DETAILED ACTION
This final rejection is responsive to the amendment filed 30 November 2021.  Claims 15-19 are pending.  Claim 15 is an independent claim.  Claims 1-14 are cancelled.  Claims 15-19 are new. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Remarks
Claim Rejections under 35 U.S.C. 112
Applicant’s arguments have been fully considered and they are persuasive.  The rejections are withdrawn.

Claim Rejections under 35 U.S.C. 103
Applicant’s prior art arguments have been fully considered but they are not persuasive.  
Applicant argues (pg. 16) that Telang is directed to a simulated attack generator and does not detect and collect suspicious activities records and time stamps related to a computing device in which it is installed.
However, Telang teaches a cybersecurity system that monitors activity by the plurality of monitored devices.  As provided below, it is Tsironis which teaches each of the monitored devices having installed a monitoring component.  
Applicant further argues (pg. 16) that Telang is completely silent about creating attribute tags corresponding to the collected suspicious activities records.
Examiner respectfully disagrees.  First, the claims do not further define the function of the tags.  Moreover, as provided below, Telang teaches a network monitoring system and further retrieving the monitoring data as well as the IP address, hostname, a user ID, a division ID, a department ID, etc...  The foregoing data is then displayed in the interface panes of Fig. 23.  The foregoing data is interpreted as attribute tags.
Applicant further argues (pg. 16) that “Telang nowhere discloses that the network monitoring system 100 or the cybersecurity system 110 will identify multiple suspicious events related to a plurality of monitored devices 102 based on multiple suspicious activities records, multiple time stamps, and multiple created attribute tags. Telang also fails to disclose that the network monitoring system 100 or the cybersecurity system 110 will identify multiple time records respectively corresponding to the multiple suspicious events based on the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags.”
Examiner respectfully disagrees.  Telang teaches (Figs. 23-24 and ¶[0433]) capturing activity data from a network of devices and storing it.  The data includes date and/or time values.  Telang also teaches generating the IP address, hostname, a user ID, a division ID, a department ID, etc...  The foregoing data is then displayed in the interface panes of Fig. 23.  Telang teaches integrating the input and display device into a system which then displays multiple panes for filtering data.
Applicant argues (pgs. 16-17) that Tsironis also does not teach the foregoing.  However, in addition to the above, Tsironis also teaches monitoring network components and further retrieving raw data that is stored in multiple fields (Fig. 2A and ¶[0080]).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Telang (US 2018/0357422 A1) hereinafter known as Telang in view of Tsironis (US 2018/0316727 A1) hereinafter known as Tsironis.

