DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Arguments
Regarding claims rejected under 35 USC 101:
Applicant’s arguments, i.e., that the claimed invention “focuses on a method that improves the relevant technology” have been fully considered and are persuasive.  Accordingly, the rejection has been withdrawn. 

Regarding claims rejected under 35 USC 103:
Applicant's arguments have been fully considered but they are not persuasive. 
Applicant argues that “Thorman discloses displaying different colored objects for a plurality of objects where each color relates to a location of an object or information relating to the object such as file size, ownership, access privileges and modification or creation times, but it does not teach or render obvious displaying a symbol relating to checksum data and checksummed attributes (i.e.,partial data) of an object… Thorman, alone or in combination with Ahuja and Morris does not teach or suggest claim 1.”
In response to Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, the Morris reference is relied upon for disclose of checksums, checksum of computer objects, and checksummed attributes. For instance, [0015] of Morris recites “at a base computer, receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored;” [0031] of Morris recites “the data including one or more of: executable instructions contained within or constituted by the object; the size of the object; the current name of the object; the physical and folder location of the object on disk; the original name of the object; the creation and modification dates of the object; vendor, product and version and any other information stored within the object; the object header or header held by the remote computer; and, events initiated by or involving the object when the object is created, configured or runs on the respective remote computers;” [0088] of Morris recites “a check sum is created for all executable files, such as (but not limited to) .exe and .dll files, which are of the type PE (Portable Executable file as defined by Microsoft). Three types of checksums are generated depending on the nature of the file;” [0109] of Morris recites “the system allows for this data itself to be summarised by the Event Checksums. Two event checksums are used utilising a variety of algorithms, such as CRC and Adler. The checksums are of the core data for an event. This allows the remote computer 2 to send the checksums of the data to the central computer 3 which may already have the data relating to those checksums stored. In this case, it does not require further information from the remote computer 2. Only if the central computer 3 has never received the checksums will it request the associated data from the remote computer 2.” As such, it can be seen that the Morris reference discloses checksum data for objects and object events. Morris further discloses “a checksum or "signature" or "key" that uniquely represents the file” in [0007].
The Thorman reference is relied upon for its disclosure of visually indicating uniqueness among, or overlap between, objects. It is further relied upon for its visual indication being symbolic in an embodiment. For instance, [0020] of Thorman recites that “different icons and/or alphanumeric labels may be used to distinguish the overlap of file objects;” [0024] of Thorman recites “information concerning the overlap or uniqueness of displayed file objects may be indicated via color and/or through various icon or other graphical means.” While the [0020], [0024], and [0031] of Thorman discuss exemplary first, second, and third colors, it is considered that first, second, and third symbols are consistent with the disclosure as per the quoted portions above. 
Accordingly, the combination of references is considered to teach the claimed invention since Morris teaches checksumming objects and object information and Thorman teaches displaying uniqueness and overlaps symbolically among a plurality of objects. 

Double Patenting
Regarding the Double Patenting rejection:
	Responsive to the approved 4/21/2022 terminal disclaimer, the rejection has been withdrawn.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-15 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Ahuja (US 2013/0246371 A1) in view of Morris (US 2007/0016953 A1) and Thorman (US 2005/0131959 A1).

