Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending.
Information Disclosure Statement PTO-1449
The Information Disclosure Statements submitted by applicant on 09-16-2021 and 06-10-2021 have been considered. Please see attached PTO-1449.
EXAMINER’S AMENDMENT
	The application has been amended as follows: 
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with applicant’s attorney Robert Rapp (Reg. No. 73210), on 02-25-2022.

Claims are amended as follows:
1. (Currently amended) A system for tracking and preventing malware from spreading, the system comprising:
	a malware test data evaluation computer that receives malware test data from computing devices associated with a plurality of test layers, wherein the test data received by the malware test data evaluation computer includes a first and a second set of malware test data;

	a second set of computing devices of a second layer of the plurality of test layers that perform a second set of malware tests and that send the second set of malware test data to the evaluation computer, the second set of malware test data identifying a second set of malware types detected by the second set of computing devices, wherein the evaluation computer:
		evaluates the received test data to identify the first set of malware types detected by the first set of computing devices and the second set of malware types detected by the second set of computing devices,
		generates a visualization that illustrates:
			a first set of malware test vectors that identify the first set of malware types,
			the first set of malware test vectors stopping at the first test layer based on the first set of computing devices detecting and stopping the first set of malware types,
			a second set of malware test vectors that identify the second set of malware types, and
			the second set of malware test vectors stopping at the second test layer based on the second set of computing devices detecting and stopping the second set of malware types,
		displays the visualization on a display, and
over time. 

2. (Currently amended) The system of claim 1, further comprising a third set of computing devices of a third layer of the plurality of test layers that perform a third set of malware testsa third set of malware test data to the evaluation computer, the third set of malware test data identifying a third set of malware types detected by the third set of computing devices, wherein the generated visualization also illustrates: 
	a third set of malware test vectors that identify the third set of malware types, and
	the third set of malware test vectors stopping at the third test layer based on the third set of computing devices detecting and stopping the third set of malware types.

	3. (currently amended) The system of claim 2, wherein the evaluation computer:
receives an input that identifies that the first set of malware tests should be disabled at the first set of computing devices,
sends a command that prevents the first set of computing devices from performing the first set of malware tests, 
receives additional test data from the second and the third set of computing devices, and  
updates the visualization to identify: 
malware computing devices 
computing devices that are stopped at the third test layer.

	4. (currently amended) The system of claim 1, wherein the visualization [[that]] includes a geographical map and locations at the geographical map where the first set of malware types and the second set of malware types were detected.

	5. (currently amended) The system of claim [[2]] 1, further comprising a memory at the second set of computing devices that stores deep packet inspection (DPI) signatures, wherein:
at least one computing device  of the first set of computing devices 
the DPI signature data characteristic of the new malware variant is sent to the second set of computing devices such that the second set of computing devices can identify the new malware variant by matching DPI signatures generated on received data with the DPI signature data characteristic of the new malware variant.

6. (Currently amended) A method for tracking and preventing malware from spreading, the method comprising:
	receiving a first set of malware test data from a first set of computing devices associated with a first test layer of a plurality of test layers;
	receiving a second set of malware test data from a second set of computing devices associated with a second test layer of the plurality of test layers;
	generating a visualization that illustrates:
		execution of program code at the first set of computing devices,
		the first set of malware test vectors stopping at the first test layer based on the program code executed at the first set of computing devices detecting and stopping the first set of malware types,
		a second set of malware test vectors that identify a second set of malware types that were detected by execution of program code at the second set of computing devices, and
		the second set of malware test vectors stopping at the second test layer based on the program code executed at the second set of computing devices detecting and stopping the second set of malware types;
	displaying the visualization on a display; and
	updating information displayed on the display over time.

