DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
In light of the arguments discussed in the interview conducted on 3/28/2022, see the attached interview summary, the rejection of the Office action mailed on 1/3/2022 is withdrawn. However, a new rejection is issued herein.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 7, 8, 14, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Crosbie et al., U.S. Publication No. 2002/0083343 A1 (hereafter referred to as “Crosbie”), in view of NOMURA (hereafter referred to as “Nomura”).

As to claim 1, Crosbie discloses a method (¶ [0003], “a process of monitoring events occurring in a computer system or network and analyzing the events for signs of security violations”) comprising:
determining activity patterns of one or more hosts of a networked system as having security interest (¶¶ [0007] and [0068]);
displaying the activity patterns of the one or more hosts of the networked system in one or more views of a user interface on one or more output device(s) (¶ [0072]; ¶ [0086], “sends notification of any suspected intrusions to the... GUI”; ¶ [0095], “can take whatever actions the system administrator requires”; ¶ [0102]);
enabling one or more elements in the user interface as selectable (¶ [0095], where inherently one or more elements in the “management GUI” are selectable if the system administrator “can take whatever actions the system administrator requires”; ¶ [0102], wherein inherently one or more elements in the GUI are selectable if “the GUI allows the administrator to configure, control and monitor the host-based IDS system”); and
sending a command based on one or more selected elements of the user interface to respective security components running on the one or more hosts (¶ [0095], wherein a response script is run based on the intrusive activity and the script “can take whatever actions the system administrator requires”; ¶ [0102], “the GUI allows the administrator to configure, control and monitor the host-based IDS system”; ¶ [0129], wherein the administrator can examine errors in the “administrative GUI” and take actions such as restarting processes).
Crosbie is silent on a view comprising a subgraph of nodes representing activity patterns of a host of the one or more hosts displayed along at least a spatial dimension and a time dimension oriented orthogonal to each other.
However, Nomura discloses a view comprising a subgraph of nodes representing activity patterns of a host of the one or more hosts displayed along at least a spatial dimension and a time dimension oriented orthogonal to each other (Abstract; Figure 8; ¶¶ [0032], [0033], [0088], and [0122]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Crosbie in the aforementioned manner as taught by Nomura in order to logically and/or visually identify the space in which events occur and the time at which events occur, which may be important to formulating a response to said events.

As to claim 7, Crosbie discloses displaying one or more notification(s) in the user interface based on activity patterns of hosts of the one or more hosts having security interest (¶¶ [0069], [0083], and [0089]).

As to claim 8, Crosbie discloses a system (¶ [0003], wherein the “present invention relates generally to intrusion detection, and more particularly, to a host-based Intrusion Detection System”) comprising:
one or more processors (¶ [0065], “the present invention a computer system includes a processor and a memory coupled to the processor”); and
memory communicatively coupled to the one or more processors, the memory storing computer-executable modules executable by the one or more processors that, when executed by the one or more processors, perform associated operations, the computer-executable modules (¶ [0065]) comprising:
a detection module configured to determine activity patterns of one or more hosts of a networked system as having security interest (¶¶ [0007] and [0068]);
a visualization module configured to display the activity patterns of the one or more hosts of the networked system in one or more views of a user interface on one or more output device(s) (¶ [0072]; ¶ [0086], “sends notification of any suspected intrusions to the... GUI”; ¶ [0095], “can take whatever actions the system administrator requires”; ¶ [0102]);
an interaction module configured to enable one or more elements in the user interface as selectable (¶ [0095], where inherently one or more elements in the “management GUI” are selectable if the system administrator “can take whatever actions the system administrator requires”; ¶ [0102], wherein inherently one or more elements in the GUI are selectable if “the GUI allows the administrator to configure, control and monitor the host-based IDS system”); and
an enablement module configured to send a command based on one or more selected elements of the user interface to respective security components running on the one or more hosts (¶ [0095], wherein a response script is run based on the intrusive activity and the script “can take whatever actions the system administrator requires”; ¶ [0102], “the GUI allows the administrator to configure, control and monitor the host-based IDS system”; ¶ [0129], wherein the administrator can examine errors in the “administrative GUI” and take actions such as restarting processes).
Crosbie is silent on a view comprising a subgraph of nodes representing activity patterns of a host of the one or more hosts displayed along at least a spatial dimension and a time dimension oriented orthogonal to each other.
However, Nomura discloses a view comprising a subgraph of nodes representing activity patterns of a host of the one or more hosts displayed along at least a spatial dimension and a time dimension oriented orthogonal to each other (Abstract; Figure 8; ¶¶ [0032], [0033], [0088], and [0122]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Crosbie in the aforementioned manner as taught by Nomura in order to logically and/or visually identify the space in which events occur 

As to claim 14, Crosbie discloses wherein the visualization module is further configured to display one or more notification(s) in the user interface based on activity patterns of hosts of the one or more hosts having security interest (¶¶ [0069], [0083], and [0089]).

