DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Acknowledgement is made of Applicant's claim amendments on 7/2/2021. The claim amendments are entered. Presently, claims 1, 2, 6-12, 14-18, and 20 are now pending. Claims 3-5, 13, and 19 have been cancelled. Claims 1, 11, and 17 have been amended.

 Applicant has amended the specification to provide the requisite trademark designations for some of the marks. Accordingly, the specification objection is withdrawn.  

Applicant has canceled claim 19 to address the claim objection issue. Accordingly, the claim objection is withdrawn. 

Response to Arguments
Applicant's arguments filed on 7/2/2021 have been fully considered but they are not persuasive.

Applicant argues that the combination of the cited references fail to cure the deficiencies because they allegedly do not teach the newly amended claim limitations (Applicant’s Reply pgs. 

Applicant also argues that Gopalakrishnan	allegedly does not teach the claimed limitations because it does not teach that a future predicted value is based on a past predicted value (Applicant’s reply pg. 13). This is not persuasive. Gopalakrishnan discloses the use of a historical models, e.g. a Hidden Markov Model (HMM) or a Gaussian Mixture Model (GMM), etc., to make predictions. 
As stated in Gopalakrishnan, HMM can be used for predicting future states. HMMs can make a prediction about a state X based on observed states and hidden states by calculating probabilities, i.e. a forward probability and a backward probability between the state and the previous states. This is an iterative process that is updated as the HMM computes the probabilities in order to make an optimal prediction. The HMM can further optimize this computation by using an expectation-optimization (EM) algorithm, such as the Baum-Welch (BW) algorithm described in Gopalakrishnan. BW is also an iterative process that takes into account the current and previous data in order to perform the computations, i.e. the various states at a time of t-1 from a state X along with its corresponding probabilities of the HMM. By doing so, the BW algorithm can help train and optimize the HMM as it updates and learns. This is taught in Gopalakrishnan. Thus, the predictions made at a state X are being fed back into the model via the computations as previously described by nature of the HMM and BW’s operations. 
Likewise, Gopalakrishnan also teaches that a GMM can make predictions based on previous data. With GMM, the model looks at a Gaussian distribution of data to determine a relationship between the data, e.g. to cluster similar data together. The Gaussian mixture in the Gopalakrishnan when it discloses that the GMM learns and is utilized for its predictive ability. 
It is noted that Gopalakrishnan teaches various models because it recognizes that anomaly detection is a dynamic issue that may require a more adaptive/flexible detection technique to account for the fact that anomalies can vary depending on different factors, e.g. different data structure type, etc. Yet regardless of which model is being used to make the anomaly detection, the model is taking into account the predictions as it iteratively updates its computations to arrive at a more recent optimal prediction. 
Accordingly, Gopalakrishnan does teach the claim limitations by virtue of teaching the various models. It is understood that these models utilize iterative computations to arrive at an optimal probability determination that can predict whether an anomaly has occurred. Indeed the iterative processes of HMM with BW is known by PHOSITA (see e.g. Degirmenci), and similarly for the iterative process of GMM with its EM (see e.g. Bishop or Reynolds). Therefore, the argument is not persuasive. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 2, 7, 8, 10-12, 15, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Biem (U.S. Pat. App. Pre-Grant Pub. No. 2015/0347217, hereinafter Biem) in view of Leverich et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0065298, hereinafter Leverich) and Gopalakrishnan et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0285700, hereinafter Gopalakrishnan). 

