Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
1.        Claims 1 - 9, 11 - 17 are pending.  Claims 1 - 7, 9 have been amended.  Claims 11 - 17 are new.  Claim 10 has been canceled.  Claims 1, 8, 9 are independent.   File date is 4-26-2019.  

Claim Rejections - 35 USC § 102  
2.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

3.        Claims 1, 2, 4, 8, 9 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Matsumoto (US PGPUB No. 20170054742).     	
 
Regarding Claims 1, 8, 9, Matsumoto discloses an incident effect range estimation device and an incident effect range estimation method in an incident effect range estimation device and a non-transitory computer readable storage medium storing therein an incident effect range estimation program for causing a computer to perform incident effect range estimation processing, the device, the method, and the computer readable storage medium comprising:
a)  a processor; and b) a memory having stored therein computer instructions, wherein the processor executes the instructions (Matsumoto ¶ 260, ll 1-4: programs are stored in to:
c)  acquire log information of an occurrence source device related to occurrence of an incident; (Matsumoto ¶ 092, ll 1-9: based on attack communication log information received by receiving unit, an attacked terminal log information identification unit retrieves terminal log information on the data processing information related to the attack data communication, from among the terminal log information (process log information, access log information) in client terminal log recording apparatus and server terminal log recording apparatus)    
d)  acquire, based on the log information of the occurrence source device, log information of a communication destination device being a communication destination of the occurrence source device; (Matsumoto ¶ 113, ll 1-9: when a file transferred is executed at a transfer destination as indicated in a log record in the terminal log information (process log information) or when a file transferred is accessed as a terminal file at a transfer destination as indicated in a log record in the infection activity terminal log information (access log information); infection activity identification unit determines that the transfer destination has been infected; (occurrence at destination device)) and
e)  estimate an extent of influence of the incident, based on the log information of the communication destination device. (Matsumoto ¶ 089, ll 1-3: transmitting unit 

Regarding Claim 2, Matsumoto discloses the incident effect range estimation device according to claim 1, wherein,
a)  based on the log information acquired, in the acquiring log information of a communication destination device, recursively repeating acquisition of log information of a next communication destination device being a next communication destination, (Matsumoto ¶ 207, ll 1-11: if attacked terminal log information identification unit receives infection activity terminal log information and infection activity terminal log information, or infection activity communication log information from infection activity identification unit, attacked terminal log information identification unit repeats processes after step with respect to terminal log information on terminal of an infection activity destination) and
b)  in the estimating, estimating an extent of influence of the incident, based on the log information of the next communication destination device, which is repeatedly acquired. (Matsumoto ¶ 208, ll 1-5: retrieval of terminal log information by attacked terminal log information identification unit and identification of terminal that may be infected with malware by infection activity identification unit are repeated)    

Regarding Claim 4, Matsumoto discloses the incident effect range estimation device according to claim 2, wherein in the acquiring log information of a communication destination device, repeating acquisition of log information of the next communication destination device, based on weighting related to communication. (Matsumoto ¶ 233, ll 1-4: attack steps are weighted and a user who has been involved in an attack with a certain threshold value or more is regarded as an attack user)    

Claim Rejections - 35 USC § 103  
4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claim 3 are rejected under 35 U.S.C. 103 as being unpatentable over Matsumoto in view of Ashley (US Patent No. 9,444,829).

Regarding Claim 3, Matsumoto discloses the incident effect range estimation device according to claim 2. 
Matsumoto does not explicitly disclose repeating acquisition of log information of next communication destination device a predetermined number of times.
However, Ashley discloses wherein in the acquiring log information of a communication destination device, repeating acquisition of log information of the next communication destination device a predetermined number of times. (Ashley col 12, ll 5-12: performance module may infer the existence a second, earlier, inferred infection from originating source computing device; performance module may tentatively infer that infecting computing device is 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Matsumoto for repeating acquisition of log information of next communication destination device a predetermined number of times as taught by Ashley.  One of ordinary skill in the art would have been motivated to employ the teachings of Ashley for the benefits achieved from a system that enables 
recording and collecting information about security events at endpoint computing devices and providing the recorded data in the form of log data. (Ashley col 1, ll 11-15)

6.        Claims 5, 6, 11 - 17 are rejected under 35 U.S.C. 103 as being unpaentable over Matsumoto in view of Tuvell et al. (US PGPUB No. 20080086773).  

