DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the amendment filed December 23, 2020. Claims 1-20 are pending, claims 1, 3, 8, 10, 15 and 17 were amended by applicant, and no claims were cancelled or added in the amendment.

Response to Amendment
The amendment filed on December 23, 2020 has been entered. 

Response to Arguments
Applicant's arguments filed December 23, 2020 with respect to the rejections of claims 1-20 under 35 U.S.C. 103, have been carefully and fully considered but they are not persuasive.
With reference to amended claim 1, applicant asserts that “Bushey fails to disclose ‘obtaining a feature extraction algorithm matching the series of historical status index data by: introducing the series of historical status index data into a pre-trained recommended feature extraction model to match the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm, the obtained feature extraction algorithm being a recommended feature extraction algorithm, wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model' as recited in amended claim 1.” (applicant’s remarks, pages 13-14, emphasis in original). 
With continued reference to amended claim 1 and paragraph 15 of the primary Bushey reference, applicant asserts that “the matching the data to normal or threatened behaviors is different from ‘matching the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm,’ since the normal or threatened behaviors of Bushey are not equivalent to the feature extraction algorithm of amended claim 1.” (applicant’s remarks, page 14). 
With apparent, continued reference to amended claim 1, Applicant then asserts “Ide fails to remedy the deficiency of Bushey. Like Bushey, Ide also does not disclose the specific process of obtaining a feature extraction algorithm matching the series of historical status index data (i.e., how to obtain a feature extraction algorithm matching the series of historical status index data).” (applicant’s remarks, page 15). 
With reference to amended claims 8 and 15, applicant states “While the independent claims differ in scope, independent claims 8 and 15 include limitations similar to the limitations of claim 1 discussed above. Accordingly, claims 8 and 15 are believed to be patentable at least for similar reasons to those discussed above with reference to claim 1, where applicable.” Id.
Accordingly, applicant appears to argue that the claim limitation that was revised in claims 1, 8 and 15 in the amendment filed on December 23, 2020, i.e., the above-noted “obtaining a feature extraction algorithm matching the series of historical status 
The examiner respectfully disagrees with applicant’s arguments and assertions and points applicant to the below discussion of Bushey and Ide. 
Regarding the “obtaining a feature extraction algorithm matching the series of historical status index data” limitation added to independent claims 1, 8 and 15, the examiner points to FIG. 3 of Bushey which depicts “FEATURE EXTRACTION” element 352 and to paragraphs 26-27, 31 and 37 of Bushey, which disclose “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., a feature extraction algorithm], “deep learning features (e.g., generated by mining experimental and/or historical data sets)” [i.e., generate deep learning features/algorithms matching series/sets of historical data], “real-time threat detection platform 350 may receive the boundaries along with streams of data from the monitoring nodes [i.e., stream/series of status data for the monitored system]. The platform 350 may include a feature extraction on each monitoring node element” and “a historical batch with pertinent feature vector information may be kept for some duration of time.” 
Regarding the “by: introducing the series of historical status index data into a pre-trained recommended feature extraction model to match the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm” limitation recited in amended independent claims 1, 8 and 15, the examiner points to The examiner additionally points to paragraphs 13, 15 and 26 of Bushey, which disclose “a series of normal values over time that represent normal operation of an industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior) .… threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130 … a cloud database that correlates multiple attacks on a wide range of plant assets” [i.e., introduce/provide streams/series of historical data from data source 110 to pre-trained threat detection/extraction model 155 trained to detect normal or threatened behaviors/features] and “an appropriate set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” [i.e., introducing the stream/series of historical status data into a pre-trained feature extraction algorithm/model].
The examiner further points to paragraphs 26-28 and 31 of Bushey, which disclose “a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened 
Regarding “the obtained feature extraction algorithm being a recommended feature extraction algorithm” limitation recited in amended independent claims 1, 8 and 15, the examiner points to FIG. 3 of Bushey which depicts “FEATURE EXTRACTION” element 352 and to paragraphs 26 and 45 of Bushey, which disclose “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., the obtained feature extraction algorithm], “embodiments may provide an advanced anomaly detection algorithm” [i.e., being an advanced, recommended algorithm] and “predictive modeling information) and/an output device … to … transmit recommendations” [i.e., including a recommended algorithm].
Also, regarding the “wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the u of D … we call this feature vector an activity vector”, “[o]ur feature extraction technique provides a natural way to summarize the information contained in D … and the activity vector extraction technique allows us to further reduce the degrees of freedom … of each of sub-problems … the feature vector has a clear interpretation that is comprehensible to system administrators” [i.e., a relationship between the series of status data/feature vector and the feature extraction technique/algorithm], “extract a typical pattern from the past activity vectors, and … calculate the dissimilarity of the present activity vector from this typical one” and “infer that an anomalous situation is occurring in the system.” [i.e., feature extraction model characterizes a corresponding relationship between a series of status index data/activity vectors and the feature extraction algorithm].
Regarding dependent claims 2-7, 9-14 and 16-20, applicant generally alleges that “the dependent claims are patentable for at least reasons similar to those articulated above with respect to their respective independent claims” and “[t]he 
The examiner respectfully disagrees and respectfully submits that Applicant's arguments with regard to the rejections of dependent claims 2-7, 9-14 and 16-20 under 35 U.S.C. 103, do not comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. 
Further, as noted above and discussed in detail below, the combination of Bushey and Ide (i.e., Bushey in view of Ide) teaches the limitations of amended independent claims 1, 8 and 15. Also, as discussed in detail below, the combination of Bushey and Ide teaches the limitations dependent claims 6, 7, 13, 14 and 20. 
Additionally, as discussed in detail below, the combinations of Bushey and Ide with Parandehgheibi and Guan and (i.e., Bushey in view of Ide and Parandehgheibi, and Bushey in view of Ide and Guan) teach the limitations of claims 2-5, 9-12 and 16-19.
Applicant’s amendments have necessitated the claim rejections under 35 U.S.C. 112(b) and 103 discussed below.

