TIME-BASED VISUALIZATION OF COMPUTER NETWORK ASSETS AND EVENTS

§102 §103

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION 2. This action is in response to the Request for Continued Examination and Amendment filed December 12, 2025. 3. Claims 1, 13, 19, and 20 have been amended and claims 6-7 have been cancelled. 4. Claims 1-5 and 8-20 have been examined and are pending with this action. Response to Arguments 5. Applicant's arguments with respect to the newly amended independent claim 1, previously rejected under 35 U.S.C. 102(a)(1) or 102(a)(2) as being anticipated by Berger et al. (US 11,757,907 B1) have been fully considered but are persuasive in part. In response to the argument that Berger and Bollobas fails to explicitly teach the newly amended claim limitations, after further consideration, it has been determined that Berger clearly and explicitly teaches a multi-dimensional timeline panel displaying historical events associated with an asset and further teaches a user’s ability to make selections. Additional and explicit citations have been provided to explicitly disclose, teach, or in the very least suggest such features with respect to a user interface. What Berger does not explicitly teach is a “user-configurable playback speed”, “wherein the graphical view includes a network topology graph in which the assets are represented as nodes and the connections are represented as edges”, and “automatically progressing according to the user-configurable playback speed”. Coleman, JR. et. al. (US 2016/0182327 A1), herein referenced Coleman, has been cited to better teach these feature. The subjective nature of a graphical user interface and what and how data is presented is neither novel nor inventive. What data is presented to the user, what components of information is selection by the user, or how the information is presented according to user-selection, does not prevent, modify, or change, the functional steps of obtaining, generating, receiving, generating, and automatically progressing in a novel way nor does it improve upon the functionality of a known prior art system. Therefore, it is noted what is displayed and how the information is presented is subjective, and does not, and will not be the reasons of allowability. For these reasons above and the rejection set forth below, claims 1-20 have been rejected and remain pending. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 6. Claims 1-5 and 8-20 are rejected under 35 U.S.C. 103 as being unpatentable over Berger et al. (US 11,757,907 B1) in view of Coleman, JR. et. al. (US 2016/0182327 A1). INDEPENDENT: As per claim 1, Berger teaches a method for identifying network security risks in a networked computing environment, the method comprising: obtaining at a security server at each of a sequence of timepoints, asset information associated with a set of observed assets in the networked computing environment at each of the sequence of timepoints (see Berger, col.4, lines 18-28: “The cybersecurity assessment system may be a cloud-based system that accesses and scans target networks remotely. The scan may produce data regarding the current state and properties of devices on a target network, events occurring on the target network, vulnerabilities detected in devices on the target network, and the like.”; col.12, lines 17-23: “Vulnerabilities interface 400 may then update display of dynamic vulnerabilities tracker 418 to provide a visual representation of collected statistics regarding the vulnerabilities determined to be associated with a high severity level (e.g., according to a cybersecurity framework or by the cybersecurity assessment system's own learned classification).”; and col.43, lines 48-57: “if the user has selected the cybersecurity event monitoring service in the service selection portion 2104, the user may select the devices or other event sources to be monitored, the time periods for monitoring and/or alerting (e.g., 8:00 AM-5:00 PM on business days, 24 hours daily year round, etc.), the duration over which the service is to be provided (e.g., one month, one quarter, one year, ongoing, etc.), specific use cases and rules for determining whether and how to generate alerts for particular events, and the like.”), and event information associated with observed occurrences of events associated with operation of the set of assets in the networked computing environment at each of the sequence of timepoints (see Berger, col.1, lines 58-63: “obtaining vulnerability data representing cybersecurity vulnerabilities associated with individual cybersecurity threats of the plurality of cybersecurity threats, wherein a first portion of the vulnerability data represents a first vulnerability of the first target network at a time associated with the first cybersecurity threat”; an col.4, lines 18-28: “The cybersecurity assessment system may be a cloud-based system that accesses and scans target networks remotely. The scan may produce data regarding the current state and properties of devices on a target network, events occurring on the target network, vulnerabilities detected in devices on the target network, and the like.”; and col.20, lines 36-44: “For example, a system administrator of a target network may request a determination of which threat or