DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.	Claims 20-30, 33-36, and 38-42 are currently pending in this application.
	Claims 22-23, 25, 28, 30, 35-36, 38 are amended as filed on 10/08/2021.
	Claims 31-32 and 37 are canceled as filed on 10/08/2021.
Claims 42 is new as filed on 10/08/2021.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 20-39 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,469,309, hereinafter 309. Although the claims at issue are not identical, they are not patentably distinct from each other because:
	With respect to claim 20, 309 taught a method, comprising: dividing a historical alert dataset into subsets of alert data (column 18, lines 8-12, the wherein the historical alert dataset comprises alert data indicative of a plurality of types of alerts generated by a computing system (column 18, lines 25-27); determining a first amount of overlap in the historical alert dataset in which a first alert type and a second alert type both occur (column 18, lines 25-27); determining a total amount of the historical alert dataset in which the first alert type occurs (column 18, lines 28-48, the ratio to total); and determining a pairwise probability based at least in part on a ratio between the first amount and the total amount (column 18, lines 28-48); identifying a relationship between the first alert type and the second alert type based at least in part on the pairwise probability being greater than a probability threshold (column 18, lines 28-48); and updating a visualization of the historical alert dataset to indicate the relationship (column 18, lines 56-58).
With respect to claim 30, 309 taught a tangible, non-transitory, computer-readable medium having stored thereon program instructions that, upon execution by a computing device, cause the computing device to perform operations (column 20, lines 5-8) comprising: receiving a historical alert dataset comprising a plurality of indications of a plurality of alerts (column 14, lines 9-35), wherein each indication of the plurality of indications corresponds to a configuration item and a timestamp (column 20, lines 9-35, where the predefined time window requires the timestamps); dividing the historical alert dataset to form subsets of alert data having equal time windows (column 20, lines 9-35, where the predefined time window requires the timestamps); determining an amount of co-occurrence of a first alert type and a second alert type over the historical alert dataset, wherein the amount of co-occurrence corresponds to a respective number of the subsets of alert data that respectively comprise the first alert type and the second alert type (column 20, lines 9-35, where the interdependencies contain the co-occurrences); determining a total number of the subsets of alert data in which the first alert type occurs (column 20, lines 9-35, the ratio/total); and determining a frequency parameter value based at least in part on the amount of co-occurrence and the total number of the subsets of alert data in which the first alert type occurs (column 20, lines 9-35); determining a relationship between the first alert type and the second alert type based at least in part on the frequency parameter value being greater than a frequency parameter threshold value (column 20, lines 9-35); and updating a visualization of the historical alert dataset to indicate the relationship (column 20, lines 45-49).
With respect to claim 35, 309 taught a system for grouping alerts generated by monitoring of a device in a computer network (column 20, lines 37-41), the system comprising: a processor (column 20, lines 5-9); and a memory (column 20, lines 5-9) configured to store instructions executable by the processor that, when executed by the processor, cause the system to perform operations comprising: identifying an event pattern within historical alert data independent of known dependency relationships between devices of the computer network, wherein the event pattern is based on a likelihood of a relationship between alert types of the historical alert data (column 20, lines 9-35), and wherein the likelihood is determined based at least in part on a ratio of a total number of occurrences of a respective alert pair with respect to a total number of occurrences of a given alert of the respective alert pair (column 20, lines 9-35, the total/ratio metric); and assigning a current alert to an alert group by matching the current alert to the event pattern (column 20, lines 37-41); and generating, via a presentation module, a graphical display region configured to present the alert group (column 20, lines 42-44).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 20-30, 33-36, 38-39, and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Valadarsky et al. (Patent No. US 7,043,661 B2), hereinafter Valadarsky, in view of Hu et al. (Pre-Grant Publication No. US 2017/0046499 A1), hereinafter Hu.


	However, Valadarsky did not explicitly state a plurality of fixed time windows of respective data sets of alert data and correlating the quantity of datasets associated with the fixed time windows based on identify datasets associated with a total quantity of fixed time windows with then plurality of fixed time windows.  On the other hand, Hu did teach a plurality of fixed time windows of respective data sets of alert data (0029, where the SuperAlarm patterns are the datasets) and correlating the quantity of datasets associated with the fixed time windows based on identify datasets associated with a total quantity of fixed time windows with then plurality of fixed time windows (0029, where the evaluation of the SuperAlarm datasets that are frequently co-occuring requires a multitude of the fixed time windows of 0029.  Furthermore, the total can be seen in the total number of distinctive SuperAlarms in accordance with 0035).  Both of the systems of Valadarsky and Hu are directed towards managing alert data and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Valadarsky, to 

3.	As for claim 21, it is rejected on the same basis as claim 20.  In addition, Valadarsky taught receiving data corresponding to an alert stream; and using the relationship to group a subset of alerts from the alert stream in an alert group (column 2, lines 14-15, where the time + behavior = represents relationships). 

