DETAILED ACTION
 	Claims 1-27 are pending. This is in response to the application filed on November 13, 2019.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
Claim 5 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. The claim recites “the object” but claim 3 recites “metric sources of objects”. It is unclear which object of which node the claim refers to.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the terms 
10. A computer system to proactively manage resources in a distributed computing system, the system comprising: one or more hardware processors; one or more physical data-storage devicesstoring machine-readable instructions that when executed using the one or more processors…
Claims 11-18 are rejected as being dependent to claim 10.
 	Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a process to collect streaming data periodically in a distributed system for anomaly. Collecting data for analysis is known as an abstract idea. This judicial exception is not integrated into a practical application because generating an alert and displaying the streams of metric data and log messages associated with the anomalous behavior in a graphical user interface does not improve the distributed computing system if malicious application executing in the system is detected. Moreover, using a processor to perform analysis is recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of performing log message analysis on log messages associated with the nodes to detect anomalous behavior). The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the 
 	Claims 2-9 are rejected with same reasoning above since they only recite in detail on how stream of metric data and log message are analyzed.
	Claims 10 and 19 are rejected with same reasoning presented in claim 1 rejection.
	Claims 11-18 and 20-27 are also rejected with same reasoning.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 10 and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by PG Pub 20160110549 (hereinafter Schmitt)
Regarding claim 1, Schmitt discloses a process stored in one or more data-storage devices and executed using one or more processors of a computer system to detect and troubleshoot anomalous behavior of an application executing in a distributed computing system (par. [0014]-[0019] discloses scanning targeted software for security flaws in a network utilized in any data processing scenario including, for example, a cloud computing service such as a Software as a Service (SaaS), a Platform as a Service (PaaS), a Infrastructure as a Service (IaaS), application program interface (API) as a service (APIaaS), or other forms of network services), the process comprising: 
 	discovering nodes comprising the application (par. [0033] discloses analyzing target software for security vulnerabilities for a number of iterations over a period of time. Since it can be sued as Saas or APIaaS mentioned above. This suggests to analyze target software for vulnerabilities it has to know which device(s) running the target software);
 	 performing anomaly detection on multiple streams of metric data associated with the nodes in a time frame, the time frame containing the most recently generated metric values of the streams of metric data (Fig. 3, par. [0036]–[0043] disclose the analysis performs based on a combination of a defined number of iterations of obtaining statistical data over a defined period of time such as daily, weekly, monthly, or yearly); 
 	performing log message analysis on log messages associated with the nodes to detect anomalous behavior recorded in the log messages in the time frame (par. [0040]-[0041] disclose statistical data stored in the historical scan database is analyzed for 
 	generating an alert and displaying the streams of metric data and log messages associated with the anomalous behavior in a graphical user interface when anomalous behavior is detected in at least one of the one or more streams of metric data and the log messages (par. [0042] discloses when the security flaws identified by the security correlation module the prioritized security flaws are presented to a user via the output devices). 
	Claims 10 and 19 are rejected in view of claim 1 rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3, 11-13 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Schmitt in view of PG Pub 20140237595 (hereinafter Sridhara)
 	Regarding claim 2, Schmitt does not disclose wherein discovering the structure of nodes comprising the application comprises: partitioning nodes executing in the distributed computing system into types based on information streamed from agents within each node; determining which nodes have communications connections; and identifying nodes comprising the application based on the node types and nodes with communication connections. Sridhara discloses classifying mobile devices based on device specific features or state specific features (Fig. 2 and par. [0063]-[00090] discloses having a behavior observer unit (e.g. agent) and behavior analyzer unit to identify malicious software applications where identifying data network activity, which may include types of connections, protocols, port numbers, server/client that the device is connected to, the number of connections, volume or frequency of communications, etc. Furthermore, Sridhara discloses having a device-specific feature generator to classify the device based on Bluetooth capability, iPhone configured for Verizon network, etc. (Fig. 3 and par. [0097]-[0104]) where all of the information stored in in a device-specific classifier database on the server’s side.  Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Schmitt with Sridhara to teach the claimed features. One would have done so to prevent malicious software that can negatively impact a mobile computing device's long-term and continued performance and power utilization levels that is beneficial to consumers. 	Regarding claim 3, Schmitt discloses modules to predicting and prioritizing  performing anomaly detection on the multiple streams of metric data comprises: for each time frame, receiving multiple streams of metric data generated by metric sources of objects executing the nodes, updating a performance model based on most recently received metric values of the streams of metric data, and detecting changes in one or more of the streams of metric data based on the updated performance model by modifying the modules of predicting and prioritizing software security flaws, in Schmitt,  based on the process of updating device-specific lean classifier model in Sridhara to detect the most relevant malware behavior to provide an improved solution over "one-size-fits-all" approach (Sridhara, par. [0167]).
	Claims 11-13 and 20-21 are rejected in view of claims 2-3 rejections respectively.