	7. (currently amended) The method of claim 6, further comprising receiving a third set of malware test data from a third set of computing devices, wherein the visualization also illustrates: 
a third set of malware test vectors that identify [[the]] a third set of malware types associated with a third test layer of the plurality of test layers, and 
the third set of malware test vectors stopping at the third test layer based on the third set of computing devices detecting and stopping the third set of malware types.


receiving an input that identifies that the first set of malware tests should be disabled at the first set of computing devices;
sending a command that prevents the first set of computing devices from performing the first set of malware tests; 
receiving additional test data from the second set and the third set of computing devices, and 
updating the visualization to identify: 
malware computing devices that are stopped at the second test layer, and
malware detected at the third set of computing devices that are stopped at the third test layer.

	9. (currently amended) The method of claim 6, wherein the visualization [[that]] includes a geographical map and locations at the geographical map where the first set of malware types and the second set of malware types were detected.

	10. (currently amended) The method of claim [[7]] 6, further comprising storing deep packet inspection (DPI) signatures in a memory at the second set of computing devices wherein:
at least one computing device of the first set of computing devices identifies DPI signature data characteristic of a new malware variant, and
the DPI signature data characteristic of the new malware variant is sent to the second set of computing devices such that the second set of computing devices can identify the new malware variant by data characteristic of the new malware variant.

	11. (currently amended) The method of claim 9, further comprising:
identifying areas associated with the spreading of a detected malware type associated with the first set or the second set of malware types, wherein the [[new]] visualization includes one or more geometric shapes associated with the detected malware type and sizes of the one or more geometric shapes correspond to [[the]] a first location of the geographic map currently affected by the detected malware type;
identifying that the detected malware type has spread to a second geographical location; and
updating the visualization to include a vector that illustrates that the detected malware type has spread from the first location to the second geographical location.

	12. (currently amended) The method of claim 6,  wherein the visualization [[that]] includes a map and locations where , and further comprising:
receiving additional test data at a second point in time that is after the first point in time; and
updating the visualization to include updated location information on the map, the updated location information providing an indication of a movement of at least one malware type of [[the]] a plurality of malware types from a first location on the map to a second location on the map.

 visualization includes the identifying colors for each of the respective members of the first and the second set of malware test vectors.

	14. (currently amended) A non-transitory computer-readable storage medium having embodied thereon a program executable by a computer processor to implement a method for tracking and preventingfrom spreading, the method comprising:
receiving a first set of malware test data from a first set of computing devices associated with a first test layer of a plurality of test layers;
receiving a second set of malware test data from a second set of computing devices associated with a second test layer of the plurality of test layers;
generating a visualization that illustrates:
a first set of malware test vectors that identify a first set of malware types that were detected by [[the]] execution of program code at the first set of computing devices, 
the first set of malware test vectors stopping at the first test layer based on the program code executed at the first set of computing devices detecting and stopping the first set of malware types,
a second set of malware test vectors that identify a second set of malware types that were detected by [[the]] execution of program code at the second set of computing devices, and
the second set of malware test vectors stopping at the second test layer based on the program code executed at the second set of computing devices detecting and stopping the second set of malware types;
displaying the visualization on a display; and 
over time. 

	15. (currently amended) The non-transitory computer-readable storage medium of claim 14, the program further executable to receive a third set of malware test data from a third set of computing devices, wherein the visualization also illustrates: 
a third set of malware test vectors that identify [[the]] a third set of malware types associated with a third test layer of the plurality of test layers, and 
the third set of malware test vectors stopping at the third test layer based on the third set of computing devices detecting and stopping the third set of malware types.

	16. (currently amended) The non-transitory computer-readable storage medium of claim [[16]] 15, the program further executable to:
receive an input that identifies that the first set of malware tests should be disabled at the first set of computing devices;
send a command that prevents the first set of computing devices from performing the first set of malware tests;
receive additional test data from the second set and the third set of computing devices, and 
update the visualization to identify: 
malware computing devices that are stopped at the second test layer, and
malware computing devices that are stopped at the third test layer.

wherein the visualization [[that]] includes a geographical map and locations at the geographical map where the first set of malware types and the second set of malware types were detected. 

	18. (currently amended) The non-transitory computer-readable storage medium of claim [[7]] 14, wherein: 
at least one computing device of the first set of computing devices identifies DPI signature data characteristic of a new malware variant, and
the DPI signature data characteristic of the new malware variant is sent to the second set of computing devices such that the second set of computing devices can identify the new malware variant by matching DPI signatures generated on received data with the DPI signature data characteristic of the new malware variant.