Claim Objections
Claims 1-20 are objected to because of the following informalities: 
the feature extraction algorithm”. For examination purposes, the recitations of “match the series of historical status index data to a feature extraction algorithm” have been interpreted as “match the series of historical status index data to” the previously-introduced “feature extraction algorithm”. Appropriate correction is required.
Claims 1, 8 and 15 each include recitations of “the series of status index data” (see, e.g., lines 8, 11 and 17-18 of claim 1). Applicant previously introduced “the series of historical status index data” (see, e.g., lines 4-5 of claim 1). Accordingly, it appears that the recitations of “the series of status index data” should read “the series of historical status index data”. For examination purposes, the recitations of “the series of status index data” have been interpreted as the previously-introduced “the series of historical status index data”. Appropriate correction is required.
Dependent claims 2, 3, 5, 9, 10, 12, 16, 17 and 19 each recite “the series of status index data” (see, e.g., line 6 of claim 2). Applicant previously introduced “the series of historical status index data” in base claims 1, 8 and 15 (see, e.g., lines 4-5 of claim 1). Thus, the recitations of “the series of status index data” in claims 2, 3, 5, 9, 10, 12, 16, 17 and 19 should read “the series of historical status index data”. For examination purposes, the recitations of “the series of status index data” have been 
Amended dependent claims 3, 10 and 17 each recite “match the series of historical status index data to a feature extraction algorithm” (see, e.g., lines 4-5 of claim 3). Applicant previously-introduced “a feature extraction algorithm matching the series of historical status index data” in each of these claims (see, e.g., lines 2-3 of claim 3). Accordingly, it appears that the recitations of “match the series of historical status index data to a feature extraction algorithm” should read “match the series of historical status index data to [[a]] the feature extraction algorithm”. For examination purposes, the recitations of “match the series of historical status index data to a feature extraction algorithm” have been interpreted as “match the series of historical status index data to” the previously-introduced “feature extraction algorithm”. Appropriate correction is required.
Each of claims 3, 10 and 17 recite “a feature extraction algorithm with a highest matching degree” (see, e.g., line 13 in the last step of claim 3). Applicant previously introduced “obtain feature extraction algorithms with a matching degree” in each of these claims (see, e.g., line 10 of claim 3). As such, it appears that the recitations of “a feature extraction algorithm with a highest matching degree” in claims 3, 10 and 17 should read “a feature extraction algorithm of the obtained feature extraction algorithms with a highest matching degree”. For examination purposes, the recitations of “a feature extraction algorithm with a highest matching degree” have been interpreted as “a feature extraction algorithm of the obtained feature extraction algorithms with a highest matching degree”. Appropriate correction is required.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Amended independent claims 1, 8 and 15 each recite “the feature extraction algorithm” (see, e.g., lines 11-12 of claim 1) after reciting “the feature extraction algorithm, the obtained feature extraction algorithm being a recommended feature extraction algorithm” (see, e.g., lines 9-10 of claim 1). These claims also include subsequent recitations of “the recommended feature extraction algorithm” (see, e.g., lines 16-17, 20 and 22-23 of claim 1). However, it is unclear whether the above-noted recitation of “the feature extraction algorithm” refers to the previously-introduced “the obtained feature extraction algorithm”, the previously-introduced “recommended feature extraction algorithm”, or if all three of these feature extraction algorithms are a single “feature extraction algorithm”. For the purposes of determining patent eligibility and comparison with the prior art, the examiner is interpreting the above-noted recitation of “the feature extraction algorithm” as any of the previously-introduced “the feature 
Also, claims 2-7, 9-14, and 16-20, which each depend directly or indirectly from claims 1, 8 and 15, respectively, are rejected under 35 U.S.C. 112(b) as being indefinite under the same rationale as claims 1, 8 and 15.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 6-8, 13-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bushey et al. (U.S. Patent Application Pub. No. 2017/0359366 A1, hereinafter “Bushey”) in view of non-patent literature Ide et al. ("Eigenspace-based anomaly detection in computer systems." Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, pages 440-449, 2004, hereinafter “Ide”). Bushey was filed on June 10, 2016, and this date is before the effective filing date of this application, i.e., September 9, 2016. Therefore, Bushey constitutes prior art under 35 U.S.C. 102(a)(2).
With respect to claim 1, Bushey discloses the invention as claimed including a method for monitoring a system, (see, e.g., paragraphs 4, 15, and 25, “methods to protect an industrial asset control system from cyber threats”, “monitor streams of data from the monitoring nodes”, “ monitoring node data may be converted to features using comprising:
acquiring a series of status index data of a monitored system during at least one data collection period, as a series of historical status index data (see, e.g., paragraphs 2, 15 and 37, “receive, via a plurality of real-time monitoring node signal inputs, streams of monitoring node signal values over time that represent a current operation of the industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140”, “a historical batch with pertinent feature vector information may be kept for some duration of time.” [i.e., receive/acquire a stream/series of historical status data of a monitored system]);
obtaining a feature extraction algorithm matching the series of historical status index data (see, e.g., FIG. 3 – depicting “FEATURE EXTRACTION” element 352 and paragraphs 26-27, 31 and 37, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., a feature extraction algorithm], “deep learning features (e.g., generated by mining experimental and/or historical data sets)” [i.e., generate deep learning features/algorithms matching series/sets of historical data], “real-time threat detection platform 350 may receive the boundaries along with streams of data from the monitoring nodes [i.e., stream/series of status data for the monitored system]. The platform 350 may include a feature extraction on each monitoring node element”, “a historical batch with pertinent feature  by: 
introducing the series of historical status index data into a pre-trained recommended feature extraction model (see, e.g., paragraphs 13, 15, and 26, “a series of normal values over time that represent normal operation of an industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior) .… threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130 … a cloud database that correlates multiple attacks on a wide range of plant assets” [i.e., introduce/provide streams/series of historical data from data source 110 to pre-trained threat detection/extraction model 155 trained to detect normal or threatened behaviors/features], “an appropriate set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” [i.e., introducing the stream/series of historical status data into a pre-trained feature extraction algorithm/model]) 
to match the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm (as indicated above, “match the series of historical status index data to a feature extraction algorithm” have been interpreted as “match the series of historical status index data to” the previously-introduced “feature extraction algorithm” and “the series of status index data” have been interpreted as the previously-introduced “the series of historical status index 
the obtained feature extraction algorithm being a recommended feature extraction algorithm (see, e.g., FIG. 3 – feature extraction element 352 and paragraphs 26 and 45, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., the obtained feature extraction algorithm], “embodiments may provide an advanced anomaly detection algorithm” [i.e., being an advanced, recommended algorithm], “predictive modeling information) and/an output device … to … transmit recommendations” [i.e., including a recommended algorithm]) … ; 
determining a maximum value and a minimum value of feature values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm (see, e.g., FIG. 4 depicting minimum boundary 414 and maximum boundary 416 and paragraphs 15, 26-27, and 35, “Examples of features as applied to data might include the maximum and minimum … an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction on the data according to the feature extraction algorithm], “different types of features may be utilized … including … statistical features (e.g., … maximum, minimum values of time series signals, location of maximum and minimum values”, “[e]ach graph includes an average boundary 412 (solid line), minimum boundary 414 (dotted line), and maximum boundary 416 (dashed line) and an indication associated with current feature location for each monitoring node parameter” [i.e., determining a maximum and minimum value of features]); 
determining, based on the determined maximum value and minimum value, a normal value range of feature values obtained by performing feature extraction on the series of status index data of the monitored system according to the recommended feature extraction algorithm (see, e.g., paragraphs 22 and 26, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary (e.g., a linear boundary, non-linear boundary, multi-dimensional boundary, etc.) for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node … a decision boundary might be generated … with a feature-based learning algorithm and a high fidelity model or a ; and 
monitoring the monitored system according to the recommended feature extraction algorithm and the normal value range (see, e.g., paragraphs 25-26, “monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the control system may be monitoring [monitored] in substantially real-time. Abnormalities may be detected by classifying the monitored data as being "normal" or disrupted (or degraded). This decision boundary may be constructed using dynamic models”, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., monitoring the system according to the feature extraction algorithm and the normal value range]).
Although Bushey substantially discloses the claimed invention, Bushey is not relied on to explicitly disclose wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model.
In the same field, analogous art Ide teaches wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model (as indicated above, “the feature extraction algorithm” has been interpreted as any of the u of D … we call this feature vector an activity vector”, “[o]ur feature extraction technique provides a natural way to summarize the information contained in D … and the activity vector extraction technique allows us to further reduce the degrees of freedom … of each of sub-problems … the feature vector has a clear interpretation that is comprehensible to system administrators” [i.e., a relationship between the series of status data/feature vector and the feature extraction technique/algorithm], “extract a typical pattern from the past activity vectors, and … calculate the dissimilarity of the present activity vector from this typical one”, “infer that an anomalous situation is occurring in the system.” [i.e., feature extraction model characterizes a corresponding relationship between a series of status index data/activity vectors and the feature extraction algorithm]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bushey to incorporate the teachings of Ide to provide an automated runtime anomaly detection method at the application 

