DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 10/10/2022 has been placed of record in the file.
Claims 1 and 15 have been amended.
The objection to claims 15, 18, and 19 is withdrawn in view of the amendment.
Claims 1, 3, 5-15, 18, and 19 are pending.
The applicant’s arguments with respect to claims 1, 3, 5-15, 18, and 19 have been considered but are moot in view of the following new grounds of rejection.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/10/2022 has been entered.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 3, 5-15, 18, and 19 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 1 and 15 include the limitation “illustrating a lack of associated geographic area” in relation to the second visualization.  Support for this limitation could not be found in the specification.  In the remarks, the applicant points to paragraphs 6-9 of the specification as containing support for the claim amendments.  However, this part of the specification only describes the creation of a second visualization “for malware samples not having geographic data” for a command and control server.  The samples used in the visualization “not having geographic data” related to them is substantively different from explicit illustration of the lack of associated geographic data.  The applicant’s specification appears to make no mention of explicitly illustrating the lack of associated geographic data, nor does the disclosure anywhere consider how this might be accomplished.  Claims 3, 5-14, 18, and 19 are rejected due to their dependence on the independent claims.

Claim Rejections - 35 USC § 103
11.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
12.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

13.	Claims 1, 3, 5-15, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Hazay et al. (U.S. Patent Application Publication Number 2019/0364057), hereinafter referred to as Hazay, in view of Rathor et al. (U.S. Patent Number 10,027,689), hereinafter referred to as Rathor, further in view of Smith et al. (U.S. Patent Application Publication Number 2015/0220927).
Hazay disclosed techniques for detecting infections based on monitored network activity.  In an analogous art, Rathor disclosed techniques for infection detection and visualization.  Also in an analogous art, Smith disclosed techniques for ensuring secure transactions between networked devices.  All of these systems are directed to security in computer networks.
Regarding claim 1, Hazay discloses a method of analyzing detected malware, comprising: selecting related malware for evaluation from a database of observed malware (paragraph 24, performs operations on data collected and stored in data warehouse); extracting static and dynamic features of the malware samples from the selected malware in the database and an observation time of each of the malware samples from the selected malware (paragraph 28, analyzing header data and performing DPI operations, and paragraph 26, date and time of activity); creating a report illustrating change in at least one of static and dynamic features of the selected malware over time (paragraph 24, generates analytics report, and paragraph 53, determines or re-confirms infected devices based on characteristics); and extracting a geographic location of a command and control server associated with the malware samples having an associated geographic location, wherein the created report further illustrates the number of distinct geographic areas in which the malware was found (paragraph 26, geo-location information of servers), and wherein creating the report further comprises creating a first report illustrating the distinct geographic areas in which the malware was found for malware samples having geographic location data for a command and control server and creating a second report for malware samples not having geographic data for a command and control server (paragraph 26, activity data may or may not include geo-location information, and geo-location information includes name of country).
Hazay does not explicitly state that the related malware is a family of related malware and that the report is a visualization.  However, analyzing malware in such a fashion was well known in the art as evidenced by Rathor.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Hazay by adding the ability for selecting a family of related malware and creating a visualization of the selected malware family as provided by Rathor (see column 2, lines 48-66, malware family, and visual representation).  One of ordinary skill in the art would have recognized the benefit that providing visual representations of malware detection would assist in allowing security personnel to better understand potential effects caused by malicious exploits (see column 1, lines 40-48).
The combination of Hazay and Rathor does not explicitly state that creating the second visualization includes illustrating a lack of associated geographic area for malware samples not having geographic data for a command and control server.  However, maintaining such information was well known in the art as evidenced by Smith.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hazay and Rathor by adding the ability for illustrating a lack of associated geographic area for malware samples not having geographic data as provided by Smith (see paragraph 47, context information includes unknown geographic location).  One of ordinary skill in the art would have recognized the benefit that collecting node attestation information would assist in mitigating risks in network communications (see paragraph 13).
Regarding claim 3, the combination of Hazay, Rathor, and Smith discloses wherein the distinct geographic regions comprise different countries (Hazay, paragraph 26, Russia, China, etc.).
Regarding claim 5, the combination of Hazay, Rathor, and Smith discloses wherein creating a visualization further comprises combining data by observation time period for visualization (Hazay, paragraph 26, activity over recent time period).
Regarding claim 6, the combination of Hazay, Rathor, and Smith discloses wherein the observation time period for combining data comprises a day, a week, a month, or three months (Hazay, paragraph 26, past 24 hours, past 7 days, etc.).
Regarding claim 7, the combination of Hazay, Rathor, and Smith discloses wherein the database comprises malware detections received from a network of installed anti-malware tools configured to report detected malware to a central service (Hazay, paragraph 23, network probe units).
Regarding claim 8, the combination of Hazay, Rathor, and Smith discloses wherein creating the visualization further comprises illustrating a cluster of malware detections as an object having a size indicating the number of features in the clustered malware detections (Rathor, column 3, lines 28-44, grouping of events, and Hazay, paragraph 26, characteristics of activity, where utilizing objects of various sizes to display data of the prior art would have been an obvious variation for one of ordinary skill with knowledge of related visualizations).
