DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims:
Claims 1-19 are pending in Instant Application.

Priority
Examiner acknowledges Applicant’s claim to priority benefits of continuation of Application No. 15/994,534 filed 05/31/2018.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 05/05/2021, 06/08/2021, and 11/18/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) are being considered if signed and initialed by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-8 and 10-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-15 of U.S. Patent No. 11,044,533. 
Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-8 and 10-19 of the instant application merely broaden the scope of the claims 1-15 of U.S. Patent No. 11,044,533. It has been held that the omission of an element and its function is an obvious expedient if the remaining elements perform the same function as before (See MPEP §804.II.B.1 and §2144.04 IIA).
Claims of Instant Application
Claims of U.S. Patent No. 11,044,533
Reasons
       1. A system, comprising: a processor configured to: at a first time, compute a set of quality metrics for a plurality of groups of streaming sessions, wherein the set of quality metrics comprises at least one of video start failure, exits before video start, video startup time, or rebuffering ratio; identify an anomaly at least in part by performing anomaly detection using the set of quality metrics and historical information; diagnose a cause of the identified anomaly; and generate an alert based at least in part on the diagnosis; 
1. A system, comprising: a processor configured to: at a first time, compute, for each group of video streaming sessions in a plurality of groups of video streaming sessions, a set of quality metrics, wherein the set of quality metrics comprises at least one of video start failure, exits before video start, video startup time, and rebuffering ratio, and wherein a group of video streaming sessions comprises a plurality of video streaming sessions grouped by a set of dimensions; identify an anomaly in at least one group of video streaming at least in part by performing anomaly detection using (1) a corresponding set of quality metrics computed for the at least one group of video streaming sessions and (2) historical information, wherein performing the anomaly detection comprises determining, for the at least one group, anomalous behavior with respect to at least one of video start failure, exits before video start, video startup time, and rebuffering ratio, and wherein identifying the anomaly diagnose a cause of the identified anomaly at least in part by traversing a diagnosis graph, wherein each node in the diagnosis graph corresponds to a different grouping of video streaming sessions, wherein the traversing comprises visiting a child node of a node that corresponds to a group of video streaming sessions determined to have anomalous behavior with respect to at least one and generate an alert based at least in part on the diagnosis, wherein generating the alert comprises providing a report as output, and wherein the report comprises a list of video streaming sessions impacted by the identified anomaly; and a memory coupled to the processor and configured to provide the processor with instructions.


        2. The system of claim 1 wherein the set of quality metrics comprises aggregated Quality of Experience (QoE) metrics computed for a given group of video streaming sessions collected within an interval of time.
Similar claim limitation, however the patent is more specific regarding the type of streaming (video).
        3. The system of claim 1 wherein a group of streaming sessions represents a set of streaming sessions defined by a set of dimensions comprising at least one of state, city, designated market area (DMA), device type, name of a content asset, content delivery network 
3. The system of claim 1 wherein a group of video streaming sessions represents a set of video streaming sessions defined by a set of dimensions comprising at least one of state, city, designated market area (DMA), device type, name of a content asset, content delivery network (CDN), content type, Internet Service Provider (ISP), and autonomous system number (ASP).

       4. The system of claim 1 wherein the processor is further configured to construct a time series using the set of quality metrics and the historical information, wherein the historical information comprises a set of quality metrics computed at a previous time.
      4. The system of claim 1 wherein the processor is further configured to construct a time series using the set of quality metrics computed for the at least one group of video streaming sessions and the historical information, wherein the historical information comprises a set of quality metrics computed at a previous time.
Similar limitation, however the instant application is broader.

1
Claim 1 of the patent contains the claim limitation.
       6. The system of claim 5 wherein the anomaly is identified based at least in part on determining that the aggregated metric exceeds the deviation threshold for a threshold amount of time.
       5. The system of claim 1 wherein the anomaly is identified based at least in part on determining that the aggregated metric exceeds the deviation threshold for a threshold amount of time.
Same limitation.
       7. The system of claim 5 wherein the anomaly is identified based at least in part on determining a measure of streaming 
The system of claim 1 wherein the anomaly is identified based at least in part on determining a measure of video streaming sessions impacted by the anomaly.

