Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Application number 16/388,057 filed on 4/18/2019 have been considered.  Claims 1-20 are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/7/2019 is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-2, 4-12, 14-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Averbuch et al. (US 9,843,596 hereinafter Averbuch) in view of Urmanov et al. (US 2015/0294052 hereinafter Urmanov).
Regarding claim 1, Averbuch discloses a method for performing prognostic-surveillance operations on a computer system, comprising: 
obtaining a multimodal dataset containing two or more different types of data gathered during operation of the computer system, wherein the multimodal dataset includes time-series data for different variables associated with operation of the computer system (FIG. 2 & 6, col. 10, lines 16-64, col. 11, lines 19-47, col. 20, lines 37-
forming a set of feature groups from the multimodal dataset, wherein each feature group comprises variables from the multimodal dataset containing the same type of data (col. 10, lines 16-64, col. 11, lines 1-17; i.e. processing the multi-dimensional data to provide statistical matrices of features); 
performing prognostic-surveillance operations on real-time multimodal data received from the computer system, wherein the prognostic-surveillance operations use the model as a classifier to detect anomalies (FIG. 1, col. 5, line 28-col. 6, line 10, col. 11, lines 17-58; i.e. the detection procedure classifies newly arrived data as either normal or abnormal); and 
when an anomaly is detected, triggering an alert (col. 54, lines 64-65).
Averbuch does not explicitly disclose computing a tripoint similarity matrix for each feature group in the set of feature groups; aggregating the tripoint similarity matrices for the set of feature groups to produce a crossmodal tripoint similarity matrix; using the crossmodal tripoint similarity matrix to cluster the multimodal dataset to form a model.
However, Urmanov discloses computing a tripoint similarity matrix for each feature group in the set of feature groups (Urmanov, FIG. 4, ¶ [0014]);  aggregating the tripoint similarity matrices for the set of feature groups to produce a crossmodal tripoint similarity matrix (Urmanov, FIG. 4, ¶ [0026]-[0030]); using the crossmodal tripoint similarity matrix to cluster the multimodal dataset to form a model (Urmanov, FIG. 4, ¶ [0031]-[0036]); 

Regarding claim 2, Averbuch in view of Urmanov discloses the method of claim 1, wherein the multimodal dataset comprises a table with n rows, wherein each of the n rows represents an event, and wherein each column of the table contains data values for a single variable (Urmanov, FIG. 4, ¶ [0030]); and wherein the tripoint similarity matrix for each of the feature groups is a sparse n x k tripoint similarity matrix V with n rows, wherein each row contains k similarity values for k nearest-neighbor rows of the row, and wherein indices for 8 the nearest-neighbor rows are stored in an associated n x k index matrix C (Urmanov, FIG. 4, ¶ [0026]-[0030]).
Regarding claim 4, Averbuch in view of Urmanov discloses the method of claim 2, wherein the method further comprises reducing a number of rows in a sparse similarity matrix by using an iterative staging process, wherein each iterative stage replaces neighborhoods of similar rows with representative rows (Urmanov, FIG. 4, ¶ [0038]).
Regarding claim 5, Averbuch in view of Urmanov discloses the method of claim 1, wherein aggregating the tripoint similarity matrices for the set of feature groups involves combining similarity values from the tripoint similarity matrices for the set of feature groups, wherein while combining two similarity values to produce a resulting similarity value: when the two similarity values are both positive, the resulting similarity value is greater than either of the two similarity values and is less than 1.0 (Urmanov, FIG. 4, ¶ [0020]-[0023]); when the two similarity values are both negative, the resulting 
Regarding claim 6, Averbuch in view of Urmanov discloses the method of claim 1, wherein clustering the multimodal dataset involves using a tripoint clustering technique (Urmanov, FIG. 4, ¶ [0031]-[0036]).
Regarding claim 7, Averbuch in view of Urmanov discloses the method of claim 1, wherein the different types of data in the multimodal dataset include two or more of the following: textual data; event data; numerical integer data; numerical floating-point data; audio data; and image data (Averbuch, FIG. 6, col. 10, lines 50-64; Urmanov, FIG. 4, ¶ [0011]).
Regarding claim 8, Averbuch in view of Urmanov discloses the method of claim 1, wherein the different types of data in the multimodal dataset originate from two or more of the following: a badge reader for a building that houses the computer system; a Wi-Fi system associated with the computer system; a single-sign-on (SSO) system associated with the computer system; an email server for the computer system; textual data in the computer system; a biometric reader for physical access; and numerical data in the computer system (Averbuch, FIG. 6, col. 10, lines 50-64; Urmanov, FIG. 4, ¶ [0011]).

Regarding claim 10, Averbuch in view of Urmanov discloses the method of claim 1, wherein when an anomaly is detected, the method further comprises performing a remedial action, which can include one of the following: informing a system administrator about the anomaly and providing contextual information; scheduling execution of diagnostics and/or security scanning applications on the affected parts of the computer system; suspending affected users or services; enforcing multi-factor authentication for affected users or services; initiating service migration from affected parts of the system; taking actions to facilitate reallocation and/or rebalancing affected resources and services; and modifying settings of firewalls to deny or throttle traffic to affected resources or services (Averbuch, col. 43, lines 64-67; Urmanov, ¶ [0011]).
Regarding claim 11, see claim 1 above for the same reasons of rejections.
Regarding claim 12, see claim 2 above for the same reasons of rejections.
Regarding claim 14, see claim 4 above for the same reasons of rejections.
Regarding claim 15, see claim 5 above for the same reasons of rejections.
Regarding claim 16, see claim 1 above for the same reasons of rejections.
Regarding claim 17, Averbuch discloses a system that performs prognostic-surveillance operations on a computer system, comprising: 
at least one processor and at least one associated memory (FIG. 6-8); and 

obtains a multimodal dataset containing two or more different types of data gathered during operation of the computer system, wherein the multimodal dataset includes time-series data for different variables associated with operation of the computer system (FIG. 2 & 6, col. 10, lines 16-64, col. 11, lines 19-47, col. 20, lines 37-47; i.e. obtaining multi-dimensional data comprising real time network data and non-network related data); 
forms a set of feature groups from the multimodal dataset, wherein each feature group comprises variables from the multimodal dataset containing the same type of data (col. 10, lines 16-64, col. 11, lines 1-17; i.e. processing the multi-dimensional data to provide statistical matrices of features); 
performs prognostic-surveillance operations on real-time multimodal data received from the computer system, wherein the prognostic-surveillance operations use the model as a classifier to detect anomalies FIG. 1, col. 5, line 28-col. 6, line 10, col. 11, lines 17-58; i.e. the detection procedure classifies newly arrived data as either normal or abnormal); and 
when an anomaly is detected, triggers an alert (col. 54, lines 64-65).
Averbuch does not explicitly disclose computes a tripoint similarity matrix for each feature group in the set of feature groups; aggregates the tripoint similarity matrices for the set of feature groups to produce a crossmodal tripoint similarity matrix; uses the crossmodal tripoint similarity matrix to cluster the multimodal dataset to form a model.

Therefore, it would have obvious to one of ordinary skill in the art before effective filing date of the claimed invention to incorporate Urmanov’s teaching into Averbuch in order to increase the accuracy of the anomaly detection (Urmanov, ¶ [0010]-[0012]).
Regarding claim 18, see claim 2 above for the same reasons of rejections.
Regarding claim 20, see claim 4 above for the same reasons of rejections.
Allowable Subject Matter
Claims 3, 13 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHI D NGUY whose telephone number is (571)270-7311.  The examiner can normally be reached on Monday-Friday 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/C.D.N/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435