set of threats the target network is most likely to experience, given the current state of the target network.”); generating from the event information, a multi-dimensional timeline panel of a user interface that includes at least one event lane associated with an event category, wherein the event lane comprises a graphical plot of timing, relative to a timeline, of the observed occurrences of the events that fall within the event category (see Berger, FIG. 2-FIG. 5; col.5, lines 46-48, “generating a dynamic user interface for viewing the vulnerabilities identified by the vulnerability scan”; col.10, lines 43-51: “Different visual characteristics of portions of displayed tracker may be dynamically determined to representing different dimensions of the vulnerability data being represented. Illustratively, color may be varied to represent severity, length may be varied to represent a count of vulnerabilities, width may be varied to represent a count of affected devices, other visual characteristics may be varied, other dimensions of vulnerability data may be used, and/or other combinations may be implemented”; col.11, lines 16-19: “In some embodiments, the cybersecurity status interface 300 may incorporate data from previous and current cybersecurity reports, and present a dynamic visualization of the change in cybersecurity status over time.”; col.11, lines 55-60: “FIG. 4 is a user interface diagram of a vulnerabilities interface 400 showing cybersecurity vulnerability information for a target network 100. The vulnerabilities interface 400 comprises a chart 410 displaying historical statistics regarding the amount of vulnerabilities over a given time period.”; and col.14, lines 12-22: “Event chart 510 visually displays historical data regarding alerts and warnings detected by the cybersecurity assessment system 120. In some embodiments, event chart 510 may illustrate a change in the amount of alerts the system receives over a set period in time (e.g., over the course of a week, month, or year). In some embodiments, control elements 520A, 520B, and 520C may be used to filter the results shown in the ticker entries 530, 540, and 550. For example, if a user clicks on button 520C, then the ticker interface 500 may only display cybersecurity events associated with a “WARNING” Priority category.”); receiving, via user interface input, a selection of a historical playback time on the timeline in the multi-dimensional timeline panel for replaying network state changes from the historical playback time (see Berger, col.5, lines 1-5: “For example, the data may include scan data regarding the current state of devices on the network, cybersecurity events occurring on the network, current vulnerabilities on the network, and the like.”; col.5, lines 48-59: “Illustratively, the vulnerability user interface may be an interactive display that summarizes the vulnerabilities detected across the network, provides detailed information regarding individual vulnerabilities, and allows presentation at various degrees of granularity between these extremes. For example, the vulnerability user interface may include color-coded severity indicators and display objects that represent groups of vulnerabilities (e.g., groups of devices that each exhibit a particular vulnerability or set of vulnerabilities). A user may activate an individual display object to obtain more information about the group of devices/vulnerabilities that the display object represents.”; col.11, lines 57-60, “The vulnerabilities interface 400 comprises a chart 410 displaying historical statistics regarding the amount of vulnerabilities over a given time period”; col.11, line 62-col.12, line 14, “For example, the vulnerability record dated Jan. 1, 2018 in chart 410 comprises a total of 600 vulnerabilities that are divided into three top-level categories corresponding to three severity levels. Illustratively, chart 410 may be a bar chart with individual bars divided into sections 414A, 414B, and 414C, wherein section 414A represents the vulnerabilities associated with a critical severity level, section 414B represents vulnerabilities associated with a high severity level, and section 414C represent vulnerabilities associated with a medium severity level… each section 414A, 414B, and 414C may be selectable via a user input. Selecting a section 414A, 414B, or 414C may allow a user to further view details regarding the vulnerabilities of the selected severity level in dynamic vulnerabilities tracker 418.”; and col.14, lines 12-22, “Event chart 510 visually displays historical data regarding alerts and warnings detected by the cybersecurity assessment system 120. In some embodiments, event chart 510 may illustrate a change in the amount of alerts the system receives over a set period in time (e.g., over the course of a week, month, or year). In some embodiments, control elements 520A, 520B, and 520C may be used to filter the results shown in the ticker entries 530, 540, and 550. For example, if a user clicks on button 520C, then the ticker interface 500 may only display cybersecurity events associated with a “WARNING” Priority category.”); generating, from the asset information, a computer network visualization panel of the user interface presented concurrently with the multi-dimensional