Claims 4, 13 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Schmitt in view of Sridhara and further in view of PG Pub 20190124099 (hereinafter Maselyukh) 	Regarding claim 4, Schmitt and Sridhara do not disclose for new metric values of the streams of metric data, computing a mean of the recently received metric values; computing a sample standard deviation of the recently received metric values; and for each new metric value of the streams of metric data, computing a standard-score model based on the recently received metric value, the mean, and the sample standard deviation. Maselyukh discloses data streams collected then partitioned into time intervals where a value associated with each data stream for each of the plurality of time intervals is calculated a deviation for an anomaly in the collected data streams if the calculated deviation is above a threshold (Fig. 2, par. [0010] and [0041]-[0093]). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Schmitt and Sridhara with Maselyukh to teach the claimed features. One would have done so to improve anomaly detection that can reduce the number of false positive detections whilst also improving the overall detection rate to ensure a higher proportion of true anomalies (Maselyukh).
 	Claims 13 and 22 are rejected in view of claim 4 rejection.


Claims 6, 8, 15, 17, 24 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Schmitt in view of Sridhara and further in view of PG Pub 20140108640 (hereinafter Mathis) 	Regarding claim 6, Schmitt and Sridhara do not disclose for each stream of the multiple streams of metric data, computing forecast metric values in a forecast interval; and computing a forecast confidence interval for each of the forecast metric values. Mathis discloses a method “…for anomaly detection in time series data using predictive modeling… The time-series data includes values for a network-site analytics metric over time. The method includes generating a predictive model for the metric based on a segment of the time-series data and using the predictive model to predict an expected value range for the network-site analytics metric for a future time…” (par. [0003]). Note,  although the application Mathis used is not for malware detection, the passage above suggest for any time-series data a predictive model can be used to predict (e.g. forecast) anomaly if an actual value is off the expected (predicted) value range (par. [0031]-[0036] discloses the time-series data analysis involves the forecasted value, standard error and confidence level). Therefore, it would have been obvious before the effective filing date of the claimed invention to modifying Schmitt and Sridhara with Mathis by applying the predictive model on each statistical data per interval of Schmitt would further teach the claimed features. One would have done so to improve data analytics on large amounts of data with large number of associated metrics (Mathis).

Regarding claim 8, Schmitt, Sridhara and Mathis disclose wherein performing anomaly detection to detect changes in one or more of the streams of metric data based on the updated performance model comprises: determining a threshold based on the performance model; and when one or more streams of the metric data violates the threshold, identifying the resource as exhibiting anomalous behavior (Mathis, par. [0012] and [0027] disclose a metric is a measure of activities or performance. Hence, the predictive analytic would provide a predictive expected value vs the obtained actual value. If the actual value exceeds the expected range by a threshold it would consider to be anomalous.

 	Claims 15 and 24 are rejected in view of claim 6 rejection.

 	Claims 17 and 26 are rejected in view of claim 8 rejection.

Claims 9, 18 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Schmitt in view of Sridhara and further in view of PG Pub 20070143851 (hereinafter Nicodemus)
Regarding claim 9, Schmitt and Sridhara do not disclose wherein performing log message analysis on the log messages comprises: determining an event type for each log messages; computed a relative frequency of each event type generated in the time frame; and generating an alert when the relative frequency of one of the event types is greater than an associated relative frequency threshold. Nicodemus discloses a system of monitoring software vulnerabilities with agent installed on each endpoint to be monitored (Fig. 5 and related text). Nicodemus discloses using different analysis algorithms such as mean-based, Standard-deviation based, etc. (par. [0917]-[0950]) 
 	Claims 18 and 27 are rejected in view of claim 9 rejection.

Allowable Subject Matter
Claims 5, 7, 14, 16, 23 and 25 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRI M TRAN/Primary Examiner, Art Unit 2432