Regarding claim 1, Biem teaches:
A system comprising:  
2a plurality of network devices associated with a cloud platform ([0028]: “the monitoring … are performed by one or more computing units 112 of computing system 110. In yet a further embodiment, the monitoring … are performed by the server and/or one or more of the computing units”, wherein the computing system can comprise a “cloud and/or enterprise system” ([0027]). The computing system can be coupled to a server that comprise a processor, with the processor comprising “one or more sensor modules 168 (a.k.a., sensors) used to collect data regarding the computing system and to provide one or more metrics regarding the data, referred to as key performance indicators” ([0036]-[0037]). Wherein the sensor(s) and the computing unit(s) can comprise the network devices.), 
each network 3device of the plurality of network devices configured to generate a respective 4data stream that includes a current value of a performance metric in real-time ([0055]: “For instance, the sensors collect data from one or more of the computing units 112, and provide that data to, for instance, an application, which based on the collected data generates values for one or more metrics. These metrics, referred to as key performance indicators (KPIs), include, for instance, the mean, standard deviation, or other types of metrics computed for each type of collected data. The computed metric values are obtained, e.g., by the sensors from the application, and input to predictor module 400.”); 
5a decision system in communication with the plurality of network devices, the 6decision system comprising ([0028]: “servers” or “computing units”, depending on a particular embodiment since either can be used for “monitoring and/or predicting” anomalies from the time series data.):  
7a processor ([0031] and [0035]-[0036]: “processor”);   
…; and 
8a non-transitory computer readable medium comprising instructions 9executable by the processor to ([0075]: “a computer program product 800 includes, for instance, one or more non-transitory computer readable storage media 802 to store computer readable program code means or logic 804 thereon to provide and facilitate one or more aspects of the present invention”.):  
10obtain, via the plurality of network devices, one or more data 11streams, each of the one or more data streams comprising real-12time time-series data indicative of a network activity generated 13by a respective network device ([0047]: “Referring to FIG. 3, initially, values for one or more metrics are obtained, STEP 300. For instance, the one or more sensors collect data in time series from one or more of the computing units. Time series is a sequence of data points, measured typically at successive time instants spaced at uniform time intervals. The data can be any type of data depending on the system being monitored. In this example, the data relates to the performance of the computing system, and thus, includes, for instance, response times, memory used, and/or number of transactions processed within a specified time period, etc. Based on this collected data, one or more values for one or more metrics relating to the collected data, such as the mean (e.g., average response time, average memory used, etc.), the standard deviation, etc., for each type of data collected, are computed.”);  
….……
While the cited reference teaches the limitations of claim 1, it does not explicitly teach: “a data stream buffer” on line 8 and “wherein one or more network devices of the plurality of network devices are configured to publish periodically data points to the data stream buffer, and the data stream buffer is configured to associate the published data points to their respective data streams” on lines 25-29. Leverich discloses the claim limitations, teaching:
“a data stream buffer”: describing various types of buffers, e.g. signal, reorder and output buffers, for the data (Leverich [0173]-[0180]), 
“wherein one or more network devices of the plurality of network devices are configured to publish periodically data points to the data stream buffer, and the data stream buffer is configured to associate the published data points to their respective data streams”: describing that various buffers for the data can be used to store and place/order the signal data based on various parameters such as timestamps on the various network devices (Leverich [0174]-[0180]). 
A periodic analysis wherein data points of a data stream may be extracted based on various key performance indicators (KPIs) categories for potential anomaly detection (Leverich [0145]-[0149]). Wherein the KPIs with the associated data points and info can be published/displayed to a user (Leverich [0123]-[0124]). 
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited reference to include the buffers in Leverich. Doing so would enable “[a] continuous anomaly detection service [that] receives data stream and performs continuous anomaly detection on the incoming data streams. This continuous anomaly detection is performed based on anomaly detection definitions, which define a signal used for anomaly detection and an anomaly detection configuration. These anomaly detection definitions can be modified, such that continuous anomaly detection continues to be performed for the data stream and the signal, based on the new anomaly detection definition.” (Leverich Abstract).

While the cited references disclose the limitations of claim 1, they do not explicitly teach: “1814build a historic model of historic data for a data stream of the one 15or more data streams; determine, in real-time, a predicted value of the data stream at a 17future time, based on the historic model; determine a second predicted value of the data stream at a second future time, based at least in part on the predicted value fed into the historic model; determine a variation between the predicted value and the current 19value of the data stream at the future time; 20determine whether an anomaly has occurred based on whether the 21variation exceeds a threshold variation, wherein the threshold 22variation is determined as a function of the historic model; and 23update the historic model based on the determination of whether 24the anomaly has occurred,” on lines 14-25. Gopalakrishnan discloses the claim limitations, teaching:
“14build a historic model of historic data for a data stream of the one 15or more data streams (Gopalakrishnan [0025]: describing an example model comprising “Supervised Time Series models using historical data”. See Gopalakrishnan [0042]-[0043]: describing that historical data can be derived from traffic data changes over time and that such data can be used to build various models based on this historical data, e.g. Gaussian Mixture ([0064]) or regressive ([0066]) or Hidden Markov ([0071]) models. An overview of the process is given at [0085]-[0086].);  
18 determine, in real-time, a predicted value of the data stream at a 17future time, based on the historic model (Gopalakrishnan [0070]-[0072] and Fig. 7: describing that the current data is observed at time t1 and state s1 that can be used to predict an anomaly at time tn and state sn. Similarly, see Gopalakrishnan [0075] and Fig. 9: describing network time series data that is currently being received and then being used to determine if “there is an anomaly in the data”.); 18
determine a second predicted value of the data stream at a second future time, based at least in part on the predicted value fed into the historic model (Gopalakrishnan [0043]-[0044] and [0072]: describing that the prediction of a future value is based on previously observed/predicted values. See also [0085]-[0086]: describing that the models can learn.);
determine a variation between the predicted value and the current 19value of the data stream at the future time (Gopalakrishnan [0043]: “In an embodiment, an anomaly is detected when the number of predicted values determined according to the primary predictor that differ from corresponding observed [time series data] values by more than a threshold exceeds a predefined number within a specified time period or window. In an embodiment, determining whether an anomaly is detected includes determining a likelihood of occurrence of the observed data point. In an embodiment, the anomaly is detected when the number of calculated likelihood values that fall below a threshold exceeds a predefined number within a specified time period. In an embodiment, the likelihood is computed according to a Gaussian Mixture Model (GMM) model or a Hidden Markov Model (HMM) model built (i.e., parameters learned) from the historical data.”);  
20determine whether an anomaly has occurred based on whether the 21variation exceeds a threshold variation, wherein the threshold 22variation is determined as a function of the historic model (Gopalakrishnan [0086]: “In an embodiment, the anomaly is detected when a predicted value determined according to the primary predictor differs from an observed value by more than a threshold. In an embodiment, the anomaly is detected when the number of predicted values determined according to the primary predictor that differ from corresponding observed values by more than a threshold exceeds a predefined number within a specified time period. In an embodiment, the primary predictor includes a Hidden Markov Model. In an embodiment, determining whether an anomaly is detected in the network time series data includes determining the anomaly according to a Hidden Markov Model. In an embodiment, the alternative predictor includes one of a current data predictor or a Gaussian Mixture Model (GMM). In an embodiment, determining whether an anomaly is detected includes determining a likelihood that the primary predictor will accurately predict a next observed data value within a specified range of acceptable values. In an embodiment, determining whether an anomaly is detected includes determining a likelihood of occurrence of the observed data point. In an embodiment, the anomaly is detected when the number of calculated likelihood values that fall below a threshold exceeds a predefined number within a specified time period. In an embodiment, the likelihood is computed according to a Gaussian Mixture Model (GMM) model built from the historical data. In an embodiment, the GMM model includes parameters learned from the historical data. In an embodiment, the likelihood is computed according to a Hidden Markov Model (HMM) model built from the historical data. In an embodiment, the HMM model includes parameters learned from the historical data.”); and  
23update the historic model based on the determination of whether 24the anomaly has occurred (Gopalakrishnan [0075]: “The method 900 begins at block 902 where a predictor receives network time series data. The predictor includes an anomaly detector that may have been trained using historical data. At block 904, the anomaly detector determines if there is an anomaly in the network time series data 904…. If, at block 904, an anomaly is detected, then the method 900 proceeds to block 908 where the predictor generates a prediction associated with the data using an alternate predictor.” Wherein “the alternative predictor includes one of a current data predictor and a Gaussian Mixture Model (GMM)” ([0087]) with the GMM comprising a “historical predictor” based on historical time series data ([0064]).),”.
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the determinations in Gopalakrishnan. Doing so would enable “[s]ystem and method embodiments … for adaptive anomaly detection based predictor for network data.” (Gopalakrishnan Abstract). Wherein such techniques can be used to predict network anomaly that can then be used by the system “to adjust network parameters” (Gopalakrishnan Abstract). 