independent claim 15, Telang teaches:
... detect and collect suspicious activities records and time stamps related to a computing device in which it is installed, and further arranged to operably create attribute tags corresponding to the suspicious activities records; and  (Telang: ¶[0049] and ¶[0128]; Telang teaches a network monitoring system and further retrieving the monitoring data as well as the IP address, hostname, a user ID, a division ID, a department ID, etc...  The foregoing data is then displayed in the interface panes of Fig. 23.)
a multi-frame cyber security analysis device (140), comprising: a display device (141);  Telang: Fig. 3 and ¶[0085]-¶[0086]; Telang teaches a display.)
an input device (145), arranged to operably receive operation commands issued by a user;  (Telang: Fig. 3 and ¶[0085]-¶[0086]; Telang teaches an input interface.)
a non-volatile storage circuit (147), arranged to operably store a database (152) for storing multiple suspicious activities records related to the multiple computing devices (111~115), multiple time stamps corresponding to the multiple suspicious activities records, and multiple attribute tags corresponding to the multiple suspicious activities records generated by the multiple device activities reporting programs (120);  (Telang: Fig. 1 and ¶[0075] and ¶[0102]-¶[0103]; Telang teaches capturing activity data from a network of devices and storing it.  The data includes date and/or time values.  ¶[0128]; Telang teaches generating the IP address, hostname, a user ID, a division ID, a department ID, etc...  The foregoing data is then displayed in the interface panes of Fig. 23.)
a control circuit (149), coupled with the display device (141), the input device (145), and the non-volatile storage circuit (147);  (Telang: Figs. 3-4 and 23-24 and ¶[0093]-¶[0094], ¶[0426], and ¶[0433]; Telang teaches integrating the input and display device into a system which then displays multiple panes for filtering data.)
wherein the control circuit (149) is arranged to operably conduct a data frame generating operation for generating multiple associated data frames (510, 520, 530, 1020) related to the target network system (102) according to data stored in the database (152), and BIRCH, STEWART, KOLASCH & BIRCH, LLPGH/GH/ghApplication No.: 16/548,158Docket No.: 6024-0307PUS4Reply dated November 30, 2021Page 4 of 18Reply to Office Action of September 01, 2021arranged to operably control the display device (141) to display contents of the multiple associated data (Telang: Fig. 23 and ¶[0426]; Telang teaches displaying multiple panes for filtering data.)
wherein the multiple associated data frames (510, 520, 530, 1020) comprise a navigator frame (510), a first global data frame (520), and a local data frame (530), and the data frame generating operation comprises: identifying multiple suspicious events related to the target network system (102) based on the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags;  (Telang: Fig. 23 and ¶[0426]; Telang teaches displaying a date frame, IP address/user frame, and the results summary pane that display records of risk activity.  The user is able to select the appropriate time window and filter the data based on peer group and country, which are interpreted as attribute tags (further defined in ¶[0128]).)
 identifying multiple time records respectively corresponding to the multiple suspicious events based on the multiple suspicious activities records, the multiple time stamps, and the multiple attribute tags;  (Telang: Fig. 23 and ¶[0426]; Telang teaches displaying a date frame, IP address/user frame, and the results summary pane that display records of risk activity.  The user is able to select the appropriate time window and filter the data based on peer group and country, which are interpreted as attribute tags (further defined in ¶[0128]).)
... ;
generating multiple global property data related to a portion of or all devices in the target network system (102) according to data stored in the database (152), wherein the multiple global property data comprise a first global property data and a second global property data;  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select a time window which is a date range.  The date range is interpreted as multiple filtering conditions.  Based on the time window, it provides the matching item indicators listed in 2300.  Telang teaches frame 2300 which displays the search results pane of IP addresses/users based on the time window that the user has selected.)
selecting one of the multiple global property data as a first target global property data;  (Telang: Fig. 23 and ¶[0426]; Telang teaches the user selecting item 2302.)
establishing a first global data frame (520) comprising the first target global property data;  (Telang: Fig. 23 and ¶[0426]; Telang teaches the user selecting item 2302 and highlighting the item.)
 in the first target global property data, respectively utilizing multiple main visual objects (521, 523, 525) to represent a portion of or all devices involved in the identified suspicious events in the target network system (102), wherein the multiple main visual objects (521, 523, 525) comprise a first main visual object (521) corresponding to theBIRCH, STEWART, KOLASCH & BIRCH, LLPGH/GH/ghApplication No.: 16/548,158Docket No.: 6024-0307PUS4Reply dated November 30, 2021Page 5 of 18Reply to Office Action of September 01, 2021 first computing device (111) and a second main visual object (523) corresponding to a second computing device (112);  (Telang: Fig. 23 and ¶[0426]; Telang teaches frame 2300 which displays the search results pane of IP addresses/users based on the time window that the user has selected.  Each IP address is interpreted as computing device.)
when the first target global property data being currently displayed in the first global data frame (520) is a first global property data corresponding to a first filtering condition, if a candidate object being currently selected in the navigator frame (510) is changed from a first candidate object (511) corresponding to the first filtering condition to a second candidate object (513) corresponding to a second filtering condition, replacing the first target global property data being currently displayed in the first global data frame (520) with a second global property data corresponding to the second filtering condition; and  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select a time window which is a date range.  Accordingly, the user can change the time window to change what is displayed in the IP addresses window 2300.)
when the second global property data is displayed in the first global data frame (520) and a target data group being currently displayed in the local data frame (530) is a first data group corresponding to a first computing device (111), if a main visual object being currently selected in the first global data frame (520) is changed from the first main visual object (521) to the second main visual object (523), replacing the first data group being currently displayed in the local data frame (530) with a second data group corresponding to the second computing device (112), but not changing contents being displayed in the navigator frame (510).  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select the desired IP address to further view the results in window 1812.  Accordingly, the foregoing teaches the user being able to further select another IP address to view the results for that IP address.)

