DETAILED ACTION
Claims 1-9 and 12, 13, 15, and 16 are presented for examination. Claims 1-3, 5, 7-9, 12, 13, and 15 stand currently amended.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Finality of Office Action
The following is a brief summary description of new ground(s) of rejection (if any) and the reason why those new ground(s) are made necessary by this amendment:
No new grounds of rejection are presented herein.
Response to Arguments
Applicant's remarks filed 30 November 2021 and remarks filed 26 January 2022 have been fully considered and Examiner’s response is as follows:
Remarks filed 26 January 2022:
Applicant remarks page 12 argues:
Applicant respectfully disagrees with the Examiner.
Applicant respectfully notes, for example, wherein Guan appears to only disclose a dimensionality reduction, however, fails to disclose the first filtering and second filtering as claimed herein.
In addition, for example, Applicant respectfully notes wherein merely disclosing a dimensionality reduction is not and cannot reasonably be considered as disclosing a combination of several particular dimensionality reductions as claimed herein.
Applicant respectfully notes, for example, wherein Guan does not disclose or suggest the particular combination of two dimensionality reductions (filters), each comprising another dimensionality reduction (subset of sensors); as claimed herein.
This argument is unpersuasive.
The claims recite no particular differences between the claimed first and second filtering steps. The only recited difference is a slight difference, but overlapping in scope, temporal limitation of the filtering step preceding the constructing and comparing respectively. See claims 1 and 12 last clause.
The claimed filtering steps do not have a different subset of sensors. Both the first and second filtering are “by only selecting the packet metatdata and the error code only from the subset of the sensors.” The recitation of the subset of sensors is verbatim identical.
anomalies of variations in the statistical data representative of the packet metadata obtained from the sensor relative to the future variations predicted by the prediction algorithm.” Thus, the anomaly detection is dependent on the same prediction algorithm used for the prediction of future variations. The anomalies of variation are claimed merely as variations from the predicted future variations of the same prediction algorithm.
Furthermore, looking at dependent claims 8, both the first and second filterings are recited as “utilize only the sensors which send signals determined chronologically the function of executed events in the log file and related to the error code or anomaly.” Thus, claim 8 further describes which signals the first and second filterings actually output and they are the same sensor signals for both.
Furthermore, looking at dependent claim 12, only a singular “a filtering algorithm” is claimed. Specification page 13 lines 8-9 and 13-14 state the first and second filtering steps are both “by the filtering algorithm (6).” There is only one filtering algorithm used to accomplish both recited filtering steps.
The mere recitation of “first” and “second” filtering within the claim fails to impart any differences for the first and second filtering steps. Using a single filtering algorithm accomplishes both.
Applicant remarks page 13 further argues:
these two filtering steps in the claimed invention are not the same filtering steps and are used for different purposes in the claimed invention, than that of Guan.
For example, one filtering step used for anomaly detection and the other for prediction of future variations.
This argument is unpersuasive.
The purpose for which Guan teaches performing dimensionality reduction and feature selection may be different than the alleged purpose of performing these steps in the invention. The prior art may teach different advantages and different rationales for performing these steps. All that is required of the prior art is that it teach the same steps with the same characteristics as claimed. A different rationale for performing the same step is not a patentable distinction when the features of the recited step(s) are the same.
Here, the recited anomaly detection is explicitly linked to the prediction of future variation as claimed such that the anomaly detection is recited in the claim as an anomaly of variation “relative to the future variations predicted by the prediction algorithm.” 
Applicant remarks page 13 further argues:
Applicant has further clarified such limitations by stating wherein the predicting comprises the first filtering and the constructing, and the detecting comprises the second filtering and the comparing, wherein the first filtering precedes the constructing, and wherein the second filtering precedes the comparing.
In other words, for example, the first filtering and the second filtering are not and cannot reasonably be considered as the same step of dimensionality reduction, as the two different filterings occur at different times under different steps with different data sets.
Examiner respectfully disagrees according to the current recitation of the claims.
Regarding the timing, the comparing step is comparing future variation of the prediction algorithm. Accordingly, preceding the construction of the prediction algorithm is also preceding the comparing. The recited timings are overlapping ranges.
As discussed above, the first and second filtering steps use the same filtering algorithm on the same subset of sensor data. There are no recited differences in the filterings so it is not clear that any differences in performing the respective filterings.
Regarding the argument of “different data sets” the recitation in the claim recites explicitly the filterings performed on the same verbatim data sets. Accordingly different data sets are not claimed. Nor is it even indicated within even the Specification that the first and second filterings involve different data sets.
Applicant remarks page 14 further argues:
Applicant respectfully notes, for example, wherein one of ordinary skill in the art would understand and appreciate wherein such a disclosure as that of Guan cannot reasonably be considered as two filterings, specifically one for a prediction and one for an anomaly, as claimed herein.
This argument is unpersuasive.
As discussed in more detail above, the anomaly detection uses the same prediction algorithm. Accordingly, a filtering for the prediction algorithm accomplishes a filtering for both prediction of future variation using said prediction algorithm and a filtering to what is necessary for the anomaly detection using the same prediction algorithm. 
Applicant remarks page 14-15 argues:
For example, Biem teaches …. Applicant asserts that the claims are novel and unobvious over the cited references that never mention network packets.
This argument is unpersuasive.