With respect to independent claim 8, Bushey discloses the invention as claimed including an apparatus for monitoring a system (see, e.g., paragraphs 4, 17, and 25, “systems … to protect an industrial asset control system from cyber threats”, “monitor streams of data from the monitoring nodes … might comprise a single apparatus”, “monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the control system may be monitoring [sic - monitored] in substantially real-time” [i.e., an apparatus for monitoring a system]), comprising:
at least one processor; and
a memory storing instructions, which when executed by the at least one processor, cause the at least one processor to perform operations, the operations (see, e.g., FIG. 13 – depicting “PROCESSOR 1310” and storage device 1330 and paragraphs 45-46, “asset control system protection platform 1300 comprises a processor 1310”, “storage device 1330 stores a program 1312 and/or a threat detection model 1314 for controlling the processor 1310. The processor 1310 performs comprising:
acquiring a series of status index data of a monitored system during at least one data collection period, as a series of historical status index data (see, e.g., paragraphs 2 and 15, “receive, via a plurality of real-time monitoring node signal inputs, streams of monitoring node signal values over time that represent a current operation of the industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140” [i.e., receive/acquire a stream/series of historical status data of a monitored system]);
obtaining a feature extraction algorithm matching the series of historical status index data (see, e.g., FIG. 3 – depicting “FEATURE EXTRACTION” element 352 and paragraphs 26-27, 31 and 37, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., a feature extraction algorithm], “deep learning features (e.g., generated by mining experimental and/or historical data sets)” [i.e., generate deep learning features/algorithms matching series/sets of historical data], “real-time threat detection platform 350 may receive the boundaries along with streams of data from the monitoring nodes [i.e., stream/series of status data for the monitored system]. The platform 350 may include a feature extraction on each monitoring node element”, “a historical batch with pertinent feature vector information may be kept for some duration of time.” [i.e., obtain feature extraction algorithm matching the series/batch of historical status data]) by: 
introducing the series of historical status index data into a pre-trained recommended feature extraction model (see, e.g., paragraphs 13, 15, and 26, “a series of normal values over time that represent normal operation of an industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior) .… threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130 … a cloud database that correlates multiple attacks on a wide range of plant assets” [i.e., introduce/provide streams/series of historical data from data source 110 to pre-trained threat detection/extraction model 155 trained to detect normal or threatened behaviors/features], “an appropriate set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” [i.e., introducing the stream/series of historical status data into a pre-trained feature extraction algorithm/model]) 
to match the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm (as indicated above, “match the series of historical status index data to a feature extraction algorithm” have been interpreted as “match the series of historical status index data to” the previously-introduced “feature extraction algorithm” and “the series of status index data” have been interpreted as the previously-introduced “the series of historical status index data”) (see, e.g., paragraphs 26-28 and 31, “a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates 
the obtained feature extraction algorithm being a recommended feature extraction algorithm (see, e.g., FIG. 3 – feature extraction element 352 and paragraphs 26 and 45, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., the obtained feature extraction algorithm], “embodiments may provide an advanced anomaly detection algorithm” [i.e., being an advanced, recommended algorithm], “predictive modeling information) and/an output device … to … transmit recommendations” [i.e., including a recommended algorithm]) … ; 
determining a maximum value and a minimum value of feature values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm (see, e.g., FIG. 4 ; 
determining, based on the determined maximum value and minimum value, a normal value range of feature values obtained by performing feature extraction on the series of status index data of the monitored system according to the recommended feature extraction algorithm (see, e.g., paragraphs 22 and 26, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary (e.g., a linear boundary, non-linear boundary, multi-dimensional boundary, etc.) for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node … a decision boundary might be generated … with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system” [i.e., determining, based on the minimum and maximum values, a normal value range within the decision boundary], “an appropriate set of multi-dimensional feature vectors, which may be extracted ; and 
monitoring the monitored system according to the recommended feature extraction algorithm and the normal value range (see, e.g., paragraphs 25-26, “monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the control system may be monitoring [monitored] in substantially real-time. Abnormalities may be detected by classifying the monitored data as being "normal" or disrupted (or degraded). This decision boundary may be constructed using dynamic models”, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., monitoring the system according to the feature extraction algorithm and the normal value range]).
Although Bushey substantially discloses the claimed invention, Bushey is not relied on to explicitly disclose wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model.
In the same field, analogous art Ide teaches wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model (as indicated above, “the feature extraction algorithm” has been interpreted as any of the previously-introduced “the feature extraction algorithm”, “the obtained feature extraction algorithm”, or the “recommended feature extraction algorithm”) (see, e.g., pages 440-445, “we address online anomaly detection for computer systems. We model a Web-u of D … we call this feature vector an activity vector”, “[o]ur feature extraction technique provides a natural way to summarize the information contained in D … and the activity vector extraction technique allows us to further reduce the degrees of freedom … of each of sub-problems … the feature vector has a clear interpretation that is comprehensible to system administrators” [i.e., a relationship between the series of status data/feature vector and the feature extraction technique/algorithm], “extract a typical pattern from the past activity vectors, and … calculate the dissimilarity of the present activity vector from this typical one”, “infer that an anomalous situation is occurring in the system.” [i.e., feature extraction model characterizes a corresponding relationship between a series of status index data/activity vectors and the feature extraction algorithm]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bushey to incorporate the teachings of Ide to provide an automated runtime anomaly detection method at the application layer of multi-node computer systems by deriving a probability distribution for an anomaly measure defined for a time-series of data (i.e., a series of status data) (See, e.g., Ide, Abstract, page 440). Doing so would have allowed Bushey to automatically 