Regarding claim 2, Biem teaches:
The system of claim 1, wherein the instructions are further executable by the 2processor to: 3poll one or more of the plurality of network devices for respective data streams ([0036], [0047], [0055]: describing that “the sensors collect data from one or more of the computing units 112, and provide that data to, for instance, an application, which based on the collected data generates values for one or more metrics. These metrics, referred to as key performance indicators (KPIs)”.).

Regarding claim 7, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, Leverich further teaches: “wherein the instructions are further executable by the processor to: 3determine a pattern of anomalies in the historic model of the data stream; and 4trigger an alert responsive to a determination of the pattern of anomalies in the 5data stream”. Leverich discloses the claim limitations, teaching:
“wherein the instructions are further executable by the processor to: 3determine a pattern of anomalies in the historic model of the data stream (Leverich [0141]-[0142]: describing that historical data and that “when an anomaly definition is initially configured, it may be desired to access a prior store of data (e.g., historical data 908) to establish the necessary number of the sequential set of data points in the first instance [that signals the occurrence of an anomaly]”.); and 
4trigger an alert responsive to a determination of the pattern of anomalies in the 5data stream (Leverich [0113]: describing that when an anomaly is detected, an anomaly score can be determined wherein “the anomaly scores may be compared to one or more thresholds in order to determine whether an anomaly has occurred and what types of alerts should be provided in response to a detected anomaly”.) ”.
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the anomaly detection and alerts in Leverich. A motivation to combine the cited references with Leverich was previously given.



Regarding claim 8, Biem teaches:
The system of claim 1, wherein the instructions are further executable by the 2processor to:  3predict, based on the presence of anomalies in the data stream, whether an 4incident will occur at respective network device of the plurality of network 5devices associated with the data ([0055]: describing that the “a predictor module 400 receives input from one or more sensors. For instance, the sensors collect data from one or more of the computing units 112, and provide that data to, for instance, an application, which based on the collected data generates values for one or more metrics” (Biem [0055]). An output of the predictions can then be sent to a “seasonal residual component”, “combination module”, and “statistical model module” to compute the “predicted anomaly” (see Biem [0066] and [0068]-[0069]). Whereby such a predicted anomaly is associated with the various sensors and their corresponding networked computing devices.).

Regarding claim 10, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, Leverich further teaches: “The system of claim 1, wherein the instructions are further executable by the 2processor to: 3receive analyst feedback indicative of whether to flag the variation as an anomaly; 4and 5update the historic model based on the analyst feedback.” Leverich discloses the claim limitations, teaching: 
“The system of claim 1, wherein the instructions are further executable by the 2processor to:  
3receive analyst feedback indicative of whether to flag the variation as an anomaly (Leverich [0125]-[0126]: describing that the user can provide feedback in real-time to the system regarding the anomaly detection and classification.); 4and
(Leverich [0123] and [0125]-[0126]: describing that a user can give feedback via a sensitivity setting, whereby a higher setting would result in a lower anomaly detection as determined by evaluating with historical data.).”
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the anomaly detection and feedback in Leverich. A motivation to combine the cited references with Leverich was previously given.

Regarding claim 11, Biem teaches:
An apparatus comprising:  
2a processor ([0031] and [0035]-[0036]: “processor”);  
…; and
3a non-transitory computer readable medium comprising instructions executable by 4the processor to ([0075]: “a computer program product 800 includes, for instance, one or more non-transitory computer readable storage media 802 to store computer readable program code means or logic 804 thereon to provide and facilitate one or more aspects of the present invention”.):  
5obtain, via a plurality of network devices, one or more data streams, each of the one or more data streams comprising real-time time-series data 49indicative of a network activity generated by a respective network device ([0047]: “Referring to FIG. 3, initially, values for one or more metrics are obtained, STEP 300. For instance, the one or more sensors collect data in time series from one or more of the computing units. Time series is a sequence of data points, measured typically at successive time instants spaced at uniform time intervals. The data can be any type of data depending on the system being monitored. In this example, the data relates to the performance of the computing system, and thus, includes, for instance, response times, memory used, and/or number of transactions processed within a specified time period, etc. Based on this collected data, one or more values for one or more metrics relating to the collected data, such as the mean (e.g., average response time, average memory used, etc.), the standard deviation, etc., for each type of data collected, are computed.”);  
….