Remarks filed 30 November 2021:
Applicant remarks filed 26 January 2022 appear to include all arguments presented in the remarks filed 30 November 2021 in addition to containing further remarks. Accordingly, all arguments presented as filed 30 November 2021 are already addressed above with Examiner’s response to the same arguments from the remarks filed 26 January 2022. No additional response is necessitated by the 30 November 2021 remarks.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 8, 9, 12, 13, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gross, K., & Lu, W. "Early Detection of Signal and Process Anomalies in Enterprise Computing Systems" (2002) [herein “Gross”] in view of Samak, T., et al. “Online Fault and Anomaly Detection for Large-Scale Scientific Workflows” IEEE Int'l Conf. on High Performance Computing & Communication, pp. 373-381 (2011) [herein “Samak”], US patent 10,261,851 B2 Velipasaoglu, et al. [herein “Velipasaoglu”], and Guan, Q., et al. “Anomaly Detection in Large-Scale Coalition Clusters for Dependability Assurance” IEEE Int’l Conf. on High Performance Computing, pp. 1-10 (2010) [herein “Guan”].
Claim 1 recites “1. A method for supervising a supercomputer.” Gross title discloses “Early Detection of Signal and Process Anomalies in Enterprise Computing Systems.” Enterprise computing systems correspond with supercomputers. Gross introduction first paragraph discloses “In this paper, we present an advanced online machine monitoring technique originally developed for statistical process control (SPC) applications in safety-critical industries and apply this novel approach to enhance the reliability, availability, and serviceability (RAS) of enterprise computing systems.” A machine monitoring technique for reliability, availability, and serviceability is a supervising of the enterprise computing system.
Claim 1 further recites “the method comprising: obtaining packet metadata by a computer infrastructure comprising a processor, from a sensor comprising a network card of a compute node of the supercomputer, wherein said packet metadata comprises at least one of:
a number of packets sent from the compute node,
a number of packets received by the compute node,
and wherein said supercomputer comprises … and sensors coupled therewith wherein said sensors comprise network cards.” Gross page 2 section 1 last paragraph discloses “performance metrics (throughput, load, transaction latencies, queue lengths, etc.), or soft error arrival rates.” A throughput of a computer system corresponds to monitored metadata of the computer system. Gross section 3.2 “[Error] Counts from Fibre Channel Arbitrated Loops” is applying the performance metric to a packet based network of the fibre channel.
But Gross does not explicitly disclose packets; however, in analogous art of anomaly detection in a computer system, Velipasaoglu column 5 lines 58-62 teaches:
Examples of other performance metrics include bandwidth, packets per second, connections per second, maximum concurrent connections, bits per second, errors, dropped packets, flows per second, round trip time (RTT), web requests, jitter, or transactions per second.
Packets per second is a number of packets sent/received.
Velipasaoglu column 5 lines 41-51 teach:
detection engine 118 collects statistical samples of traffic data from a multiplicity of resources for different performance metrics by receiving incoming data stream from the resources as a series of data packets.
… performance metrics for the different resources (routers, switches, firewalls, load balancers, servers, applications)
Collecting data from servers, routers, and switches is sensors of corresponding network card sensors. The resources collect the packet per second data and accordingly are packets.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak and Velipasaoglu. One having ordinary skill in the art would have found motivation to use collect packet performance data into the system of detecting of a network. See Velipasaoglu column 5 lines 53-63.
Claim 1 further recites “and wherein said supercomputer comprises multiple compute nodes.” Gross title discloses “Early Detection of Signal and Process Anomalies in Enterprise Computing Systems.” Enterprise computing systems correspond with supercomputers.
Gross does not explicitly disclose compute nodes; however, in analogous art of online anomaly detection in computer systems, Samak page 373 section I second paragraph teaches “These resources include compute nodes, storage, and networks.” Compute nodes in the plural are multiple compute nodes.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use computers comprising compute node resources into the system of detecting anomalies in computer systems for the advantageous purpose of applying anomaly detection to complex computation workflows. See Samak abstract.
Claim 1 recites a plurality of times “by the processor.” Gross page 2 left column first paragraph last sentence discloses “applications for enterprise computing systems.” Software applications on a computing system are executed by a processor. This disclosure is relevant for each of the following repeated recitations of “by the processor.”
Claim 1 further recites “predicting at regular intervals, by the processor executing a prediction algorithm, future variations in statistical data representative of the packet metadata obtained from the sensor.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal behavior is predicted future variation for the statistical data signal. SPRT is a prediction algorithm.
Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is making the predictions at regular intervals.
detecting in real time, by the processor executing a detection algorithm, anomalies of variations in the statistical data representative of the packet metadata obtained from the sensor relative to the future variations predicted by the prediction algorithm.” Gross section 2 third paragraph discloses “When process changes are detected.” Detecting process changes is detecting anomalies of variation. Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is real time.
Gross page 2 right column last paragraph discloses “At each time step in a calculation, a test index is calculated and compared to two stopping boundaries A and B (defined below). The test index is equal to the natural log of a likelihood ratio (Ln).” The likelihood ratio test is detecting whether or not there is an anomaly of variation. See also Gross equation (1). The null hypothesis corresponds with normal behavior of the expected future variation of the prediction algorithm.
Claim 1 further recites “wherein the predicting of the future variations and detecting the anomalies are preceded by selecting, by the processor of the computer infrastructure, for each sensor a type of packet metadata determined chronologically as a function of executed events in a log file.” Gross page 2 section 1 last paragraph discloses:
online monitoring of noisy performance signals of a variety of types that are important to assuring the continuous availability of enterprise computing systems, including variables associated with physical parameters (…), performance metrics (…), or soft error arrival rates.
Whichever performance signal SPRT is used on is a respectively selected type of sensor metadata. As discussed above, the performance metric of throughput of a network is packet metadata.
Gross section 2 second paragraph discloses “a sample from the process at a given moment tn in time.” Sampling observations over time is a chronological recording of sensor data. Gross page 3 right column last paragraph line 3 discloses “time series.”