       8. The system of claim 5 wherein the baseline comprises a mean of the aggregated metric within a time period, and wherein the deviation threshold is based at least in part on the baseline and a standard deviation of the aggregated metric.
       7. The system of claim 1 wherein the baseline comprises a mean of the aggregated metric within a time period, and wherein the deviation threshold is based at least in part on the baseline and a standard deviation of the aggregated metric.
Same limitation.
       10. The system of claim 1 wherein the processor is further configured to construct a diagnosis graph, wherein nodes of the diagnosis graph correspond to groups of streaming sessions, and wherein diagnosing the cause of the identified anomaly 

Claims 1 and 8 of the patent contain similar claim limitation.
       11. The system of claim 10 wherein evaluating the constructed diagnosis graph comprises performing a breadth first search (BFS) traversal of the diagnosis graph.
       9. The system of claim 8 wherein traversing the constructed diagnosis graph comprises performing a breadth first search (BFS) traversal of the diagnosis graph.
Similar limitation.
       12. The system of claim 10 wherein a node in the diagnosis graph is diagnosed as the cause is of the identified anomaly based at least in part on determining 
The system of claim 8 wherein the node in the diagnosis graph is diagnosed as the cause of the identified anomaly based at least in part on determining that the node is anomalous and that a threshold amount of children of the node are anomalous.

       13. The system of claim 10 wherein in response to determining that a node is anomalous and that a threshold number of anomalous children is not met, a depth first search (DFS) is performed starting from the node.
       11. The system of claim 8 wherein in response to determining that the node is anomalous and that a threshold number of anomalous children is not met, a depth first search (DFS) is performed starting from the node.

Same limitation.
       14. The system of claim 10 wherein a plurality of causes are identified based at least in part on the evaluating of the constructed diagnosis graph, and wherein the processor is further 
The system of claim 8 wherein a plurality of causes are identified based at least in part on the traversing of the constructed diagnosis graph, and wherein the processor is further configured to resolve the plurality of causes into the diagnosed cause of the identified anomaly.

       15. The system of claim 10 wherein the diagnosis graph comprises a directed acyclic graph.
       13. The system of claim 8 wherein the diagnosis graph comprises a directed acyclic graph.
Same limitation.
       16. The system of claim 1 wherein the cause comprises a group of streaming sessions in the plurality of groups of streaming sessions.
1
Claim 1 of the patent contains the claim limitation.
       17. The system of claim 1 wherein generating the alert comprises providing a report as output, and wherein the report comprises a list of streaming sessions impacted by the identified anomaly.
1
Claim 1 of the patent contains the claim limitation.