With respect to independent claim 15, Bushey discloses the invention as claimed including a non-transitory computer storage medium storing a computer program, which when executed by one or more processors, cause the one or more processors to perform operations (see, e.g., FIG. 13 - storage device 1330, program 1312 and threat detection model 1314 and paragraphs 19 and 46, “a computer-readable storage medium may store thereon instructions that when executed by a machine result in performance according to any of the embodiments described herein”, “storage device 1330 stores a program 1312 and/or a threat detection model 1314 for controlling the processor 1310. The processor 1310 performs instructions of the programs 1312, 1314, and thereby operates in accordance with any of the embodiments described herein”), the operations comprising:
acquiring a series of status index data of a monitored system during at least one data collection period, as series of historical status index data (see, e.g., paragraphs 2 and 15, “receive, via a plurality of real-time monitoring node signal inputs, streams of monitoring node signal values over time that represent a current operation of the industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model 
obtaining a feature extraction algorithm matching the series of historical status index data (see, e.g., FIG. 3 – depicting “FEATURE EXTRACTION” element 352 and paragraphs 26-27, 31 and 37, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., a feature extraction algorithm], “deep learning features (e.g., generated by mining experimental and/or historical data sets)” [i.e., generate deep learning features/algorithms matching series/sets of historical data], “real-time threat detection platform 350 may receive the boundaries along with streams of data from the monitoring nodes [i.e., stream/series of status data for the monitored system]. The platform 350 may include a feature extraction on each monitoring node element”, “a historical batch with pertinent feature vector information may be kept for some duration of time.” [i.e., obtain feature extraction algorithm matching the series/batch of historical status data]) by: 
introducing the series of historical status index data into a pre-trained recommended feature extraction model (see, e.g., paragraphs 13, 15, and 26, “a series of normal values over time that represent normal operation of an industrial asset control system”, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior) .… threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130 … a cloud database that correlates multiple attacks on a wide range of plant assets” [i.e., 
to match the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm (as indicated above, “match the series of historical status index data to a feature extraction algorithm” have been interpreted as “match the series of historical status index data to” the previously-introduced “feature extraction algorithm” and “the series of status index data” have been interpreted as the previously-introduced “the series of historical status index data”) (see, e.g., paragraphs 26-28 and 31, “a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior) .… threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130 … a cloud database” [i.e., a pre-trained model 155 with decision boundary relationship between stream/series of status data], “set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” [i.e., the feature extraction algorithm], “Embodiments may also be associated with time series analysis features, such as cross-correlations, auto-correlations” [i.e., correlate/match the series of historical status index data], “real-time threat detection platform 350 may receive the boundaries along with streams of data from the monitoring nodes. The platform 350 may include a feature 
the obtained feature extraction algorithm being a recommended feature extraction algorithm (see, e.g., FIG. 3 – feature extraction element 352 and paragraphs 26 and 45, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., the obtained feature extraction algorithm], “embodiments may provide an advanced anomaly detection algorithm” [i.e., being an advanced, recommended algorithm], “predictive modeling information) and/an output device … to … transmit recommendations” [i.e., including a recommended algorithm]) … ; 
determining a maximum value and a minimum value of feature values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm (see, e.g., FIG. 4 depicting minimum boundary 414 and maximum boundary 416 and paragraphs 15, 26-27, and 35, “Examples of features as applied to data might include the maximum and minimum … an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction on the data according to the feature extraction algorithm], “different types of features may be utilized … including … statistical features (e.g., … maximum, minimum values of time series signals, location of maximum and minimum values”, “[e]ach graph includes an average boundary 412 (solid line), minimum boundary 414 (dotted line), and maximum boundary 416 (dashed line) and an indication associated with current feature ; 
determining, based on the determined maximum value and minimum value, a normal value range of feature values obtained by performing feature extraction on the series of status index data of the monitored system according to the recommended feature extraction algorithm (see, e.g., paragraphs 22 and 26, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary (e.g., a linear boundary, non-linear boundary, multi-dimensional boundary, etc.) for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node … a decision boundary might be generated … with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system” [i.e., determining, based on the minimum and maximum values, a normal value range within the decision boundary], “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction on the data according to the feature extraction algorithm]); and 
monitoring the monitored system according to the recommended feature extraction algorithm and the normal value range (see, e.g., paragraphs 25-26, “monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the control system may be monitoring [monitored] in substantially real-time. Abnormalities may be detected by classifying the monitored data as being "normal" or disrupted (or degraded). This decision boundary may be constructed using dynamic models”, “an appropriate set of multi-dimensional 
Although Bushey substantially discloses the claimed invention, Bushey is not relied on to explicitly disclose wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model.
In the same field, analogous art Ide teaches wherein the corresponding relationship between the series of status index data and the feature extraction algorithm is characterized by the recommended feature extraction model (as indicated above, “the feature extraction algorithm” has been interpreted as any of the previously-introduced “the feature extraction algorithm”, “the obtained feature extraction algorithm”, or the “recommended feature extraction algorithm”) (see, e.g., pages 440-445, “we address online anomaly detection for computer systems. We model a Web-based system as a weighted graph”, “graph mining in terms of a vector space model” [i.e., feature extraction model], “we describe a new method of feature extraction and show that graph time sequences are reduced to time-series of directional data” [i.e., relationship between series of status data and the feature extraction method/algorithm], “data for the dependency matrix D is sequentially obtained at each time t=1,2,... each a fixed interval [i.e., series of status index data], and that the dependency graph has a single connected component. We define the feature vector u of D … we call this feature vector an activity vector”, “[o]ur feature extraction technique provides a natural way to summarize the information contained in D … and the activity vector extraction technique 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bushey to incorporate the teachings of Ide to provide an automated runtime anomaly detection method at the application layer of multi-node computer systems by deriving a probability distribution for an anomaly measure defined for a time-series of data (i.e., a series of status data) (See, e.g., Ide, Abstract, page 440). Doing so would have allowed Bushey to automatically detect faults in a Web application and identify faulty services without having to use detailed knowledge of the behavior of the monitored system, as suggested by Ide (See, e.g., Ide, Abstract, page 440). This is an example of “use of known technique to improve similar devices (methods, or products) in the same way.” See MPEP 2143.