timeline panel in the user interface, wherein the compute network visualization panel depicts a graphical view of a network state associated with the selected playback time, the graphical view of the network state including a visual representation of at least a subset of the observed assets and connections between the subset of the observed assets that were observed at the selected playback time, (see Berger, FIG. 2-FIG. 5; col.4, lines 15-28, “The present disclosure is directed to a cybersecurity assessment system for monitoring, assessing, and addressing the cybersecurity status of a target network and/or a hierarchical group of target networks… The scan may produce data regarding the current state and properties of devices on a target network, events occurring on the target network, vulnerabilities detected in devices on the target network, and the like.”; col.5, lines 1-5: “For example, the data may include scan data regarding the current state of devices on the network, cybersecurity events occurring on the network, current vulnerabilities on the network, and the like.”; col.11, lines 3-11, “Cybersecurity status interface 300 may be used for presenting the current status of the target network 100 with respect to a particular framework in substantially real-time”; col.11, lines 16-19: “In some embodiments, the cybersecurity status interface 300 may incorporate data from previous and current cybersecurity reports, and present a dynamic visualization of the change in cybersecurity status over time.”; col,11, lines 57-60, “historical statistics regarding the amount of vulnerabilities over a given time period”; and col.14, lines 12-22, “Event chart 510 visually displays historical data regarding alerts and warnings detected by the cybersecurity assessment system 120. In some embodiments, event chart 510 may illustrate a change in the amount of alerts the system receives over a set period in time (e.g., over the course of a week, month, or year)”); and automatically progressing the playback time on the timeline of the multi-dimensional timeline panel, and at each time step, synchronously updating display of the graph in the computer network visualization panel that is presented concurrently with the multi-dimensional timeline to reflect the network state corresponding to the playback time at each time step as it progresses relative to the timeline (see Berger, Abstract: “automatically provisions the selected services based on the provided data, such as duration of time elected, service metrics, and the like.”; col.3, lines 7-9: “FIG. 5 is a user interface diagram showing a real-time ticker of cybersecurity events according to some embodiments.”; col.4, lines 24-28: “The cybersecurity assessment system can analyze the scan data and determine a degree to which the current status of the target network satisfies a particular cybersecurity assessment framework, and how the status changes over time.”; col.5, lines 46-48, “generating a dynamic user interface for viewing the vulnerabilities identified by the vulnerability scan”; col.11, lines 50-54, “While FIG. 3 illustrates a snapshot of the target network's cybersecurity posture, it will be appreciated that the interface 300 may change dynamically to reflect changes to the user system in real-time.”; col.12, lines 17-23: “Vulnerabilities interface 400 may then update display of dynamic vulnerabilities tracker 418 to provide a visual representation of collected statistics regarding the vulnerabilities determined to be associated with a high severity level (e.g., according to a cybersecurity framework or by the cybersecurity assessment system's own learned classification)”; and col.14, lines 12-22, “Event chart 510 visually displays historical data regarding alerts and warnings detected by the cybersecurity assessment system 120. In some embodiments, event chart 510 may illustrate a change in the amount of alerts the system receives over a set period in time (e.g., over the course of a week, month, or year). In some embodiments, control elements 520A, 520B, and 520C may be used to filter the results shown in the ticker entries 530, 540, and 550. For example, if a user clicks on button 520C, then the ticker interface 500 may only display cybersecurity events associated with a “WARNING” Priority category.”). Berger does not explicitly teach the historical playback time is according to a user-configurable playback speed; wherein the graphical view includes a network topology graph in which the assets are represented as nodes and the connections are represented as edges; and automatically progressing according to the user-configurable playback speed. Coleman teaches wherein a historical playback time is according to a user-configurable playback speed (see Coleman, [0082]: “The rate of playback is user configurable to allow the user to control how fast or slow the data moment is advanced.”); wherein the graphical view includes a network topology graph in which the assets are represented as nodes and the connections are represented as edges (see Coleman, FIG. 6A); and automatically progressing according to the user-configurable playback speed (see Coleman, [0082]: “The time stepping mechanism has an option that allows the data to be advanced automatically after every specifiable time, such as 1 second to the next moment in the time series when using the time stepping playback mode.”). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Berger in view of Coleman so that the historical playback time is according to a user-configurable playback speed; wherein the graphical view includes a network topology graph in which the assets are represented as nodes and the connections are represented as edges; and automatically progressing according to the user-configurable playback speed. One would be motivated to do so because Berger teaches in column 10, lines 5-51, “Portal interface 200 may comprise various options 210, 214, 218, and 222 that a user may select to view specific presentations associated with the cybersecurity assessment system 120… Different visual characteristics of portions of displayed tracker may be dynamically determined to representing different dimensions of the vulnerability data being represented. Illustratively, color may be varied to represent severity, length may be varied to represent a count of vulnerabilities, width may be varied to represent a count of affected devices, other visual characteristics may be varied, other dimensions of vulnerability data may be used, and/or other combinations may be implemented.”). As per claim 19, Berger and Coleman teach a non-transitory computer-readable storage medium storing instructions for identifying network security risks in a networked computing environment, the instructions when executed by a processor cause the processor to perform steps (see Berger, col.16, lines 22-31: “In some embodiments, process 700 may be executed according to a predetermined or dynamically determined schedule. When process 700 is initiated, a set of executable program instructions stored on one or more non-transitory computer-readable (e.g., random access memory or “RAM”) of a computing device. For example, cybersecurity analysis instructions 2574 shown in FIG. 25 may be loaded into memory 2566 of a cybersecurity assessment system computing device 2550 and executed by one or more processors 2560.”) including: obtaining at a security server at each of a sequence of timepoints, asset information associated with a set of observed assets in the networked computing environment at each of the sequence of timepoints, and event information associated with observed occurrences of events associated with operation of the set of assets in the networked computing environment at each of the sequence of timepoints; generating from the event information, a multi-dimensional timeline panel of a user interface that includes at least one event lane associated with an event category, wherein the event lane comprises a graphical plot indicating timing, relative to a timeline, of the observed occurrences of the events that fall within the event category; receiving, via user interface input, a selection of a historical playback time on the timeline in the multi-dimensional timeline panel for replaying network state changes from the historical playback time according to a user-configurable playback speed; generating from the asset information, a computer network visualization panel of the user interface presented concurrently with the multi-dimensional timeline panel in the user interface, wherein the computer network visualization panel depicts a graphical view of a network state associated with the selected playback time, the graphical view of the network state including a visualization of at least a subset of the observed assets and connections between the subset of the observed assets that were observed at the selected playback time, wherein the graphical view includes a network topology graph in which the assets are represented as nodes and the connections are represented as edges; and automatically progressing the playback time on the timeline of the multi-dimensional timeline panel according to the user-configurable playback speed and at each time step, synchronously updating display of the network topology graph in computer network visualization panel that is presented concurrently with the multi-dimensional timeline to reflect the network state corresponding to the playback time at each time step as it progresses relative to the timeline (see Claim 1 rejection above). As per claim 20, Berger and Coleman teach a computer system comprising: one or more processors (see Berger, col.16, lines 31-34: “In some embodiments, process 700 or portions thereof may be implemented on multiple processors (on the same or separate computing devices), serially or in parallel.”); and a non-transitory computer-readable storage medium storing instructions for identifying network security risks in a networked computing environment, the instructions when executed by the one or more processors cause the one or more processors to perform steps (see Berger, col.16, lines 22-31: “In some embodiments, process 700 may be executed according to a predetermined or dynamically determined schedule. When process 700 is initiated, a set of executable program instructions stored on one or more non-transitory computer-readable (e.g., random access memory or “RAM”) of a computing device. For example, cybersecurity analysis instructions 2574 shown in FIG. 25 may be loaded into memory 2566 of a cybersecurity