14
Same as described above for the method claim 1.
19
15
Same as described above for the method claim 1.



In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.
Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-8 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Jadallah et al. (U.S. Publication No. 2012/0311126) [Applicant’s IDS] in view of Sathyanarayana et al. (U.S. Publication No. 2016/0164761) [Applicant’s IDS].
As per claim 1, Jadallah disclose a system (Jadallah: paragraph 0052 and fig. 3; QoE system 300), comprising: 
a processor (Jadallah: paragraph 0052; The QoE system 300 includes at least one processor) configured to:
at a first time, compute a set of quality metrics for a plurality of groups of streaming sessions (Jadallah: paragraph 0055; The metric measurement module receives data from the QoE event handler and media session module and measures various metrics 412 as explained in greater detail herein. The metric aggregation module then aggregates the metrics 414 followed by the QoE calculation module calculating and comparing the metrics 416), wherein the set of quality metrics comprises at least one of video start failure, exits before video start, video startup time, or rebuffering ratio (Jadallah: paragraph 0018; the metric measurement module is configured to measure at least one of the group of average number and duration of buffer stall events, average media start latency, average number of restarts after buffer stall events and average number of bit rate transition events);
Jadallah: paragraph 0063; the QoE event handler is adapted to receive data from the media flow recognition module and detect events 408 related to subscribers' perceived quality of experience. The QoE event handler may obtain attributes related to a particular media flow. These attributes can be used to detect various events, for example, buffering events, media restart events, media start latency events, and adaptive streaming bit rate transition events. There may be many instances of the QoE event handler 206, one for each type of event. Each event handler communicates with the media session manager to keep track of the history of media flows, to detect changes in the media flow properties and to report QoE events to the metric measurement module); and
a memory coupled to the processor and configured to provide the processor with instructions (Jadallah: fig. 2; memory 218 couple to processor 216). 
However Jadallah does not explicitly mention diagnose a cause of the identified anomaly; and generate an alert based at least in part on the diagnosis.
However Sathyanarayana teaches:
diagnose a cause of the identified anomaly (Sathyanarayana: paragraph 0053; the emulation engine instances perform a mesh test when an error or anomaly is detected. The mesh test diagnoses where the root of the detected error or anomaly occurs within the distributed platform architecture); and 
 generate an alert based at least in part on the diagnosis (Sathyanarayana: paragraph 0031; Based on the alert parameters, each alert can identify the distributed platform delivery node in which the error occurred, the error at issue, the content stream fragment or chunk where the error or anomaly occurred, various other performance metrics at the time of the error occurrence, and one or more parties that receive the alert…paragraph 0048; The reporting can include logging and/or providing real-time statistics regarding any detected errors or anomalies and observed server-side performance. The real-time statistics can include directly notifying an administrator, content provider, or other user based on any configured alerts that are triggered as a result of detected errors, anomalies, or monitored server performance).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sathyanarayana with the teachings as in Jadallah. The motivation for doing so would have been made in order to track real-time performance and any errors in the server-side transmission of the content stream under test (Sathyanarayana: Abstract).
As per claim 2, the modified Jadallah teaches the system of claim 1 wherein the set of quality metrics comprises aggregated Quality of Experience (QoE) metrics computed per group of streaming sessions collected within an interval of time (Jadallah: paragraph 0017; a metric measurement module operatively connected to the QoE event handler and configured to measure a metric relating to the detected event; and a quality of experience calculation module operatively connected to the metric measurement module and configured to determine a quality of experience measurement based on the metric…paragraph 0075; In some cases, a media flow session is kept for two sampling intervals, 30 minutes, after receiving the last media flow. This period is intended to allow other modules to have access to the media session record for, for example, calculating and aggregating QoE metrics).  