Regarding Claims 5, 11, 12, 13, Matsumoto discloses the incident effect range estimation device according to claim 1 and the incident effect range estimation device according to claim 2 and the incident effect range estimation device according to claim 3 and the incident effect range estimation device according to claim 4, wherein in the acquiring log information of an occurrence source device and in the acquiring log information of a communication destination device. (Matsumoto ¶ 092, ll 1-9: based on attack communication log information received by receiving unit, an attacked terminal log information identification unit retrieves terminal log information on the data processing information related to the attack data communication, from 

Matsumoto does not explicitly disclose acquiring log information according to a type of the incident.  
However, Tuvell discloses wherein acquiring log information according to a type of the incident. (Tuvell ¶ 027, ll 1-6: analysis component receives information from receiver component regarding the presence, effects and types of malware impacting a mobile network; analysis component able to synthesize malware data received from the plurality of sources to better analyze the nature and effect of malware; ¶ 035, ll 24-25: malware reports include malware data, such as information regarding infected files, type, or name of infection)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Matsumoto for acquiring log information according to a type of the incident as taught by Tuvell. One of ordinary skill in the art would have been motivated to employ the teachings of Tuvell for the benefits achieved from a system which can quickly and effectively implement methods to combat new malware before the malware has had a chance to widely proliferate. (Tuvell ¶ 005, ll 13-18)  
 
Regarding Claims 6, 14 - 17, Matsumoto discloses the incident effect range estimation device according to claim 1 and the incident effect range estimation device according to claim 2 and the incident effect range estimation device according to claim 3 and the incident effect range estimation device according to claim 4 and the incident effect range estimation device according to claim 5. 

However, Tuvell discloses wherein in the estimating, generating a graph in which the occurrence source device and the communication destination device are nodes. (Tuvell ¶ 063, ll 1-15: analysis component uses both stored and real-time information, including network traffic and individual user information, to generate statistics and dynamic graphs depicting malware activity and network statistics necessary to quantify relative levels of malware activity; analysis component generates malware analyses, which can be presented by a user interface as straightforward visual reports to alert managers and operators as to which platforms (source and destination devices) are infected with the most viruses, which viruses are spreading the fastest, the most recently infected mobile devices, and which infected mobile devices are spreading the most viruses)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Matsumoto for generating a graph in which an occurrence source device and a communication destination device are nodes as taught by Tuvell. One of ordinary skill in the art would have been motivated to employ the teachings of Tuvell for the benefits achieved from a system which can quickly and effectively implement methods to combat new malware before the malware has had a chance to widely proliferate. (Tuvell ¶ 005, ll 13-18)    

7.        Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Matsumoto in view of Tuvell and further in view of Chauhan et al. (US Patent No. 9,363,149).  

Regarding Claim 7, Matsumoto-Tuvell discloses the incident effect range estimation device according to claim 6. 
Tuvell discloses information based on a generated graph as stated in claim 6 above.
Matsumoto-Tuvell does not explicitly disclose determining a priority level of node. 
However, Chauhan discloses wherein in the estimating, determining a priority level of the node. (Chauhan col 41, ll 21-27: user uses priority level selector to assign a particular priority level (e.g., critical, high, medium, low, info) to investigation associated with the displayed investigation timeline; priority level associated with each investigation to assist a network security manager in prioritizing investigations for completion)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Matsumoto-Tuvell for determining a priority level of node as taught by Chauhan.  One of ordinary skill in the art would have been motivated to employ the teachings of Chauhan for the benefits achieved from a system that enables enabling network security analysts to efficiently identify, investigate, and report on incidents related to security of a computer network. (Chauhan col 1, ll 7-10)    

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F: 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/KYUNG H SHIN/                                                                                                    3-24-2022Primary Examiner, Art Unit 2452