Regarding claim 9, the combination of Hazay, Rathor, and Smith discloses wherein the object illustrating the cluster of malware detections has a size indicating the number of dynamic features in the clustered malware detections (Rathor, column 3, lines 28-44, grouping of events, and Hazay, paragraph 26, characteristics of activity, and paragraph 28, DPI operations, where utilizing objects of various sizes to display data of the prior art would have been an obvious variation for one of ordinary skill with knowledge of related visualizations).
Regarding claim 10, the combination of Hazay, Rathor, and Smith discloses wherein the object illustrating the cluster of malware detections has a size indicating the number of dynamic plus static features in the clustered malware detections (Rathor, column 3, lines 28-44, grouping of events, and Hazay, paragraph 26, characteristics of activity, and paragraph 28, DPI operations and header data, where utilizing objects of various sizes to display data of the prior art would have been an obvious variation for one of ordinary skill with knowledge of related visualizations).
Regarding claim 11, the combination of Hazay, Rathor, and Smith discloses wherein creating the visualization further comprises illustrating a cluster of malware detections as an object having a size indicating the number of malware detections (Rathor, column 3, lines 28-44, grouping of events, and Hazay, paragraph 32, detects multiple accesses, where utilizing objects of various sizes to display data of the prior art would have been an obvious variation for one of ordinary skill with knowledge of related visualizations).
Regarding claim 12, the combination of Hazay, Rathor, and Smith discloses wherein creating the visualization further comprises illustrating a cluster of malware detections as an object having a color indicating the number of different command and control servers associated with the malware detections in the cluster (Rathor, column 3, lines 28-44, grouping of events, and Hazay, paragraph 31, detects C&C servers, where utilizing objects of various colors to display data of the prior art would have been an obvious variation for one of ordinary skill with knowledge of related visualizations).
Regarding claim 13, the combination of Hazay, Rathor, and Smith discloses wherein different command and control servers are grouped by country (Hazay, paragraph 26, Russia, China, etc.).
Regarding claim 14, the combination of Hazay, Rathor, and Smith discloses wherein the object illustrating the cluster of malware detections has a characteristic indicating the number of features that vary between the clustered malware detections (Rathor, column 3, lines 28-44, grouping of events, and column 22, lines 1-14, identifies events not observed).
Regarding claim 15, Hazay discloses a malware characterization system, comprising: a processor; a memory; a data structure configured to store information related to observed malware (paragraph 24, data warehouse); and software instructions stored in a machine-readable medium that when executed on the processor are operable to: cause the system to select related malware for evaluation from a database of observed malware (paragraph 24, performs operations on data collected and stored in data warehouse), extract static and dynamic features of the malware samples from the selected malware in the database and an observation time of each of the malware samples from the selected malware (paragraph 28, analyzing header data and performing DPI operations, and paragraph 26, date and time of activity); and create a report illustrating change in at least one of static and dynamic features of the selected malware over time (paragraph 24, generates analytics report, and paragraph 53, determines or re-confirms infected devices based on characteristics); and extracting a geographic location of a command and control server associated with the malware samples having an associate geographic location (paragraph 26, geo-location information of servers), wherein creating the report further comprises creating a first report illustrating the distinct geographic areas in which the malware was found for malware samples having geographic location data for a command and control server and creating a second report for malware samples not having geographic data for a command and control server (paragraph 26, activity data may or may not include geo-location information, and geo-location information includes name of country).
Hazay does not explicitly state that the related malware is a family of related malware and that the report is a visualization.  However, analyzing malware in such a fashion was well known in the art as evidenced by Rathor.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Hazay by adding the ability for selecting a family of related malware and creating a visualization of the selected malware family as provided by Rathor (see column 2, lines 48-66, malware family, and visual representation).  One of ordinary skill in the art would have recognized the benefit that providing visual representations of malware detection would assist in allowing security personnel to better understand potential effects caused by malicious exploits (see column 1, lines 40-48).
The combination of Hazay and Rathor does not explicitly state that creating the second visualization includes illustrating a lack of associated geographic area for malware samples not having geographic data for a command and control server.  However, maintaining such information was well known in the art as evidenced by Smith.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hazay and Rathor by adding the ability for illustrating a lack of associated geographic area for malware samples not having geographic data as provided by Smith (see paragraph 47, context information includes unknown geographic location).  One of ordinary skill in the art would have recognized the benefit that collecting node attestation information would assist in mitigating risks in network communications (see paragraph 13).
Regarding claim 18, the combination of Hazay, Rathor, and Smith discloses wherein creating a visualization further comprises combining data by observation time period for visualization (Hazay, paragraph 26, activity over recent time period), the time period for combining data comprises a day, a week, a month, or three months (Hazay, paragraph 26, past 24 hours, past 7 days, etc.).
Regarding claim 19, the combination of Hazay, Rathor, and Smith discloses wherein creating the visualization further comprises illustrating a cluster of malware detections as an object having characteristics indicating one or more of the number of features in the clustered malware detections, the number of malware detections during a period of time, the number of different command and control servers associated with the malware detections in the cluster, and the number of features that vary between the clustered malware detections (Rathor, column 3, lines 28-44, grouping of events, and Hazay, paragraph 26, characteristics of activity).



Conclusion
14.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493