assessment system computing device 2550 and executed by one or more processors 2560.”) including: obtaining at a security server at each of a sequence of timepoints, asset information associated with a set of observed assets in the networked computing environment at each of the sequence of timepoints, and event information associated with observed occurrences of events associated with operation of the set of assets in the networked computing environment at each of the sequence of timepoints; generating from the event information, a multi-dimensional timeline panel of a user interface that includes at least one event lane associated with an event category, wherein the event lane comprises a graphical plot indicating timing, relative to a timeline, of the observed occurrences of the events that fall within the event category; receiving, via user interface input, a selection of a historical playback time on the timeline in the multi-dimensional timeline panel for replaying network state changes from the historical playback time according to a user- configurable playback speed; generating, from the asset information, a computer network visualization panel of the user interface presented concurrently with the multi-dimensional timeline panel in the user interface, wherein the computer network visualization panel depicts a graphical view of a network state associated with the selected playback time, the graphical view of the network state including a visualization of at least a subset of the observed assets and connections between the subset of the observed assets that were observed at the selected playback time, wherein the graphical view includes a network topology graph in which the assets are represented as nodes and the connections are represented as edges; and automatically progressing the playback time on the timeline of the multi-dimensional timeline panel according to the user-configurable playback speed, and at each time step, synchronously updating display of the network topology graph in the computer network visualization panel that is presented concurrently with the multi-dimensional timeline to reflect in the network state corresponding to the playback time at each step as it progresses relative to the timeline (see Claim 1 rejection above). DEPENDENT: As per claim 2, which depends on claim 1, Berger further teaches wherein the at least one event lane includes at least two event lanes associated with different event categories (see Berger, FIG. 3-FIG. 5; and col.11, lines 55-62: “The vulnerabilities interface 400 comprises a chart 410 displaying historical statistics regarding the amount of vulnerabilities over a given time period. In some embodiments, chart 410 may categorize vulnerabilities according to category, such as a severity level. For example, the vulnerability record dated Jan. 1, 2018 in chart 410 comprises a total of 600 vulnerabilities that are divided into three top-level categories corresponding to three severity levels.”). As per claim 3, which depends on claim 1, Berger further teaches wherein the at least one event lane depicts the observed occurrences of the events using visually distinguishable features corresponding to different attributes of the events defined in the event information (see Berger, FIG. 3-FIG. 5; and Claim 1 rejection above). As per claim 4, which depends on claim 3, Berger further teaches wherein the visually distinguishable features comprise at least one of: color, shape, size, text, and animation type (see Berger, col.10, lines 43-51: “Different visual characteristics of portions of displayed tracker may be dynamically determined to representing different dimensions of the vulnerability data being represented. Illustratively, color may be varied to represent severity, length may be varied to represent a count of vulnerabilities, width may be varied to represent a count of affected devices, other visual characteristics may be varied, other dimensions of vulnerability data may be used, and/or other combinations may be implemented.”; col.12, lines 35-39: “Certain visual characteristics (e.g., length, width, color, visual texture) of each of sections 420A, 420B, 420C, and 420D may be customized to indicate how many detected vulnerabilities are determined to affect a quantity of different devices.”; and col.44, lines 29-33: “For example, the status summary portion 2202 may be a graphical status bar with a visual aspect (e.g., color, texture, etc.) that changes to indicate where the current status of provisioning is within a range of completeness.”). As per claim 5, which depends on claim 3, Berger further teaches wherein the different attributes of the events comprise at least one of: an event time, an event duration, an event size, event severity, and an event type (see Berger, FIG. 3-FIG. 5; and Abstract: “Once the metadata has been collected, the cybersecurity assessment system automatically provisions the selected services based on the provided data, such as duration of time elected, service metrics, and the like.”). As per claim 8, which depends on claim 1, Berger further teaches wherein the one or more active timepoints comprises at least a first selected timepoint and a second selected timepoint, and wherein the graphical view of the network state represents