As per claim 3, the modified Jadallah teaches the system of claim 1 wherein a group of streaming sessions represents a set of streaming sessions defined by a set of dimensions comprising at least one of state, city, designated market area (DMA), device type, name of a content asset, content delivery network (CDN), content type, Internet Service Provider (ISP), and autonomous system number (ASP) (Jadallah: paragraph 0072 and fig. 9; Dimensions can also be used in the metric aggregation module to group and aggregate facts based on elements of interest to the network or QoE system. Examples of dimensions include: subscriber geographical location, content provider name, content delivery network name, type of stream, client device name, operating system name, browser name, container name, transport protocol, session protocol, audio codec name, video codec name and resolution). 
As per claim 4, the modified Jadallah teaches the system of claim 1 wherein the processor is further configured to construct a time series using the set of quality metrics and the historical information, wherein the historical information comprises a set of quality metrics computed at a previous time (Jadallah:  paragraph 0109; After the metric aggregation module has determined a QoE of the media stream per subscriber or per session, the QoE system may provide a report to be viewed by the operator or ISP. Reporting can be used to analyze long-term trending and drill into data to investigate the causes of low QoE scores. The QoE system may send raw data from the measurements to a storage system that will store the metrics in a long-term storage medium, or the memory component of the QoE system may be equipped to store the metrics for a longer period of time, for example one week, one month, or over a five year period. Then at some later time, the QoE system can extract the raw data from long-term storage and create reports various trending or historical analysis to investigate causes or trends in low QoE scores). 
As per claim 5, the modified Jadallah teaches the system of claim 1 wherein identifying the anomaly comprises determining a baseline and deviation threshold for an aggregated metric with respect to a group of streaming sessions (Sathyanarayana: paragraph 0030; The error and anomaly detection parameters configure the thresholds and conditions that determine an error or anomaly in the transmission of a content stream. By configuring different error and anomaly detection parameters for different instances of an emulation engine, the error and anomaly detection can be made to differ for different content streams under test and for different PoPs being monitored. In other words, each instantiated emulation engine can be configured to detect a different set of errors or anomalies according to a different set of criteria).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sathyanarayana with the teachings as in Jadallah. The motivation for doing so would have been made in order to track real-time performance and any errors in the server-side transmission of the content stream under test (Sathyanarayana: Abstract).
As per claim 6, the modified Jadallah teaches the system of claim 5 wherein the anomaly is identified based at least in part on determining that the aggregated metric exceeds the deviation threshold for a threshold amount of time (Jadallah:  paragraph 0070; In order to detect this kind of event, the QoE event handler detects upon the arrival of the media request if the same subscriber requested the same media content recently, by communicating with the media session manager. If the same request was found for the same subscriber and there was at least one buffer stall event, the QoE event handler may subtract the last access time of existing media content from a current request time. If the difference is less than or equal to a predetermined threshold value, for example, approximately 800 to 1000 seconds or 900 seconds, QoE event handler reports a media restart event to the QoE metric measurement module).
As per claim 7, the modified Jadallah teaches the system of claim 5 wherein the anomaly is identified based at least in part on determining a measure of streaming sessions impacted by the anomaly (Sathyanarayana: paragraph 0046; The process then verifies (at 455) any received chunks. Chunk verification involves inspecting the received chunks for errors or anomalies including invalid checksums, improper metadata or header information, and malformed payloads as some examples. The detected errors and anomalies can vary depending on the streaming protocol with which the content stream under test is passed).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sathyanarayana with the teachings as in Jadallah. The motivation for doing so would have been made in order to track real-time performance and any errors in the server-side transmission of the content stream under test (Sathyanarayana: Abstract).
Sathyanarayana: paragraph 0030; The error and anomaly detection parameters configure the thresholds and conditions that determine an error or anomaly in the transmission of a content stream. By configuring different error and anomaly detection parameters for different instances of an emulation engine, the error and anomaly detection can be made to differ for different content streams under test and for different PoPs being monitored…paragraph 0032; the system configures each instantiated emulation engine with a default set of test and monitoring parameters, error and anomaly detection parameters, and alert parameters when the tester does not customize the parameters. The default parameters can vary depending on the streaming protocol used for the content stream under test or can vary depending on the content stream itself. The default parameters can be overridden or added to by user specified parameters. The default parameters provide a baseline set of metrics and errors to monitor. The default parameters can also configure a set of automatic alerts. These default alerts may fire whenever a serious error is detected in the transmission of a content stream).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sathyanarayana with the teachings as in Jadallah. The motivation for doing so would have been made in Sathyanarayana: Abstract).