While the cited reference teaches the limitations of claim 11, it does not explicitly teach: “a data stream buffer” on line 3 and “U.S. Application No. wherein one or more network devices of the plurality of network devices are configured to publish periodically data points to the data stream buffer, and the data stream buffer is configured to associate the published data points to their respective data streams” on lines 20-24. Leverich discloses the claim limitations, teaching:
“a data stream buffer”: describing various types of buffers, e.g. signal, reorder and output buffers, for the data (Leverich [0173]-[0180]), 
“wherein one or more network devices of the plurality of network devices are configured to publish periodically data points to the data stream buffer, and the data stream buffer is configured to associate the published data points to their respective data streams”: describing that various buffers for the data can be used to store and place/order the signal data based on various parameters such as timestamps on the various network devices (Leverich [0174]-[0180]). 
A periodic analysis wherein data points of a data stream may be extracted based on various key performance indicators (KPIs) categories for potential anomaly detection (Leverich [0145]-[0149]). Wherein the KPIs with the associated data points and info can be published/displayed to a user (Leverich [0123]-[0124]). 
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the apparatus in the cited reference to include the buffers in Leverich. Doing so would enable “[a] continuous anomaly detection service [that] receives data stream and performs continuous anomaly detection on the incoming data streams. This continuous anomaly detection is performed based on anomaly detection definitions, which define a signal used for anomaly detection and an anomaly detection configuration. These anomaly detection definitions can be modified, such that continuous anomaly detection continues to be performed for the data stream and the signal, based on the new anomaly detection definition.” (Leverich Abstract).

While the cited references disclose the limitations of claim 11, they do not explicitly teach: “18149build a historic model of historic data for a data stream of the one or more 10data streams; 11determine, in real-time, a predicted value of the data stream at a future 12time, based on the historic model; 13determine a second predicted value of the data stream at a second future time, based at least in part on the predicted value fed into the historic model; determine a variation between the predicted value and the current value of 14the data stream at the future time; 15determine whether an anomaly has occurred based on whether the 16variation exceeds a threshold variation, wherein the threshold variation 17is determined as a function of the historic model; and 18update the historic Gopalakrishnan discloses the claim limitations, teaching:
“14build a historic model of historic data for a data stream of the one or more 10data streams (Gopalakrishnan [0025]: describing an example model comprising “Supervised Time Series models using historical data”. See Gopalakrishnan [0042]-[0043]: describing that historical data can be derived from traffic data changes over time and that such data can be used to build various models based on this historical data, e.g. Gaussian Mixture ([0064]) or regressive ([0066]) or Hidden Markov ([0071]) models. An overview of the process is given at [0085]-[0086].);  
determine, in real-time, a predicted value of the data stream at a future 12time, based on the historic model (Gopalakrishnan [0070]-[0072] and Fig. 7: describing that the current data is observed at time t1 and state s1 that can be used to predict an anomaly at time tn and state sn. Similarly, see Gopalakrishnan [0075] and Fig. 9: describing network time series data that is currently being received and then being used to determine if “there is an anomaly in the data”.);  18 
determine a second predicted value of the data stream at a second future time, based at least in part on the predicted value fed into the historic model (Gopalakrishnan [0043]-[0044] and [0072]: describing that the prediction of a future value is based on previously observed/predicted values. See also [0085]-[0086]: describing that the models can learn.);
determine a variation between the predicted value and the current value of 14the data stream at the future time (Gopalakrishnan [0043]: “In an embodiment, an anomaly is detected when the number of predicted values determined according to the primary predictor that differ from corresponding observed [time series data] values by more than a threshold exceeds a predefined number within a specified time period or window. In an embodiment, determining whether an anomaly is detected includes determining a likelihood of occurrence of the observed data point. In an embodiment, the anomaly is detected when the number of calculated likelihood values that fall below a threshold exceeds a predefined number within a specified time period. In an embodiment, the likelihood is computed according to a Gaussian Mixture Model (GMM) model or a Hidden Markov Model (HMM) model built (i.e., parameters learned) from the historical data.”);  
20 determine whether an anomaly has occurred based on whether the 16variation exceeds a threshold variation, wherein the threshold variation 17is determined as a function of the historic model (Gopalakrishnan [0086]: “In an embodiment, the anomaly is detected when a predicted value determined according to the primary predictor differs from an observed value by more than a threshold. In an embodiment, the anomaly is detected when the number of predicted values determined according to the primary predictor that differ from corresponding observed values by more than a threshold exceeds a predefined number within a specified time period. In an embodiment, the primary predictor includes a Hidden Markov Model. In an embodiment, determining whether an anomaly is detected in the network time series data includes determining the anomaly according to a Hidden Markov Model. In an embodiment, the alternative predictor includes one of a current data predictor or a Gaussian Mixture Model (GMM). In an embodiment, determining whether an anomaly is detected includes determining a likelihood that the primary predictor will accurately predict a next observed data value within a specified range of acceptable values. In an embodiment, determining whether an anomaly is detected includes determining a likelihood of occurrence of the observed data point. In an embodiment, the anomaly is detected when the number of calculated likelihood values that fall below a threshold exceeds a predefined number within a specified time period. In an embodiment, the likelihood is computed according to a Gaussian Mixture Model (GMM) model built from the historical data. In an embodiment, the GMM model includes parameters learned from the historical data. In an embodiment, the likelihood is computed according to a Hidden Markov Model (HMM) model built from the historical data. In an embodiment, the HMM model includes parameters learned from the historical data.”); and  
update the historic model based on the determination of whether the 19anomaly has occurred23 (Gopalakrishnan [0075]: “The method 900 begins at block 902 where a predictor receives network time series data. The predictor includes an anomaly detector that may have been trained using historical data. At block 904, the anomaly detector determines if there is an anomaly in the network time series data 904…. If, at block 904, an anomaly is detected, then the method 900 proceeds to block 908 where the predictor generates a prediction associated with the data using an alternate predictor.” Wherein “the alternative predictor includes one of a current data predictor and a Gaussian Mixture Model (GMM)” ([0087]) with the GMM comprising a “historical predictor” based on historical time series data ([0064]).),”.
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the apparatus in the cited references to include the determinations in Gopalakrishnan. Doing so would enable “[s]ystem and method embodiments … for adaptive anomaly detection based predictor for network data.” (Gopalakrishnan Abstract). Wherein such techniques can be used to predict network anomaly that can then be used by the system “to adjust network parameters” (Gopalakrishnan Abstract).