a differential between a first network state associated with the first selected timepoint and a second network state associated with the second selected timepoint (see Berger, col.4, lines 24-28: “The cybersecurity assessment system can analyze the scan data and determine a degree to which the current status of the target network satisfies a particular cybersecurity assessment framework, and how the status changes over time.”; and col.44, lines 29-33: “For example, the status summary portion 2202 may be a graphical status bar with a visual aspect (e.g., color, texture, etc.) that changes to indicate where the current status of provisioning is within a range of completeness.”). As per claim 9, which depends on claim 1, Berger teaches further comprising: generating a detailed inspector panel of the user interface that displays at least a subset of the asset information or the event information for one or more selected assets or one or more selected events (see Berger, FIG. 3-FIG. 5; col.5, lines 47-59: “Illustratively, the vulnerability user interface may be an interactive display that summarizes the vulnerabilities detected across the network, provides detailed information regarding individual vulnerabilities, and allows presentation at various degrees of granularity between these extremes. For example, the vulnerability user interface may include color-coded severity indicators and display objects that represent groups of vulnerabilities (e.g., groups of devices that each exhibit a particular vulnerability or set of vulnerabilities). A user may activate an individual display object to obtain more information about the group of devices/vulnerabilities that the display object represents.”; and col.10, lines 2-4: “Users may also access more detailed cybersecurity information through the portal interface 200 if desired.”). As per claim 10, which depends on claim 1, Berger further teaches wherein the user interface comprises a set of user-composable panels or tabs that are configurable with respect to one or more of: position, size, number, and type (see Berger, FIG. 3-FIG. 5; col.6, lines 39-42: “Within an instance, access to the cybersecurity information of the entities in the hierarchy may be enforced according to standardized or customized configuration policies.”; col.8, lines 28-33: “A single cybersecurity assessment system 120 may be configured to assess the cybersecurity status of any number of target networks 100. In some embodiments, a single target network 100 may be assessed by multiple cybersecurity assessment systems 120.”; and col.10, lines 13-24: “Option 214 is titled “Continuous Cybersecurity Monitoring” and may be associated with reports, controls, and configuration settings for managing the aspects of the cybersecurity assessment system. Option 218 is titled “Cyber Status.” Selection of option 218 may cause presentation of an interface, such as cybersecurity status interface 300 discussed in greater detail below, that uses information generated through a cybersecurity status assessment process to visually represent the cybersecurity status of the target network 100 with respect to one or more cybersecurity assessment frameworks.”). As per claim 11, which depends on claim 10, Berger further teaches wherein the user-composable panels or tabs include at least two panels or tabs of a same type that are configurable with different filtering criteria (see Berger, col.12, lines 44-52: “Similarly, visual characteristics of section 420B may be customized to indicate that a set of 152 vulnerabilities affect each of a set of 5 different devices in target network 100, visual characteristics of section 420C may be customized to indicate that a set of 9 vulnerabilities affect each of a set of 3 different devices, and visual characteristics of section 420D may be customized to indicate that a set of 8 vulnerabilities affect each of a set of 8 different devices in the target network 100.”; and col.34, line 66-col.34, line 7: “With the access controls, the graphical user interfaces can be customized for particular entities, administrators, staff, or members. Data presented in the graphical user interfaces can be downloaded or exported by users. Individualized reports can also be viewed, generated, or downloaded according to allowed privileges. The cybersecurity system can provide graphical user interfaces or configurations to define granular access controls, such as user roles and responsibilities.”). As per claim 12, which depends on claim 10, Berger further teaches wherein the user-composable panels or tabs all update synchronously responsive to the changes in the one or more active timepoints and to the one or more interactions (see Claim 1 rejection above). As per claim 13, which depends on claim 1, Berger teaches further comprising: receiving an updated selection of an updated playback time on the timeline of the multi-dimensional timeline panel (see Claim 1 and Claim 7 rejections above; and col.13, line 62-col.14, line 2: “Ticker 505 may display recent alerts that are responsive to events in real-time and represent all detected use cases or cybersecurity events. In some embodiments, ticker 505 may dynamically update to include warnings or alerts from cybersecurity events that occur in real-time. Alerts and warnings