Regarding claims 6, 13 and 20, as discussed above, Bushey in view of Ide teaches the method of claim 1, the apparatus of claim 8, and the system of claim 15.
 wherein the monitoring the monitored system according to the recommended feature extraction algorithm and the normal value range comprises:
collecting periodically status index data of the monitored system and generating another series of status index data as a monitored series of status index data (see, e.g., paragraphs 46 and 51, “receive, via a plurality of real-time monitoring node signal inputs, streams of monitoring node signal values over time that represent a current operation of the industrial asset control system … for each stream of monitoring node signal values, generate a current monitoring node feature vector” [i.e., generating another stream/series of status data as a monitored series of status index data], “a monitoring node in an industrial asset control system … detects the series of monitoring node values 1404 over time (e.g., in batches of 30 to 50 seconds of data)” [i.e., periodically collecting status data of the monitored system]);
performing feature extraction on the monitored series of status index data according to the recommended feature extraction algorithm to obtain feature values of the monitored series of status index data (see, e.g., paragraph 26, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction on the data according to the feature extraction algorithm to obtain feature values from the status data]); and
determining the monitored system as abnormal, if the feature values of the monitored series of status index data are not within the normal value range (see, e.g., paragraphs 22, 25 and 33, “each generated current monitoring node feature vector 

Regarding claim 7, as discussed above, Bushey in view of Ide teaches the method of claim 1.
Bushey further discloses determining the monitored system as normal, if the feature values of the monitored series of status index data are within the normal value range (see, e.g., paragraphs 22, 25 and 33, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary … for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node”, “a decision boundary might be generated … in accordance with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system … classifying the monitored data as being ‘normal’,” “it may be detected whether or not a signal is in the normal operating space … through the use of localized decision boundaries” [i.e., determining the 

Regarding claim 14, as discussed above, Bushey in view of Ide teaches the apparatus of claim 8.
Bushey further discloses determining the monitored system as normal, if the feature values of the monitored series of status index data are within the normal value range (see, e.g., paragraphs 22, 25 and 33, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary … for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node”, “a decision boundary might be generated … in accordance with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system … classifying the monitored data as being "normal”,” “it may be detected whether or not a signal is in the normal operating space … through the use of localized decision boundaries” [i.e., determining the monitored system as normal if feature values are within the normal boundary]).

Claims 2, 3, 9, 10, 16, and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bushey in view of Ide as applied to independent claims 1, 8 and 15 above, and further in view of Parandehgheibi et al. (U.S. Patent Application Pub. No. 2016/0359740 A1, hereinafter “Parandehgheibi”). Parandehgheibi was filed on June 3, 2016, and this date is before the effective filing date of this application, i.e., September 9, 2016. Therefore, Parandehgheibi constitutes prior art under 35 U.S.C. 102(a)(2). 

Bushey further discloses further comprising building the recommended feature extraction model (see, e.g., paragraph 15, “Information from the normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model creation computer 140 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from threatened behavior). The decision boundary may then be used by a threat detection computer 150 executing a threat detection model 155” [i.e., building the model]), the building the recommended feature extraction model comprising:
obtaining the recommended feature extraction model through training by using a machine learning method (see, e.g., paragraph 26, “machine learning techniques) may be used to generate decision boundaries … a training method may be used for supervised learning to teach decision boundaries. This type of supervised learning may take into account an operator's knowledge about system operation (e.g., the differences between normal and abnormal operation)” [i.e., obtaining the model through training using a machine learning method with data including knowledge from an operator]) …
the feature extraction algorithm corresponding to the series of status index data of the monitored system (as indicated above, “the series of status index data” has been interpreted as the previously-introduced “the series of historical status index data”) (see, e.g., paragraphs 25-26, “monitoring node data may be converted to features using advanced feature-based methods, and the real-time operation of the .
Although Bushey in view of Ide substantially teaches the claimed invention, Bushey in view of Ide is not relied on to teach based on a manually labeled series of status index data of the monitored system.
In the same field, analogous art Parandehgheibi teaches based on a manually labeled series of status index data of the monitored system (see, e.g., paragraphs 37 and 89, “if a training set of example data with known outlier labels exists, supervised anomaly detection techniques may be used. Supervised anomaly detection techniques utilize data sets that have been labeled as normal and abnormal and train a classifier”, “the administrator or user can manually label nodes to create the training data” [i.e., training based on manually labeled status data]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Parandehgheibi with Bushey in view of Ide to provide feature vectors or other suitable data structures to represent various features or attributes of a flow of data (i.e., a series of status data) and enable use of these feature vectors improve network monitoring and management tasks (See, e.g., Parandehgheibi, paragraphs 16 and 21). Doing so would have allowed Bushey in view of Ide to evaluate feature vectors of flows according to a similarity (or distance) metric to 