Gross does not explicitly disclose collected data is events in a log file; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing the logs on storage of the system. The structured collection of data is an aggregation of the data. The collection of data logs involving “events” and “timestamp” indicates the collected data is event based and chronological with the timestamp.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 1 further recites “and selecting an error code found in the compute node wherein the type of packet metadata and the error code are utilized for the predicting and the detecting of the anomalies.” Gross does not explicitly disclose error codes; however, in analogous art of online anomaly detection in computer systems, Samak page 375 section III teaches:
Hard failures are detected and reported by lower layers and thus are directly observable from error codes and messages. Soft failures are either not noticed or not reported by the lower layers. Common examples of soft failures include poor network performance and low memory (e.g., due to an application leak).
… detecting hard failures is simply a matter of looking at error codes …
The analysis presented here uses observation from hard failures and performance metrics to model soft failures and predict their occurrence.
Hard failure error codes are error codes. Using observations from hard failures is using the error code. Modeling soft failures with performance metrics is using the packet metadata.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data and error codes into the system of detecting anomalies in computer systems for the advantageous purpose of detecting both hard and soft errors. See Samak page 375 section III.
Claim 1 further recites “and the selecting among the sensors of a subset of the sensors that is less than a total number of sensors to keep only the sensors which having the packet metadata necessary for the predicting of the future variations and the detecting of the anomalies; wherein the predicting of the future variations comprises a first filtering by only selecting the packet metadata and the error code only from the subset of the sensors; wherein detecting the anomalies comprises a second filtering by only selecting the packet metadata and the error code only from the subset of the sensors.” Gross does not explicitly disclose filtering or selecting sensor data; however, in analogous art of anomaly detection in high-performance computing systems, Guan section 3.2 teaches:
To make the anomaly detection tractable and yield high detection accuracy, we apply dimensionality reduction, which transforms the collected health data to a new feature space with only the more relevant attributes preserved [16].
Dimensionality reduction to only the more relevant attributes is filtering to only the more relevant attributes. The more relevant attributes correspond with selecting only data necessary for the prediction of variations and anomalies. Guan section 3.2.2 page 5 left column last paragraph teaches:
Feature selection is to select a smaller set of features that contains as much information as possible. This goal can be interpreted as maximizing the joint mutual information.
Feature selection is a form of dimensionality reduction which selects a smaller set of data.
Dimensionality reduction and/or feature selection are both a first and second filtering. The filtering is a first filtering when it is done for the prediction of future variations (i.e. normal behavior or null hypothesis prediction of the likelihood function taught by Gross); and the filtering is a second feature when it is done for anomaly detection (i.e. anomaly detection or alternative hypothesis of the likelihood function taught by Gross). Notably, the anomalies detected are claimed as anomalies of variation relative to the future values predicted by the prediction algorithm. The anomaly detection is a comparison relative to predicting the future variation and is thus dependent upon the same prediction algorithm as the predicting of future variations.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak, Velipasaoglu, and Guan. One having ordinary skill in the art would have found motivation to use dimensionality reduction and/or feature selection into the system of detecting anomalies in computer systems for the advantageous purpose of making the data easier to classify and facilitate anomaly detection. See Guan section 3.2 last sentence.
Claim 1 further recites “sending the anomalies of the variations in the statistical data representative of the packet metadata and the error code from the processor to a display coupled with said processor.” Gross page 2 section 2 third paragraph discloses “When process changes are 
Claim 1 further recites “wherein the predicting further comprises storing in a storage coupled with the processor of the statistical data sent by the sensor.” Gross does not explicitly disclose storing in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 1 further recites “in a form of the packet metadata and the error code representative of the statistical data.” Gross does not explicitly disclose packets; however, in analogous art of anomaly detection in a computer system, Velipasaoglu column 5 lines 58-62 teaches:
Examples of other performance metrics include bandwidth, packets per second, connections per second, maximum concurrent connections, bits per second, errors, dropped packets, flows per second, round trip time (RTT), web requests, jitter, or transactions per second.
Packets per second is a number of packets sent/received.
Velipasaoglu column 5 lines 41-51 teach:
detection engine 118 collects statistical samples of traffic data from a multiplicity of resources for different performance metrics by receiving incoming data stream from the resources as a series of data packets.
… performance metrics for the different resources (routers, switches, firewalls, load balancers, servers, applications)

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak and Velipasaoglu. One having ordinary skill in the art would have found motivation to use collect packet performance data into the system of detecting anomalies in computer systems for the advantageous purpose of detecting anomalous performance of a network. See Velipasaoglu column 5 lines 53-63.
Gross does not explicitly disclose error codes; however, in analogous art of online anomaly detection in computer systems, Samak page 375 section III teaches:
Hard failures are detected and reported by lower layers and thus are directly observable from error codes and messages. Soft failures are either not noticed or not reported by the lower layers. Common examples of soft failures include poor network performance and low memory (e.g., due to an application leak).
… detecting hard failures is simply a matter of looking at error codes …
The analysis presented here uses observation from hard failures and performance metrics to model soft failures and predict their occurrence.
Hard failure error codes are error codes. Using observations from hard failures is using the error code. Modeling soft failures with performance metrics is using the packet metadata.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data and error codes into the system of detecting anomalies in computer systems for the advantageous purpose of detecting both hard and soft errors. See Samak page 375 section III.
Claim 1 further recites “constructing, by the processor executing a modeling algorithm, a predictive mathematical model from the statistical data, the predictive mathematical model being stored in the storage.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal behavior is predicted future variation for the statistical data signal. SPRT is a modeling algorithm acting on statistical data.

Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 1 further recites “and, wherein the detecting comprises comparing, by the processor executing the detection algorithm, the packet metadata representative of the statistical data with the future variations and confidence interval stored last in the storage.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.”
Using the likelihood ratio test of Gross equation (1) is comparing the probability of the alternative hypothesis (numerator) with the probability of the null hypothesis (denominator). The probability of the null hypothesis is data representative of future variation.
Gross page 2 right column last paragraph discloses “At each time step in a calculation, a test index is calculated and compared to two stopping boundaries A and B (defined below). The test index is equal to the natural log of a likelihood ratio (Ln).” The stopping boundaries A and B are corresponding confidence intervals.
Claim 1 further recites “stored last in the storage.” Gross does not explicitly disclose storing in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 1 further recites “wherein the first filtering precedes the constructing, and wherein the second filtering precedes the comparing.” The dimensionality reduction and features selection steps taught by Guan sections 3.2 and 3.2.2 discussed above are data pre-processing steps which occur before the anomaly detection algorithm. See e.g. Guan page 2 second paragraph lines 11-16:
Then, …, feature selection is performed to convert the multi-dimensional data into a space of lower dimensions for quick and better analysis. Finally, outlier detection automatically extracts the expected normal behaviors from the data and identifies significant deviations as anomalies.
Feature selection is performed before the outlier detection and before determining “normal behavior from the data.” Thus, the feature selection which corresponds to the first and second filtering precedes the constructing (of normal behavior prediction) and precedes the comparing (of the outlier detection or anomaly detection). Accordingly, dimensionality reduction and/or feature selection precedes the construction of the prediction algorithm and comparing steps of the anomaly detection algorithm.
Claim 2 further recites “2. The method according to claim 1, wherein the predicting comprises: calculating, by the processor a calculation algorithm, the future variations in the statistical data from the predictive mathematical model.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal behavior is predicted future variation for the statistical data signal. SPRT is a modeling algorithm acting on statistical data.

Claim 2 further recites “as well as confidence intervals delimiting the future variations in the statistical data.” Gross section 2 first paragraph teaches “pre-specified confidence bounds.” Confidence bounds are confidence intervals.
Claim 2 further recites “and storing in the storage the future variations and the confidence intervals.” As discussed above, Gross section 2 first paragraph teaches “pre-specified confidence bounds.” Pre-specified indicates prior existence before their use indicating they are stored or remembered somewhere.
But Gross does not explicitly disclose storing in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 3 further recites “3. The method according to claim 2, wherein the constructing of the predictive mathematical model is calculated by the processor executing the modeling algorithm from the statistical data.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal 
Claim 3 further recites “from signals representative of these statistical data sent by the sensor in a period comprising two hours.” Gross abstract line 1 discloses “a real-time … for online surveillance of digitized signals… of enterprise computing systems.” Real-time surveillance is detecting in real time meaning ‘now’ and ‘now’ is within the two hours. The statistical model SPRT is from signals representative of the statistical data.
Claim 4 further recites “4. The method according to claim 1, wherein the predicting is implemented, by the processor, at the regular intervals of sixty minutes.” Gross abstract line 1 discloses “a real-time … for online surveillance of digitized signals… of enterprise computing systems.” Real-time surveillance is predicting in real time. Real time prediction is performing the predictions frequently enough to be considered continuous. A continuous prediction includes predicting over the time periods of regular intervals of sixty minutes as well as the time periods in between.
Claim 6 further recites “6. The method according to claim 2, wherein the predicting further comprises a first aggregation, during a set time interval, by the processor executing an aggregation algorithm, of the statistical data stored in the storage.” Gross page 6 right column second paragraph discloses “The sampling interval for these experiments was 20 minutes.” A 20 minute sampling interval is a set time interval of a first sampling aggregation.
Gross does not explicitly disclose storing the sensor data in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing the logs on storage of the system. The structured collection of data is an aggregation of the data.
Transforming the monitored data into semi-structured data of an SQL database is aggregating the data into the database. This is a first aggregation.
See Samak figure 1.
Claim 6 further recites “the detection step detecting further comprising a second aggregation, by the processor, during a common time interval, of the packet metadata representative of the statistical data sent in real time by the sensor.” Gross page 6 right column second paragraph discloses “The sampling interval for these experiments was 20 minutes.” A 20 minute sampling interval is a common time interval.
Gross page 3 section left column second paragraph below equation (2) discloses “the mean of the process observations.” Using the mean of the observation is an aggregation of the observations. Here, taking a mean value is performing a second aggregation.
Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is real time.
Claim 8 further recites “8. The method according to claim 1, further comprising: predicting at regular intervals, by the processor by executing a prediction algorithm, future variations in statistical data representative of an error code found in the compute node.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The non-normal behavior is predicted anomalies for the statistical data signal. SPRT is a prediction algorithm.
Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is making the predictions at regular intervals.
Gross does not explicitly disclose error codes; however, in analogous art of online anomaly detection in computer systems, Samak page 375 section III teaches:
directly observable from error codes and messages. Soft failures are either not noticed or not reported by the lower layers. Common examples of soft failures include poor network performance and low memory (e.g., due to an application leak).
… detecting hard failures is simply a matter of looking at error codes …
The analysis presented here uses observation from hard failures and performance metrics to model soft failures and predict their occurrence.
Hard failure error codes are error codes. Using observations from hard failures is using variations in statistical data representative of an error code.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data and error codes into the system of detecting anomalies in computer systems for the advantageous purpose of detecting both hard and soft errors. See Samak page 375 section III.