Regarding claim 12, claim 12 is substantially similar to claim 2 and therefore is rejected on the same ground as claim 2. Claim 12 is an apparatus claim that corresponds to system claim 2.

Regarding claim 15, the rejection of claim 11 is incorporated. While the cited references teach the claim limitations, Leverich further teaches: “wherein the instructions are further executable by the 2processor to: 3trigger an alert responsive to a determination that an anomaly has occurred in the 4data stream for two consecutive polling cycles , wherein a new data point of 5the data stream is generated periodically every polling cycle.” Leverich discloses the claim limitations, teaching: anomaly detection “by comparing data points within a single signal for a single anomaly detection definition with other data points of the same signal. Trending anomaly detection may be performed on the data to determine whether any points (or set of points) within the sequential set of data points of the signal correspond to an anomaly. In this manner, a trending anomaly detection analysis may analyze not only the most recent data point or set of data points, but may continuously determine whether prior data points correspond to an anomaly based on the sequential set of data points of the signal that is currently within the data queue” (Leverich [0111]). Wherein the data queue can be “modified to accommodate different data window selections [of data streams]” (Leverich [0109]) and comprises of “a circular queue that replaces the oldest data points with the most recent data points as incoming received data points” (Leverich [0179]). 
The data can comprise a sequential set of data that can then be used for anomaly detection and triggering alerts when an anomaly is detected. When an anomaly is detected, an anomaly score can be determined wherein “the anomaly scores may be compared to one or more thresholds in order to determine whether an anomaly has occurred and what types of alerts should be provided in response to a detected anomaly” (Leverich [0113]). 
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the anomaly detection in Leverich. A motivation to combine the cited references with Leverich was previously given.

Regarding claim 17, Biem teaches:
A method comprising:  
2obtaining, via a decision support system ([0028]: describing “servers” or “computing units”, depending on a particular embodiment since either can be used for “monitoring and/or predicting” anomalies from the time series data.), one or more data streams, each of the 3one or more data streams associated with a respective network device, 4wherein each of the one or more data streams includes real-time time-series 5data indicative of a network activity generated by the respective network 6device ([0047]: “Referring to FIG. 3, initially, values for one or more metrics are obtained, STEP 300. For instance, the one or more sensors collect data in time series from one or more of the computing units. Time series is a sequence of data points, measured typically at successive time instants spaced at uniform time intervals. The data can be any type of data depending on the system being monitored. In this example, the data relates to the performance of the computing system, and thus, includes, for instance, response times, memory used, and/or number of transactions processed within a specified time period, etc. Based on this collected data, one or more values for one or more metrics relating to the collected data, such as the mean (e.g., average response time, average memory used, etc.), the standard deviation, etc., for each type of data collected, are computed.”);  
….