displayed in the ticker 505 may be selected via user input to display detailed information regarding the selected alert or warning.”); and updating the network state in the computer network visualization panel responsive to the updated selection (see Berger, col. lines 20-24: “The scan may produce data regarding the current state and properties of devices on a target network, events occurring on the target network, vulnerabilities detected in devices on the target network, and the like.”; col.4, line 67-col.5, line 5: “The data may be obtained remotely, without necessarily requiring installation of any hardware or software at the target network site. For example, the data may include scan data regarding the current state of devices on the network, cybersecurity events occurring on the network, current vulnerabilities on the network, and the like.”; and col.12, lines 17-23: “Vulnerabilities interface 400 may then update display of dynamic vulnerabilities tracker 418 to provide a visual representation of collected statistics regarding the vulnerabilities determined to be associated with a high severity level (e.g., according to a cybersecurity framework or by the cybersecurity assessment system's own learned classification).”). As per claim 14, which depends on claim 1, Berger further teaches wherein receiving the one or more interactions and synchronously updating the multi-dimensional timeline panel and the computer network visualization panel comprises: receiving a selection of a user interface element representing an asset in the computer network visualization panel (see Claim 1 rejection above); and updating the multi-dimensional timeline panel to indicate one or more timepoints of events associated with the asset (see Claim 1 rejection above). As per claim 15, which depends on claim 1, Berger further teaches wherein receiving the one or more interactions and synchronously updating the multi-dimensional timeline panel and the computer network visualization panel comprises: receiving a selection of an event lane associated with an event category in the multi-dimensional timeline panel (see Claim 1 rejection above); and updating the computer network visualization panel to visually identify assets associated with event occurrences in the event category (see Claim 1 rejection above). As per claim 16, which depends on claim 1, Berger further teaches wherein receiving the one or more interactions and synchronously updating the multi-dimensional timeline panel and the computer network visualization panel comprises: receiving search or filter query associated with one or more attributes (see Berger, col.26, line 66-col.27, line 19 : “the application component or some other component of an instance of the cybersecurity assessment system 120 may receive a request to access cybersecurity information regarding a hierarchy of target networks. In some embodiments, the request may be initiated via a desktop or mobile device user interface, such as the cybersecurity portal interface described in greater detail above… The user may access the cybersecurity portal to view cybersecurity information regarding the target network 1240, and the other target networks in hierarchy 1204. The user may submit a request for information about the hierarchy 1204, such as by clicking a link on a home page of the cybersecurity portal, activating menu option in a mobile application, etc. The instance of the cybersecurity assessment system 120 can identify the current target network associated with the account from which the request was received.”); and updating the computer network visualization panel and the multi-dimensional timeline panel to visually identify assets and events meeting the search or filter query (see Claims 1 rejection above). As per claim 17, which depends on claim 1, Berger further teaches wherein receiving the one or more interactions and synchronously updating the multi-dimensional timeline panel and the computer network visualization panel comprises: receiving a selection of a set of events in the multi-dimensional timeline panel (see Claim 1 rejection above); and displaying a visualization in the computer network visualization panel indicating assets associated with the set of events see Berger, FIG. 3-FIG. 5). As per claim 18, which depends on claim 1, Berger further teaches wherein the event category is indicative of at least one of: a type of event, a type of device associated with the event, a type of application associated with the event, user associated with event, one or more network identifiers, and one or more asset identifiers (see Berger, col.14, lines 45-49: “The information for a given device may include: hardware characteristics (e.g., device type, device vendor, installed hardware components); software characteristics (e.g., operating system type and version, installed application components, etc.)”; and col.37, lines 31-33: “Training a model 1808 may involve a variety of different operations, depending upon the particular type of model being trained.”). Conclusion 7. For the reasons above, claims 1-5 and 8-20 have been rejected and remain pending. 8. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993. The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Michael Won/Primary Examiner, Art Unit 2443