Claim 8 further recites “filtering by the processor in the first filtering and in the second filtering, to utilize only the sensors which send signals determined chronologically the function of executed events in the log file and related to the error code or anomaly for prediction and/or detection of the anomalies.” Gross section 2 second paragraph discloses “a sample from the process at a given moment tn in time.” Sampling observations over time is a chronological recording of sensor data. Gross page 3 right column last column discloses “time series.”
Gross does not explicitly disclose collected data is chronological as a function of events; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing the logs on storage of the system. The structured collection of data is an aggregation of the data. The collection of data logs involving “events” and “timestamp” indicates the collected data is event based and chronological with the timestamp.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer See Samak figure 1.
Dimensionality reduction and/or feature selection as taught by Guan discussed above corresponds with respective first and second filtering of the input log data. A dimensionality reduction and feature selection of this chronological set of collected data is a filtering of chronological signals as claimed.
Claim 8 further recites “and detecting in real time, by the processor executing a detection algorithm, the anomalies of the variations in the statistical data representative of the error code found in the compute node relative to the future variations predicted in the predicting.” Gross section 2 third paragraph discloses “When process changes are detected.” Detecting process changes is detecting anomalies of variation. Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is real time.
Gross page 2 right column last paragraph discloses “At each time step in a calculation, a test index is calculated and compared to two stopping boundaries A and B (defined below). The test index is equal to the natural log of a likelihood ratio (Ln).” The likelihood ratio test is detecting whether or not there is an anomaly of variation. See also Gross equation (1). The null hypothesis corresponds with normal behavior of the expected future variation of the prediction algorithm. The alternative hypothesis corresponds with predicted anomalies.
Claim 9 further recites “9. The method according to claim 1, wherein the predicting comprises a first displaying in which the packet metadata representative of values of the future variations as well as confidence intervals to said display to be displayed by the display.” Gross page 2 section 2 third paragraph discloses “When process changes are detected, the action taken can be simply setting the status of a data-disturbance warning flag, e-mailing a human operator, or coordinating with a control actuator for real-time, closed-loop monitoring and control systems.” At least emailing a human operator is displaying the detected process changes.

When the teachings of Gross are combined with the teachings of Velipasaoglu column 5 as discussed above regarding packet throughput values as performance metrics, then the corresponding figures showing actual observations would correspond to showing packet throughput values.
Claim 12 further recites “12. A system for supervising of a supercomputer.” Gross title discloses “Early Detection of Signal and Process Anomalies in Enterprise Computing Systems.” Enterprise computing systems correspond with supercomputers. Gross introduction first paragraph discloses “In this paper, we present an advanced online machine monitoring technique originally developed for statistical process control (SPC) applications in safety-critical industries and apply this novel approach to enhance the reliability, availability, and serviceability (RAS) of enterprise computing systems.” A machine monitoring technique for reliability, availability, and serviceability is a supervising of the enterprise computing system.
Claim 12 further recites “comprising a computer infrastructure including a processor and storage.” Gross page 2 left column first paragraph last sentence discloses “applications for enterprise computing systems.” Software applications on a computing system are executed by a processor and storage. This disclosure is relevant for each of the following repeated recitations of “by the processor.”
Claim 12 further recites “wherein said processor is configured to: obtain packet metadata by the computer infrastructure comprising the processor, from a sensor comprising a network card of a compute node of the supercomputer, wherein said packet metadata comprises at least one of:
a number of packets sent from the compute node,
a number of packets received by the compute node,
and wherein said supercomputer comprises … and sensors coupled therewith, wherein said sensors comprise network cards.” Gross page 2 section 1 last paragraph discloses “performance metrics (throughput, load, transaction latencies, queue lengths, etc.), or soft error arrival rates.” A throughput of a computer system corresponds to monitored metadata of the computer system. Gross section 3.2 “[Error] Counts from Fibre Channel Arbitrated Loops” is applying the performance metric to a packet based network of the fibre channel.

Examples of other performance metrics include bandwidth, packets per second, connections per second, maximum concurrent connections, bits per second, errors, dropped packets, flows per second, round trip time (RTT), web requests, jitter, or transactions per second.
Packets per second is a number of packets sent/received.
Velipasaoglu column 5 lines 41-51 teach:
detection engine 118 collects statistical samples of traffic data from a multiplicity of resources for different performance metrics by receiving incoming data stream from the resources as a series of data packets.
… performance metrics for the different resources (routers, switches, firewalls, load balancers, servers, applications)
Collecting data from servers, routers, and switches is sensors of corresponding network card sensors. The resources collect the packet per second data and accordingly are packets.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak and Velipasaoglu. One having ordinary skill in the art would have found motivation to use collect packet performance data into the system of detecting anomalies in computer systems for the advantageous purpose of detecting anomalous performance of a network. See Velipasaoglu column 5 lines 53-63.
Claim 12 further recites “and wherein said supercomputer comprises multiple compute nodes.” Gross title discloses “Early Detection of Signal and Process Anomalies in Enterprise Computing Systems.” Enterprise computing systems correspond with supercomputers.
Gross does not explicitly disclose compute nodes; however, in analogous art of online anomaly detection in computer systems, Samak page 373 section I second paragraph teaches “These resources include compute nodes, storage, and networks.” Compute nodes in the plural are multiple compute nodes.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use computers comprising compute node resources into the system of detecting anomalies in computer systems for the advantageous purpose of applying anomaly detection to complex computation workflows. See Samak abstract.
by the processor.” Gross page 2 left column first paragraph last sentence discloses “applications for enterprise computing systems.” Software applications on a computing system are executed by a processor. This disclosure is relevant for each of the following repeated recitations of “by the processor.”
Claim 12 further recites “predict at regular intervals, by the processor by execution of a prediction algorithm, future variations in statistical data representative of the packet metadata obtained from the sensor.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal behavior is predicted future variation for the statistical data signal. SPRT is a prediction algorithm.
Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is making the predictions at regular intervals.
Claim 12 further recites “detect in real time, by the processor, execution of a detection algorithm, anomalies of variations in the statistical data representative of the packet metadata obtained from the sensor relative to the future variations predicted by the prediction algorithm.” Gross section 2 third paragraph discloses “When process changes are detected.” Detecting process changes is detecting anomalies of variation. Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is real time.
Gross page 2 right column last paragraph discloses “At each time step in a calculation, a test index is calculated and compared to two stopping boundaries A and B (defined below). The test index is equal to the natural log of a likelihood ratio (Ln).” The likelihood ratio test is detecting whether or not there is an anomaly of variation. See also Gross equation (1). The null hypothesis corresponds with normal behavior of the expected future variation of the prediction algorithm.
Claim 12 further recites “wherein the predict of the future variations and the detect the anomalies are preceded by selection, by the processor of the computer infrastructure, for each sensor a type of packet metadata determined chronologically as a function of executed events in a log file.” Gross page 2 section 1 last paragraph discloses:
online monitoring of noisy performance signals of a variety of types that are important to assuring the continuous availability of enterprise computing systems, including variables associated with physical parameters (…), performance metrics (…), or soft error arrival rates.
Whichever performance signal SPRT is used on is a respectively selected type of sensor metadata. As discussed above, the performance metric of throughput of a network is packet metadata.
Gross section 2 second paragraph discloses “a sample from the process at a given moment tn in time.” Sampling observations over time is a chronological recording of sensor data. Gross page 3 right column last column discloses “time series.”
Gross does not explicitly disclose collected data is events in a log file; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing the logs on storage of the system. The structured collection of data is an aggregation of the data. The collection of data logs involving “events” and “timestamp” indicates the collected data is event based and chronological with the timestamp.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 12 further recites “and selection of an error code found in the compute node wherein the type of packet metadata and the error code are utilized for the predict and the detect of the anomalies.” Gross does not explicitly disclose error codes; however, in analogous art of online anomaly detection in computer systems, Samak page 375 section III teaches:
Hard failures are detected and reported by lower layers and thus are directly observable from error codes and messages. Soft failures are either not noticed or not reported by the 
… detecting hard failures is simply a matter of looking at error codes …
The analysis presented here uses observation from hard failures and performance metrics to model soft failures and predict their occurrence.
Hard failure error codes are error codes. Using observations from hard failures is using the error code. Modeling soft failures with performance metrics is using the packet metadata.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data and error codes into the system of detecting anomalies in computer systems for the advantageous purpose of detecting both hard and soft errors. See Samak page 375 section III.
Claim 12 further recites “and the selection among the sensors of a subset of the sensors that is less than a total number of sensors to keep only the sensors which having the packet metadata necessary for the predict of the future variations and the detect of the anomalies; wherein the predict of the future variations comprises a first filtering by only selection of the packet metadata and the error code only from the subset of the sensors; wherein the detect of the anomalies comprises a second filtering by only selection of the packet metadata and the error code only from the subset of the sensors.” Gross does not explicitly disclose filtering or selecting sensor data; however, in analogous art of anomaly detection in high-performance computing systems, Guan section 3.2 teaches:
To make the anomaly detection tractable and yield high detection accuracy, we apply dimensionality reduction, which transforms the collected health data to a new feature space with only the more relevant attributes preserved [16].
Dimensionality reduction to only the more relevant attributes is filtering to only the more relevant attributes. The more relevant attributes correspond with selecting only data necessary for the prediction of variations and anomalies. Guan section 3.2.2 page 5 left column last paragraph teaches:
Feature selection is to select a smaller set of features that contains as much information as possible. This goal can be interpreted as maximizing the joint mutual information.
Feature selection is a form of dimensionality reduction which selects a smaller set of data.
Dimensionality reduction and/or feature selection are both a first and second filtering. The filtering is a first filtering when it is done for the prediction of future variations (i.e. normal behavior or null 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak, Velipasaoglu, and Guan. One having ordinary skill in the art would have found motivation to use dimensionality reduction and/or feature selection into the system of detecting anomalies in computer systems for the advantageous purpose of making the data easier to classify and facilitate anomaly detection. See Guan section 3.2 last sentence.
Claim 12 further recites “send the anomalies of the variations in the statistical data representative of the packet metadata and the error code from the processor to a display coupled with said processor.” Gross page 2 section 2 third paragraph discloses “When process changes are detected, the action taken can be simply setting the status of a data-disturbance warning flag, e-mailing a human operator, or coordinating with a control actuator for real-time, closed-loop monitoring and control systems.” At least emailing a human operator is displaying the detected process changes anomaly information.
Claim 12 further recites “wherein the predict further comprises store in said storage coupled with the processor of the statistical data sent by the sensor.” Gross does not explicitly disclose storing in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer See Samak figure 1.
Claim 12 further recites “in a form of the packet metadata and the error code representative of the statistical data.” Gross does not explicitly disclose packets; however, in analogous art of anomaly detection in a computer system, Velipasaoglu column 5 lines 58-62 teaches:
Examples of other performance metrics include bandwidth, packets per second, connections per second, maximum concurrent connections, bits per second, errors, dropped packets, flows per second, round trip time (RTT), web requests, jitter, or transactions per second.
Packets per second is a number of packets sent/received.
Velipasaoglu column 5 lines 41-51 teach:
detection engine 118 collects statistical samples of traffic data from a multiplicity of resources for different performance metrics by receiving incoming data stream from the resources as a series of data packets.
