DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 3/18/2022 has been placed of record in the file.
Claims 1, 12, and 19 have been amended.
Claims 16 and 20 have been canceled.
Claims 21 and 22 have been added.
Claims 1-15, 17-19, 21, and 22 are now pending.
The applicant’s arguments with respect to claims 1-15, 17-19, 21, and 22 have been considered but are moot in view of the following new grounds of rejection.

Response to Amendment
Claims have been amended to further define the features shown by the network-wide malware mapping.  The amendment presents a change in scope to the independent claims, as the independent claims now explicitly state that the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root, etc.  However, none of the amended claims show a patentable distinction over the prior art, as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 12-14, 19, 21, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia (U.S. Patent Number 10,805,340) in view of Brown et al. (U.S. Patent Application Publication Number 2021/0037027) as listed on the Notice of References Cited dated 12/21/2021, hereinafter referred to as Brown.
Goradia disclosed techniques for generating an interactive display of a propagation of malware associated with a malicious attack.  In an analogous art, Brown disclosed techniques for providing visualizations related to malicious incidents.  Both systems are directed toward the detection and reporting of malware attacks.
Regarding claim 1, Goradia discloses a method comprising: detecting one or more malicious activities at one or more devices connected to a network (column 9, lines 31-37, detects anomalous activity); determining a malware root of the one or more malicious activities (column 12, lines 63-65, point from which detected malware originated); and generating a network-wide malware mapping indicating a hierarchical relationship between the malicious activities spawned by the malware root and the malware root (column 11, lines 10-15, generates geographical displays that illustrate infection vector and propagation of malware across network), wherein the network-wide malware mapping identifies malicious activities spawned by the malware root (column 3, lines 20-29, types of malicious activity conducted).
Goradia does not explicitly state wherein the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root.  However, visualizing malicious activity in such a fashion was well known in the art as evidenced by Brown.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Goradia by adding the ability that the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root as provided by Brown (see paragraph 109, detected activity of Host A and Host B).  One of ordinary skill in the art would have recognized the benefit that visualizing malicious behavior would assist in providing information to analysts for malware detection (see Brown, paragraph 11).
Regarding claim 2, the combination of Goradia and Brown discloses wherein determining the malware root of the one or more malicious activities includes: determining a specific device connected to the network at which a malicious application corresponding to the malware root was initially executed (Goradia, column 12, lines 63-65, device name, MAC address, IP address, etc.).
Regarding claim 3, the combination of Goradia and Brown discloses wherein generating the network-wide malware mapping includes: obtaining information from the plurality of devices connected to the network, wherein the information indicates actions performed at each of the plurality of devices during a time period following introduction of the malware root into the network (Goradia, column 3, lines 20-29, types of malicious activity conducted); and correlating, at least in time, the actions performed at each of the plurality of devices during the time period with the malware root (Goradia, column 15, lines 18-36, metadata associated with propagation of malware stored within correlation engines).
Regarding claim 5, the combination of Goradia and Brown discloses generating, at a display screen, a visual representation of the network-wide malware mapping (Goradia, column 11, lines 10-15, generates geographical displays that illustrate infection vector and propagation of malware across network).
Regarding claim 12, Goradia discloses one or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to: detect one or more malicious activities at one or more devices connected to a network (column 9, lines 31-37, detects anomalous activity); determine a malware root of the one or more malicious activities (column 12, lines 63-65, point from which detected malware originated); and generate a network-wide malware mapping indicating a hierarchical relationship between the malicious activities spawned by the malware root and the malware root (column 11, lines 10-15, generates geographical displays that illustrate infection vector and propagation of malware across network), wherein the network-wide malware mapping identifies malicious activities spawned by the malware root (column 3, lines 20-29, types of malicious activity conducted).
Goradia does not explicitly state wherein the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root.  However, visualizing malicious activity in such a fashion was well known in the art as evidenced by Brown.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Goradia by adding the ability that the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root as provided by Brown (see paragraph 109, detected activity of Host A and Host B).  One of ordinary skill in the art would have recognized the benefit that visualizing malicious behavior would assist in providing information to analysts for malware detection (see Brown, paragraph 11).
Regarding claim 13, the combination of Goradia and Brown discloses wherein the instructions executed to determine the malware root of the one or more malicious activities include instructions that, when executed by a processor, cause the processor to: determine a specific device connected to the network at which a malicious application corresponding to the malware root was initially executed (Goradia, column 12, lines 63-65, device name, MAC address, IP address, etc.).
Regarding claim 14, the combination of Goradia and Brown discloses wherein the instructions executed to generate the network-wide malware mapping include instructions that, when executed by a processor, cause the processor to: obtain information from the plurality of devices connected to the network, wherein the information indicates actions performed at each of the plurality of devices during a time period following introduction of the malware root into the network (Goradia, column 3, lines 20-29, types of malicious activity conducted); and correlate, at least in time, the actions performed at each of the plurality of devices during the time period with the malware root (Goradia, column 15, lines 18-36, metadata associated with propagation of malware stored within correlation engines).
Regarding claim 19, Goradia discloses an apparatus comprising: one or more network interfaces; memory; and one or more processors configured to: detect one or more malicious activities at one or more devices connected to a network (column 9, lines 31-37, detects anomalous activity), determine a malware root of the one or more malicious activities (column 12, lines 63-65, point from which detected malware originated), and generate a network-wide malware mapping indicating a hierarchical relationship between the malicious activities spawned by the malware root and the malware root (column 11, lines 10-15, generates geographical displays that illustrate infection vector and propagation of malware across network), wherein the network-wide malware mapping identifies malicious activities spawned by the malware root (column 3, lines 20-29, types of malicious activity conducted).
Goradia does not explicitly state wherein the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root.  However, visualizing malicious activity in such a fashion was well known in the art as evidenced by Brown.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Goradia by adding the ability that the network-wide malware mapping identifies a plurality of malicious activities spawned across a plurality of devices connected to the network as a result of the malware root as provided by Brown (see paragraph 109, detected activity of Host A and Host B).  One of ordinary skill in the art would have recognized the benefit that visualizing malicious behavior would assist in providing information to analysts for malware detection (see Brown, paragraph 11).
Regarding claim 21, the combination of Goradia and Brown discloses wherein the network-wide malware mapping further identifies a plurality of non-malicious activities spawned across the plurality of devices connected to the network as a result of the malware root (Brown, paragraph 99, event activity after incident).
Regarding claim 22, the combination of Goradia and Brown discloses wherein a first malicious activity spawned as a result of the malware root for a first device connected to the network is different than a second malicious activity spawned as a result of the malware root for a second device connected to the network (Brown, paragraph 109, inferred activity on Host B related to malicious activity on Host A).

12.	Claims 4, 6, 7, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia in view of Brown, further in view of Kramer et al. (U.S. Patent Application Publication Number 2007/0006304), hereinafter referred to as Kramer.
The combination of Goradia and Brown disclosed techniques for generating an interactive display of a propagation of malware associated with a malicious attack.  In an analogous art, Kramer disclosed techniques for optimizing malware recovery.  Both systems are directed toward the detection and reporting of malware attacks.
Regarding claim 4, the combination of Goradia and Brown does not explicitly state initiating, based on the network-wide malware mapping, agentless quarantine via one or more application programming interfaces (APIs) of one or more of the plurality of malicious activities spawned by the malware root.  However, responding to malicious attacks in such a fashion was well known in the art as evidenced by Kramer.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Goradia and Brown by adding the ability for initiating, based on the network-wide malware mapping, agentless quarantine via one or more application programming interfaces (APIs) of one or more of the plurality of malicious activities spawned by the malware root as provided by Kramer (see paragraph 9, quarantine).  One of ordinary skill in the art would have recognized the benefit that optimizing malware recovery would assist in addressing malware attacks that occur at a high rate of speed among networked devices (see Kramer, paragraph 18).
Regarding claim 6, the combination of Goradia and Brown does not explicitly state initiating a network-wide rollback of the plurality of malicious activities spawned across the plurality of devices connected to the network.  However, responding to malicious attacks in such a fashion was well known in the art as evidenced by Kramer.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Goradia and Brown by adding the ability for initiating a network-wide rollback of the plurality of malicious activities spawned across the plurality of devices connected to the network as provided by Kramer (see paragraph 9, rollback).  One of ordinary skill in the art would have recognized the benefit that optimizing malware recovery would assist in addressing malware attacks that occur at a high rate of speed among networked devices (see Kramer, paragraph 18).
Regarding claim 7, the combination of Goradia, Brown, and Kramer discloses wherein initiating the network-wide rollback comprises: initiating an automatic network-wide rollback of the plurality of malicious activities spawned across the plurality of devices connected to the network (Kramer, paragraph 9, rollback initiated via malware recovery optimization).
Regarding claim 15, the combination of Goradia and Brown does not explicitly state instructions that, when executed by a processor, cause the processor to: initiate, based on the network-wide malware mapping, agentless quarantine via one or more application programming interfaces (APIs) of one or more of the plurality of malicious activities spawned by the malware root.  However, responding to malicious attacks in such a fashion was well known in the art as evidenced by Kramer.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Goradia and Brown by adding the ability for instructions that, when executed by a processor, cause the processor to: initiate, based on the network-wide malware mapping, agentless quarantine via one or more application programming interfaces (APIs) of one or more of the plurality of malicious activities spawned by the malware root as provided by Kramer (see paragraph 9, quarantine).  One of ordinary skill in the art would have recognized the benefit that optimizing malware recovery would assist in addressing malware attacks that occur at a high rate of speed among networked devices (see Kramer, paragraph 18).
Regarding claim 17, the combination of Goradia and Brown does not explicitly state instructions that, when executed by a processor, cause the processor to: initiate a network-wide rollback of the plurality of malicious activities spawned across the plurality of devices connected to the network.  However, responding to malicious attacks in such a fashion was well known in the art as evidenced by Kramer.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Goradia and Brown by adding the ability for instructions that, when executed by a processor, cause the processor to: initiate a network-wide rollback of the plurality of malicious activities spawned across the plurality of devices connected to the network as provided by Kramer (see paragraph 9, rollback).  One of ordinary skill in the art would have recognized the benefit that optimizing malware recovery would assist in addressing malware attacks that occur at a high rate of speed among networked devices (see Kramer, paragraph 18).

13.	Claims 8-11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Goradia in view of Brown, in view of Kramer, further in view of Berrington et al. (U.S. Patent Application Publication Number 2021/0035116), hereinafter referred to as Berrington.
The combination of Goradia, Brown, and Kramer disclosed techniques for generating an interactive display of a propagation of malware associated with a malicious attack.  In an analogous art, Berrington disclosed techniques for generating cybersecurity remediation recommendations.  Both systems are directed toward the detection and reporting of malware attacks.
Regarding claim 8, the combination of Goradia, Brown, and Kramer does not explicitly state wherein prior to initiating the network-wide rollback, the method comprises: assessing one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network.  However, responding to malicious attacks in such a fashion was well known in the art as evidenced by Berrington.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Goradia, Brown, and Kramer by adding the ability that prior to initiating the network-wide rollback, the method comprises: assessing one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network as provided by Berrington (see paragraph 135, determines efficacy of remediation solution).  One of ordinary skill in the art would have recognized the benefit that providing detailed IT audits would assist in generating more useful remediation recommendations (see Berrington, paragraph 39).
Regarding claim 9, the combination of Goradia, Brown, Kramer, and Berrington discloses wherein assessing one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network comprises: assessing an impact, on at least a first one of at least one of the plurality of devices, of performing a rollback of an action previously performed on at least one of the plurality of devices connected to the network (Berrington, paragraph 114, remedial recommendation based on impact on security issues).
Regarding claim 10, the combination of Goradia, Brown, Kramer, and Berrington discloses wherein assessing one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network comprises: assessing a risk associated with performing a rollback of an action previously performed on at least one of the plurality of devices connected to the network (Berrington, paragraph 113, remediation of security issue in context of risk profile).
Regarding claim 11, the combination of Goradia, Brown, Kramer, and Berrington discloses wherein assessing one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network comprises: performing a simulation to assess one or more of an impact or risk associated with performing a rollback of an action previously performed on at least one of the plurality of devices connected to the network (Berrington, paragraph 135, remediation solution simulated).
Regarding claim 18, the combination of Goradia, Brown, and Kramer does not explicitly state instructions that, when executed by a processor, cause the processor to: prior to executing the instructions to initiate the network-wide rollback, assess one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network.  However, responding to malicious attacks in such a fashion was well known in the art as evidenced by Berrington.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Goradia, Brown, and Kramer by adding the ability for instructions that, when executed by a processor, cause the processor to: prior to executing the instructions to initiate the network-wide rollback, assess one or more effects of the network-wide rollback on at least one of the plurality of devices connected to the network as provided by Berrington (see paragraph 135, determines efficacy of remediation solution).  One of ordinary skill in the art would have recognized the benefit that providing detailed IT audits would assist in generating more useful remediation recommendations (see Berrington, paragraph 39).
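Worked illustration of the claimed mapping and pre-rollback assessment, added for this page; it is not code from the application under examination or from Goradia, Brown, Kramer or Berrington. It covers the mapping of claims 1-3, 21 and 22 (a malware root, a hierarchy of activities correlated in time across several devices, non-malicious activities spawned by the root, and different activities on different devices) and the assessment of claims 8-11 performed before a network-wide rollback is initiated. The event schema, host names, telemetry, cause links and risk weighting are assumptions constructed for the example.

```python
"""Network-wide malware mapping and pre-rollback assessment (added example).

Not code from the application or the cited references.  Event fields, hosts,
timestamps and the risk weights are constructed for illustration only."""
from collections import defaultdict


class Event:
    """One action recorded on one device.  parent_id names the action that
    caused it (process spawn, remote login, file drop) or None when the
    collector saw no cause.  Field names are assumptions for this example."""
    def __init__(self, ts, device, event_id, parent_id, action, malicious):
        self.ts, self.device, self.event_id = ts, device, event_id
        self.parent_id, self.action, self.malicious = parent_id, action, malicious


# Constructed telemetry from three hosts; ts is seconds on a shared clock.
EVENTS = [
    Event(50,  "host-c", "c0", None, "user opened browser",   False),  # before the root
    Event(100, "host-a", "a1", None, "exec dropper.exe",      True),   # the malware root
    Event(105, "host-a", "a2", "a1", "write run.bat",         True),
    Event(107, "host-a", "a3", "a1", "smb login to host-b",   True),
    Event(110, "host-b", "b1", "a3", "exec service binary",   True),
    Event(112, "host-b", "b2", "b1", "encrypt share DOCS",    True),
    Event(113, "host-b", "b3", "b1", "create scheduled task", False),  # benign-looking, spawned by the root
    Event(120, "host-b", "b4", "b1", "smb login to host-c",   True),
    Event(125, "host-c", "c1", "b4", "exec dropper.exe",      True),   # differs from the host-b activity
    Event(130, "host-c", "c9", None, "windows update",        False),  # after the root but unrelated
]


def find_malware_root(events):
    """Claim 2: the device and action at which the malicious application was
    initially executed, taken as the earliest malicious event with no
    malicious cause."""
    by_id = {e.event_id: e for e in events}
    candidates = [e for e in events if e.malicious
                  and (e.parent_id is None or not by_id[e.parent_id].malicious)]
    return min(candidates, key=lambda e: e.ts)


def build_mapping(events, root):
    """Claims 1 and 3: correlate each device's actions in the window after the
    root was introduced with the root by following cause links.  Returns the
    hierarchy as event_id -> sorted child event_ids, reachable from the root."""
    children = defaultdict(list)
    for e in events:
        if e.parent_id is not None and e.ts >= root.ts:   # time correlation
            children[e.parent_id].append(e.event_id)
    mapping, stack = {}, [root.event_id]
    while stack:
        node = stack.pop()
        mapping[node] = sorted(children.get(node, []))
        stack.extend(mapping[node])
    return mapping


def activities_by_device(events, mapping):
    """Claims 21 and 22: every activity spawned by the root, per device, split
    into malicious and non-malicious, in time order."""
    out = defaultdict(lambda: {"malicious": [], "non_malicious": []})
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id in mapping:
            out[e.device]["malicious" if e.malicious else "non_malicious"].append(e.action)
    return dict(out)


def assess_rollback(events, mapping):
    """Claims 8-11: dry-run the network-wide rollback of every mapped activity
    and report, per device, malicious actions reverted, non-malicious actions
    reverted (collateral) and a constructed risk score (1 per reverted
    malicious action, 3 per collateral action)."""
    by_id = {e.event_id: e for e in events}
    report = defaultdict(lambda: {"revert": 0, "collateral": 0, "risk": 0})
    for eid in mapping:
        e, r = by_id[eid], report[by_id[eid].device]
        if e.malicious:
            r["revert"] += 1
            r["risk"] += 1
        else:
            r["collateral"] += 1
            r["risk"] += 3
    return dict(report)


def plan_rollback(report, max_risk):
    """Gate the automatic rollback on the simulated risk: devices at or under
    max_risk are cleared, the rest are held for analyst review."""
    cleared = sorted(d for d, r in report.items() if r["risk"] <= max_risk)
    held = sorted(d for d, r in report.items() if r["risk"] > max_risk)
    return cleared, held


if __name__ == "__main__":
    root = find_malware_root(EVENTS)
    mapping = build_mapping(EVENTS, root)
    print("malware root:", root.device, root.action)
    for device, acts in activities_by_device(EVENTS, mapping).items():
        print(device, acts)
    report = assess_rollback(EVENTS, mapping)
    print(report, plan_rollback(report, max_risk=5))
```

The time filter in build_mapping combined with the cause links is what keeps the unrelated host-c events (one before the root, one after it) out of the mapping while still pulling in the non-malicious scheduled-task action that the root spawned on host-b; that collateral action is also what raises host-b above the risk threshold, so the dry run holds that device back rather than rolling it back automatically.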

Conclusion
14.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
15.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday through Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493