As per claim 16, the modified Jadallah teaches the system of claim 1 wherein the cause comprises a group of streaming sessions in the plurality of groups of streaming sessions (Sathyanarayana: paragraph 0031; Based on the alert parameters, each alert can identify the distributed platform delivery node in which the error occurred, the error at issue, the content stream fragment or chunk where the error or anomaly occurred, various other performance metrics at the time of the error occurrence, and one or more parties that receive the alert).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sathyanarayana with the teachings as in Jadallah. The motivation for doing so would have been made in order to track real-time performance and any errors in the server-side transmission of the content stream under test (Sathyanarayana: Abstract).
As per claim 17, the modified Jadallah teaches the system of claim 1 wherein generating the alert comprises providing a report as output, and wherein the report comprises a list of streaming sessions impacted by the identified anomaly (Sathyanarayana: paragraph 0035; the instantiated emulation engine instances write any statistics, errors, or anomalies tracked during the client-side player emulation to a common log file as the statistics, errors, or anomalies occur or are detected. In other words, all instantiated emulation engine instances continually write to the same log file and the system continually reads from the common log file in order to update and generate the compiled report in real-time. In some embodiments, each instantiated emulation engine instance continually writes any statistics, errors, or anomalies tracked during the client-side player emulation to a different log file with the system continually aggregating the entries from the log files of all instantiated emulation engine instances in order to update and generate the compiled report in real-time).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sathyanarayana with the teachings as in Jadallah. The motivation for doing so would have been made in order to track real-time performance and any errors in the server-side transmission of the content stream under test (Sathyanarayana: Abstract).
With respect to claim 18, it is substantially similar to claim 1 and is rejected in the same manner, the same art and reasoning applying. Further, Jadallah also teaches a method (Jadallah: a method for measuring quality of experience for media streaming in a network).
With respect to claim 19, it is substantially similar to claim 1 and is rejected in the same manner, the same art and reasoning applying. Further, Jadallah also teaches a computer program embodied in a non-transitory computer readable storage medium and comprising computer instructions (Jadallah: paragraph 0120; a computer program product stored in a machine-readable medium (also referred to as a computer-readable medium)…The instructions stored on the machine-readable medium can be executed by a processor or other suitable processing device, and can interface with circuitry to perform the described tasks).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Jadallah et al. (U.S. Publication No. 2012/0311126) [Applicant’s IDS], in view of Sathyanarayana et al. (U.S. Publication No. 2016/0164761) [Applicant’s IDS], and further in view of Sunshine et al. (U.S. Publication No. 2006/0282225).
As per claim 9, the modified Jadallah teaches the system of claim 1.
However the modified Jadallah does not explicitly mention wherein identifying the anomaly comprises using a hidden Markov model to determine a probability that a group is in an anomalous state at the first time. 
However Sunshine teaches:
wherein identifying the anomaly comprises using a hidden Markov model to determine a probability that a group is in an anomalous state at the first time (Sunshine: paragraph 0071; This module utilizes Hidden Markov Models (HMM) to identify anomalies based on probabilities of passing from one state to a second state. The HMM use different algorithms to define these probabilities such as a Viterbi algorithm, a forward-backward algorithm, or a Baum-Welsh algorithm, as would be known to those skilled in the art. All of these methods are designed to find hidden patterns in data. The output is a prediction of an anomaly based on a number of discrete state variables).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Sunshine with the teachings as in the modified Jadallah. The motivation for doing so would have been for utilizing Hidden Markov Models (HMM) to identify anomalies (Sunshine: Abstract).