Regarding claim 1, Ahuja discloses: A computer program product comprising a non-transitory computer-readable medium storing thereon a set of instructions executable by a processor, the set of instructions comprising instructions for: 
receiving [Hash / Signature]data about a computer object from each of plural remote computers on which the computer object is located; 
Refer to at least [0029], [0031]-[0032], and [0044]-[0053] of Ahuja with respect to object capture and classification, the classification involving signatures
storing said [Hash / Signature]data in a database; and 
Refer to at least FIG. 5 and [0055]-[0063] of Ahuja with respect to storage of object data such as that of indexing and signature data. 
presenting, on a display and in response to receiving a selection of a first group of plural objects having commonality amongst an attribute, 
Refer to at least [0067], [0073], and [0096] of Ahuja with respect to an initial search / query focused on specific object data. 
information relating to a second group of plural objects including the first group of plural objects and additional objects not in the first group of plural objects, and information relating to one or more [Hashed / Tagged] attributes of the objects of the second group of plural objects from the database, the information relating to the second group of plural objects being arranged such that one or more values of the one or more [Hashed / Tagged] attributes and one or more symbols are shown, wherein the one or more symbols are assigned to the one or more values based on at least one of a uniqueness and a commonality among the one or more values of the one or more [Hashed / Tagged] attributes of the second group of plural objects, 
Refer to at least the abstract, [0068], [0072], [0074], [0078], and [0101] of Ahuja with respect to automatically obtaining additionally relevant object data responsive to the initial query.
Refer to at least FIG. 9A-B with respect to an exemplary display, wherein additionally relevant results are presented to the user, organized according to their relevance and frequency. 
Refer to at least [0062]-[0063], [0086], and [0092]-[0093] of Ahuja with respect to object attributes and tagging. 
wherein information relating to another group of plural objects comprises a number of objects; 
Refer to at least [0029] and [0060] of Ahuja with respect to a plurality of exemplary objects and object types. 
Ahuja does not specify: that the object is from each of plural remote computers on which the computer object is located; checksum; checksummed; a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects; presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects. However, Ahuja in view of Morris discloses: from each of plural remote computers on which the computer object is located; 
Refer to at least [0015] of Morris with respect to a base computer receiving data about a computer object from each of plural remote computers on which the object or similar objects are stored.
checksum; checksummed; 
Refer to at least [0007] and [0088] of Morris with respect to checksums. 
a number of known objects that are not malware, a number of known malware objects, and a number of unknown objects;
Refer to at least [0080]-[0084] of Morris with respect to known safe, known malicious, and unknown objects. 
The teachings of both Ahuja and Morris concern securing data and creating security rules, and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja to further comprise obtaining additional data (from multiple computers and of multiple different types of objects) for at least the purpose of increasing security through increased coverage. It further would have been obvious to modify the teachings to use a checksum because the substitution of one known element for another (hashes for checksums) would have yielded predictable results to one of ordinary skill in the art at the time of the invention.
Ahuja-Morris does not disclose: presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects. However, Ahuja-Morris in view of Thorman discloses: presenting on the display, a first symbol assigned to one or more values based on the uniqueness of the one or more values among the second group of plural objects when one or more values of the one or more checksummed attributes is unique amongst the second group of plural objects; and presenting on the display, a second symbol, different from the first symbol, when one or more values of the one or more checksummed attributes is common amongst the second group of plural objects.
Refer to at least the abstract, [0020], [0024], and [0031] of Thorman with respect to information concerning the uniqueness and/or overlap of objects being indicated via color, icons, and/or other graphical means.
The teachings of Ahuja-Morris concern a GUI for displaying object information, and are considered to be combinable with those of Thorman concerning the same. 
Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris to further include graphical representations of commonality for at least the purpose of increasing ease-of-use for an analyst as per at least [0003]-[0007] of Thorman.

Regarding claim 2, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the information relating to the second group of plural objects is displayed in tabular form with rows of the table corresponding to objects and columns of the table corresponding to attributes of the objects.
Refer to at least FIG. 9A-B of Ahuja with respect to an exemplary GUI.
Refer to at least FIG. 4-8 of Thorman with respect to an exemplary GUI. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 3, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Thorman and the obviousness rationale).

Regarding claim 4, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for: identifying commonality of one or more attribute values between the second group of plural objects; and refining a query in accordance with said identified commonality.
Refer to at least the abstract, [0073]-[0078], and [0101] of Ahuja with respect to iterative search queries. 

Regarding claim 5, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for creating a rule from a user query if it is determined that the user query is deterministic in identifying malware.
Refer to at least [0077]-[0078] of Ahuja with respect to creating rules and policies from an analyst performing iterative search queries. 
Refer to at least [0110] of Morris with respect to rule creation.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 6, it is rejected for substantially the same reasons as claim 5 above (i.e., the citations and obviousness rationale).

Regarding claim 7, it is rejected for substantially the same reasons as claim 5 above (i.e., the citations and obviousness rationale).

Regarding claim 8, Ahuja-Morris-Thorman discloses: The computer program product of claim 7, wherein the set of instructions further comprises instructions for: storing a classification of the object as safe or unsafe according to the rule in the database.
Refer to at least [0034]-[0037] of Ahuja with respect to rule creation and object classification. 

Regarding claim 9, Ahuja-Morris-Thorman discloses: The computer program product of claim 8, wherein the set of instructions further comprises instructions for: receiving an indication from a remote computer that an object classified as malware by said rule is believed not to be malware; and amending or deleting the rule in accordance with said indication.
Refer to at least [0118] of Morris with respect to continually monitoring at remote computers and updating a classification based on newer data. 
Therefore it would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify the teachings of Ahuja-Morris-Thorman to further continual monitoring and updating classifications for at least the purpose of reducing false positives and false negatives.

Regarding claim 10, Ahuja-Morris-Thorman discloses: The computer program product of claim 5, wherein the set of instructions further comprises instructions for sending the rule to a remote computer such that the remote computer can apply the rule to an object at the remote computer.
Refer to at least FIG. 3 and [0033]-[0035] of Ahuja with respect to a capture system and its capture rules; applying the rule via actions taken.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claims 11-12, they are substantially similar to claims 8-9 above, and are therefore likewise rejected for substantially the same reasons. 

Regarding claim 13, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the set of instructions further comprises instructions for receiving actor information pertaining to an actor object performing an act and victim information pertaining to a victim object upon which the act is being performed.
Refer to at least FIG. 10A of Ahuja with respect to source and destination information for rules. 

Regarding claim 14, Ahuja-Morris-Thorman discloses: The computer program product of claim 1, wherein the one or more checksummed attributes correspond to an object pathname and an object filename.
Refer to at least TABLE1-2 and [0061] of Ahuja.
Refer to at least the abstract of Morris with respect to pathname and filename.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 15, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Thorman and the obviousness rationale).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/            Examiner, Art Unit 2432