Regarding claims 3, 10 and 17, as discussed above, Bushey in view of Ide teaches the method of claim 1, the apparatus of claim 8, and the system of claim 15.
Bushey further discloses wherein the obtaining a feature extraction algorithm matching the series of historical status index data by introducing the series of historical status index data into a pre-trained recommended feature extraction model to match the series of historical status index data to a feature extraction algorithm according to a pre-trained corresponding relationship between the series of status index data and the feature extraction algorithm, the feature extraction algorithm being a recommended feature extraction algorithm comprises:
introducing the series of historical status index data into the recommended feature extraction model (see, e.g., paragraphs 13, 15 and 26, “a series of normal values over time that represent normal operation of an industrial asset control system”, “normal space data source 110 and the threatened space data source 120 may be provided to a threat detection model … threat detection model 155 may, for example, monitor streams of data from the monitoring nodes 130”, “an appropriate set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” 
Although Bushey in view of Ide substantially teaches the claimed invention, Bushey in view of Ide is not relied on to teach obtain feature extraction algorithms with a matching degree used to represent an accuracy of determining feature extraction algorithms based on the series of historical status index data; and 
defining a feature extraction algorithm with a highest matching degree as the recommended feature extraction algorithm.
In the same field, analogous art Parandehgheibi teaches to obtain feature extraction algorithms with a matching degree used to represent an accuracy of determining feature extraction algorithms based on the series of historical status index data (see, e.g., paragraph 92, “The suitable clustering algorithm can be user-specified or can be based on a maximum rule (e.g., the ML [machine learning] algorithm with the highest level of confidence, highest level of accuracy, etc.), a minimum rule (e.g., the ML algorithm with the lowest error rate, …. a majority rule (e.g., the greatest number of ADM runs meeting a specified threshold level of accuracy)” [i.e., algorithms with a matching degree representing their accuracy based on historical data]); and
defining a feature extraction algorithm with a highest matching degree as the recommended feature extraction algorithm (see, e.g., paragraphs 92 and 110, “The suitable clustering algorithm can be … based on a maximum rule (e.g., the ML algorithm with the highest level of confidence, highest level of accuracy, etc.)”, “using domain-specific similarity measures and machine learning algorithms most suitable for 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Parandehgheibi with Bushey in view of Ide to provide feature vectors to represent features or attributes of a flow of data (i.e., a series of status data) and enable using these feature vectors improve network monitoring and management tasks (See, e.g., Parandehgheibi, paragraphs 16 and 21). Doing so would have allowed Bushey in view of Ide to evaluate feature vectors of flows according to a similarity (or distance) metric to determine whether one of the flows corresponds to anomalous (or routine) conditions as compared to a historical flow or set of flows labeled as anomalous or routine (i.e., abnormal or in a normal range), as suggested by Parandehgheibi (See, e.g., Parandehgheibi, paragraph 21). This is an example of “use of known technique to improve similar devices (methods, or products) in the same way.” See MPEP 2143.

Claims 4, 5, 11, 12, 18 and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable over Bushey in view of Ide as applied to claims 1, 8 and 15 above, and further in view of non-patent literature Guan et al. ("Adaptive anomaly identification by exploring metric subspace in cloud computing infrastructures." 2013 IEEE 32nd International Symposium on Reliable Distributed Systems. IEEE, 2013, pages 205-214., hereinafter “Guan”).
Regarding claims 4 and 18, as discussed above, Bushey in view of Ide teaches the method of claim 1 and the system of claim 15.
wherein the determining a maximum value and a minimum value of feature values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm comprises:
performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm to obtain feature values of the series of historical status index data (see, e.g., paragraph 26, “an appropriate set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction according to the feature extraction algorithm on the historical data to obtain feature values of the data]);
acquiring a preset maximum abnormal point proportion and a preset minimum abnormal point proportion based on which the monitored system utilizes the recommended feature extraction algorithm to perform the feature extraction (see, e.g., paragraphs 22 and 26-27, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary … separating a normal state from an abnormal state” [i.e., a preset abnormal point], “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., utilizing the feature extraction algorithm to perform feature extraction], “different types of features may be utilized … including … statistical features (e.g., … maximum, minimum values of time series signals, location of maximum and minimum values” [i.e., acquiring preset maximum and minimum abnormal point proportions]),
acquiring a number of the obtained feature values as a first number (see, e.g., paragraph 21, “threat detection computer platform may receive the streams of monitoring node signal values and, for each stream of monitoring node signal values, generate a current monitoring node feature vector” [i.e., acquire a number of obtained feature values in a feature vector for a first stream as a first number]); …
values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm (see, paragraph 26, “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., utilizing the feature extraction algorithm to perform feature extraction]).
Although Bushey substantially discloses the claimed invention, Bushey is not relied on to explicitly disclose the preset maximum abnormal point proportion and the preset minimum abnormal point proportion being numerical values greater than or equal to 0 and smaller than 1.
In the same field, analogous art Ide teaches the preset maximum abnormal point proportion and the preset minimum abnormal point proportion being numerical values greater than or equal to 0 and smaller than 1 (see, e.g., pages 445-446, “if z(t) is greater than a given threshold, we infer that an anomalous situation is occurring in the system” [i.e., greater than a preset minimum abnormal point], “the distribution of z ∈ [0,1] can be approximated by the X2-distribution with N-1 degrees of freedom.” [i.e., proportions that are numerical values greater than or equal to 0 and smaller than 1]).

Although Bushey in view of Ide substantially teaches the claimed invention, Bushey in view of Ide is not relied on to teach calculating a product of the first number and the preset minimum abnormal point proportion and rounding the calculated product into a second number; 
calculating and rounding a product of the first number and the preset maximum abnormal point proportion to be a third number; 
calculating a difference of the first number and the third number as a fourth number; 
ordering the obtained feature values in an ascending order; 
selecting, from the obtained feature values, a feature value with the order being the second number plus 1 as the minimum value of eigenvalues ...; and
selecting, from the obtained feature values, a feature value with the order being the fourth number minus 1 as the maximum value of feature values.
calculating a product of the first number and the preset minimum abnormal point proportion and rounding the calculated product into a second number (see, e.g., page 207, “cloud performance metrics are profiled from various components at runtime. The collected data include performance and runtime states of hardware devices … in cloud anomaly detection, normalization is necessary … to pre-process the cloud performance data and scale the metrics to [0, 1]. Let X(t) represent a vector of M cloud performance metrics” [i.e., first number of obtained features] “minN(t) denote[s] the synthetic … minimum values of a cloud performance metric” [i.e., preset minimum abnormal point proportion] “in a time window, which is ended at time t. They are updated iteratively based on … minN(t−1) and the new measurement of the metric by following the equation …
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale
 where the coefficient λ represents the adjustment ratio” [i.e., calculating a product of the first number and the minimum abnormal point proportion and adjusting/rounding the product into a second number]);
calculating and rounding a product of the first number and the preset maximum abnormal point proportion to be a third number (see, e.g., page 207, “cloud performance metrics are profiled from various components at runtime. The collected data include performance and runtime states of hardware devices … in cloud anomaly detection, normalization is necessary … to pre-process the cloud performance data and scale the metrics to [0, 1]. Let X(t) represent a vector of M cloud performance metrics” [i.e., first number of obtained features] “maxN(t) … denote[s] the synthetic maximum … values of a cloud performance metric” [i.e., preset maximum abnormal point proportion] in a time window, which is ended at time t. They are updated iteratively maxN(t−1) … and the new measurement of the metric by following the equation 
    PNG
    media_image2.png
    200
    400
    media_image2.png
    Greyscale
 where the coefficient λ represents the adjustment ratio” [i.e., calculating a product of the first number and the maximum abnormal point proportion and adjusting/rounding the product into a third number]);
calculating a difference of the first number and the third number as a fourth number (see, e.g., page 208, “If the difference |Xt −Mt| between the measurement and the estimation of MRPCs at a time point” [i.e., calculate difference of first and third numbers as fourth number, the difference] “is greater than a threshold, an anomaly is detected”);
ordering the obtained feature values in an ascending order (see, e.g., page 207, “the coefficient λ represents the adjustment ratio. It controls the ascending … rate”);
selecting, from the obtained feature values, a feature value with the order being the second number plus 1 as the minimum value of eigenvalues (see, e.g., pages 207-208, “minN(t) denote[s] the synthetic … minimum values of a cloud performance metric [i.e., a minimum value] in a time window, which is ended at time t … Increment t by 1” [i.e., number plus 1], “repeat step 2 until the synaptic weight wji converges to the ith component of the eigenvector associated with the jth eigenvalue of the correlation matrix of the input vector x(t)” [i.e., selecting a minimum value of eigenvalues]) … ; and
selecting, from the obtained feature values, a feature value with the order being the fourth number minus 1 as the maximum value (see, e.g., page 207, maxN(t) … denote[s] the synthetic maximum … values of a cloud performance metric [i.e., maximum value] in a time window, which is ended at time t. They are updated iteratively based on maxN(t−1)” [i.e., number minus 1 as the maximum value]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Guan with Bushey in view of Ide use feature extraction techniques that reduce metric dimensionality in order to handle large metric dimensions and large volumes of performance data (i.e., status data) associated with anomaly detection in cloud computing systems (i.e., a monitored system), and to leverage most relevant principal components (MRPCs) to devise a learning based approach for identifying cloud system anomalies (See, e.g., Guan, pages 206 and 212). Doing so would have allowed Bushey in view of Ide to achieve high accuracy of anomaly detection and low overhead for cloud computing systems, as suggested by Guan (See, e.g., Guan, page 212). This is an example of “use of known technique to improve similar devices (methods, or products) in the same way.” See MPEP 2143.