Claims 10-15 are rejected under 35 U.S.C. 103 as being unpatentable over Jadallah et al. (U.S. Publication No. 2012/0311126) [Applicant’s IDS], in view of Sathyanarayana et al. (U.S. Publication No. 2016/0164761) [Applicant’s IDS], and further in view of Muddu et al. (U.S. Publication No. 2017/0223036) [Applicant’s IDS].
As per claim 10, the modified Jadallah teaches the system of claim 1.
However the modified Jadallah does not explicitly mention wherein the processor is further configured to construct a diagnosis graph, wherein nodes of the diagnosis graph correspond to groups of streaming sessions, and wherein diagnosing the cause of the identified anomaly comprises evaluating the constructed diagnosis graph. 
However Muddu teaches:
wherein the processor is further configured to construct a diagnosis graph, wherein nodes of the diagnosis graph correspond to groups of streaming sessions, and wherein diagnosing the cause of the identified anomaly comprises evaluating the constructed diagnosis graph (Muddu: paragraph 0179 and figs. 46A and 46B; The anomalies may also be stored in the graph database 374. In some embodiments, the anomalies can be stored in graph database 374 in the form of anomaly nodes in a graph or graphs and paragraph 0186; anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning, or graphical analysis (e.g., in the case of security graphs or security graph projections). Preferably, this detection is performed by various machine learning models).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Muddu with the teachings as in the modified Jadallah. The motivation for doing so would have been for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence (Muddu: Abstract).
As per claim 11, the modified Jadallah teaches the system of claim 10 wherein evaluating the constructed diagnosis graph comprises performing a breadth first search (BFS) traversal of the diagnosis graph (Muddu: paragraph 0547; the process initially traverses the graph node by node and maps the nodes onto a one-dimensional (1D) grid. The graph may be traversed in any order. For example, a breadth first search (BFS) order may be convenient. An example of a 1D grid resulting from traversing graph 6101 in BFS order is shown as grid 6102 in FIG. 61A. In FIG. 61A).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Muddu with the teachings as in the modified Jadallah. The motivation for doing so would have been for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence (Muddu: Abstract).
As per claim 12, the modified Jadallah teaches the system of claim 10 wherein a node in the diagnosis graph is diagnosed as the cause is of the identified anomaly based at least in part on determining that the node is anomalous and that a threshold amount of Muddu: paragraph 0224; the individual relationship graph of that anomalous event is revised to include an anomaly node (along appropriate edges), so that when the composite relationship graph is created, it can be used to determine what other entities might be involved or affected by this anomaly).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Muddu with the teachings as in the modified Jadallah. The motivation for doing so would have been for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence (Muddu: Abstract).
As per claim 13, the modified Jadallah teaches the system of claim 10 wherein in response to determining that a node is anomalous and that a threshold number of anomalous children is not met, a depth first search (DFS) is performed starting from the node (Muddu: paragraph 0520; The “memory capacity” of the PST model can be controlled by the maximum length of historic symbols, which is the probabilistic suffix tree's depth, and is the length of the Markov chain…paragraphs 0522-0523 and fig. 52; An example of a PST model having been trained by a particular sequence [100111] is shown in FIG. 52. In the PST model shown in FIG. 52, the PST's depth is 3…because different types of entities may have different characteristics in their behaviors, to further enhance the accuracy of behavioral anomaly detection for a specific entity (e.g., a user), various embodiments of the PST model can be configured to first establish a baseline prediction profile (or simply “baseline”) for a specific entity after the PST model is trained).
Muddu: Abstract).
As per claim 14, the modified Jadallah teaches the system of claim 10 wherein a plurality of causes are identified based at least in part on the evaluating of the constructed diagnosis graph, and wherein the processor is further configured to resolve the plurality of causes into the diagnosed cause of the identified anomaly (Muddu: paragraph 0185; Baseline profiles can be continuously updated (whether in real-time as event data streams in, or in batch according to a predefined schedule) in response to received event data, i.e., they can be updated dynamically and/or adaptively based on event data. If the human user 604 begins to access source code server 610 more frequently in support of his work, for example, and his accessing of source code server 610 has been judged to be legitimate by the security platform 300 or a network security administrator (i.e., the anomalies/threats detected upon behavior change have been resolved and deemed to be legitimate activities), his baseline profile 614 is updated to reflect the updated "normal" behavior for the human user 604).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Muddu with the teachings as in the modified Jadallah. The motivation for doing so would have been for Muddu: Abstract).
As per claim 15, the modified Jadallah teaches the system of claim 10 wherein the diagnosis graph comprises a directed acyclic graph (Muddu: paragraph 0311; The topology-based assignments maintain a directed acyclical graph (DAG) structure that allows for dynamic execution of model-specific process threads and management of the input data dependencies of these model-specific process threads).
Therefore it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Muddu with the teachings as in the modified Jadallah. The motivation for doing so would have been for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence (Muddu: Abstract).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARINA J. GARCIA-CHING whose telephone number is (571)270-7159. The examiner can normally be reached Monday - Wednesday (9:00 AM - 5:00 PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARINA J GARCIA-CHING/Examiner, Art Unit 2449   
                                                                                                                                                                                          /VIVEK SRIVASTAVA/Supervisory Patent Examiner, Art Unit 2449