As to claim 15, Crosbie discloses a computer-readable storage medium storing computer-readable instructions executable by one or more processors, that when executed by the one or more processors, cause the one or more processors to perform operations (¶ [0065]) comprising:
determining activity patterns of one or more hosts of a networked system as having security interest (¶¶ [0007] and [0068]);
displaying the activity patterns of the one or more hosts of the networked system in one or more views of a user interface on one or more output device(s) (¶ [0072]; ¶ [0086], “sends notification of any suspected intrusions to the... GUI”; ¶ [0095], “can take whatever actions the system administrator requires”; ¶ [0102]);
enabling one or more elements in the user interface as selectable (¶ [0095], where inherently one or more elements in the “management GUI” are selectable if the system administrator “can take whatever actions the system administrator requires”; ¶ [0102], wherein inherently one or more elements in the GUI are selectable if “the GUI allows the administrator to configure, control and monitor the host-based IDS system”); and
sending a command based on one or more selected elements of the user interface to respective security components running on the one or more hosts (¶ [0095], wherein a response script is run based on the intrusive activity and the script “can take whatever actions the system administrator requires”; ¶ [0102], “the GUI allows the administrator to configure, control and monitor the host-based IDS system”; ¶ [0129], wherein the administrator can examine errors in the “administrative GUI” and take actions such as restarting processes).
Crosbie is silent on a view comprising a subgraph of nodes representing activity patterns of a host of the one or more hosts displayed along at least a spatial dimension and a time dimension oriented orthogonal to each other.
However, Nomura discloses a view comprising a subgraph of nodes representing activity patterns of a host of the one or more hosts displayed along at least a spatial dimension and a time dimension oriented orthogonal to each other (Abstract; Figure 8; ¶¶ [0032], [0033], [0088], and [0122]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Crosbie in the aforementioned manner as taught by Nomura in order to logically and/or visually identify the space in which events occur and the time at which events occur, which may be important to formulating a response to said events.

As to claim 20, Crosbie discloses displaying one or more notification(s) in the user interface based on activity patterns of hosts of the one or more hosts having security interest (¶¶ [0069], [0083], and [0089]).

Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Crosbie and Nomura as applied above, and further in view of Wadikar et al., U.S. Publication No. 2020/0159380 A1 (hereafter referred to as “Wadikar”).

As to claim 4, Crosbie and Nomura are silent on wherein a subgraph is selectable to cause the subgraph to be emphasized, de-emphasized, and/or hidden.
	However, Wadikar discloses wherein a subgraph is selectable to cause the subgraph to be emphasized, de-emphasized, and/or hidden (¶ [0036], A user may interact with the card by clicking on it to get detailed information about the event and the results associated with it.).
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Crosbie and Nomura in the aforementioned manner as taught by Wadikar in order to “get detailed information about the event and the results associated with it” (Wadikar: ¶ [0036], A user may interact with the card by clicking on it to get detailed information about the event and the results associated with it.)

As to claim 11, the claim is rejected for the same reasons as claim 4 above.

Claims 5, 6, 12, 13, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Crosbie and Nomura as applied above, and further in view of ZÖMBIK et al., U.S. Publication No. 2015/0334132 A1 (hereafter referred to as “Zömbik”).

As to claim 5, Crosbie and Nomura disclose the method of claim 1, but are silent on wherein a selected element of the user interface displays a plurality of commands each selectable to cause sending of a command to a security component running on a host of the one or more hosts.
	However, Zömbik discloses wherein a selected element of the user interface displays a plurality of commands each selectable to cause sending of a command to a security component running on a host of the one or more hosts (¶ [0067], wherein commands are sent to display selectable actions selected by a security administrator to a client for display in the client’s interface).
	It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Crosbie and Nomura in the aforementioned manner as taught by Zömbik in order to allow a security administrator to select appropriate commands to send a client for the client’s selection.

As to claims 12 and 18, the claims are rejected for the same reasons as claim 5 above.

As to claims 6, 13, and 19, the claims are rejected for the same reasons as claim 5 above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Whipple whose telephone number is 571-270-1244. The examiner can normally be reached Mon-Fri: 9:00 AM to 5:00 PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Brian Whipple/

Art Unit 2454
3/29/2022