Telang does not explicitly teach:
multiple device activities reporting programs (120), respectively installed in multiple computing devices (111~115) of a target network system (102), wherein each of the multiple...  
storing the activities records in a database;

However, Tsironis teaches:
multiple device activities reporting programs (120), respectively installed in multiple computing devices (111~115) of a target network system (102), wherein each of the multiple activities reporting programs (120) is arranged to operably detect ...  (Tsironis: Fig. 1 and ¶[0059]-¶[0060]; Tsironis teaches a monitoring component on each client device 102
storing the activities records in a database;  (Tsironis: ¶[0103]; Tsironis teaches event data being stored in a database.)

Telang and Tsironis are in the same field of endeavor as the present invention, as the references are directed to interfaces for security threat analysis.  It would have been obvious, before the effective filing date of the claimed invention, to a person of ordinary skill in the art, to combine a drilldown interface where the user can filter stored activity data for cyber security threat analysis as taught in Telang with reporting programs installed on the monitored clients and the activities data being stored in a database as taught in Tsironis.  Telang already teach storing activities data.  However, Telang does not explicitly teach reporting programs installed on the monitored client and storing the activities data in a database.  Accordingly, Tsironis provides this additional functionality.  As such, it would have been obvious to one of ordinary skill in the art to modify the teachings of Telang to include teachings of Tsironis because the combination would allow quick retrieval of the data.




Regarding claim 16, Telang in view of Tsironis further teaches the cyber breach diagnostics system (100) of claim 15 (as cited above).

Telang further teaches:
wherein the data frame generating operation further comprises:BIRCH, STEWART, KOLASCH & BIRCH, LLPGH/GH/ghApplication No.: 16/548,158Docket No.: 6024-0307PUS4Reply dated November 30, 2021Page 6 of 18Reply to Office Action of September 01, 2021 generating multiple candidate objects (511, 513, 515) respectively corresponding to multiple filtering conditions, wherein the multiple candidate objects (511, 513, 515) comprise the first candidate object (511) and the second candidate object (513);  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select a time window which is a date range.  The date range is interpreted as multiple filtering conditions.  Based on the time window, it provides the matching item indicators listed in 2300.)
establishing the navigator frame (510) comprising the multiple candidate objects (511, 513, 515);  (Telang: Fig. 23 and ¶[0426]; Telang teaches frame 2300 which displays the search results pane of IP addresses/users based on the time window that the user has selected.)
generating multiple data groups respectively corresponding to the multiple computing devices (111~115) according to data stored in the database (152), wherein the multiple data groups comprise the first data group and the second data group;  (Telang: Fig. 23 and ¶[0426]; Telang teaches frame 2300 which displays the search results pane of IP addresses/users based on the time window that the user has selected.)
selecting one of the multiple data groups as the target data group;  (Telang: Fig. 23 and ¶[0426]; Telang teaches the user selecting item 2302 and highlighting the item.)
establishing the local data frame (530) comprising the target data group;  (Telang: Fig. 23 and ¶[0426]; Telang teaches frame 1812 which contains the summary pane for the selected IP address.)
utilizing the display device (141) to display contents of the navigator frame (510), the first global data frame (520), and the local data frame (530) at the same time; and  (Telang: Fig. 23 and ¶[0426]; Telang teaches frame 1812 which contains the summary pane for the selected IP address.)
controlling an associated relationship among the navigator frame (510), the first global data frame (520), and the local data frame (530), to render contents of the first global data frame (520) to change when the navigator frame (510) is manipulated by the user, and contents of the local data frame (530) to change when the first global data frame (520) is manipulated by the user, but contents of the navigator frame (510) not to change when the first global data frame (520) is manipulated by the user.  (Telang: Fig. 23 and ¶[0426]; Telang teaches a drilldown filtering system where the user first selects the time window, then selects the IP address, and is then able to view results.  Changing the IP address does not change the time window.)