Regarding claim 11, as discussed above, Bushey in view of Ide teaches the apparatus of claim 8.
Bushey further discloses wherein the determining a maximum value and a minimum value of feature values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm comprises:
performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm to obtain feature values of the series of historical status index data (see, e.g., paragraph 26, “an appropriate set of multi-dimensional feature vectors … may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction according to the feature extraction algorithm on the historical data to obtain feature values of the data]); 
acquiring a preset maximum abnormal point proportion and a preset minimum abnormal point proportion based on which the monitored system utilizes the recommended feature extraction algorithm to perform the feature extraction (see, e.g., paragraphs 22 and 26-27, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary … separating a normal state from an abnormal state” [i.e., a preset abnormal point], “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., utilizing the feature extraction algorithm to perform feature extraction], “different types of features may be utilized … including … statistical features (e.g., … maximum, minimum values of time series signals, location of maximum and minimum values” [i.e., acquiring preset maximum and minimum abnormal point proportions]), …
acquiring a number of the obtained feature values as a first number (see, e.g., paragraph 21, “threat detection computer platform may receive the streams of monitoring node signal values and, for each stream of monitoring node signal values, generate a current monitoring node feature vector” [i.e., acquire a number of obtained feature values in a feature vector for a first stream as a first number]); …
values obtained by performing feature extraction on the series of historical status index data according to the recommended feature extraction algorithm .
Although Bushey substantially discloses the claimed invention, Bushey is not relied on to explicitly disclose the preset maximum abnormal point proportion and the preset minimum abnormal point proportion being numerical values greater than or equal to 0 and smaller than 1.
In the same field, analogous art Ide teaches the preset maximum abnormal point proportion and the preset minimum abnormal point proportion being numerical values greater than or equal to 0 and smaller than 1 (see, e.g., pages 445-446, “if z(t) is greater than a given threshold, we infer that an anomalous situation is occurring in the system [i.e., greater than a preset minimum abnormal point] … the distribution of z ∈ [0,1] can be approximated by the X2-distribution with N-1 degrees of freedom.” [i.e., proportions that are numerical values greater than or equal to 0 and smaller than 1]], “pre-process the cloud performance data and scale the metrics to [0, 1]”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bushey to incorporate the teachings of Ide to provide an automated runtime anomaly detection method at the application layer of multi-node computer systems by deriving a probability distribution for an anomaly measure defined for a time-series of data (i.e., a series of status data) (See, e.g., Ide, Abstract, page 440). Doing so would have allowed Bushey to automatically detect faults in a Web application and identify faulty services without having to use 
Although Bushey in view of Ide substantially teaches the claimed invention, Bushey in view of Ide is not relied on to teach calculating a product of the first number and the preset minimum abnormal point proportion and rounding the calculated product into a second number;
calculating and rounding a product of the first number and the preset maximum abnormal point proportion to be a third number;
calculating a difference of the first number and the third number as a fourth number; 
ordering the obtained feature values in an ascending order;
selecting, from the obtained feature values, a feature value with the order being the second number plus 1 as the minimum value of feature values …; and
selecting, from the obtained feature values, a feature value with the order being the fourth number minus 1 as the maximum value.
In the same field, analogous art Guan teaches calculating a product of the first number and the preset minimum abnormal point proportion and rounding the calculated product into a second number (see, e.g., page 207, “cloud performance metrics are profiled from various components at runtime. The collected data include performance and runtime states of hardware devices … in cloud anomaly detection, normalization is necessary … to pre-process the cloud performance data and scale the metrics to [0, 1]. Let X(t) represent a vector of M cloud performance metrics” [i.e., first number of obtained features], “minN(t) denote[s] the synthetic … minimum values of a  in a time window, which is ended at time t. They are updated iteratively based on … minN(t−1) and the new measurement of the metric by following the equation …
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale
 where the coefficient λ represents the adjustment ratio” [i.e., calculating a product of the first number and the minimum abnormal point proportion and adjusting/rounding the product into a second number]);
calculating and rounding a product of the first number and the preset maximum abnormal point proportion to be a third number (see, e.g., page 207, “cloud performance metrics are profiled from various components at runtime. The collected data include performance and runtime states of hardware devices … in cloud anomaly detection, normalization is necessary … to pre-process the cloud performance data and scale the metrics to [0, 1]. Let X(t) represent a vector of M cloud performance metrics” [i.e., first number of obtained features], “maxN(t) … denote[s] the synthetic maximum … values of a cloud performance metric” [i.e., preset maximum abnormal point proportion]” in a time window, which is ended at time t. They are updated iteratively based on maxN(t−1) … and the new measurement of the metric by following the equation … 
    PNG
    media_image2.png
    200
    400
    media_image2.png
    Greyscale
 where the coefficient λ represents the adjustment ratio” [i.e., calculating a product of the first number and the maximum abnormal point proportion and adjusting/rounding the product into a third number]);
calculating a difference of the first number and the third number as a fourth number (see, e.g., page 208, “If the difference |Xt −Mt| between the measurement and ;
ordering the obtained feature values in an ascending order (see, e.g., page 207, “the coefficient λ represents the adjustment ratio. It controls the ascending … rate”);
selecting, from the obtained feature values, a feature value with the order being the second number plus 1 as the minimum value of feature values (see, e.g., page 207, “minN(t) denote[s] the synthetic … minimum values of a cloud performance metric in a time window, which is ended at time t. They are updated iteratively based on … minN(t−1)” [i.e., selecting a minimum value] “and the new measurement of the metric by following the equation … 
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale
 [i.e., t + 1, number plus 1]); and
selecting, from the obtained feature values, a feature value with the order being the fourth number minus 1 as the maximum value (see, e.g., page 207, “maxN(t) … denote[s] the synthetic maximum … values of a cloud performance metric” [i.e., maximum value] “in a time window, which is ended at time t. They are updated iteratively based on maxN(t−1)” [i.e., number minus 1 as the maximum value]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Guan with Bushey in view of Ide use feature extraction techniques that reduce metric dimensionality in order to handle large metric dimensions and large volumes of performance data (i.e., status data) associated with anomaly detection in cloud computing systems (i.e., a monitored system), and to 