While Biem discloses the limitations of claim 17, it does not explicitly teach: “18147creating, via the decision support system, a historic model of historic data for a data stream of the one or more data streams; 51determining, via the decision support system, a predicted value of the data stream at a future time, based on the historic model; 11determining, via the decision support system, a second predicted value of the data stream at a second future time, based at least in part on the predicted value fed into the historic model; determining, via the decision support system, a variation between the predicted 12value and the current value of the data stream at the future time; 13determining, via the decision support system, whether an anomaly has occurred in 14the data stream based on whether the variation exceeds a threshold variation, 15wherein the threshold variation is determined as a function of the historic 16model; and 17updating, via the decision support system, the historic model based on the 18determination of whether the anomaly has occurred,” on lines 6-18. Gopalakrishnan discloses the claim limitations, teaching:
“14creating, via the decision support system, a historic model of historic data for a data stream of the one or more data streams (Gopalakrishnan [0025]: describing an example model comprising “Supervised Time Series models using historical data”. See Gopalakrishnan [0042]-[0043]: describing that historical data can be derived from traffic data changes over time and that such data can be used to build various models based on this historical data, e.g. Gaussian Mixture ([0064]) or regressive ([0066]) or Hidden Markov ([0071]) models. An overview of the process is given at [0085]-[0086].);  
determining, via the decision support system, a predicted value of the data stream at a future time, based on the historic model 18 (Gopalakrishnan [0070]-[0072] and Fig. 7: describing that the current data is observed at time t1 and state s1 that can be used to predict an anomaly at time tn and state sn. Similarly, see Gopalakrishnan [0075] and Fig. 9: describing network time series data that is currently being received and then being used to determine if “there is an anomaly in the data”.); 18
determining, via the decision support system, a second predicted value of the data stream at a second future time, based at least in part on the predicted value fed into the historic model (Gopalakrishnan [0043]-[0044] and [0072]: describing that the prediction of a future value is based on previously observed/predicted values. See also [0085]-[0086]: describing that the models can learn.);
determining, via the decision support system, a variation between the predicted 12value and the current value of the data stream at the future time (Gopalakrishnan [0043]: “In an embodiment, an anomaly is detected when the number of predicted values determined according to the primary predictor that differ from corresponding observed [time series data] values by more than a threshold exceeds a predefined number within a specified time period or window. In an embodiment, determining whether an anomaly is detected includes determining a likelihood of occurrence of the observed data point. In an embodiment, the anomaly is detected when the number of calculated likelihood values that fall below a threshold exceeds a predefined number within a specified time period. In an embodiment, the likelihood is computed according to a Gaussian Mixture Model (GMM) model or a Hidden Markov Model (HMM) model built (i.e., parameters learned) from the historical data.”);  
20determining, via the decision support system, whether an anomaly has occurred in 14the data stream based on whether the variation exceeds a threshold variation, 15wherein the threshold variation is determined as a function of the historic 16model (Gopalakrishnan [0086]: “In an embodiment, the anomaly is detected when a predicted value determined according to the primary predictor differs from an observed value by more than a threshold. In an embodiment, the anomaly is detected when the number of predicted values determined according to the primary predictor that differ from corresponding observed values by more than a threshold exceeds a predefined number within a specified time period. In an embodiment, the primary predictor includes a Hidden Markov Model. In an embodiment, determining whether an anomaly is detected in the network time series data includes determining the anomaly according to a Hidden Markov Model. In an embodiment, the alternative predictor includes one of a current data predictor or a Gaussian Mixture Model (GMM). In an embodiment, determining whether an anomaly is detected includes determining a likelihood that the primary predictor will accurately predict a next observed data value within a specified range of acceptable values. In an embodiment, determining whether an anomaly is detected includes determining a likelihood of occurrence of the observed data point. In an embodiment, the anomaly is detected when the number of calculated likelihood values that fall below a threshold exceeds a predefined number within a specified time period. In an embodiment, the likelihood is computed according to a Gaussian Mixture Model (GMM) model built from the historical data. In an embodiment, the GMM model includes parameters learned from the historical data. In an embodiment, the likelihood is computed according to a Hidden Markov Model (HMM) model built from the historical data. In an embodiment, the HMM model includes parameters learned from the historical data.”); and  
23 updating, via the decision support system, the historic model based on the 18determination of whether the anomaly has occurred (Gopalakrishnan [0075]: “The method 900 begins at block 902 where a predictor receives network time series data. The predictor includes an anomaly detector that may have been trained using historical data. At block 904, the anomaly detector determines if there is an anomaly in the network time series data 904…. If, at block 904, an anomaly is detected, then the method 900 proceeds to block 908 where the predictor generates a prediction associated with the data using an alternate predictor.” Wherein “the alternative predictor includes one of a current data predictor and a Gaussian Mixture Model (GMM)” ([0087]) with the GMM comprising a “historical predictor” based on historical time series data ([0064]).),”.
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the method in Biem to include the determinations in Gopalakrishnan. Doing so would enable “[s]ystem and method embodiments … for adaptive anomaly detection based predictor for network data.” (Gopalakrishnan Abstract). Wherein such techniques can be used to predict network anomaly that can then be used by the system “to adjust network parameters” (Gopalakrishnan Abstract).

While the cited references teach the limitations of claim 17, they do not explicitly teach: “U.S. Application No. U.S. Application No. wherein publishing periodically, by the respective network device, data points for each of the one or more data streams to a data stream buffer, and associating, by the data stream buffer, the published data points to their respective data streams” on lines 17-20. Leverich discloses the claim limitations, teaching: various types of buffers, e.g. signal, reorder and output buffers, for the data, wherein the various buffers for the data can be used to store and place/order the signal data based on various parameters such as timestamps on the various network devices (Leverich [0173]-[0180]).
A periodic analysis wherein data points of a data stream may be extracted based on various key performance indicators (KPIs) categories for potential anomaly detection (Leverich [0145]-[0149]). Wherein the KPIs with the associated data points and info can be published/displayed to a user (Leverich [0123]-[0124]).  
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the method in the cited references to include the buffers in Leverich. Doing so would enable “[a] continuous anomaly detection service [that] receives data stream and performs continuous anomaly detection on the incoming data streams. This continuous anomaly detection is performed based on anomaly detection definitions, which define a signal used for anomaly detection and an anomaly detection configuration. These anomaly detection definitions can be modified, such that continuous anomaly detection continues to be performed for the data stream and the signal, based on the new anomaly detection definition.” (Leverich Abstract).


Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Biem (U.S. Pat. App. Pre-Grant Pub. No. 2015/0347217, hereinafter Biem), Leverich et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0065298, hereinafter Leverich), and Gopalakrishnan et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0285700, hereinafter Gopalakrishnan) in view of Greenhill et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2008/0297513, hereinafter Greenhill).

Regarding claim 6, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, they do not explicitly teach: “3 wherein the instructions are further executable by the 2processor to: retrieve metadata associated with the data stream, the metadata indicative of a 4range of a minimum value and maximum value of the data stream based on a 5type of the performance metric associated with the data stream.” Greenhill discloses the claim limitations, teaching: 
“wherein the instructions are further executable by the 2processor to:
3retrieve metadata associated with the data stream (Greenhill [0052]-[0053] and [0101]-[0112]: describing that the “Process Data Management System (PDMS)” can obtain metadata from the data/text streams related to an event.), 
the metadata indicative of a 4range of a minimum value and maximum value of the data stream based on a 5type of the performance metric associated with the data stream (Greenhill [0072]: describing that the process data, from which metadata can be derived, can include various “certain statistics of the data 14 are calculated and stored in the process database 20 with the data stream. These include: mean, standard deviation, various central moments (skewness, kurtosis), maximum, minimum, and frequency distribution (represented as a histogram using a pre-set number of frequency bins”.)
 to include the metadata in Greenhill. Doing so would enable a “method of analysis suitable for process control, comprises the steps of: receiving first data streams representing values from a process; receiving second data streams representing states of the process; recording metadata about the data streams; calculating relationships between pairs of the data streams; and recording relationship data resulting from the calculating step together with an association between at least one relationship datum and its corresponding meta-data.” (Greenhill Abstract).

Claim 9, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Biem (U.S. Pat. App. Pre-Grant Pub. No. 2015/0347217, hereinafter Biem), Leverich et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0065298, hereinafter Leverich), and Gopalakrishnan et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0285700, hereinafter Gopalakrishnan) in view of Futamura et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2007/0150949, hereinafter Futmura).

Regarding claim 9, the rejection of claim 1 is incorporated. While the cited references teach the claim limitations, they do not explicitly teach: “wherein the instructions are further executable by the 2processor to: 3perform a remedial action responsive to determining the presence of the anomaly 4on the data stream, wherein the remedial action includes determining one or 5more network devices of the plurality of network devices associated with the 6anomaly”. Fatamura discloses the claim limitations, teaching: that “[i]f an anomaly is detected, the ADS [anomaly detection server] 101 in step 215 triggers an alarm, e.g., by sending a notification to appropriate personnel, taking remedial action (e.g., automatically blocking traffic from a particular sender), or performing some other operation specified to be performed when an alarm is triggered, and optionally based on the type of alarm” (Fatamura [0033]). 
See also [0030]: describing the operation of the ADS via various hardware/software configurations and at various network locations. 
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the remedial action in Fatamura. Doing so would enable “methodologies and systems for detecting an anomaly in a flow of data or data stream…. [Wherein if an anomaly is detected as determined when a] deviation exceeds the predetermined amount, an alarm is triggered.” (Fatamura Abstract). See also Fatamura [0029]: describing various applications of the anomaly detection methodologies. 

Regarding claim 16, claim 16 is substantially similar to claim 9 and therefore is rejected on the same ground as claim 9. Claim 16 is an apparatus claim that corresponds to system claim 9.

Regarding claim 20, claim 20 is substantially similar to claim 9 and therefore is rejected on the same ground as claim 9. Claim 20 is a method claim that corresponds to system claim 9.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Biem (U.S. Pat. App. Pre-Grant Pub. No. 2015/0347217, hereinafter Biem), Leverich et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0065298, hereinafter Leverich), and Gopalakrishnan et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0285700, hereinafter Gopalakrishnan) in view of Raman et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0179588, hereinafter Raman).

Regarding claim 14, the rejection of claim 11 is incorporated. While the cited references teaches the claim limitations, they do not explicitly teach: “wherein the instructions are further executable by the 2processor to: 3determine the threshold variation for a data stream based, at least in part, on a 4range of a minimum value and a maximum value of the data stream, wherein 5the range of the minimum value and the maximum value is updated in real-6time, and is based, at least in part, on metadata associated with a type of the 7performance metric associated with the data stream”. Raman discloses the claim limitations, teaching:
“wherein the instructions are further executable by the 2processor to:  
3determine the threshold variation for a data stream based, at least in part, on a 4range of a minimum value and a maximum value of the data stream (Raman [0187]-[0188]: “A dynamic threshold value is obtained as a result of execution of a data stream language program. A threshold block may specify either one of low/high threshold or both.
The input to the threshold block may be a plurality of data stream values generated as a result of executing blocks of a data stream language program, for example, a plurality of data streams obtained as a result of grouping a set of input data streams.”), 
wherein 5the range of the minimum value and the maximum value is updated in real-6time (Raman [0187]-[0188]: describing that an incoming plurality of data stream can comprise minimum or maximum values that can be allotted to a fixed/dynamic threshold value.), and 
(Raman [0058]-[0059]: describing metadata attributes that can comprise source and metric data, wherein metadata can be “[a] value of a dimension is also referred to as a coordinate value of the data stream. A coordinate value may be represented as a metadata attribute stored in the metadata store 230.”).
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the apparatus in the cited references to include the threshold and max and min in Raman. Doing so would enable “[a]n instrumentation analysis system processes data streams by executing instructions specified using a data stream language program. The data stream language allows users to specify a search condition using a find block for identifying the set of data streams processed by the data stream language program. The set of identified data streams may change dynamically. The data stream language allows users to group data streams into sets of data streams based on distinct values of one or more metadata attributes associated with the input data streams. The data stream language allows users to specify a threshold block for determining whether data values of input data streams are outside boundaries specified using low/high thresholds. The elements of the set of data streams input to the threshold block can dynamically change. The low/high threshold values can be specified as data streams and can dynamically change.” (Raman Abstract). 
 