Regarding claim 17, Telang in view of Tsironis further teaches the cyber breach diagnostics system (100) of claim 16 (as cited above).

Telang further teaches:
wherein the data frame generating operation further comprises: replacing the target data group being currently displayed in the local data frame (530) with a predetermined data group corresponding to the second filtering condition.  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select the desired time window and IP address to further view the results in window 1812.  Accordingly, the foregoing teaches the user being able to further select another IP address or another time window to view the results for that IP address and time.)




Regarding claim 18, Telang in view of Tsironis further teaches the cyber breach diagnostics system (100) of claim 16 (as cited above).

Telang further teaches:
wherein the multiple global property data further comprise a third global property data corresponding to the first filtering condition and a fourth global property data corresponding to the second filtering condition, and the data frame generating operation further comprises: selecting the third global property data as a second target global property data; establishing a second global data frame (1020) comprising the second target global property data; displaying the second global data frame (1020) at the same time when displaying the first global data frame (520); and in the second target global property data, respectively utilizing multiple main visual objects (521, 523, 525) to represent a portion of or all devices in the target network system (102).  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select the desired time window.  The foregoing teaches third and fourth global property data that correspond to the first and second filtering conditions, respectively.  Moreover, upon selection of a time window, frame 2300 will display all the associated IP addresses, which are interpreted as the main visual objects.  In addition, frame 1812 can be interpreted as two frames with the top and bottom parts.  In this case, the top part displays the selected IP address.  In other words, this frame utilizes the visual objects from frame 2300.)




Regarding claim 19, Telang in view of Tsironis further teaches the cyber breach diagnostics system (100) of claim 18 (as cited above).

Telang further teaches:
wherein the data frame generating operation further comprises: in a situation of that a candidate object being currently selected in the navigator frame (510) is the first candidate object (511), the first target global property data being currently displayed in the first global data frame (520) is the first global property data, and the second target global property data being currently displayed in the second global data frame (1020) is the third global property data, if the user then selects the second candidate object (513) in the navigator frame (510) through the input device (145), replacing the first target global property data being currently displayed in the first global data frame (520) with the second global property data corresponding to the second filtering condition and BIRCH, STEWART, KOLASCH & BIRCH, LLPGH/GH/ghApplication No.: 16/548.158Docket No.: 6024-0307PUS4 Reply dated November 30, 2021Page 8 of 18 Reply to Office Action of September 01, 2021 also replacing the second target global property data being currently displayed in the second global data frame (1020) with the fourth global property data corresponding to the second filtering condition.  (Telang: Fig. 23 and ¶[0426]; Telang teaches allowing the user to select the desired time window.  The foregoing teaches third and fourth global property data that correspond to the first and second filtering conditions, respectively.  Moreover, upon selection of a time window, frame 2300 will display all the associated IP addresses, which are interpreted as the main visual objects.  In addition, frame 1812 can be interpreted as two frames with the top and bottom parts.  In this case, the top part displays the selected IP address.  In other words, this frame utilizes the visual objects from frame 2300.)




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record and not relied upon is considered pertinent to Applicants’ disclosure.  Applicants are required under 37 C.F.R. § 1.111(c) to consider these references fully when responding to this action.
It is noted that any citation to specific pages, columns, lines, or figures in the prior art references and any interpretation of the references should not be considered to be limiting in any way.  A reference is relevant for all it contains and may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art. In re Heck, 699 F.2d 1331, 1332-33, 216 U.S.P.Q. 1038, 1039 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 U.S.P.Q. 275, 277 (C.C.P.A. 1968)).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX OLSHANNIKOV whose telephone number is (571)270-0667.  The examiner can normally be reached on M-F 9:30-6.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Adam Queler can be reached on 571-272-4140.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.


/ALEKSEY OLSHANNIKOV/Primary Examiner, Art Unit 2145