4.	As for claim 22, it is rejected on the same basis as claim 21.  In addition, Valadarsky taught after identifying the relationship, receiving the first alert comprising a first alert type at a time within the time window (column 2, lines 14-17), wherein the first alert type comprises the first configuration item, the first alert metric or both (column 15, lines 19-27); in response to receiving the first alert, determining to group the first alert in the alert group based at least in part on the relationship (column 2, lines 14-17); and receiving a second alert comprising the first alert type at a time after the fixed time window; and in response to receiving the second alert, not grouping the second alert into the alert group (column 2, lines 14-15, where the time + behavior = represents relationships.  Accordingly, new groups will be created based on alerts not following into the time/behavior window).

5.	As for claim 23, it is rejected on the same basis as claim 20.  In addition, Valadarsky taught determining an additional relationship when an amount of alerts, received during a first time window of the plurality of fixed time windows is greater than 

6.	As for claim 24, it is rejected on the same basis as claim 23.  In addition, Valadarsky taught determining the amount of alerts over a duration of time, wherein the duration of time is based at least in part on a product of a value associated with arrival times of consecutive historical alerts and a factor value (column 2, lines 14-15, where the behavior is the factor and the alerts are historical alerts are they are utilized in the historical correlation).

7.	As for claim 25, it is rejected on the same basis as claim 23.  In addition, Valadarsky taught identifying a configuration item identifier and an alert pattern identifier for a first alert of the alert group, wherein the configuration item identifier is associated with the first alert, and wherein the alert pattern identifier is associated with the 

8.	As for claim 26, it is rejected on the same basis as claim 20.  In addition, Valadarsky taught receiving data corresponding to an alert stream; determining that the relationship matches a respective alert of the alert stream based at least in part on an alert type of the respective alert or a pattern of the respective alert matching that of the relationship; in response to the relationship matching the respective alert of the alert stream, determining that a time window associated with the respective alert is active; and in response to determining that the time window is active, adding the respective alert to an alert group corresponding to the relationship and the time window (column 2, lines 14-15, where the action of an active time window is given in order to properly group the alerts based on time and behavior).



10.	As for claim 28, it is rejected on the same basis as claim 20.  In addition, Valadarsky taught wherein identifying the relationship between the first alert type and the second alert type based at least in part on the conditional probability being greater than the probability threshold value comprises: setting the probability threshold to a first value to generate a first probability threshold (column 16, lines 52-67, where establishing the baseline probability threshold is given under broadest reasonable interpretation); identifying a first relationship using the first probability threshold; setting the probability threshold to a second value to generate a second probability threshold, wherein the second value is greater than the first value; identifying a second relationship using the second probability threshold; and identifying the relationship between the first alert type and the second alert type to correspond to the second relationship (column 14, lines 59-62, where the second probability threshold is generated when the system decides to use the second probability value under broadest reasonable interpretation).

11.	As for claim 29, it is rejected on the same basis as claim 28.  In addition, Valadarsky taught wherein identifying the first relationship using the first probability threshold comprises: filtering a plurality of pairwise probabilities associated with the first 

12.	With respect to claim 30, Valadarsky taught a tangible, non-transitory, computer-readable medium having stored thereon program instructions that, upon execution by a computing device, cause the computing device to perform operations (column 1, lines 49-50) comprising: receiving a historical alert dataset comprising a plurality of alerts (column 2, lines 14-15, where the groups are the subsets.  See also, column 4, lines 49-52.   Furthermore, the historical alert data can be seen in column 22, lines 21-31) wherein alert data is generated at least in party by monitoring an operating condition of a portion of a computing network and generating an alert when an alert metric associated with the operating condition crosses a threshold value (column 3, lines 51-56, where the different fault types are different alarm types and the groups are configuration items.  Furthermore, the different root causes of column 16, lines 54-60 that are provided are also alert types), and wherein the portion of the computing network is represented using one or more configuration items in a configuration management database (column 15, lines 4-27, where the peak event is the alert that the system utilizes for alarm generation); dividing the historical alert dataset alert data 
	However, Valadarsky did not explicitly state a plurality of fixed time windows of respective data sets of alert data and correlating the quantity of datasets associated with the fixed time windows based on identify datasets associated with a total quantity 

15.	As for claim 33, it is rejected on the same basis as claim 30.  In addition, Valadarsky taught wherein the historical alert dataset is associated with a plurality of configuration items (column 8, lines 18-38, where the correlation data correlates the parent alert with a child alert, the parent being the cause of the child alert in accordance with column 6, lines 20-23, 30-33, where the configuration items are the devices of column 6, lines 62-66). 