… performance metrics for the different resources (routers, switches, firewalls, load balancers, servers, applications)
Collecting data from servers, routers, and switches is sensors of corresponding network card sensors. The resources collect the packet per second data and accordingly are packets.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak and Velipasaoglu. One having ordinary skill in the art would have found motivation to use collect packet performance data into the system of detecting anomalies in computer systems for the advantageous purpose of detecting anomalous performance of a network. See Velipasaoglu column 5 lines 53-63.
Gross does not explicitly disclose error codes; however, in analogous art of online anomaly detection in computer systems, Samak page 375 section III teaches:
Hard failures are detected and reported by lower layers and thus are directly observable from error codes and messages. Soft failures are either not noticed or not reported by the lower layers. Common examples of soft failures include poor network performance and low memory (e.g., due to an application leak).
… detecting hard failures is simply a matter of looking at error codes …
The analysis presented here uses observation from hard failures and performance metrics to model soft failures and predict their occurrence.
Hard failure error codes are error codes. Using observations from hard failures is using the error code. Modeling soft failures with performance metrics is using the packet metadata.
See Samak page 375 section III.
Claim 12 further recites “wherein the computer infrastructure further comprises a modeling algorithm stored in the storage configured to construct a predictive mathematical model from the statistical data stored in the storage, wherein said predict further comprises said construct said predictive mathematical model.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal behavior is predicted future variation for the statistical data signal. SPRT is a modeling algorithm acting on statistical data.
Gross does not explicitly disclose storing in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 12 further recites “wherein the detecting is configured to compare signals representative of the statistical data with the future variations and confidence intervals stored last in the storage.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.”

Gross page 2 right column last paragraph discloses “At each time step in a calculation, a test index is calculated and compared to two stopping boundaries A and B (defined below). The test index is equal to the natural log of a likelihood ratio (Ln).” The stopping boundaries A and B are corresponding confidence intervals.
Claim 12 further recites “stored last in the storage.” Gross does not explicitly disclose storing in a storage of the system; however, in analogous art of online anomaly detection in computer systems, Samak page 374 figure 1 and section II(A) second paragraph teaches:
Logs are automatically sent to the submission host, where they populate directories on disk. We have developed a program called monitord that continuously transforms these directories of logs on the submission host into a stream of NetLogger log events. These are semi-structured collections of name/value pairs with a required type and timestamp
Populating directories on disk of the host is storing in storage of the system.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross and Samak. One having ordinary skill in the art would have found motivation to use logging data on disk into the system of detecting anomalies in computer systems for the advantageous purpose of making recent and historical data available to query and analyze. See Samak figure 1.
Claim 12 further recites “wherein the first filtering precedes said construct, and wherein the second filtering precedes said compare.” The dimensionality reduction and features selection steps taught by Guan sections 3.2 and 3.2.2 discussed above are data pre-processing steps which occur before the anomaly detection algorithm. See e.g. Guan page 2 second paragraph lines 11-16:
Then, …, feature selection is performed to convert the multi-dimensional data into a space of lower dimensions for quick and better analysis. Finally, outlier detection automatically extracts the expected normal behaviors from the data and identifies significant deviations as anomalies.
Feature selection is performed before the outlier detection and before determining “normal behavior from the data.” Thus, the feature selection which corresponds to the first and second filtering precedes the constructing (of normal behavior prediction) and precedes the comparing (of the outlier detection or 
Claim 13 further recites “13. The system according to claim 12, wherein the computer infrastructure further comprises: a calculation algorithm stored in the storage capable of calculating the future variations in the statistical data from the predictive mathematical model.” Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” The normal behavior is predicted future variation for the statistical data signal. SPRT is a modeling algorithm acting on statistical data.
Gross page 3 equation (1) teaches calculation of a log likelihood ratio. The denominator corresponds to the null hypothesis of normal behavior. The probability associated with normal behavior (the null hypothesis) corresponds to a prediction of future variation in the statistical data. Calculation of the respective probability is a calculation of the future variation from the mathematical model.
Claim 13 further recites “as well as the confidence intervals delimiting the future variations in the statistical data.” Gross section 2 first paragraph teaches “pre-specified confidence bounds.” Confidence bounds are confidence intervals.
Claim 15 further recites “15. The system according to claim 12, wherein the computer infrastructure further comprises at least one aggregation algorithm stored in the storage capable of aggregating each minute of the statistical data stored in the storage and aggregating each minute of the packet metadata, representative of the statistical data, sent in real time by the sensor.” Gross section 4 lines 9-11 disclose “SPRT-based tools are also being put in place for real-time proactive fault monitoring in server, storage, and network interconnect systems.” A sequential real-time monitoring is real time. Gross page 3 right column last paragraph line 3 discloses “time series.”
Gross page 6 right column second paragraph discloses “The sampling interval for these experiments was 20 minutes.” The sampling period is a first aggregation of collected data.
Gross does not explicitly disclose a sampling period of “each minute.” However, in analogous art of anomaly detection in a computer system, Velipasaoglu column 5 lines 22-24 teach “performance metrics such as packets per second and connections per second are collected every two minutes to See MPEP §2144.05(I).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak, and Velipasaoglu. One having ordinary skill in the art would have found motivation to use a sampling period of one minute into the system of detecting anomalies in computer systems for the advantageous purpose of detecting anomalous performance of a network. See Velipasaoglu column 5 lines 53-63.
Claim 16 further recites “16. The system according to claim 12, wherein the computer infrastructure further comprises a filtering algorithm stored in the storage configured to filter the statistical data stored, the storage and the signals, representative of the statistical data, as a function of the sensor having sent the signals representative of the statistical data.” Gross does not explicitly disclose filtering or selecting sensor data; however, in analogous art of anomaly detection in high-performance computing systems, Guan section 3.2 teaches:
To make the anomaly detection tractable and yield high detection accuracy, we apply dimensionality reduction, which transforms the collected health data to a new feature space with only the more relevant attributes preserved [16].