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Biem (U.S. Pat. App. Pre-Grant Pub. No. 2015/0347217, hereinafter Biem), Gopalakrishnan et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0285700, hereinafter Gopalakrishnan), and Leverich et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2019/0065298, hereinafter Leverich) in view of Greenhill et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2008/0297513, hereinafter Greenhill) and Raman et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2016/0179588, hereinafter Raman).

Regarding claim 18, the rejection of claim 17 is incorporated. While the cited references teaches the claim limitations, they do not explicitly teach: “2retrieving, via the decision support system, metadata associated with the data 3stream, the metadata indicative of a range of a minimum value and maximum 4value of the data stream based on a type of the performance metric associated 5with the data stream; and 6determining, via the decision support system, the threshold variation for the data 7stream based, at least in part, on the range of the minimum value and 8maximum value of a data stream, wherein the range of the minimum value 9and maximum value is updated in real-time based on the current value of the 10data stream.” Greenhill discloses the claim limitations, teaching:
“2retrieving, via the decision support system, metadata associated with the data 3stream (Greenhill [0052]-[0053] and [0101]-[0112]: describing that the “Process Data Management System (PDMS)” can obtain metadata from the data/text streams related to an event.), 
the metadata indicative of a range of a minimum value and maximum 4value of the data stream based on a type of the performance metric associated 5with the data stream (Greenhill [0072]: describing that the process data, from which metadata can be derived, can include various “certain statistics of the data 14 are calculated and stored in the process database 20 with the data stream. These include: mean, standard deviation, various central moments (skewness, kurtosis), maximum, minimum, and frequency distribution (represented as a histogram using a pre-set number of frequency bins”.); and  

Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the system in the cited references to include the metadata in Greenhill. Doing so would enable a “method of analysis suitable for process control, comprises the steps of: receiving first data streams representing values from a process; receiving second data streams representing states of the process; recording metadata about the data streams; calculating relationships between pairs of the data streams; and recording relationship data resulting from the calculating step together with an association between at least one relationship datum and its corresponding meta-data.” (Greenhill Abstract).

While the cited references teach the limitations of claim 18, they do not explicitly teach: “determining, via the decision support system, the threshold variation for the data 7stream based, at least in part, on the range of the minimum value and 8maximum value of a data stream, wherein the range of the minimum value 9and maximum value is updated in real-time based on the current value of the 10data stream” on lines 6-10. Raman discloses the claim limitations, teaching:
“determining, via the decision support system, the threshold variation for the data 7stream based, at least in part, on the range of the minimum value and 8maximum value of a data stream (Raman [0187]-[0188]: “A dynamic threshold value is obtained as a result of execution of a data stream language program. A threshold block may specify either one of low/high threshold or both.
The input to the threshold block may be a plurality of data stream values generated as a result of executing blocks of a data stream language program, for example, a plurality of data streams obtained as a result of grouping a set of input data streams.”),
wherein the range of the minimum value 9and maximum value is updated in real-time based on the current value of the 10data stream (Raman [0187]-[0188]: describing that an incoming plurality of data stream can comprise minimum or maximum values that can be allotted to a fixed/dynamic threshold value.)”.
Thus, it would have been obvious to Person Having Ordinary Skill in the Art (PHOSITA) before the effective filing date (EFD) to modify the apparatus in the cited references to include the threshold and max and min in Raman. Doing so would enable “[a]n instrumentation analysis system processes data streams by executing instructions specified using a data stream language program. The data stream language allows users to specify a search condition using a find block for identifying the set of data streams processed by the data stream language program. The set of identified data streams may change dynamically. The data stream language allows users to group data streams into sets of data streams based on distinct values of one or more metadata attributes associated with the input data streams. The data stream language allows users to specify a threshold block for determining whether data values of input data streams are outside boundaries specified using low/high thresholds. The elements of the set of data streams input to the threshold block can dynamically change. The low/high threshold values can be specified as data streams and can dynamically change.” (Raman Abstract).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

The prior art made of record as cited and not relied upon is considered pertinent to Applicant's disclosure:
Vela et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2014/0111517): describing forecasting model with key performance indicators (KPI) to determine anomalous data for network traffic. The forecast model can analyze the historical information to identify anomalous behavior and predict future operations of the system. The model can also correct the anomalous data. 
Wang et. al. (U.S. Pat. App. Pre-Grant Pub. No. 2012/0303413)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SELENE A HAEDI whose telephone number is (571)270-5762.  The examiner can normally be reached on M-F 11 AM - 7 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li B Zhen can be reached on (571)272-3768.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.H./Examiner, Art Unit 2121  





/Li B. Zhen/Supervisory Patent Examiner, Art Unit 2121