Regarding claims 5, 12, and 19, as discussed above, Bushey in view of Ide teaches the method of claim 1, the apparatus of claim 8, and the system of claim 15.
Bushey further discloses wherein the determining, based on the determined maximum value and minimum value, a normal value range of feature values obtained by performing feature extraction on the series of status index data of the monitored system according to the recommended feature extraction algorithm (see, e.g., paragraphs 22 and 26, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary … for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node … a decision boundary might be generated … in accordance with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system” [i.e., determining, based on the minimum and maximum values, a normal value range within the decision boundary], “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction on the data according to the feature extraction algorithm]) comprises: …
determining that the normal value range of feature values obtained by performing feature extraction on the series of status index data of the monitored system according to the recommended feature extraction algorithm (see, e.g., paragraphs 22 and 26, “each generated current monitoring node feature vector may be compared to a corresponding decision boundary … for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node … a decision boundary might be generated … in accordance with a feature-based learning algorithm and a high fidelity model or a normal operation of the industrial asset control system” [i.e., determining the normal value range within the decision boundary], “an appropriate set of multi-dimensional feature vectors, which may be extracted automatically (e.g., via an algorithm)” [i.e., performing feature extraction on the data according to the feature extraction algorithm]) ...
is greater than or equal to the minimum value of the value range and is smaller than or equal to the maximum value of the value range (see, e.g., FIG. 4 and paragraph 35, “Each graph includes an average boundary 412 (solid line), minimum boundary 414 (dotted line), and maximum boundary 416 (dashed line) [i.e., minimum and maximum values of the value range] and an indication associated with current feature location for each monitoring node parameter) … monitoring node location is between the minimum and maximum boundaries (that is, the ‘X’ is between the dotted and dashed lines). As a result, the system may determine that the operation of the industrial asset control system is normal” [i.e., normal value range is between minimum and maximum boundaries, greater than or equal to the minimum value and smaller than or equal to the maximum value of the value range]).
defining a product of the determined minimum value and a predetermined reduction factor as a minimum value of the value range, the predetermined reduction factor being a numerical value greater than 0 and smaller than 1; and
defining a product of the determined maximum value and a predetermined magnification factor as a maximum value of the value range, the predetermined magnification factor being a numerical value greater than 1.
In the same field, analogous art Guan teaches defining a product of the determined minimum value and a predetermined reduction factor as a minimum value of the value range, the predetermined reduction factor being a numerical value greater than 0 and smaller than 1 (see, e.g., page 207, “in cloud anomaly detection, normalization is necessary … to pre-process the cloud performance data and scale the metrics to [0, 1]” [i.e., a predetermined scaling/reduction factor that is a numerical value between 0 and 1], “minN(t) denote[s] the synthetic … minimum values of a cloud performance metric” [i.e., minimum value] “in a time window, which is ended at time t. They are updated iteratively based on … minN(t−1) and the new measurement of the metric by following the equation …
    PNG
    media_image1.png
    200
    400
    media_image1.png
    Greyscale
 where the coefficient λ represents the adjustment ratio” [i.e., a product of the minimum value and the scaling/reduction factor]).
defining a product of the determined maximum value and a predetermined magnification factor as a maximum value of the value range, the predetermined magnification factor being a numerical value greater than 1 (see, e.g., page 207, “maxN(t) … denote[s] the synthetic maximum … values of a cloud performance metric” [i.e., maximum value] “in a time window, which is ended at time t. They are updated iteratively based on maxN(t−1) … and the new measurement of the metric by following the equation … 
    PNG
    media_image2.png
    200
    400
    media_image2.png
    Greyscale
 where the coefficient λ represents the adjustment ratio” [i.e., a product of the maximum value and the adjustment ratio/magnification factor greater than 1]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Guan with Bushey in view of Ide use feature extraction techniques that reduce metric dimensionality in order to handle large metric dimensions and large volumes of performance data (i.e., status data) associated with anomaly detection in cloud computing systems (i.e., a monitored system), and to leverage most relevant principal components (MRPCs) to devise a learning based approach for identifying cloud system anomalies (See, e.g., Guan, pages 206 and 212). Doing so would have allowed Bushey in view of Ide to achieve high accuracy of anomaly detection and low overhead for cloud computing systems, as suggested by Guan (See, e.g., Guan, page 212). This is an example of “use of known technique to improve similar devices (methods, or products) in the same way.” See MPEP 2143.

Conclusion
Applicant's amendment necessitated the new grounds of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

The examiner requests, in response to this office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application.
When responding to this office action, Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the reference cited or the objections made. He or she must also show how the amendments avoid such references or objections See 37 CFR 1.111 (c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RANDY K BALDWIN whose telephone number is (571)270-5222. The examiner can normally be reached on Mon - Fri 9:00-6:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamran Afshar can be reached on 571-272-7796. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/R.K.B./Examiner, Art Unit 2125

/KAMRAN AFSHAR/Supervisory Patent Examiner, Art Unit 2125