Dimensionality reduction to only the more relevant attributes is filtering to only the more relevant attributes. The more relevant attributes correspond with selecting only data necessary for the prediction of variations and anomalies. Guan section 3.2.2 page 5 left column last paragraph teaches:
Feature selection is to select a smaller set of features that contains as much information as possible. This goal can be interpreted as maximizing the joint mutual information.
Feature selection is a form of dimensionality reduction which selects a smaller set of data.
Dimensionality reduction and/or feature selection are both a first and second filtering. The filtering is a first filtering when it is done for the prediction of future variations (i.e. normal behavior or null hypothesis prediction of the likelihood function taught by Gross); and the filtering is a second feature when it is done for anomaly detection (i.e. anomaly detection or alternative hypothesis of the likelihood function taught by Gross). Notably, the anomalies detected are claimed as anomalies of variation relative to the future values predicted by the prediction algorithm. The anomaly detection is a comparison relative 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak, Velipasaoglu, and Guan. One having ordinary skill in the art would have found motivation to use dimensionality reduction and/or feature selection into the system of detecting anomalies in computer systems for the advantageous purpose of making the data easier to classify and facilitate anomaly detection. See Guan section 3.2 last sentence.
Dependent Claims 5 and 7
Claims 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Gross, Samak, Velipasaoglu, and Guan as applied to claim 1 above, and further in view of US 2014/0358833 A1 Biem, et al. [herein “Biem”].
Claim 5 further recites “5. The method according to claim 2, wherein said confidence interval is 5%.” Gross page 6 left column first paragraph discloses “Fig. 6 shows the SPRT index traveling to the lower boundary, at which times the conclusion can be made, with a 3-nines confidence factor.” A 3-nine confidence factor corresponds with 99.9 and indicates a 0.1% confidence interval for the boundary thereof. 0.1 percent is within a 5% confidence interval range.
Claim 5 further recites “and wherein the detecting further comprises: storing, in the storage, in a table of anomalies, the anomalies detected by the processor executing the detection algorithm.” Gross does not explicitly disclose a table of anomalies; however, in analogous art of anomaly detection in a computer system, Biem paragraph 69 discloses: 
by tracking the metric and anomaly score that predicts a future anomaly, a determination is made as to which component of the system will cause a problem in the future (i.e., which component is associated with the predicted anomalous metric). For example, each metric has a corresponding index, and a table, list or other data structure maps the index to a component.
The anomaly score table for the corresponding metric is a table of anomalies, the anomalies detected by the detection algorithm.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine Gross, Samak, Velipasaoglu, Guan, and Biem. One having See Biem paragraph 69.
Claim 5 further recites “an anomaly being detected when the packet metadata representative of a statistical data exit from the confidence intervals and/or move away from the future variations.” From the above list of alternatives the Examiner is selecting “move away from the future variations.”
Gross section 2 third paragraph discloses “The [Sequential Probability Ratio Test (SPRT)] is a binary hypothesis test, which analyzes process observations sequentially to determine whether or not the signal is consistent with normal behavior.” Gross page 3 equation (1) teaches calculation of a log likelihood ratio. The denominator corresponds to the null hypothesis of normal behavior. The resulting likelihood ration SPRT score indicates whether or not the values are moving away from the expected future variation of normal behavior.
Gross page 2 right column last paragraph discloses “At each time step in a calculation, a test index is calculated and compared to two stopping boundaries A and B (defined below). The test index is equal to the natural log of a likelihood ratio (Ln).” The stopping boundaries A and B are corresponding confidence intervals. Reaching a stopping boundary with the likelihood ratio is detecting an anomaly when the statistical data moves away from normal behavior.
Claim 7 further recites “7. The method according to claim 5, wherein the first filtering in the predicting, by said processor executing a filtering algorithm, is of the statistical data as a function of said sensor having sent signals representative of these statistical data during the predicting of the future variations.” The dimensionality reduction and features selection steps taught by Guan sections 3.2 and 3.2.2 discussed above are data pre-processing steps which occur before the anomaly detection algorithm. See e.g. Guan section 2 lines 7-15. Accordingly, dimensionality reduction and/or feature selection precedes construction of an anomaly detection model.
Claim 7 further recites “and the second filtering in the detecting, by the processor executing the filtering algorithm, is of the signals representative of the statistical data as a function of said sensor having sent these representative signals.” The dimensionality See e.g. Guan section 2 lines 7-15. Accordingly, dimensionality reduction and/or feature selection precedes the comparing steps of the anomaly detection algorithm.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2015/0127595 A1 Hawkins, II; Jeffrey C. et al.
teaches
Modeling and Detection of Anomaly Based on Prediction.
¶48 “pre-processing” and “filtering” of data; ¶54 aggregating data over time periods; ¶40 anomaly detection based on deviation from anticipated ranges/distributions.
US 8,611,219 B2 Golic; Jovan

Detecting anomalies in a communication system using symbolic packet features
US 10,142,353 B2 Yadav; Navindra et al.

Monitoring and managing datacenters
US 9,407,651 B2 Mathis; Craig M.

Anomaly detection in network-site metrics using predictive modeling


Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jay B Hann whose telephone number is (571)272-3330. The examiner can normally be reached M-F 10am-7pm EDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rehana Perveen can be reached on (571)272-3676. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Jay Hann/Primary Examiner, Art Unit 2148                                                                                                                                                                                                        3 February 2022