16.	As for claim 34, it is rejected on the same basis as claim 30.  In addition, Valadarsky taught identifying the first alert type as corresponding to a first configuration 

17.	With respect to claim 35, Valadarsky taught system for grouping alerts (column 15, lines 4-27), wherein alert data is generated at least in part by monitoring an operating condition of a computing network that corresponds to one or more of a plurality of configuration items and generating an alert when an alert metric associated with the operating condition crosses a threshold value (column 15, lines 4-27, where the alarms are monitored), the system comprising: a processor (figure 2); a memory configured to store instructions executable by the processor that, when executed by the processor, cause the system to perform operations (figure 2) comprising: determining a conditional probability indicative of a likelihood of a relationship between a first alert and a second alert based at least in part on a ratio, wherein the ratio compares a first number of occurrences indicative of when the first alert and the second alert co-occur within a plurality of subsets of the alert data to a second number of occurrences of the first alert within the plurality of subsets of the alert data, wherein the first alert corresponds to a first type of alert and the second alert corresponds to a second type of 
	However, Valadarsky did not explicitly state a plurality of fixed time windows of respective data sets of alert data and wherein the ratio compares a first quantity of fixed time windows within the plurality of fixed time windows in which a first alert and a second alert co-occur within a same fixed time window of the alert data, and a total quantity of fixed time windows within the plurality of fixed time windows in which the first alert occurs.  On the other hand, Hu did teach a plurality of fixed time windows of respective data sets of alert data and wherein the ratio compares a first quantity of fixed time windows within the plurality of fixed time windows in which a first alert and a second alert co-occur within a same fixed time window of the alert data, and a total quantity of fixed time windows within the plurality of fixed time windows in which the first alert occurs (0029, where the SuperAlarm patterns are the datasets and wherein the evaluation of the SuperAlarm datasets that are frequently co-occuring requires a multitude of the fixed time windows of 0029.  Furthermore, the total can be seen in the total number of distinctive SuperAlarms in accordance with 0035).  Both of the systems of Valadarsky and Hu are directed towards managing alert data and therefore, it would 

18.	As for claim 36, it is rejected on the same basis as claim 35.  In addition, Valadarsky taught prioritizing the alert group with respect to an additional alert group in a visualization rendered on a graphical user interface based at least in part on respective severities of alerts associated with the alert group (column 16, lines 52-67, where the cluster represents a plurality of groups in accordance with column 2, lines 14-15, and wherein the user interface display can be seen in column 9, lines 60-63 & column 10, lines 10-14); and updating information indicating a dependency relationship between a first configuration item configured to generate the first type of alert and a second configuration item configured to generate the second type of alert based on the determined conditional probability value (column 1, lines 52-53, where the root cause analysis includes determining dependencies between the alarm groups of column 2, lines 13-15).

20.	As for claim 38, it is rejected on the same basis as claim 37.  In addition, Valadarsky taught compare an avalanche time window to each of the plurality of fixed time windows to locate alert intersections, wherein the avalanche of alerts occurs over the avalanche time window (0014, where the sequence of SuperAlarm patterns are a cluster of alarms, which is an avalanche of alarms in accordance with the applicant’s 

21.	As for claim 39, it is rejected on the same basis as claim 38.  In addition, Valadarsky taught identifying the event pattern when the score of the additional intersection is greater than an avalanche pattern threshold parameter (column 16, lines 52-67, where the probability is the threshold and the cluster is the avalanche of data).

22.	As for claim 41, it is rejected on the same basis as claim 35.  In addition, Valadarsky taught wherein the first type of alert corresponds to a first configuration item, a first alert metric, or both, and wherein the second type of alert corresponds to a second configuration item, a second alert metric, or both (column 15, lines 4-27, where the assigned group is the configuration items and the relation is the second configuration item in accordance with column 16, lines 52-59). 

Claim 40 is rejected under 35 U.S.C. 103 as being unpatentable over Valadarsky, in view of Hu, and in further view of Bose et al. (Pre-Grant Publication No. US 2012/0259962 A1), hereinafter Bose.

.

Claim 42 is rejected under 35 U.S.C. 103 as being unpatentable over Valadarsky, in view of Hu, and in further view of Shulman et al. (Pre-Grant Publication No. US 2017/0244749 A1), hereinafter Shulman.

24.	As for claim 42, it is rejected on the same basis as claim 30.  However, Valadarsky did not explicitly state wherein the alert metric comprises an amount of server traffic.  On the other hand, Bose did teach wherein the alert metric comprises an amount of server traffic (0076, where the alerts include the amount of server traffic).  Both the systems of Valadarsky and Shulman are directed towards 

Response to Arguments
Applicant’s arguments with respect to the claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

25.	The applicant argues on page 12 that “Valadarsky at most teaches that alarms which arrived during a period of time are grouped together. See Valadarsky, col. 15, ll. 30-35. Indeed, Valadarsky appears silent to grouping a subset alerts of an alert stream based on an amount of alerts being greater than an alert count threshold. Therefore, Valadarsky does not disclose determining an additional relationship when an amount of alerts is greater than an alert count threshold and determining a union between the relationship and the additional relationship to group a subset of alerts into an alert group”.  However, Valadarsky’s column 1, lines 54-55 shows that the system correlates the different alerts in order to find the root cause.  A subset of alerts is obvious as the system would otherwise correlate every 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 





/JOSEPH L GREENE/Primary Examiner, Art Unit 2452