	19. (currently amended) The non-transitory computer-readable storage medium of claim [[9]] 17, the program further executable to:
identify areas associated with the spreading of a detected malware type associated with the first set or the second set of malware types, wherein the [[new]] visualization includes one or more geometric shapes associated with the detected malware type and sizes of the one or more geometric shapes correspond to [[the]] a first location of the geographic map currently affected by the detected malware type;
identify that the detected malware type has spread to a second geographical location; and
update the visualization to include a vector that illustrates that the detected malware type has spread from the first location to the second geographical location.

[[6]] 14, wherein the visualization [[that]] includes a map and locations where respective types of malware were identified as being detected at a first point in time, the program further executable to:
receive additional test data at a second point in time that is after the first point in time; and
update the visualization to include updated location information on the map, the updated location information providing an indication of a movement of at least one malware type of [[the]] a plurality of malware types from a first location on the map to a second location on the map.


Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
The prior art Albetson et al. (US Patent No. 9,009,827) of record discloses, Systems and techniques for sharing security data are described herein. Security rules and/or attack data may be automatically shared, investigated, enabled, and/or used by entities. A security rule may be enabled on different entities comprising different computing systems to combat similar security threats and/or attacks. Security rules and/or attack data may be modified to redact sensitive information and/or configured through access controls for sharing.
	The prior art Mushtaq (US Patent No. 10,701,086) of record discloses, an Active Intelligence method and system for detecting malicious servers using an automated machine learning active intelligence manager. The Active Intelligence method and system automatically and covertly extract forensic data and intelligence related to a selected server in real time to 
	The prior art Newman et al. (US Publication No. 2018/0191771) of record discloses, threat intelligence management is provided in a security and compliance environment. A threat explorer platform or module of a security and compliance service may detect, investigate, manage, and provide actionable insights for threats at an organizational level. Working with a data insights platform that collects different types of signals (metadata, documents, activities, etc.) and correlates in a multi-stage evaluation, the threat intelligence module may provide actionable visual information on potential threats, affected areas, and actionable insights derived from internal threat data and external information using contextual correlation of data within the data insight platform. User experience may be dynamically adjusted at multiple levels based on context and allow users to drill down arbitrarily deep.
However, prior arts taken singly or in combination, fail to anticipate or render the following limitation:
generates a visualization that illustrates: a first set of malware test vectors that identify the first set of malware types, the first set of malware test vectors stopping at the first test layer based on the first set of computing devices detecting and stopping the first set of malware types, a second set of malware test vectors that identify the second set of malware types, and the second set of malware test vectors stopping at the second test layer based on the second set of computing devices detecting and stopping the second set of malware types, displays the visualization on a as claimed in claim 1); generating a visualization that illustrates: a first set of malware test vectors that identify a first set of malware types that were detected by execution of program code at the first set of computing devices, the first set of malware test vectors stopping at the first test layer based on the program code executed at the first set of computing devices detecting and stopping the first set of malware types, a second set of malware test vectors that identify a second set of malware types that were detected by execution of program code at the second set of computing devices, and the second set of malware test vectors stopping at the second test layer based on the program code executed at the second set of computing devices detecting and stopping the second set of malware types; displaying the visualization on a display (as claimed in claim 6); and generating a visualization that illustrates: a first set of malware test vectors that identify a first set of malware types that were detected by execution of program code at the first set of computing devices, the first set of malware test vectors stopping at the first test layer based on the program code executed at the first set of computing devices detecting and stopping the first set of malware types, a second set of malware test vectors that identify a second set of malware types that were detected by execution of program code at the second set of computing devices, and the second set of malware test vectors stopping at the second test layer based on the program code executed at the second set of computing devices detecting and stopping the second set of malware types; displaying the visualization on a display (as claimed in claim 14).
Claims are allowed in light of the above claim limitations when in combination with the remaining claim limitations.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437