs 114 based on monitoring the activities. Each of the event logs 114 may be associated with one (or more) activities. The event logs 114 may be sent to the central server 116 and stored in the event log database 120 as the stored event logs 134. The auditing software 122 may perform an analysis of the stored event logs 134 based on a selection of an identifier (e.g., user identifier or network element identifier) and graphically display sessions associated with the identifier”. 
Seigel inherently teaches the event log database 120 (an activity records collection device) “further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data” for the following reason. Because Seigel teaches in [0033] that the auditing software 122 on the central server 116 “may perform an analysis of the stored event logs 134 based on a selection of an identifier (e.g., user identifier or network element identifier) and graphically display sessions associated with the identifier”, the event log database 120 necessarily parses the event logs 134 stored in it, determines whether the identifier associated with each event log 134 (e.g., user identifier or network element identifier) matches the identifier specified by the auditing software 122, and returns the matching event logs to the auditing software 122 for graphical display. The Examiner interprets the event log database 120 parsing the event logs 134 (the multiple suspicious activities records) and their associated identifiers (the multiple attribute tags) and determining whether they should be returned to the auditing software 122 as an activity records collection device… further arranged to operably process the multiple suspicious activities records, … and the multiple attribute tags to generate a return data. Because Seigel also teaches in [0032] that “the auditing software 122 may identify one or more of the stored event logs 134 associated with the identifier within the specified time interval”, Seigel necessarily parses the timestamps associated with the stored event logs 134 and determines whether the timestamps fall within the specified time interval. Therefore, Seigel further teaches an activity records collection device… further arranged to operably process the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags to generate a return data); and
a suspicious event analysis device (140), arranged to operably receive the return data generated by the activity records collection device (130) (see [0022] and Fig. 1: “The central server 116 may include one or more processors and one or more computer readable storage media to store auditing software 122. The auditing software 122 may be executed by the one or more processors of the central server 116 to perform various functions. For example, the auditing software 122 may receive an identifier, analyze and correlate events stored in the event log database 120, group the events based on location, identify sessions in each group of events, and render the sessions for display on a display device, such as a monitor device”. The Examiner interprets the central server 116 executing the auditing software 122 and receiving the return data generated by the event log database 120 (the activity records collection device) as a suspicious event analysis device, arranged to operably receive the return data generated by the activity records collection device), and 
conduct a suspicious event sequence diagram generating operation according to the return data (see [0033] and Fig. 3: “The auditing software 122 may perform an analysis of the stored event logs 134 based on a selection of an identifier (e.g., user identifier or network element identifier) and graphically display sessions associated with the identifier. For example, the sessions may be displayed , 
so as to identify multiple suspicious events with respect to the target network system (102), identify multiple time records respectively corresponding to the multiple suspicious events (see [0048]: “In FIG. 3, around 7:00 AM, a user successfully logs on to the first network element 208 (e.g., one of the user devices 104) using the first credentials 204, causing an agent (one of the agents 108, 110, or 112 of FIG. 1) to generate an event log for the logon event 310. Around 4:00 PM, the user logs off of the first network element 208, causing an agent to generate an event log for the logoff event 312. Around 8:00 PM, the user logs on to the first network element 208 using the first credentials 204, causing an agent to generate an event log for the logon event 314”), and 
generate and display a suspicious event sequence diagram (550) corresponding to the multiple suspicious events according to the multiple suspicious events and the multiple time records (see [0047] and Fig. 3: “For each location (e.g., the network elements 208, 210), the auditing software 122 may identify one or more sessions. For example, the auditing software 122 may identify a first session 302 and second session 304 associated with the first network element 208 and identify a third session 306 associated with the second network element 210. The sessions 302, 304, and 306 may be aligned with a common timeline 308. The auditing software 122 may identify the first session 302 based on a logon event 310 and a logoff event 304. The auditing software 122 may identify the second session 304 based on a logon event 314 and a logoff event 316, and may identify the third session 306 based on a logon event 318 and a logoff event 320. FIG. 3 illustrates how two or more sessions, such as the sessions 302, 304, may be displayed at a same height on the Y-axis when the sessions occur on the same network element using the same set of credentials. Sessions that occur on a different network element (or that use different credentials) may be displayed at different heights on the Y-axis. For example, the third session 306 may be displayed at a different height on the Y-axis than the sessions 302, 304 because the third session 306 includes events associated with the second network element 210 while the sessions 302, 304 include events associated with the first network element 208”).
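The prior-art mapping above describes a concrete log-correlation pipeline: agents emit event logs carrying a timestamp, a username and a device identifier; the stored logs matching a selected identifier (optionally within a time interval) are returned; the returned logs are grouped by location; logon/logoff pairs at each location are turned into sessions; and the sessions are laid out per location on a common timeline. The following Python sketch is an added illustration by the editor of that pipeline and is not code from the present application, from Seigel, or from this Office action. The record format, the field and function names, and the sample records are all constructed for the illustration. It also separates events confined to one device from events that reach a second device, and it keeps a session open-ended when a logon has no matching logoff, which is the case an analyst most often has to reason about when an agent's logs stop mid-session.

```python
# Editor's illustration (constructed data and names; not code from the application, Seigel, or this Office action).
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime          # timestamp of the activity
    user: str             # attribute tag: username
    device: str           # attribute tag: device on which the activity occurred
    kind: str             # logon, logoff, read, write, ...
    peer: str | None      # second device touched by the activity, if any


@dataclass(frozen=True)
class Session:
    device: str
    user: str
    start: datetime
    end: datetime | None  # None: logon seen, no logoff yet


# Constructed sample records (not taken from any reference): ISO-time,user,device,kind[,peer]
SAMPLE_LOG = """\
2017-01-01T07:00:00,alice,host1,logon
2017-01-01T09:30:00,alice,host1,read,host2
2017-01-01T16:00:00,alice,host1,logoff
2017-01-01T20:00:00,alice,host1,logon
2017-01-01T21:00:00,alice,host2,logon
2017-01-01T21:15:00,alice,host2,read,host1
2017-01-01T22:00:00,alice,host2,logoff
2017-01-01T23:00:00,alice,host1,logoff
2017-01-01T10:00:00,bob,host3,logon
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed record format into Events sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) < 4:
            raise ValueError(f"malformed record: {line!r}")
        peer = parts[4] if len(parts) > 4 else None
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], peer))
    return sorted(events, key=lambda e: e.ts)


def select_records(events, identifier, start=None, end=None) -> list[Event]:
    """The 'return data': records tagged with the identifier (a user or a device),
    optionally restricted to the closed time interval [start, end]."""
    return [e for e in events
            if identifier in (e.user, e.device, e.peer)
            and (start is None or e.ts >= start)
            and (end is None or e.ts <= end)]


def event_class(e: Event) -> str:
    """Events confined to one device versus events that reach a second device."""
    return "interaction" if e.peer else "internal"


def build_sessions(events) -> list[Session]:
    """Group by location (device), then pair each user's logon with the next logoff."""
    by_device: dict[str, list[Event]] = {}
    for e in events:
        by_device.setdefault(e.device, []).append(e)
    sessions = []
    for device, evs in by_device.items():
        open_since: dict[str, datetime] = {}
        for e in sorted(evs, key=lambda x: x.ts):
            if e.kind == "logon":
                open_since.setdefault(e.user, e.ts)  # repeated logon: keep the earliest start
            elif e.kind == "logoff":
                start = open_since.pop(e.user, None)
                if start is not None:                # logoff with no logon seen: nothing to close
                    sessions.append(Session(device, e.user, start, e.ts))
        for user, start in open_since.items():       # still logged on: open-ended session
            sessions.append(Session(device, user, start, None))
    return sorted(sessions, key=lambda s: (s.device, s.user, s.start))


def render_timeline(sessions, width_hours: int = 24) -> list[str]:
    """One text lane per (device, user) on a common hourly timeline:
    '#' inside a closed session, '?' inside an open-ended one, '.' idle."""
    if not sessions:
        return []
    base = min(s.start for s in sessions).replace(minute=0, second=0, microsecond=0)
    lanes: dict[str, list[str]] = {}
    for s in sessions:
        lane = lanes.setdefault(f"{s.device}/{s.user}", ["."] * width_hours)
        first = int((s.start - base).total_seconds() // 3600)
        last = width_hours - 1 if s.end is None else int((s.end - base).total_seconds() // 3600)
        for h in range(max(first, 0), min(last, width_hours - 1) + 1):
            lane[h] = "#" if s.end is not None else "?"
    return [f"{name:<14} {''.join(cells)}" for name, cells in sorted(lanes.items())]
```

Running build_sessions(select_records(parse_log(SAMPLE_LOG), "alice")) yields three closed sessions (two on host1, one on host2); render_timeline over the sessions of all records adds a third lane for bob on host3 that is marked open-ended, because only a logon was recorded. The selection step matches the identifier against the peer device as well as the originating device, so asking for "host2" also returns the read that reached host2 from host1.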

[Figure: media_image1.png (PNG, greyscale, 751 x 1087)]

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 2-7 are rejected under 35 U.S.C. 103 as being unpatentable over Seigel (US 2017/0063884) in view of Wang (US 2019/0081968).

Regarding claim 2, Seigel further teaches wherein the multiple suspicious events comprise multiple device internal events (see [0048] and Fig. 3: “In FIG. 3, around 7:00 AM, a user successfully logs on to the first network element 208 (e.g., one of the user devices 104) using the first credentials 204, causing an agent (one of the agents 108, 110, or 112 of FIG. 1) to generate an event log for the logon event 310. Around 4:00 PM, the user logs off of the first network element 208, causing an agent to generate an event log for the logoff event 312”) and multiple device interaction events (see [0049] and Fig. 3: “The user copies data from the directory on the second network element 210 to the file created on the first network element 208, causing an agent to generate an event log for a read event 326”), while the suspicious event sequence diagram generating operation further comprises: 
establishing multiple main visual objects (701~705; 901~909) respectively corresponding to multiple participating devices involving in the multiple suspicious events, wherein at least a part of the multiple main visual objects (701~705; 901~909) corresponds to computing devices of the target network system (102) (see [0035]: “The network element 208 or 210 may be one of the databases 102, the user devices 104, or the servers 106 of FIG. 1”. The Examiner interprets “1st NETWORK ELEMENT 208” and “2nd NETWORK ELEMENT 210” shown in Fig. 3 as multiple main visual objects respectively corresponding to multiple participating devices involving in the multiple suspicious events, wherein at least a part of the multiple main visual objects corresponds to computing devices of the target network system. And see [0047]: “FIG. 3 illustrates how two or more sessions, such as the sessions 302, 304, may be displayed at a same height on the Y-axis when the sessions occur on the same network element using the same set of credentials. Sessions that occur on a different network element (or that the second network element 210 while the sessions 302, 304 include events associated with the first network element 208”); 
(see [0047]: “FIG. 3 illustrates how two or more sessions, such as the sessions 302, 304, may be displayed at a same height on the Y-axis when the sessions occur on the same network element using the same set of credentials. Sessions that occur on a different network element (or that use different credentials) may be displayed at different heights on the Y-axis”. The Examiner interprets the sessions 302, 304, 306 including event sequences shown in Fig. 3 as the suspicious event sequence diagram. The Examiner interprets “1st NETWORK ELEMENT 208” and “2nd NETWORK ELEMENT 210” shown in left area of Fig. 3 as 
[Seigel, Fig. 3, reproduced with the Examiner's annotations]
); 
establishing multiple (see [0047] and Fig. 3: “the auditing software 122 may identify a first session 302 and second session 304 associated with the first network element 208 and identify a third session 306 associated with the second network element 210”. The Examiner interprets the horizontally displayed sessions 302, 304, 306 corresponding to the first network element 208 and the second network element 210 as multiple );
respectively arranging the multiple (see Fig. 3 reproduced below. The Examiner interprets arranging the horizontal sessions 302, 304, 306 to the right of  “1st NETWORK ELEMENT 208” and “2nd NETWORK ELEMENT 210” (the multiple main visual objects) as respectively arranging the multiple  
[Seigel, Fig. 3, reproduced with the Examiner's annotations]

; 
establishing multiple auxiliary visual objects (741~746; 941~946) respectively corresponding to the multiple device internal events (see [0057]: “in FIG. 3, a first group of event logs associated with the first network element 208 may include the events 310, 312, 314, 316, 324, and 326. The first group of event logs may be used to identify the first session 302 and the second session 304. A second group of event logs associated with the second network element 210 may include the events 318, 320, 322, and 326”. The Examiner interprets establishing the circles and squares representing events 310, 312, 314, 316, 324, 318, 320, and 322 occurring in the first network element 208 and the second network element 210 in Fig. 3 as establishing multiple auxiliary visual objects respectively corresponding to the multiple device internal events); 
arranging one or more auxiliary visual objects corresponding to respective participating devices on a (the Examiner interprets arranging the circles and squares representing events 310, 312, 314, 316, 324, 318, 320, and 322 (one or more auxiliary visual objects) occurring in the first network element 208 and the second network element 210 (respective participating devices) on a horizontal pattern to the right of “1st NETWORK ELEMENT 208” and “2nd NETWORK ELEMENT 210” (a corresponding main visual object) from left to right according to a chronological order shown in Fig. 3 as arranging one or more auxiliary visual objects corresponding to respective participating devices on a ); 
establishing multiple relation lines (751~756; 951~956) respectively corresponding to the multiple device interaction events (see [0049] and Fig. 3: “The user copies data from the directory on the second network element 210 to the file created on the first network element 208, causing an agent a read event 326”. The Examiner interprets establishing the line in the arrow corresponding to the read event 326 as establishing multiple relation lines respectively corresponding to the multiple device interaction events); 
arranging the multiple relation lines (751~756; 951~956) from (see the relation line in the arrow corresponding to the read event 326 below:
[Seigel, Fig. 3, reproduced with the Examiner's annotations]
); 
configuring a corresponding orientation symbol (761~766, 961~966) on each relation line according to a content of a device interaction event corresponding to the relation line to indicate an orientation of the device interaction event (see [0049] and Fig. 3: “The user copies data from the directory on the second network element 210 to the file created on the first network element 208, a read event 326”.The Examiner interprets the arrowhead in the arrow corresponding to the read event 326 as a corresponding orientation symbol on each relation line according to a content of a device interaction event corresponding to the relation line to indicate an orientation of the device interaction event); and 
displaying a concise description of a device interaction event corresponding to each relation line (the Examiner interprets displaying the description “READ EVENT” near the arrow 326 in Fig. 3 as displaying a concise description of a device interaction event corresponding to each relation line).

Seigel differs from claim 2 in that the event sequence diagram is horizontal instead of vertical.
In the same field of endeavor, Wang teaches a vertical event sequence diagram (see Fig. 4 reproduced below). 

[Wang, Fig. 4, reproduced]

the auditing software 122 may display the correlated event logs using other types of visual representations besides what is illustrated in FIG. 2”. 
When such a modification is made, Seigel modified in view of Wang would teach while the suspicious event sequence diagram generating operation further comprises: 
…
horizontally arranging the multiple main visual objects (701~705; 901~909) in an upper area (710) of the suspicious event sequence diagram (550); 
establishing multiple vertical patterns (731~735; 931~939) respectively corresponding to the multiple main visual objects (701~705; 901~909); 
respectively arranging the multiple vertical patterns (731~735; 931~939) below the multiple main visual objects (701~705; 901~909); 
…
arranging one or more auxiliary visual objects corresponding to respective participating devices on a vertical pattern below a corresponding main visual object from top to bottom according to a chronological order of corresponding device internal events; 
…
arranging the multiple relation lines (751~756; 951~956) from top to bottom according to their chronological order, and rendering two ends of each relation line to respectively touch two vertical patterns corresponding to two involving participating devices;…
Regarding claim 3, Seigel further teaches wherein the suspicious event sequence diagram generating operation further comprises: displaying a concise description of a participating device corresponding to each main visual object (see below: “1st NETWORK ELEMENT 208” and “2nd NETWORK ELEMENT 210”); and displaying a concise description of a device internal event corresponding to each auxiliary visual object (see below: “LOGOFF EVENT” 312).
[Seigel, Fig. 3, reproduced with the Examiner's annotations]


Regarding claim 4, Seigel further teaches wherein the suspicious event sequence diagram generating operation further comprises: displaying a corresponding time record of a device internal event corresponding to each auxiliary visual object (see [0048]: “In FIG. 3, around 7:00 AM, a user successfully logs on to the first network element 208 (e.g., one of the user devices 104) using the first credentials 204, causing an agent (one of the agents 108, 110, or 112 of FIG. 1) to generate an event log for the logon event 310. Around 4:00 PM, the user logs off of the first network element 208, causing an 
[Seigel, Fig. 3, reproduced with the Examiner's annotations]
).

Seigel fails to teach displaying a corresponding time record of a device interaction event corresponding to each relation line. However, Seigel teaches displaying a corresponding time record of a device internal event corresponding to each auxiliary visual object (see above). 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the cyber breach diagnostics system of Seigel by extending displaying a corresponding time record of a device internal event corresponding to each auxiliary visual object taught by Seigel to a device interaction event taught by Seigel. It would have been obvious because displaying a corresponding time record of a device interaction event corresponding to each relation line.

Regarding claim 5, Seigel fails to teach wherein the suspicious event sequence diagram generating operation further comprises: repeatedly displaying the multiple main visual objects (701~705; 901~909) in a lower area (720) of the suspicious event sequence diagram (550) according to an identical sequence of the multiple main visual objects (701~705; 901~909) in the upper area (710).
In the same field of endeavor, Wang teaches wherein the (see Fig. 4 reproduced below). 
[Wang, Fig. 4, reproduced with the Examiner's annotations]

wherein the suspicious event sequence diagram generating operation further comprises: repeatedly displaying the multiple main visual objects (701~705; 901~909) in a lower area (720) of the suspicious event sequence diagram (550) according to an identical sequence of the multiple main visual objects (701~705; 901~909) in the upper area (710).

Regarding claim 6, Seigel further teaches multiple device activities reporting programs (120), respectively stored in the multiple computing devices (111~115), and arranged to operably generate the multiple suspicious activities records related to the multiple computing devices (111~115) (see [0018] and Fig. 1: “The network elements of the computing system 100 may have an associated agent that monitors a particular component and generates an event log, such as one of event logs 114(1) to 114(Q) (where Q>1), when an event occurs… the agents 108 may generate an event log each time one of the databases 102 is accessed, e.g., each time (i) data is added to one of the databases 102, (ii) deleted from one of the databases 102, (iii) changed in one of the databases 102, or (iv) data is read from one of the databases 102”. And see [0019]: “the agents 110 may generate an event log each time a login occurs on one of the user devices 104, each time one of the user devices 104 is used to access one of the databases 102 or one of the servers 106, etc”. And see [0020]: “the agents 112 may generate an The Examiner interprets the agents 108, 110 and 112 as multiple device activities reporting programs) as well as the multiple time stamps (see [0031]: “Each of the event logs 114 may include a timestamp 146 identifying approximately when an associated event occurred”), and to operably establish the multiple attribute tags respectively corresponding to the multiple suspicious activities records (see [0031]: “the event log 114(Q) may include (i) the username 140 of a user whose activity caused the event log 114(Q) to be generated, (ii) one or more device identifiers 144 (e.g., IP address or other unique identifier) of the network elements 102, 104, or 106 associated with the activity that caused the event log 114(Q) to be generated, or (iii) both the user name 140 and the device identifier(s) 144”. 
The Examiner interprets the username 140 of a user whose activity caused the event log 114(Q) to be generated and one or more device identifiers 144 (e.g., IP address or other unique identifier) of the network elements 102, 104, or 106 associated with the activity that caused the event log 114(Q) to be generated as corresponding multiple attribute tags).

Regarding claim 7, Seigel further teaches multiple device activities reporting programs (120), respectively stored in the multiple computing devices (111~115), and arranged to operably generate the multiple suspicious activities records related to the multiple computing devices (111~115) (see [0018] and Fig. 1: “The network elements of the computing system 100 may have an associated agent that monitors a particular component and generates an event log, such as one of event logs 114(1) to 114(Q) (where Q>1), when an event occurs… the agents 108 may generate an event log each time one of the databases 102 is accessed, e.g., each time (i) data is added to one of the databases 102, (ii) deleted from one of the databases 102, (iii) changed in one of the databases 102, or (iv) data is read from one of the databases 102”. And see [0019]: “the agents 110 may generate an event log each time a login occurs on one of the user devices 104, each time one of the user devices 104 is used to access one of the agents 112 may generate an event log each time one of the servers 106 is accessed”. The Examiner interprets the agents 108, 110 and 112 as multiple device activities reporting programs) as well as the multiple time stamps (see [0031]: “Each of the event logs 114 may include a timestamp 146 identifying approximately when an associated event occurred”);
wherein the activity records collection device (130) is further arranged to operably establish the multiple attribute tags respectively corresponding to the multiple suspicious activities records (see [0029]: “the auditing software 122 may receive the event logs 114, assign a severity 132 to each of the events logs 114, and store the event logs 114 in the event log database 120”. The Examiner interprets the severities 132 assigned to the event logs 114 as the multiple attribute tags respectively corresponding to the multiple suspicious activities records).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Seigel (US 2017/0063884), further in view of Wang (US 2019/0081968), and further in view of Sim (US 10,354,287).

Regarding claim 8, Seigel modified in view of Wang further teaches wherein the suspicious event sequence diagram (550) comprises: a first main visual object (903) corresponding to a first participating device (111) (“1st NETWORK ELEMENT 208” in Fig. 3 below), a second main visual object (905) corresponding to a second participating device (112) (“2nd NETWORK ELEMENT 210” in Fig. 3 below), a first vertical pattern (933) corresponding to the first main visual object (903) (2ND SESSION 304 in Fig. 3 below), and a second vertical pattern (935) corresponding to the second main visual object (905) (3RD SESSION 306 in Fig. 3 below).
[Seigel, Fig. 3, reproduced with the Examiner's annotations]


Seigel modified in view of Wang fails to teach “wherein when the suspicious event analysis device (140) identifies that a first device internal event took place in the first participating device (111), and a second device internal event took place in the second participating device (112), but whether a device interaction event of a predetermined type took place between the first participating device (111) and the second participating device (112) cannot be confirmed, the suspicious event sequence diagram generating operation further comprises: calculating a time difference between a first time record corresponding to the first device internal event and a second time record corresponding to the second device internal event; comparing the time difference with a predetermined threshold value; establishing a speculated relation line (1157) corresponding to a device interaction event of the predetermined type if the time difference is less than the predetermined threshold value”.
wherein when the (see claim 1. “A method comprising: accessing, by an online system, an ad history associated with a user identifier of a user of the online system, the ad history identifying advertisements presented to the user; selecting an ad for presentation to a client device of the user; transmitting the selected ad for display from the online system to the client device; storing, by the online system, a content identifier (ID) associated with the selected ad and a time stamp when the selected ad was transmitted to the client device in the ad history associated with the user identifier of the user; receiving, by the online system, the user identifier of the user, a content ID after a conversion event has occurred using a different device associated with the user, and a time of the conversion event from the different device associated with the user; retrieving, by the online system, the ad history associated with the received user identifier; matching, by the online system, the received content ID with the content ID associated with the selected ad stored in the ad history; determining, by the online system, that the ad caused the conversion event based at least in part on whether a difference between the time of the conversion event received from the different device associated with the user and the time stamp when the selected ad was transmitted to the client device is less than a threshold time period for conversion of the ad; and determining, by the online the determination that the ad caused the conversion event”).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the cyber breach diagnostics system of Seigel modified in view of Wang by letting the event sequence diagram generating operation further comprise: calculating a time difference between a first time record corresponding to the first device internal event and a second time record corresponding to the second device internal event; comparing the time difference with a predetermined threshold value; establishing… speculated …a device interaction event of the predetermined type if the time difference is less than the predetermined threshold value, when the event analysis device identifies that a first device internal event took place in the first participating device, and a second device internal event took place in the second participating device, but whether a device interaction event of a predetermined type took place between the first participating device and the second participating device cannot be confirmed, as taught by Sim. It would have been obvious because doing so predictably achieves the benefit of accurately determining whether a device interaction event of a predetermined type took place between the first participating device and the second participating device. 
When such a modification is made, Seigel modified in view of Wang and Sim would teach wherein when the suspicious event analysis device (140) identifies that a first device internal event took place in the first participating device (111), and a second device internal event took place in the second participating device (112), but whether a device interaction event of a predetermined type took place between the first participating device (111) and the second participating device (112) cannot be confirmed, the suspicious event sequence diagram generating operation further comprises: calculating a time difference between a first time record corresponding to the first device internal event and a second time record corresponding to the second device internal event; comparing the time difference with a predetermined threshold value; establishing 
In addition, Seigel modified in view of Wang teaches (see the rejection of claim 2) establishing a 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the cyber breach diagnostics system of Seigel modified in view of Wang and Sim by adding the steps of establishing a establishing a speculated relation line (1157) corresponding to a device interaction event of the predetermined type if the time difference is less than the predetermined threshold value; rendering two ends of the speculated relation line (1157) to respectively touch the first vertical pattern (933) and the second vertical pattern (935); configuring a corresponding orientation symbol (1167) on the speculated relation line (1157) according to a relative magnitude of the first time record and the second time record, so as to indicate an orientation of the device interaction event of the predetermined type; and displaying a concise description of the device interaction event of the predetermined type.
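The diagram-generating operation discussed in the rejections of claims 2, 5 and 8 above can be illustrated in code: main visual objects for the participating devices, auxiliary visual objects for device internal events laid out chronologically on each device's vertical pattern, relation lines with orientation symbols and concise descriptions for device interaction events, and, where two same-kind internal events on different devices fall within a threshold with no confirmed interaction between those devices, a speculated relation line oriented from the earlier to the later time record. The following is constructed example code added to this page; it is not code from Seigel, Wang, Sim, Sallam or the application under examination, and the event-log fields, host names, timestamps, the 5-minute threshold and the Mermaid rendering are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One agent event log entry (field names are assumptions for this example)."""
    ts: datetime                 # time record from the agent's event log
    device: str                  # participating device on which the event was logged
    kind: str                    # LOGON, LOGOFF, FILE_CREATE, READ, ...
    peer: Optional[str] = None   # set only for device interaction events: the other device
    outbound: bool = True        # orientation of an interaction event: device -> peer if True
    detail: str = ""             # concise description, e.g. a file or directory name


@dataclass(frozen=True)
class Relation:
    """A relation line between two vertical patterns (confirmed or speculated)."""
    ts: datetime
    src: str
    dst: str
    label: str
    speculated: bool = False


def build_diagram(events: List[Event], predetermined_type: str = "COPY",
                  internal_kind: str = "FILE_CREATE", threshold_s: float = 300
                  ) -> Tuple[List[str], Dict[str, List[Event]], List[Relation]]:
    evs = sorted(events, key=lambda e: e.ts)

    # Main visual objects: participating devices, ordered by first appearance.
    devices: List[str] = []
    for e in evs:
        for d in (e.device, e.peer):
            if d is not None and d not in devices:
                devices.append(d)

    # Auxiliary visual objects: device internal events per vertical pattern, chronological.
    internal = {d: [e for e in evs if e.peer is None and e.device == d] for d in devices}

    # Relation lines for confirmed device interaction events; orientation from the log.
    relations: List[Relation] = []
    for e in evs:
        if e.peer is None:
            continue
        src, dst = (e.device, e.peer) if e.outbound else (e.peer, e.device)
        relations.append(Relation(e.ts, src, dst, f"{e.kind} {e.detail}".strip()))
    confirmed = {frozenset((r.src, r.dst)) for r in relations
                 if r.label.startswith(predetermined_type)}

    # Speculated relation lines: two internal events of the same kind and detail on
    # different devices, no confirmed interaction of the predetermined type between
    # those devices, and a time difference below the threshold.  The orientation
    # follows the relative magnitude of the two time records (earlier -> later).
    cands = [e for e in evs if e.peer is None and e.kind == internal_kind]
    for i, a in enumerate(cands):
        for b in cands[i + 1:]:
            if a.device == b.device or a.detail != b.detail:
                continue
            if frozenset((a.device, b.device)) in confirmed:
                continue
            first, second = (a, b) if a.ts <= b.ts else (b, a)
            delta_s = int((second.ts - first.ts).total_seconds())
            if delta_s < threshold_s:
                label = f"{predetermined_type} {a.detail} (speculated, dt={delta_s}s)"
                relations.append(Relation(second.ts, first.device, second.device, label, True))

    relations.sort(key=lambda r: r.ts)
    return devices, internal, relations


def render_mermaid(devices, internal, relations) -> str:
    """Mermaid sequence diagram: participants across the top (Mermaid repeats them
    across the bottom by default), lifelines as the vertical patterns, notes as
    auxiliary objects, arrows as relation lines (dashed = speculated)."""
    alias = {d: f"D{i}" for i, d in enumerate(devices)}
    out = ["sequenceDiagram"]
    out += [f"    participant {alias[d]} as {d}" for d in devices]
    stream = [(e.ts, "note", e) for d in devices for e in internal[d]]
    stream += [(r.ts, "rel", r) for r in relations]
    stream.sort(key=lambda x: (x[0], x[1]))  # top-to-bottom chronological order
    for ts, kind, obj in stream:
        t = ts.strftime("%H:%M")
        if kind == "note":
            out.append(f"    Note over {alias[obj.device]}: {t} {obj.kind} {obj.detail}".rstrip())
        else:
            arrow = "-->>" if obj.speculated else "->>"
            out.append(f"    {alias[obj.src]}{arrow}{alias[obj.dst]}: {t} {obj.label}")
    return "\n".join(out)


def sample_events() -> List[Event]:
    """Constructed logs loosely following the Seigel Fig. 3 narrative (not real data)."""
    def t(h, m):
        return datetime(2024, 1, 1, h, m)
    return [
        Event(t(7, 0), "host-A", "LOGON", detail="user1"),
        Event(t(9, 10), "host-A", "FILE_CREATE", detail="notes.txt"),
        # data read from host-B's directory into the file on host-A: oriented B -> A
        Event(t(9, 12), "host-A", "READ", peer="host-B", outbound=False, detail="share/dir"),
        Event(t(9, 30), "host-B", "FILE_CREATE", detail="tool.exe"),
        Event(t(9, 33), "host-C", "FILE_CREATE", detail="tool.exe"),  # same file, 3 min later
        Event(t(14, 0), "host-A", "FILE_CREATE", detail="tool.exe"),  # same file, hours later
        Event(t(16, 0), "host-A", "LOGOFF", detail="user1"),
    ]


if __name__ == "__main__":
    print(render_mermaid(*build_diagram(sample_events())))
```

Running the block prints a Mermaid `sequenceDiagram` in which the participants are listed across the top and repeated across the bottom in the same order, the READ event appears as a solid arrow from host-B to host-A, and the two FILE_CREATE events for the same file on host-B and host-C, 180 seconds apart with no confirmed COPY between them, appear as a dashed speculated line from host-B to host-C; the later same-file event on host-A is outside the threshold and draws no speculated line. The threshold is a heuristic parameter, so an analyst should treat a dashed line as a lead to confirm from the logs rather than as an established interaction.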

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Seigel (US 2017/0063884), further in view of Wang (US 2019/0081968), further in view of Sim (US 10,354,287), and further in view of Sallam (US 7,509,680). 

Regarding claim 9, Seigel modified in view of Wang and Sim fails to teach wherein both the first device internal event and the second device internal event are file generating events with respect to a same file.
In the same field of endeavor, Sallam teaches wherein both the first device internal event and the second device internal event are file generating events with respect to a same file (see Abstract: “A worm detection manager detects computer worms when they arrive at target computers via open network shares. The worm detection manager monitors incoming file system traffic, and determines the source of incoming files. The worm detection manager determines that an incoming file is infected with a worm, responsive to circumstances such as substantially the same file being written to the target computer by a requisite plurality of computers; substantially the same file being written to the target computer a requisite number of times by the same computer; substantially the same file being written .
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the cyber breach diagnostics system of Seigel modified in view of Wang and Sim by letting both the first device internal event and the second device internal event be file generating events with respect to a same file, as taught by Sallam. It would have been obvious because Sallam teaches that doing so detects computer worms in a network.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Seigel (US 2017/0063884), further in view of Wang (US 2019/0081968), and further in view of Sallam (US 7,509,680). 

Regarding claim 10, Seigel modified in view of Wang fails to teach wherein when the multiple participating devices comprise one or more malicious file providing devices (160) located outside the target network system (102), at least a part of the multiple main visual objects (701~705; 901~909) corresponds to the one or more malicious file providing devices (160).
In the same field of endeavor, Sallam teaches wherein when the multiple participating devices comprise one or more malicious file providing devices (160) located outside the target network system (102) (see Abstract: “A worm detection manager detects computer worms when they arrive at target computers via open network shares. The worm detection manager monitors incoming file system traffic, and determines the source of incoming files. The worm detection manager determines that an incoming file is infected with a worm, responsive to circumstances such as substantially the same file being written to the target computer by a requisite plurality of computers; substantially the same file being written to the target computer a requisite number of times by the same computer; substantially the same file being written to the target computer a requisite number of times within a requisite time The Examiner interprets the source of an incoming file infected with a worm taught by Sallam as one or more malicious file providing devices (160) located outside the target network system (102)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve the cyber breach diagnostics system of Seigel modified in view of Wang by letting the multiple participating devices comprise one or more malicious file providing devices located outside the target network system, as taught by Sallam. It would have been obvious because doing so predictably achieves the commonly understood benefit of graphically indicating interactions between the malicious file providing devices and the target network to an analyst. Because Seigel modified in view of Wang teaches “establishing multiple main visual objects (701~705; 901~909) respectively corresponding to multiple participating devices involving in the multiple suspicious events” (see the rejection of claim 2), when the above modification is made, Seigel modified in view of Wang and Sallam would teach wherein when the multiple participating devices comprise one or more malicious file providing devices (160) located outside the target network system (102), at least a part of the multiple main visual objects (701~705; 901~909) corresponds to the one or more malicious file providing devices (160).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495

/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495